# Emerging Threats # # This distribution may contain rules under two different licenses. # # Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2. # A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html # # Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License # as follows: # #************************************************************* # Copyright (c) 2003-2017, Emerging Threats # All rights reserved. # # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #*************************************************************
#
# This ruleset is Emerging Threats Open, optimized for Suricata 1.3 (a long end-of-life
# release; the rules below target 2010-2013 exploit kits, mass injections and phishing).
# Only the "drop" rules are active - every rule prefixed with "#alert" is disabled. In
# inline (IPS) mode "drop" blocks the flow, so test the active rules (several are short,
# case-insensitive URI string matches) against production traffic before enabling them.
#
# NOTE(review): this copy appears to have been damaged in transit. Several rules have lost
# their match text (e.g. sids 2012614, 2012624, 2013553, 2014607 and 2014608 carry an empty
# content:"", and sid 2014644 has a regex fragment inside a content:"" where a pcre: appears
# to have been), some quoted strings are broken across lines, and in places the text between
# two rules is missing so they run together. Suricata should be expected to reject such
# rules at load time, and any that did load would not match what the author intended.
# Do not deploy this copy: obtain the ruleset from the upstream Emerging Threats
# distribution and validate it with "suricata -T" before use.
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malvertising drive by kit encountered - Loading..."; flow:established,to_client; content:"HTTP/1"; depth:6; content:"Loading...
"; nocase; reference:url,doc.emergingthreats.net/2011223; classtype:bad-unknown; sid:2011223; rev:5;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for PDF exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; content:"|25 32 36|np"; distance:32; within:5; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011348; rev:4;) #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for Java exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|j"; distance:32; within:4; http_client_body; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011349; rev:6;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for Java and PDF exploits"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|jp"; distance:5; within:5; http_client_body; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011350; rev:8;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Driveby bredolab hidden div served by nginx"; flow:established,to_client; content:"|0d 0a|Server|3a| nginx"; file_data; content:"
<"; depth:120; classtype:bad-unknown; sid:2011355; rev:3;) #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Neosploit Exploit Pack Activity Observed"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a| "; nocase; content:"|0d 0a|User-Agent|3a| "; nocase; pcre:"/\.(php|asp|py|exe|htm|html)\/[joewxy](U[0-9a-f]{8})?H[0-9a-f]{8}V[0-9a-f]{8}\d{3}R[0-9a-f]{8}\d{3}T[0-9a-f]{8,}/U"; reference:url,blog.fireeye.com/research/2010/01/pdf-obfuscation.html; reference:url,blog.fireeye.com/research/2010/06/neosploit_notes.html; reference:url,dxp2532.blogspot.com/2007/12/neosploit-exploit-toolkit.html; classtype:attempted-user; sid:2011583; rev:4;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Driveby Bredolab - client exploited by acrobat"; flow:established,to_server; content:"?reader_version="; http_uri; content:"&exn=CVE-"; http_uri; classtype:trojan-activity; sid:2011797; rev:2;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SEO Exploit Kit - Landing Page"; flow:established,to_client; content:"
"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011812; rev:4;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SEO Exploit Kit - client exploited"; flow:established,to_server; content:"/exe.php?exp="; http_uri; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011813; rev:6;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS exploit kit x/load/svchost.exe"; flow:established,to_server; content:"GET"; http_method; content:"load/svchost.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011906; rev:3;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SWF served from /tmp/ "; flow:established,to_server; content:"/tmp/"; http_uri; fast_pattern; content:".swf"; http_uri; pcre:"/\/tmp\/[^\/]+\.swf$/U"; classtype:bad-unknown; sid:2011970; rev:1;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS PDF served from /tmp/ could be Phoenix Exploit Kit"; flow:established,to_server; content:"/tmp/"; http_uri; content:".pdf"; http_uri; pcre:"/\/tmp\/[^\/]+\.pdf$/U"; classtype:bad-unknown; sid:2011972; rev:3;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS JAR served from /tmp/ could be Phoenix Exploit Kit"; flow:established,to_server; content:"/tmp/"; http_uri; fast_pattern; content:".jar"; http_uri; pcre:"/\/tmp\/[^\/]+\.jar$/U"; classtype:bad-unknown; sid:2011973; rev:3;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING Alureon JavaScript IFRAME Redirect"; flow:established,to_client; file_data; content:"marginwidth=|5c 22|0|22 5c| marginheight=|5c 22|0|22 5c| hspace=|5c 22|0|22 5c| vspace=|5c 22|0|22 5c| frameborder=|5c 22|0|22 5c| scrolling=|5c 22|0|22 5c| bordercolor=|5c 22 23|000000|5c 22|>|22 29 3b 7d|"; classtype:bad-unknown; sid:2011978; rev:5;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Phoenix-style Exploit Kit Java Request with semicolon in URI"; 
flow:established,to_server; content:"/?"; http_uri; content:"|3b| 1|3b| "; http_uri; content:"|29| Java/1."; http_header; pcre:"/\/\?[a-z0-9]{65,}\x3b \d\x3b \d/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2011988; rev:5;) #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Neosploit Toolkit download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/GNH11.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=piadraspgdw.com; reference:url,labs.m86security.com/2011/01/shedding-light-on-the-neosploit-exploit-kit; classtype:trojan-activity; sid:2012333; rev:3;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby Download Secondary Request"; flow:established,to_server; content:".php?t"; http_uri; pcre:"/\.php\?t[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2012401; rev:11;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Compressed Adobe Flash File Embedded in XLS FILE Caution - Could be Exploit"; flow:established,from_server; file_data; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"|45 57 73 09|"; distance:0; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; classtype:attempted-user; sid:2012503; rev:5;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excel with Embedded .emf object downloaded"; flow:established,to_client; file_data; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"| 50 4B 03 04 |"; content:"|2F 6D 65 64 69 61 2F 69 6D 61 67 65 |"; within:64; content:"| 2E 65 6D 66 |"; within:15; classtype:bad-unknown; sid:2012504; rev:8;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS 
RetroGuard Obfuscated JAR likely part of hostile exploit kit"; flow:established,from_server; content:"classPK"; content:"|20|by|20|RetroGuard|20|Lite|20|"; reference:url,www.retrologic.com; classtype:trojan-activity; sid:2012518; rev:2;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of Microsft Office File From Russian Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; content:"|D0 CF 11 E0 A1 B1 1A E1|"; classtype:trojan-activity; sid:2012525; rev:3;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of Microsoft Office File From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; content:"|D0 CF 11 E0 A1 B1 1A E1|"; classtype:trojan-activity; sid:2012526; rev:3;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of PDF File From Russian Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; content:"%PDF-"; classtype:trojan-activity; sid:2012527; rev:3;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of PDF File From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; content:"%PDF-"; classtype:trojan-activity; sid:2012528; rev:3;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site WindowsLive.png"; flow:established,to_server; content:"/images/WindowsLive.png"; http_uri; depth:23; classtype:bad-unknown; sid:2012529; rev:3;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site Landing Page"; flow:established,from_server; content:"MWL"; classtype:bad-unknown; sid:2012530; rev:3;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site blt .png"; flow:established,to_server; content:"/images/blt"; http_uri; 
depth:11; content:".png"; http_uri; within:6; classtype:bad-unknown; sid:2012531; rev:3;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site Payload Download"; flow:established,to_server; content:"/MRT/update/"; http_uri; depth:12; content:".exe"; http_uri; classtype:bad-unknown; sid:2012532; rev:2;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Phoenix Java Exploit Attempt Request for .class from octal host"; flow:established,to_server; content:".class|20|HTTP/1.1|0d 0a|"; fast_pattern; content:"|20|Java/"; http_header; content:"Host|3a 20|"; pcre:"/Host\x3a \d{4,}[^A-Za-z\.]/D"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012609; rev:6;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit io.exe download served"; flow:established,from_server; content:"|3b 20|filename=io.exe|0d 0a|"; fast_pattern; classtype:trojan-activity; sid:2012610; rev:2;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Internal WebServer Compromised By Lizamoon Mass SQL-Injection Attacks"; flow:established,from_server; content:""; within:100; reference:url,malwaresurvival.net/tag/lizamoon-com/; classtype:web-application-attack; sid:2012614; rev:5;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Flash SWF File Embedded in XLS FILE Caution - Could be Exploit"; flow:established,from_server; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"SWF"; fast_pattern:only; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; classtype:attempted-user; sid:2012621; rev:4;) #alert http $EXTERNAL_NET any -> $HOME_NET any 
(msg:"ET CURRENT_EVENTS Adobe Flash Unicode SWF File Embedded in Office File Caution - Could be Hostile"; flow:established,from_server; flowbits:isset,OLE.CompoundFile; content:"S|00|W|00|F|00|"; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; reference:cve,2011-0611; classtype:attempted-user; sid:2012622; rev:5;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lizamoon Related Compromised site served to local client"; flow:established,from_server; content:""; within:100; classtype:attempted-user; sid:2012624; rev:5;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Potential Lizamoon Client Request /ur.php"; flow:established,to_server; content:"GET"; http_method; content:"/ur.php"; http_uri; content:"GET /ur.php "; depth:12; classtype:trojan-activity; sid:2012625; rev:3;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Java Exploit Attempt Request for .id from octal host"; flow:established,to_server; content:".id|20|HTTP/1.1|0d 0a|"; fast_pattern; content:"|20|Java/"; http_header; content:"Host|3a 20|"; pcre:"/Host\x3a \d{4,}[^A-Za-z\.]/D"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012628; rev:5;) #alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Potential Paypal Phishing Form Attachment"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"Restore Your Account"; distance:0; nocase; content:"paypal"; distance:0; nocase; content:"form.php|22| method=|22|post|22|"; nocase; distance:0; classtype:bad-unknown; sid:2012632; rev:3;) #alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing victim POSTing data"; flow:established,to_server; content:"POST"; http_method; content:"usr="; content:"&pwd="; content:"&name-on="; content:"&cu-on="; content:"&how2-on="; fast_pattern; classtype:bad-unknown; sid:2012630; rev:3;) #alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Potential ACH Transaction Phishing Attachment"; flow:established,to_server; content:"ACH transaction"; nocase; content:".pdf.exe"; nocase; classtype:bad-unknown; sid:2012635; rev:2;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Java Exploit Attempt Request for hostile binary"; flow:established,to_server; content:"&|20|HTTP/1.1|0d 0a|User-A"; fast_pattern; content:".php?height="; http_uri; content:"|20|Java/"; http_header; pcre:"/\/[a-z0-9]{30,}\.php\?height=\d+&sid=\d+&width=[a-z0-9]+&/U"; classtype:trojan-activity; sid:2012644; rev:3;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious JAR olig"; flow:established,from_server; content:"|00 00|META-INF/PK|0a|"; fast_pattern; content:"|00|olig/"; classtype:trojan-activity; sid:2012646; rev:3;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Pack Binary Load Request"; flow:established,to_server; content:".php?sex="; nocase; http_uri; content:"&children="; nocase; http_uri; content:"&userid="; nocase; http_uri; pcre:"/\.php\?sex=\d+&children=\d+&userid=/U"; classtype:trojan-activity; sid:2012687; rev:2;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Likely Redirector to Exploit Page /in/rdrct/rckt/?"; flow:established,to_server; content:"/in/rdrct/rckt/?"; http_uri; classtype:attempted-user; sid:2012731; rev:2;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown .ru Exploit Redirect Page"; flow:established,to_server; content:"people/?"; http_uri; content:"&top="; http_uri; content:".ru|0d 0a|"; 
http_header; classtype:bad-unknown; sid:2012732; rev:2;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit Attempt applet via file URI param"; flow:established,from_server; content:"applet"; nocase; content:"file|3a|C|3a 5c|Progra"; fast_pattern; nocase; distance:0; content:"java"; nocase; distance:0; content:"jre6"; nocase; distance:0; content:"lib"; nocase; distance:0; content:"ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012884; rev:3;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Eleonore Exploit Pack exemple.com Request"; flow:established,to_server; content:"/exemple.com/"; nocase; http_uri; classtype:trojan-activity; sid:2012940; rev:2;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Phoenix Exploit Kit Newplayer.pdf"; flow:established,to_server; content:"/newplayer.pdf"; http_uri; reference:cve,2009-4324; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:attempted-user; sid:2012941; rev:7;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Phoenix Exploit Kit Printf.pdf"; flow:established,to_server; content:"/printf.pdf"; http_uri; reference:cve,2008-2992; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:attempted-user; sid:2012942; rev:7;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Phoenix Exploit Kit Geticon.pdf"; flow:established,to_server; content:"/geticon.pdf"; http_uri; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:attempted-user; sid:2012943; rev:7;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Phoenix Exploit Kit All.pdf"; flow:established,to_server; content:"/tmp/all.pdf"; http_uri; 
reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:attempted-user; sid:2012944; rev:7;) #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request to malicious info.php drive-by landing"; flow:established,to_server; content:"/info.php?n="; http_uri; fast_pattern:only; content:!"&"; http_uri; content:!"|0d 0a|Referer|3a|"; pcre:"/\/info.php\?n=\d/U"; classtype:trojan-activity; sid:2013010; rev:3;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious PHP 302 redirect response with avtor URI and cookie"; flow:established,from_server; content:"302"; http_stat_code; content:".php?avtor="; fast_pattern; content:"Set-Cookie|3a| "; content:"avtor="; within:40; classtype:trojan-activity; sid:2013011; rev:6;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Exploit kit mario.jar"; flow:established,to_server; content:"pack200"; http_header; content:" Java/"; http_header; content:"/mario.jar"; http_uri; classtype:trojan-activity; sid:2013024; rev:3;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Java/PDF Exploit kit from /Home/games/ initial landing"; flow:established,to_server; content:"/Home/games/2fdp.php?f="; http_uri; classtype:trojan-activity; sid:2013025; rev:2;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Java/PDF Exploit kit initial landing"; flow:established,to_server; content:"/2fdp.php?f="; http_uri; classtype:trojan-activity; sid:2013027; rev:3;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Shipping Invoice Request to JPG.exe Executable"; flow:established,to_server; content:"/invoice"; nocase; http_uri; content:".JPG.exe"; nocase; fast_pattern; classtype:trojan-activity; sid:2013048; rev:4;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sidename.js Injected Script Served by Local WebServer"; flow:established,from_server; 
content:"/sidename.js\">"; nocase; fast_pattern:only; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:web-application-attack; sid:2013061; rev:3;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2011-2110 Flash Exploit Attempt"; flow:established,to_server; content:"GET /"; depth:5; content:".swf?info=02"; http_uri; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20110617; classtype:trojan-activity; sid:2013065; rev:4;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit Attempt applet via file URI setAttribute"; flow:established,from_server; content:"setAttribute("; content:"C|3a 5c 5c|Progra"; fast_pattern; nocase; distance:0; content:"java"; nocase; distance:0; content:"jre6"; nocase; distance:0; content:"lib"; nocase; distance:0; content:"ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013066; rev:3;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP overflow Media Player lt 10"; flow:established,to_server; content:"/hcp_asx.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013077; rev:4;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Clickfraud Framework Request"; flow:to_server,established; content:"/go.php?uid="; http_uri; fast_pattern; content:"&data="; http_uri; urilen:>400; classtype:bad-unknown; sid:2013093; rev:3;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? 
and hex"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; pcre:"/\/\?[0-9a-f]{60,66}[\;\d\x2c]*$/U"; classtype:bad-unknown; sid:2013094; rev:9;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Driveby Exploit Kit Browser Progress Checkin - Binary Likely Previously Downloaded"; flow:established,to_server; content:"/?"; http_uri; content:!" Java/"; http_header; pcre:"/\/\?[a-f0-9]{64}\;\d\;\d/U"; classtype:trojan-activity; sid:2013098; rev:3;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2011-2110 Flash Exploit Attempt Embedded in Web Page"; flow:established,to_client; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Likely EgyPack Exploit kit landing page (EGYPACK_CRYPT)"; flow:established,from_server; content:"EGYPACK_CRYPT"; pcre:"/EGYPACK_CRYPT\d/"; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:trojan-activity; sid:2013175; rev:4;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS cssminibar.js Injected Script Served by Local WebServer"; flow:established,from_server; content:"cssminibar.js|22|>"; nocase; fast_pattern:only; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:web-application-attack; sid:2013192; rev:2;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript Often Used in Drivebys"; flow:established,from_server; content:"Content-Type|3a 20|text/html"; content:"|0d 0a|
\d{16}/R"; classtype:trojan-activity; sid:2013237; rev:5;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Injected Credit Card Fraud Malvertisement Script"; flow:established,to_client; content:"|3C|script|3E|ba|28 27|Windows.class|27 2C 27|Windows.jar|27 29 3B 3C 2F|script|3E|"; nocase; reference:url,blogs.paretologic.com/malwarediaries/index.php/2011/07/06/stolen-credit-cards-site-injected-with-malware/; classtype:misc-activity; sid:2013244; rev:2;) #alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query for Known Hostile Domain gooqlepics com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|gooqlepics|03|com|00|"; reference:url,blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html; classtype:bad-unknown; sid:2013328; rev:4;) #alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - flickr.com.* "; content:"|05|flickr|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013353; rev:3;) #alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - picasa.com.* "; content:"|06|picasa|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; 
reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013354; rev:3;) #alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - blogger.com.* "; content:"|07|blogger|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013355; rev:3;) #alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - wordpress.com.* "; content:"|09|wordpress|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013357; rev:1;) #alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - img.youtube.com.* "; content:"|03|img|07|youtube|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; 
reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013358; rev:2;) #alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - upload.wikimedia.com.* "; content:"|06|upload|09|wikimedia|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013359; rev:2;) #alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - photobucket.com.* "; content:"|0b|photobucket|03|com"; nocase; content:!"|00|"; within:1; content:!"|09|footprint|03|net|00|"; nocase; distance:0; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013360; rev:2;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious 1px iframe related to Mass Wordpress Injections"; flow:established,from_server; content:"/?go=1|22 20|width=|22|1|22 20|height=|22|1|22|>"; fast_pattern; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY ACH - Redirection"; flow:from_server,established; file_data; content:"NACHA"; classtype:bad-unknown; sid:2013474; rev:5;) #alert 
http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix Java MIDI Exploit Received By Vulnerable Client"; flow:established,to_client; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider"; classtype:bad-unknown; sid:2013484; rev:4;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix Java MIDI Exploit Received"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider"; classtype:bad-unknown; sid:2013485; rev:4;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix landing page JAVASMB"; flow:established,to_client; file_data; content:"JAVASMB()"; classtype:bad-unknown; sid:2013486; rev:4;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Likely Generic Java Exploit Attempt Request for Java to decimal host"; flow:established,to_server; content:" Java/1"; http_header; pcre:"/Host\x3a \d{8,10}(\x0d\x0a|\x3a\d{1,5}\x0d\x0a)/H"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013487; rev:5;) #alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Fraudulent DigiNotar SSL Certificate for google.com"; flow:established,from_server; content:"|0C 76 DA 9C 91 0C 4E 2C 9E FE 15 D0 58 93 3C 4C|"; content:"google.com"; within:250; reference:url,www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx; classtype:misc-activity; sid:2013500; rev:2;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit"; flow:established,to_server; content:"/pch.php?f="; http_uri; pcre:"/pch\.php\?f=\d+$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013548; rev:3;) #alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 2"; flow:established,to_server; content:"/hcp_vbs.php?f="; http_uri; pcre:"/hcp_vbs\.php\?f=\d+&d=\d+$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013549; rev:3;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Driveby Generic Java Exploit Attempt"; flow:established,to_client; content:" codebase=|22|C|3a 5c|Program Files|5c|java|5c|jre6|5c|lib|5c|ext|22| code="; nocase; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013551; rev:3;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Driveby Generic Java Exploit Attempt 2"; flow:established,to_client; content:" codebase=|22|C|3a 5c|Program Files (x86)|5c|java|5c|jre6|5c|lib|5c|ext|22| code="; nocase; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013552; rev:3;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole landing page with malicious Java applet"; flow:established,from_server; file_data; content:""; classtype:bad-unknown; sid:2013553; rev:6;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole MapYandex.class malicious jar"; flow:established,from_server; content:"|0d 0a|Content-Type|3a 20|application/java-archive|0d 0a|"; content:"MapYandex.class"; fast_pattern:only; content:"PK"; classtype:bad-unknown; sid:2013554; rev:7;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Landing Reporting Successful Java Compromise"; flow:established,to_server; content:".php?spl="; http_uri; pcre:"/\.php\?spl=[A-Z]{3}/U"; 
flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013652; rev:5;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Landing Response Malicious JavaScript"; flow:established,from_server; content:""; distance:1; within:10; classtype:attempted-user; sid:2014607; rev:10;) drop http $HOME_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nikjju Mass Injection Internal WebServer Compromised"; flow:established,from_server; file_data; content:""; distance:1; within:10; classtype:attempted-user; sid:2014608; rev:9;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito Exploit Kit Java request to images.php?t="; flow:established,to_server; content:"/images.php?t="; http_uri; content:"|29 20|Java/"; http_header; pcre:"/^\/images\.php\?t=\d+$/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014609; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TDS Sutra - cookie set RULEZ"; flow:established,from_server; content:"sutraRULEZcookies"; fast_pattern:only; content:"sutraRULEZcookiessupport"; http_cookie; classtype:trojan-activity; sid:2014611; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS TDS Sutra - cookie is set RULEZ"; flow:established,to_server; content:"sutraRULEZcookies"; fast_pattern:only; content:"sutraRULEZcookiessupport"; http_cookie; classtype:trojan-activity; sid:2014612; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Jembot PHP Webshell (file upload)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; nocase; content:"jembot"; http_uri; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014613; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Jembot PHP Webshell (system command)"; flow:established,to_server; content:"GET"; nocase; http_method; 
content:".php"; http_uri; nocase; content:"empix="; http_uri; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014614; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Jembot PHP Webshell (hell.php)"; flow:established,to_server; content:"/hell.php"; http_uri; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014615; rev:3;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito Exploit Kit PDF request to images.php?t=81118"; flow:established,to_server; content:"/images.php?t=81118"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014639; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito Exploit Kit payload request to images.php?t=N"; flow:established,to_server; content:"/images.php?t="; http_uri; urilen:15; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014640; rev:1;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito Exploit Kit landing page request to images.php?t=4xxxxxxx"; flow:established,to_server; content:"/images.php?t="; http_uri; urilen:22; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014641; rev:4;) drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole - Landing Page Recieved - applet PluginDetect and 10hexchar title"; flow:established,to_client; file_data; content:"PluginDetect"; content:"[a-f0-9]{10}<\/title>/"; classtype:trojan-activity; sid:2014644; rev:1;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unkown exploit kit pdf download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&file="; http_uri; content:".pdf"; 
http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014657; rev:1;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unkown exploit kit payload download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&spl="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014658; rev:1;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Obfuscated Please wait Message"; flow:established,to_client; file_data; content:"Please|3A|wait|3A|page|3A|is|3A|loading"; flowbits:set,et.exploitkitlanding; reference:url,isc.sans.edu/diary.html?storyid=13051; classtype:trojan-activity; sid:2014659; rev:4;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing for prototype catch substr"; flow:established,from_server; content:"try{prototype|3b|}catch("; fast_pattern; content:"substr"; distance:0; classtype:trojan-activity; sid:2014661; rev:3;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole - Jar File Naming Algorithm"; flow:established,to_client; content:"Content-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; fast_pattern; pcre:"/=[0-9a-f]{8}\.jar/H"; file_data; content:"PK"; depth:2; classtype:trojan-activity; sid:2014664; rev:11;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic - Redirection to Kit - BrowserDetect with var stopit"; flow:established,from_server; file_data; content:"var stopit = BrowserDetect.browser"; distance:0; classtype:trojan-activity; sid:2014665; rev:5;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Injected Page Leading To Driveby"; flow:established,to_client; file_data; content:"/images.php?t="; distance:0; fast_pattern; 
content:"width=\"1\" height=\"1\""; within:100; classtype:trojan-activity; sid:2014666; rev:4;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Bleeding Life 2 GPLed Exploit Pack exploit request"; flow:to_server,established; content:"/load_module.php?e="; http_uri; classtype:trojan-activity; sid:2014705; rev:4;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Bleeding Life 2 GPLed Exploit Pack payload request (exploit successful!)"; flow:established,to_server; content:"/download_file.php?e="; http_uri; classtype:trojan-activity; sid:2014706; rev:3;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Bleeding Life 2 GPLed Exploit Pack payload download"; flow:established,from_server; content:"filename=payload.exe.exe|0d 0a|"; http_header; classtype:trojan-activity; sid:2014707; rev:4;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Request for Blackhole Exploit Kit Landing Page - src.php?case="; flow:established,to_server; content:"/src.php?case="; http_uri; pcre:"/\x2Fsrc\x2Ephp\x3Fcase\x3D[a-f0-9]{16}$/U"; classtype:trojan-activity; sid:2014725; rev:3;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FakeAV Landing Page - Viruses were found"; flow:established,from_server; file_data; content:">Viruses were found on your computer! 
$EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Redkit Java Exploit request to /24842.jar"; flow:established,to_server; content:"/24842.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014749; rev:1;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito/RedKit Exploit Kit vulnerable Java payload request to /1digit.html"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; urilen:7; content:".html"; http_uri; content:" Java/1"; http_header; pcre:"/\/[0-9]\.html$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014750; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Nuclear/Safe/CritX/FlashPack - Java Request - 32char hex-ascii"; flow:to_server,established; content:".jar"; offset:32; http_uri; fast_pattern; content:"Java/1"; http_user_agent; pcre:"/\/[a-z0-9]{32}\.jar$/U"; classtype:bad-unknown; sid:2014751; rev:8;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page JavaScript Split String Obfuscation of CharCode"; flow:established,to_client; content:"|22|h|22|+|22|arCode|22 3B|"; classtype:trojan-activity; sid:2014773; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Malicious PDF qweqwe="; flow:established,to_client; content:"> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole PDF Payload Request With Double Colon"; flow:established,to_server; content:"/content/"; http_uri; content:".php?f="; http_uri; content:"|3A 3A|"; http_uri; pcre:"/\x2Fcontent\x2F[a-z0-9]{1,6}\x2Ephp\x3Ff\x3D[0-9]{1,5}\x3A\x3A[0-9]{1,5}$/Ui"; classtype:trojan-activity; sid:2014776; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Try App.title Catch - May 22nd 2012"; flow:established,to_client; file_data; content:"try{app.title}catch("; reference:url,blog.spiderlabs.com/2012/05/catch-me-if-you-can-trojan-banker-zeus-strikes-again-part-2-of-5-1.html; 
classtype:trojan-activity; sid:2014801; rev:5;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fragus Exploit jar Download"; flow:established,to_server; content:"_.jar?"; http_uri; pcre:"/\w_\.jar\?[a-f0-9]{8}$/U"; classtype:trojan-activity; sid:2014802; rev:3;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown java_ara Bin Download"; flow:established,to_server; content:"java_ara&name="; http_uri; content:"/forum/"; http_uri; content:".php?"; http_uri; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014805; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Wordpress timthumb look-alike domain list RFI"; flow:to_server,established; content:"/timthumb.php?"; http_uri; content:!"webshot=1"; http_uri; distance:0; content:"src="; http_uri; distance:0; content:"http"; distance:0; http_uri; pcre:"/src\s*=\s*https?\x3A\x2f+[^\x2f]*?(?:(?:(?:(?:static)?flick|blogge)r|p(?:hotobucket|icasa)|wordpress|tinypic)\.com|im(?:g(?:\.youtube|ur)\.com|ageshack\.us)|upload\.wikimedia\.org)[^\x2f]/Ui"; reference:url,code.google.com/p/timthumb/issues/detail?id=212; classtype:web-application-attack; sid:2014846; rev:12;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Obfuscated Javascript Blob"; flow:established,to_client; file_data; content:"
 $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole RawValue Specific Exploit PDF"; flow:established,to_client; file_data; content:"%PDF-"; depth:5; content:"|2E|rawValue|5D 5B|0|5D 2E|split|28 27 2D 27 29 3B|"; distance:0; reference:cve,2010-0188; classtype:trojan-activity; sid:2014821; rev:6;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Malicious PDF asdvsa"; flow:established,from_server; file_data; content:"obj"; content:"<<"; within:4; content:"(asdvsa"; within:80; classtype:trojan-activity; sid:2014823; rev:5;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Script Profile ASD"; flow:established,to_client; file_data; content:"pre id=|22|asd|22|"; classtype:trojan-activity; sid:2014825; rev:5;)

# NOTE(review): the three inbound-attachment rules below key on a literal MIME
# parameter (name="FEDEX...zip", name="...UPS...zip", name="Post_Express_Label_...zip").
# A filename sent as an RFC 2047 encoded-word (name="=?UTF-8?B?...?=") or via an
# RFC 2231 name*= parameter does not contain that literal and will not match, so
# treat these as campaign-specific signatures rather than general attachment controls.
# In inline mode `drop` here cuts the SMTP session mid-DATA; the sending MTA will
# presumably queue and retry - confirm that behaviour is acceptable on $SMTP_SERVERS.
drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS FedEX Spam Inbound"; flow:established,to_server; content:"name=|22|FEDEX"; nocase; content:".zip|22|"; within:47; nocase; pcre:"/name=\x22FEDEX(\s|_|\-)?[a-z0-9\-_\.\s]{0,42}\.zip\x22/i"; classtype:trojan-activity; sid:2014827; rev:2;)

drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS UPS Spam Inbound"; flow:established,to_server; content:"name=|22|"; nocase; content:"UPS"; nocase; within:11; content:".zip|22|"; within:74; nocase; pcre:"/name=\x22([a-z_]{0,8})?UPS(\s|_|\-)?[a-z0-9\-_\.\s]{0,69}\.zip\x22/i"; classtype:trojan-activity; sid:2014828; rev:2;)

drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Post Express Spam Inbound"; flow:established,to_server; content:"name=|22|Post_Express_Label_"; nocase; content:".zip|22|"; within:15; nocase; pcre:"/name=\x22Post_Express_Label_[a-z0-9\-_\.\s]{0,10}\.zip\x22/i"; classtype:trojan-activity; sid:2014829; rev:1;)

drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS php with eval/gzinflate/base64_decode possible webshell"; flow:to_client,established; file_data; content:" $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS webshell used In timthumb attacks GIF98a 16129xX with PHP"; flow:to_client,established; file_data; content:"|0d 0a 0d 0a|GIF89a|01 3f|"; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Version 1.1 Archive Request"; flow:established,to_server; content:"/getfile.php?i="; http_uri; content:"&key="; http_uri; pcre:"/\x2Fgetfile\x2Ephp\x3Fi\x3D[0-9]\x26key\x3D[a-f0-9]{32}$/Ui"; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:trojan-activity; sid:2014851; rev:2;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sakura Exploit Kit Version 1.1 document.write Fake 404 - Landing Page"; flow:established,to_client; content:"document.write(|22|404|22 3B|"; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:trojan-activity; sid:2014852; rev:3;)

drop http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Version 1.1 Applet Value lxxt"; flow:established,to_client; file_data; content:"value=|22|lxxt>33"; fast_pattern:only; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:trojan-activity; sid:2014853; rev:4;)

# NOTE(review): very generic signature - any request URI ending in ".php?go=<single digit>"
# triggers it; the pcre only anchors the tail and there is no Host, User-Agent or flowbit
# constraint. With `drop` in inline mode this will block legitimate sites that use the same
# parameter name. Consider running it alert-only or gating it on et.exploitkitlanding
# before enforcing.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Likely TDS redirecting to exploit kit"; flow:established,to_server; content:".php?go="; http_uri; pcre:"/\.php\?go=\d$/U"; classtype:bad-unknown; sid:2014854; rev:4;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Fraudulent Paypal Mailing Server Response June 04 2012"; flow:from_server,established; content:"|0d 0a|Paypal"; fast_pattern; content:"|3a 20|Loading<"; distance:0; classtype:trojan-activity; sid:2014858; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Redirect to driveby sid=mix"; flow:to_server,established; content:"/go.php?sid=mix"; http_uri; classtype:bad-unknown; sid:2014866; rev:2;)

# NOTE(review): matches the serial-number bytes and CN strings of the revoked Microsoft
# "Enforced Licensing" chain (Flame, see references) inside an HTTP *response* (e.g. a
# signed binary served over HTTP). Because it is an `http` rule it does not inspect TLS
# handshakes; a certificate presented on 443 would need a separate tls-layer rule.
# The source is deliberately `any` rather than $EXTERNAL_NET, so HTTP servers inside
# $HOME_NET are covered as well - verify that is intended for your deployment.
drop http any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SN and CN From MS TS Revoked Cert Chain Seen"; flow:established,from_server; content:"|c1 00 8b 3c 3c 88 11 d1 3e f6 63 ec df 40|"; content:"Microsoft Root Authority"; distance:105; within:24; content:"Microsoft Enforced Licensing Intermediate PCA"; distance:0; content:"|61 1a 02 b7 00 02 00 00 00 12|"; distance:0; content:"Microsoft Enforced Licensing Registration Authority CA"; distance:378; within:54; reference:url,blog.crysys.hu/2012/06/the-flame-malware-wusetupv-exe-certificate-chain/; reference:url,rmhrisk.wpengine.com/?p=52; reference:url,msdn.microsoft.com/en-us/library/aa448396.aspx; reference:md5,1f61d280067e2564999cac20e386041c; classtype:bad-unknown; sid:2014870; rev:4;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript redirecting to Blackhole June 7 2012"; flow:established,from_server; file_data; content:"st=\"no3"; content:"3rxtc\"\;Date"; distance:12; within:60; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014873; rev:4;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Request to malicious SutraTDS - lonly= in cookie"; flow:established,to_server; content:" lonly="; fast_pattern:only; content:" lonly="; http_cookie; classtype:bad-unknown; sid:2014884; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SutraTDS (enema) used in Blackhole campaigns"; flow:to_server,established; content:"/top2.html"; http_uri; content:"|0d 0a|Host|3a| enema."; http_header; classtype:bad-unknown; sid:2014885; rev:2;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Try Prototype Catch June 11 2012"; flow:from_server,established; content:"try{"; content:"=prototype"; within:25; content:"|3b|}catch("; within:15; classtype:bad-unknown; sid:2014888; rev:5;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit - Java Exploit Requested - 5 digit jar"; flow:established,to_server; urilen:10; content:".jar"; http_uri; pcre:"/^\/[0-9]{5}\.jar$/U"; classtype:trojan-activity; sid:2014891; rev:1;)

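# FIX(review): aligned with the Blackhole jar-naming rule sid 2014664 earlier in this file.
# The raw "|0D 0A 0D 0A|PK" match only succeeds when the ZIP magic immediately follows the
# header block on the wire; a chunked response (chunk-size line first) or a gzip-encoded
# body (1f 8b first) never matched. file_data inspects the decoded response body instead,
# so "PK" at depth 2 is checked against the real file start. fast_pattern stays on the
# ".jar" header content. rev bumped locally to mark the change.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Jar File Naming Algorithm"; flow:established,to_client; content:"Content-Disposition: inline"; http_header; nocase; content:".jar"; http_header; fast_pattern; pcre:"/=[0-9a-f]{8}\.jar/H"; file_data; content:"PK"; depth:2; classtype:trojan-activity; sid:2014892; rev:3;)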

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Landing Page Received - applet and code"; flow:established,to_client; content:"<applet"; content:"code="; pcre:"/code=\"[a-z]\.[a-z][\.\"][ c]/"; classtype:trojan-activity; sid:2014895; rev:2;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Initial Blackhole Landing - UPS Number Loading.. Jun 15 2012"; flow:established,from_server; content:"|20|Number|3A 20 09|Loading|2E 2E 3C|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014907; rev:2;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Initial Blackhole Landing - Verizon Balance Due Jun 15 2012"; flow:established,from_server; content:"|20|Balance Due|3a| Loading|2c 20|please wait|2e 2e 2e|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014908; rev:3;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole obfuscated Java EXE Download by Vulnerable Version - Likely Driveby"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_client; content:"|0d 0a 9c 62 d8 66 66 66 66 54|"; classtype:trojan-activity; sid:2014909; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown - Java Request  - gt 60char hex-ascii"; flow:established,to_server; urilen:>60; content:"Java/1."; http_user_agent; fast_pattern; content:"Mozilla"; http_user_agent;  depth:7; pcre:"/[\/\?][a-z0-9]{60,66}[\;0-9]/Ui"; classtype:trojan-activity; sid:2014912; rev:6;)

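# FIX(review): same change as applied to the RedKit/Blackhole jar-naming rules (cf. sid
# 2014664): the raw "|0D 0A 0D 0A|PK" match misses chunked and gzip-encoded responses
# because the decoded ZIP magic is not adjacent to the header block on the wire. Moved
# the body check under file_data (decoded body, "PK" at depth 2). A 2-byte "PK" is a poor
# multi-pattern anchor, so fast_pattern was moved to the ".jar" header content.
# rev bumped locally to mark the change.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - JAR Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; fast_pattern; pcre:"/=[.\"]\w{8}\.jar/Hi"; file_data; content:"PK"; depth:2; classtype:trojan-activity; sid:2014913; rev:3;)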

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - PDF Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".pdf"; http_header; pcre:"/=\w{8}\.pdf/Hi"; content:"|0D 0A 0D 0A|%PDF"; fast_pattern; content:"/Filter/FlateDecode"; classtype:trojan-activity; sid:2014914; rev:5;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - Landing Page Received - applet archive=32CharHex"; flow:established,to_client; content:"<applet"; content:"archive=|22|"; pcre:"/^\?[a-f0-9]{32}\" /R"; classtype:trojan-activity; sid:2014915; rev:4;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Try Prototype Catch Jun 18 2012"; flow:established,from_server; content:"try{prototype"; content:"|3B|}catch("; distance:0; within:12; classtype:trojan-activity; sid:2014921; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Landing Page Requested .php?showtopic=6digit"; flow:established,to_server; flowbits:noalert; flowbits:set,ET.http.driveby.incognito.uri; urilen:25<>45; content:".php?showtopic="; http_uri; pcre:"/\.php\?showtopic=[0-9]{6}$/U"; classtype:trojan-activity; sid:2014922; rev:1;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Landing Page Received applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.incognito.uri; content:"<applet"; classtype:attempted-user; sid:2014923; rev:1;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Payload Requested /getfile.php by Java Client"; flow:established,to_server; content:"/getfile.php?"; http_uri; content:"Java/1"; http_header; classtype:attempted-user; sid:2014924; rev:1;)

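# FIX(review): the original header was "$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any"
# (server -> client) while flow:to_server and http_uri describe the client's request, so
# the two constraints contradicted each other and the rule could never fire. Direction
# corrected to client -> server and the protocol set to `http` like the neighbouring
# Java-request rules (sid 2014890/2014891/2014959). rev bumped locally to mark the change.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Java Malicious Jar /eeltff.jar"; flow:established,to_server; content:"/eeltff.jar"; http_uri; nocase; classtype:trojan-activity; sid:2014927; rev:2;)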

# NOTE(review): fires on *any* Java client fetching a .jar from dl.dropbox.com - there is
# no payload or naming constraint, and the classtype is bad-unknown rather than
# trojan-activity. Legitimate Java software can be distributed the same way, so expect
# false positives under `drop`; alert-only is the safer default for this one.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown - Java Request .jar from dl.dropbox.com"; flow:established,to_server; content:"dl.dropbox.com|0D 0A|"; http_header; content:" Java/1"; http_header; content:".jar"; http_uri; classtype:bad-unknown; sid:2014928; rev:1;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Request to .in FakeAV Campaign June 19 2012 exe or zip"; flow:established,to_server; content:"setup."; fast_pattern:only; http_uri; content:".in|0d 0a|"; http_header; pcre:"/\/[a-f0-9]{16}\/([a-z0-9]{1,3}\/)?setup\.(exe|zip)$/U"; pcre:"/^Host\x3a\s.+\.in\r?$/Hmi"; reference:url,isc.sans.edu/diary/+Vulnerabilityqueerprocessbrittleness/13501; classtype:trojan-activity; sid:2014929; rev:3;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript redirecting to badness 21 June 2012"; flow:established,from_server; file_data; content:"javascript'>var wow="; content:"Date&&"; distance:12; within:60; classtype:bad-unknown; sid:2014930; rev:4;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Please wait a moment Jun 20 2012"; flow:established,to_client; file_data; content:"Please wait a moment. You will be forwarded..."; classtype:trojan-activity; sid:2014931; rev:4;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Landing Page"; flow:established,to_client; content:"eval(function(p,a,c,"; content:"|7C|zzz|7C|"; distance:0; classtype:trojan-activity; sid:2014934; rev:3;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Landing Page Received - foxxysoftware"; flow:established,to_client; content:"|7C|foxxysoftware|7C|"; classtype:trojan-activity; sid:2014935; rev:4;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Landing Page Received - applet and 0px"; flow:established,to_client; content:"<applet"; content:"'0px'"; within:20; classtype:trojan-activity; sid:2014936; rev:3;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole RawValue Exploit PDF"; flow:established,to_client; file_data; content:"%PDF-"; depth:5; content:"|2E|rawValue|5D 5B|0|5D 2E|split|28 27 2D 27 29 3B 26 23|"; distance:0;  reference:cve,2010-0188; classtype:trojan-activity; sid:2014940; rev:5;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Base64 - Java Exploit Requested - /1Digit"; flow:established,to_server; urilen:2; content:" Java/1"; http_header; pcre:"/^\/[0-9]$/U"; classtype:trojan-activity; sid:2014959; rev:2;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Base64 - Landing Page Received - base64encode(GetOs()"; flow:established,to_client; content:"base64encode(GetOs()"; classtype:trojan-activity; sid:2014960; rev:2;)

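# FIX(review): fast_pattern was on "%PDF" - four bytes present in every PDF response - so
# the multi-pattern matcher handed every PDF download to full rule evaluation. Moved it
# to the rare "NEW PDF EXPLOIT" string; "%PDF" at depth 4 still anchors the file type.
# rev bumped locally to mark the change.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic - PDF with NEW PDF EXPLOIT"; flow:established,to_client; file_data; content:"%PDF"; depth:4; content:"NEW PDF EXPLOIT"; fast_pattern; classtype:trojan-activity; sid:2014966; rev:4;)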

# NOTE(review): shape-only signature - any GET for /<15 lowercase letters><digit>.php
# with a 21-byte URI matches; there is no Host, User-Agent, referer or flowbit constraint
# (compare sid 2014969 below, which at least requires a Java/1 User-Agent). Expect false
# positives from ordinary sites under `drop`; prefer alert-only or a flowbit gate.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS - Landing Page Requested - 15Alpha1Digit.php"; flow:established,to_server; urilen:21; content:"GET"; http_method; content:".php"; http_uri; pcre:"/^\/[a-z]{15}[0-9]\.php$/U"; classtype:trojan-activity; sid:2014967; rev:3;)

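# FIX(review): the pcre /^\/[a-z]{13,14}\.jar$/ admits URIs of exactly 18 or 19 bytes,
# but urilen:16<>19 excludes 19 on engines where the <> range is exclusive at both ends
# (Suricata's urilen/dsize range form has historically behaved that way - verify on your
# build), silently dropping the 14-letter case. 17<>20 covers 18 and 19 under either
# inclusive or exclusive semantics; the anchored pcre still bounds the exact shape.
# rev bumped locally to mark the change.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown - Java Exploit Requested - 13-14Alpha.jar"; flow:established,to_server; urilen:17<>20; content:".jar"; http_uri; fast_pattern; content:" Java/1"; http_header; pcre:"/^\/[a-z]{13,14}\.jar$/U"; classtype:trojan-activity; sid:2014969; rev:3;)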

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website"; flow:established,to_client; content:"setAttribute|28 22|src|22|, |22|http|3A|//|22| + "; nocase; content:"+ |22|/runforestrun?sid="; fast_pattern; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-062103-1655-99; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; classtype:trojan-activity; sid:2014970; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS JS.Runfore Malware Campaign Request"; flow:established,to_server; content:"/runforestrun?"; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-062103-1655-99; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; classtype:trojan-activity; sid:2014971; rev:3;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HeapLib JS Library"; flow:established,to_client; file_data; content:"heapLib.ie|28|"; nocase; reference:url,www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf; classtype:bad-unknown; sid:2014972; rev:3;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Landing Page Try Renamed Prototype Catch - June 28th 2012"; flow:established,to_client; file_data; content:"try {"; content:"=prototype|2d|"; within:80; content:"} catch"; within:80; reference:url,research.zscaler.com/2012/06/cleartripcom-infected-with-blackhole.html; classtype:trojan-activity; sid:2014981; rev:7;)

drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Googlebot UA POST to /uploadify.php"; flow:established,to_server; content:"POST"; http_method; content:"/uploadify.php"; http_uri; nocase; fast_pattern; content:"User-Agent|3a| Mozilla/5.0 (compatible|3b| Googlebot/2.1|3b|"; http_header; reference:url,blog.sucuri.net/2012/06/uploadify-uploadify-and-uploadify-the-new-timthumb.html; classtype:attempted-recon; sid:2014982; rev:2;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Scalaxy Jar file"; flow:to_client,established; file_data; content:"PK"; depth:2; content:"C1.class"; fast_pattern; distance:0; content:"C2.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014983; rev:3;)

# NOTE(review): direction is $HOME_NET -> $EXTERNAL_NET with flow:from_server, so the two
# rules below only fire when a web server *inside* $HOME_NET serves the injected marker,
# i.e. when one of your own sites has been compromised. Responses from infected external
# sites to internal browsers are not covered here; sid 2014970 and 2014998 in this file
# handle that direction ($EXTERNAL_NET -> $HOME_NET) for the same campaign.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response /*km0ae9gr6m*/ Jun 25 2012"; flow:established,from_server; file_data; content:"/*km0ae9gr6m*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014984; rev:5;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response /*qhk6sa6g1c*/ Jun 25 2012"; flow:established,from_server; file_data; content:"/*qhk6sa6g1c*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014985; rev:6;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website Landing Page Obfuscated String JavaScript DGA"; flow:established,to_client; file_data; content:"*/window.eval(String.fromCharCode("; isdataat:80,relative; content:!")"; within:80; pcre:"/\x2A[a-z0-9]{10}\x2A\x2Fwindow\x2Eeval\x28String\x2EfromCharCode\x28[0-9]{1,3}\x2C[0-9]{1,3}\x2C/sm"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014998; rev:3;)

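# FIX(review): the pcre contained an unescaped "/" between the second hex group and \w
# ("...{32,64}/\w$/U"). It only loaded because the engine takes the *last* slash as the
# closing delimiter; a parser that stops at the first unescaped slash would see "\w$/U"
# as the option string and reject the rule. Escaped it to match the first separator.
# rev bumped locally to mark the change.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS NuclearPack Java exploit binary get request"; flow:established,to_server; content:"GET"; http_method; nocase; content:"Java/1."; fast_pattern:only; http_user_agent; pcre:"/[a-f0-9]{32,64}\/[a-f0-9]{32,64}\/\w$/U"; classtype:trojan-activity; sid:2015000; rev:7;)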

drop  http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL 3"; flow:established,from_server; content:"|3c|applet"; fast_pattern; content:"56|3a|14|3a|14|3a|19|3a|27|3a|50|3a|50|3a|"; within:100; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015005; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack exploit pack /mix/ Java exploit"; flow:established,to_server; content:"/mix/"; http_uri; depth:5; content:".jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015010; rev:3;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Split String Obfuscation of Eval 1"; flow:established,to_client; file_data; content:"e|22|+|22|va"; pcre:"/(\x3D|\x5B\x22])e\x22\x2B\x22va/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015012; rev:5;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Split String Obfuscation of Eval 2"; flow:established,to_client; file_data; content:"e|22|+|22|v|22|+|22|a"; pcre:"/(\x3D|\x5B\x22])e\x22\x2B\x22v\x22\x2B\x22a/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015013; rev:5;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Split String Obfuscation of Eval 3"; flow:established,to_client; content:"ev|22|+|22|a"; pcre:"/(\x3D|\x5B\x22])ev\x22\x2B\x22a/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015014; rev:5;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito - Malicious PDF Requested - /getfile.php"; flow:established,to_server; content:"/getfile.php?i="; http_uri; content:"&key="; http_uri; content:!" Java/1"; http_header; classtype:trojan-activity; sid:2015024; rev:1;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack exploit pack /mix/ payload"; flow:established,to_server; content:"/mix/"; http_uri; depth:5; content:".php"; http_uri; content:"fid="; http_uri; content:"quote="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015011; rev:2;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Eval Variable Obfuscation 1"; flow:established,to_client; file_data; content:"=|22|ev|22 3B|"; content:"+|22|al|22|"; distance:0; pcre:"/\x2B\x22al\x22(\x3B|\x5D)/"; classtype:trojan-activity; sid:2015025; rev:7;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Eval Variable Obfuscation 2"; flow:established,to_client; file_data; content:"=|22|e|22 3B|"; content:"+|22|val|22|"; distance:0; pcre:"/\x2B\x22val\x22(\x3B|\x5D)/"; classtype:trojan-activity; sid:2015026; rev:7;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito - Java Exploit Requested - /gotit.php by Java Client"; flow:established,to_server; content:"/gotit.php?"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015030; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito - Payload Request - /load.php by Java Client"; flow:established,to_server; content:"/load.php?"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015031; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack - 32Char.php by Java Client"; flow:established,to_server; urilen:52<>130; content:".php?"; http_uri; content:" Java/1"; http_header; pcre:"/^\/[a-z]{1,10}\/[a-z0-9]{32}\.php\?/U"; classtype:trojan-activity; sid:2015042; rev:2;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS 09 July 2012 Blackhole Landing Page - Please Wait Loading"; flow:established,from_server; file_data; content:"Please wait, the page is loading..."; nocase; content:"x-java-applet"; distance:0; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015048; rev:3;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS c3284d Malware Network Compromised Redirect (comments 1)"; flow:established,to_client; file_data; content:"#c3284d#"; distance:0; content:"#/c3284d#"; distance:0; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015051; rev:4;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS c3284d Malware Network Compromised Redirect (comments 2)"; flow:established,to_client; file_data; content:"<!--c3284d-->"; distance:0; content:"<!--/c3284d-->"; distance:0; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015052; rev:4;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_s=1 - Landing Page - 10HexChar Title and applet"; flow:established,to_client; file_data; content:"<applet"; pcre:"/<title>[a-f0-9]{10}<\/title>/"; classtype:trojan-activity; sid:2015053; rev:6;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_s=1 - Landing Page - 100HexChar value and applet"; flow:established,to_client; file_data; content:"<applet"; content:"value=\""; pcre:"/value=.[a-f0-9]{100}/"; classtype:trojan-activity; sid:2015054; rev:5;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_s=1 - Payload Requested - 32AlphaNum?s=1 Java Request"; flow:established,to_server; urilen:37; content:"?s=1"; http_uri; content:" Java/1"; http_header; pcre:"/^\/[a-z0-9]{32}\?s=1$/Ui"; classtype:trojan-activity; sid:2015055; rev:2;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Landing Page Structure"; flow:established,to_client; content:"<html><body><script>"; content:"Math.floor"; fast_pattern; distance:0; content:"try{"; distance:0; content:"prototype"; within:20; content:"}catch("; within:20; classtype:trojan-activity; sid:2015056; rev:5;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS c3284d malware network iframe"; flow:established,to_client; file_data; content:"|22| name=|22|Twitter|22| scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|></iframe>"; classtype:trojan-activity; sid:2015057; rev:4;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackHole TKR Landing Page /last/index.php"; flow:established,to_server; content:"/last/index.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015475; rev:6;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Unknown TDS /top2.html"; flow:established,to_server; urilen:9; content:"/top2.html"; http_uri; fast_pattern:only; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015478; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Unknown TDS /rem2.html"; flow:established,to_server; urilen:10; content:"/rem2.html"; http_uri; fast_pattern:only; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015479; rev:3;)

drop http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Compromised WordPress Server pulling Malicious JS"; flow:established,to_server; content:"/net/?u="; http_uri; fast_pattern:only; content:"Host|3a| net"; http_header; content:"net.net"; http_header; distance:2; within:7; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.0)"; http_header; pcre:"/^Host\x3a\snet[0-4]{2}net\.net\r?\n$/Hmi"; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015480; rev:2;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Compromised Wordpress Install Serving Malicious JS"; flow:established,to_client; file_data; content:"var wow"; fast_pattern; content:"Date"; distance:0; within:200; pcre:"/var wow\s*=\s*\x22[^\x22\n]+?\x22\x3b[^\x3b\n]*?Date[^\x3b\n]*?\x3b/"; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015481; rev:5;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"chcyih.class"; classtype:trojan-activity; sid:2015486; rev:8;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (2)"; flow:established,to_server; content:"/java.jar"; http_uri; nocase; fast_pattern:only; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2015487; rev:10;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (3)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"NewClass1.class"; classtype:trojan-activity; sid:2015488; rev:9;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit PluginDetect Rename Saigon"; flow:established,from_server; content:"var Saigon={version|3a 22|"; classtype:trojan-activity; sid:2015516; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS .HTM being served from WP 1-flash-gallery Upload DIR (likely malicious)"; flow:established,to_server; content:"/wp-content/uploads/fgallery/"; fast_pattern:11,18; nocase; http_uri; content:".htm"; nocase; distance:0; http_uri; classtype:bad-unknown; sid:2015517; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS .PHP being served from WP 1-flash-gallery Upload DIR (likely malicious)"; flow:established,to_server; content:"/wp-content/uploads/fgallery/"; fast_pattern:11,18; nocase; http_uri; content:".php"; nocase; distance:0; http_uri; classtype:bad-unknown; sid:2015518; rev:5;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS c3284d Malware Network Compromised Redirect (comments 3)"; flow:established,from_server; file_data; content:"/*c3284d*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2015524; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake-AV Conditional Redirect (Blackmuscats)"; flow:established,to_server; content:"/blackmuscats?"; fast_pattern:only; http_uri; reference:url,blog.sucuri.net/2012/07/blackmuscats-conditional-redirections-to-faveav.html/; classtype:trojan-activity; sid:2015553; rev:3;)

drop tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cridex Self Signed SSL Certificate (TR Some-State Internet Widgits)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"|55 04 06 13 02|TR"; content:"|55 04 08 13 0a|Some-State"; distance:0; content:"|13 18|Internet Widgits Pty"; within:35; classtype:trojan-activity; sid:2015559; rev:5;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Yszz JS/Encryption (Used in KaiXin Exploit Kit)"; flow:to_client,established; file_data; content:"|2f 2a|Yszz 0.7 vip|2a 2f|"; fast_pattern:only; nocase; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2015573; rev:2;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DoSWF Flash Encryption (Used in KaiXin Exploit Kit)"; flow:to_client,established; file_data; content:"CWS"; depth:3; content:"<doswf version="; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2015574; rev:5;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Java Class"; flow:to_client,established; file_data; content:"Gond"; pcre:"/^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class/Ri"; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2015575; rev:11;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript redirecting to badness August 6 2012"; flow:established,from_server; content:"text/javascript'>var wow="; content:"document.cookie.indexOf"; distance:0; within:70; classtype:bad-unknown; sid:2015578; rev:2;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Comments"; flow:established,to_client; file_data; content:"FoxxySF Website Copier"; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015583; rev:4;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Comments(2)"; flow:established,to_client; content:"Added By FoxxySF"; fast_pattern:only; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015584; rev:4;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Hit Counter Access"; flow:to_server,established; content:"/wtf/callback=getip"; fast_pattern:only; http_uri; nocase; content:".php?username="; nocase; http_uri; content:"&website="; nocase; http_uri; content:"foxxysoftware.org"; http_header; nocase; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015585; rev:2;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Redirection Page Try Math.Round Catch - 7th August 2012"; flow:established,to_client; file_data; content:"try{"; content:"=Math.round|3B|}catch("; distance:0; classtype:trojan-activity; sid:2015586; rev:5;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sutra TDS /simmetry"; flow:to_server,established; content:"/simmetry?"; fast_pattern:only; http_uri; reference:url,blog.sucuri.net/2012/08/very-good-malware-redirection.html; classtype:trojan-activity; sid:2015593; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Java Exploit Requested - /spl_data/"; flow:established,to_server; content:"/spl_data/"; http_uri; fast_pattern:only; content:" Java/"; http_header; classtype:trojan-activity; sid:2015603; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Java Exploit Requested .jar Naming Pattern"; flow:established,to_server; content:"-a."; http_uri; content:".jar"; http_uri; fast_pattern:only; content:" Java/"; http_header; pcre:"/\/[a-z]{4,20}-a\.[a-z]{4,20}\.jar$/U"; classtype:trojan-activity; sid:2015604; rev:2;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Landing Page Received"; flow:established,to_client; file_data; content:"application/x-java-applet"; content:"width=|22|0|22| height=|22|0|22|>"; fast_pattern; within:100; classtype:trojan-activity; sid:2015605; rev:6;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole/Cool jnlp URI Struct"; flow:established,to_server; content:".jnlp"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.jnlp(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015619; rev:4;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Hwehes String - August 13th 2012"; flow:established,to_client; file_data; content:"hwehes"; content:"hwehes"; distance:0; content:"hwehes"; distance:0; content:"hwehes"; distance:0; classtype:trojan-activity; sid:2015622; rev:4;)

# NOTE(review): the two rules below are a matched pair, but their msg labels and their
# http_header content appear swapped: sid 2015646 is labelled "/form" yet matches
# "/search|0d 0a|", while sid 2015647 is labelled "/search" yet matches "/form|0d 0a|".
# Detection is unaffected (the content/pcre pair is what fires), but the alert text will
# mislead an analyst triaging which header value was seen. Confirm the intended pairing
# and swap either the msg strings or the content matches; bump rev when doing so.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit seen with O1/O2.class /form"; flow:established,to_server; content:"/L"; http_uri; depth:2; content:"/search|0d 0a|"; http_header; fast_pattern:only; pcre:"/^\/L[a-zA-Z0-9]+\/[a-zA-Z0-9\x5f]+\?[a-z]+=[A-Za-z0-9\x2e]{10,}$/Um"; classtype:trojan-activity; sid:2015646; rev:4;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit seen with O1/O2.class /search"; flow:established,to_server; content:"/L"; http_uri; depth:2; content:"/form|0d 0a|"; http_header; fast_pattern:only; pcre:"/^\/L[a-zA-Z0-9]+\/[a-zA-Z0-9\x5f]+\?[a-z]+=[A-Za-z0-9\x2e]{10,}$/Um"; classtype:trojan-activity; sid:2015647; rev:4;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Malicious Redirect n.php h=*&s=*"; flow:to_server,established; content:"/n.php?h="; fast_pattern:only; http_uri; content:"&s="; http_uri; content:".rr.nu|0d 0a|"; http_header; pcre:"/\/n\.php\?h=\w*?&s=\w{1,5}$/Ui"; reference:url,0xicf.wordpress.com/category/security-updates/; reference:url,support.clean-mx.de/clean-mx viruses.php?domain=rr.nu&sort=first%20desc; reference:url,urlquery.net/report.php?id=111302; classtype:attempted-user; sid:2015669; rev:10;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Metasploit Java Payload"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"Payload.class"; nocase; fast_pattern:only; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015657; rev:4;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Metasploit Java Exploit"; flow:established,to_client; file_data; flowbits:isset,ET.http.javaclient; content:"xploit.class"; nocase; fast_pattern:only; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015658; rev:5;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole Admin bhadmin.php access Outbound"; flow:established,to_server; content:"/bhadmin.php"; http_uri; fast_pattern:only; classtype:attempted-user; sid:2015659; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS - Blackhole Admin Login Outbound"; flow:established,to_server; content:"AuthPass="; http_client_body; content:"AuthLanguage="; http_client_body; content:"AuthTemplate="; http_client_body; classtype:attempted-user; sid:2015660; rev:2;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Admin bhadmin.php access Inbound"; flow:established,to_server; content:"/bhadmin.php"; http_uri; fast_pattern:only; classtype:attempted-user; sid:2015661; rev:3;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS - Blackhole Admin Login Inbound"; flow:established,to_server; content:"AuthPass="; http_client_body; content:"AuthLanguage="; http_client_body; content:"AuthTemplate="; http_client_body; classtype:attempted-user; sid:2015662; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - Java"; flow:established,to_server; urilen:>85; content:"/1."; offset:75; depth:3; http_uri; content:"|2e|"; distance:1; within:1; http_uri; content:"|2e|"; distance:1; within:1; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/1\.[4-7]\.[0-2]\.[0-9]{1,2}\//U"; classtype:attempted-user; sid:2015666; rev:4;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - null"; flow:established,to_server; urilen:85; content:"/null/null"; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/null\/null$/U"; classtype:attempted-user; sid:2015667; rev:2;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit/Other - Landing Page - 100HexChar value and applet"; flow:established,to_client; file_data; content:"<applet"; nocase; content:"value"; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]?[a-f0-9]{100}/R"; classtype:attempted-user; sid:2015668; rev:6;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit suspected Blackhole"; flow:established,to_server; content:".js?"; http_uri; fast_pattern; urilen:33<>34; pcre:"/\/\d+\.js\?\d+&[a-f0-9]{16}$/U"; classtype:bad-unknown; sid:2015670; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET 1342 (msg:"ET CURRENT_EVENTS Unknown Exploit Kit redirect"; flow:established,to_server; urilen:35; content:"GET"; http_method; content:"/t/"; depth:3; http_uri; pcre:"/^\/t\/[a-f0-9]{32}/Ui"; content:"|0d 0a|Host|3a| "; http_header; content:"|3a|1342|0d 0a|"; http_header; fast_pattern:only; classtype:bad-unknown; sid:2015672; rev:5;)

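# Review fix: the original rule carried content:"!.class", which is a literal match on
# the eight-byte string "!.class" inside the URI, not a negated match. The sibling
# exclusion in the same rule is written correctly as content:!".jar", so the intent is
# clearly to exclude .class requests from this Java payload-download signature. With
# the negation inside the quotes the rule could only fire on URIs that literally
# contain "!.class", i.e. it was effectively dead. The negation operator now sits
# outside the quotes, matching the .jar exclusion. sid/rev are left as found; bump rev
# if this corrected rule is redistributed.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit Payload Download Request - Sep 04 2012"; flow:established,to_server; content:" Java/"; http_header; fast_pattern:only; urilen:>24; content:!".jar"; nocase; http_uri; content:!".class"; nocase; http_uri; pcre:"/\/[A-Z]{20,}\?[A-Z]=\d$/Ui"; classtype:trojan-activity; sid:2015676; rev:3;)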

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sakura exploit kit exploit download request /view.php"; flow:established,to_server; content:"/view.php?i="; http_uri; fast_pattern:only; pcre:"/\/view.php\?i=\d&key=[0-9a-f]{32}$/U"; classtype:trojan-activity; sid:2015678; rev:2;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probable Sakura exploit kit landing page with obfuscated URLs"; flow:established,from_server; content:"applet"; content:"myyu?44"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015679; rev:2;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Nov 09 2012"; flow:established,from_server; file_data; content:"applet"; content:"0b0909041f"; fast_pattern; within:200; classtype:bad-unknown; sid:2015680; rev:9;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit with fast-flux like behavior static initial landing - Sep 05 2012"; flow:established,to_server; content:"/PJeHubmUD"; http_uri; classtype:trojan-activity; sid:2015682; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit with fast-flux like behavior hostile java archive - Sep 05 2012"; flow:established,to_server; content:"pqvjdujfllkwl.jar"; http_uri; classtype:trojan-activity; sid:2015683; rev:2;)

drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible Remote PHP Code Execution (php.pjpg)"; flow:established,to_server; content:"POST"; http_method; content:".php.pjpg"; fast_pattern:only; http_uri; nocase; reference:url,exploitsdownload.com/search/Arbitrary%20File%20Upload/27; classtype:web-application-attack; sid:2015688; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY NeoSploit - Java Exploit Requested"; flow:established,to_server; urilen:>89; content:".jar"; http_uri; fast_pattern:only; content:" Java/1"; http_header; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.jar$/U"; classtype:attempted-user; sid:2015689; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS NeoSploit - Obfuscated Payload Requested"; flow:established,to_server; urilen:>89; content:" Java/1"; http_header; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/[0-9]{7}$/U"; classtype:attempted-user; sid:2015690; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS NeoSploit - PDF Exploit Requested"; flow:established,to_server; urilen:>89; content:".pdf"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.pdf$/U"; classtype:attempted-user; sid:2015691; rev:2;)

# NOTE(review): sid 2015693 duplicates sid 2015666 and sid 2015694 duplicates sid 2015667
# (same msg, same direction, same urilen and same pcre). The older pair anchors its
# content matches with offset/depth and distance/within; this pair relies on
# fast_pattern:only and leaves the anchoring to the pcre. Both pairs will fire on the
# same request, producing two alerts per event. Retire one pair (or disable it with a
# leading "#") so analysts are not counting the same hit twice.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - Java"; flow:established,to_server; urilen:>85; content:"/1."; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/1\.[4-7]\.[0-2]\.[0-9]{1,2}\//U"; classtype:attempted-user; sid:2015693; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - null"; flow:established,to_server; urilen:85; content:"/null/null"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/null\/null$/U"; classtype:attempted-user; sid:2015694; rev:2;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic - 8Char.JAR Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; fast_pattern:only; pcre:"/[=\"]\w{8}\.jar/Hi"; file_data; content:"PK"; within:2; classtype:attempted-user; sid:2015695; rev:4;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole2 - URI Structure"; flow:established,to_server; urilen:>122; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[a-z]{2,12}=[a-f0-9]{64}&[a-z]{2,12}=/U"; classtype:attempted-user; sid:2015700; rev:4;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DoSWF Flash Encryption Banner"; flow:to_client,established; file_data; content:"FWS"; within:3; content:"DoSWF"; distance:0; classtype:attempted-user; sid:2015704; rev:6;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole2 - Landing Page Received"; flow:established,to_client; file_data; content:"<applet"; content:"<param"; distance:0; content:"value="; distance:0; pcre:"/^.{1,5}[a-f0-9]{100}/R"; classtype:trojan-activity; sid:2015710; rev:2;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql Exploit Kit 09/25/12 Sending Jar"; flow:established,from_server; pcre:"/^[a-zA-Z]{5}=[a-z0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}$/C"; content:"/x-java-archive|0d 0a|"; fast_pattern:only; http_header; file_data; content:"PK"; within:2; classtype:trojan-activity; sid:2015724; rev:10;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Access To mm-forms-community upload dir (Outbound)"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; http_uri; fast_pattern:20,20; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015726; rev:2;)

drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Access To mm-forms-community upload dir (Inbound)"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; http_uri; fast_pattern:20,20; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015727; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sakura exploit kit exploit download request /sarah.php"; flow:established,to_server; content:"/sarah.php?s="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015733; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sakura exploit kit exploit download request /nano.php"; flow:established,to_server; content:"/nano.php?x="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015734; rev:3;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probable Sakura Java applet with obfuscated URL Sep 21 2012"; flow:established,from_server; file_data; content:"applet"; content:"nzzv@55"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015735; rev:3;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql obfuscated javascript --- padding"; flow:established,from_server; file_data; content:"d---o---c---u---m---"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015738; rev:3;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING - Redirect To Blackhole - Push JavaScript"; flow:established,to_client; file_data; content:".push( 'h' )\;"; content:".push( 't' )\;"; within:20; classtype:trojan-activity; sid:2015740; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack Exploit Kit Landing Page (2)"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".mine.nu|0d 0a|"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015758; rev:2;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (4)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"hw.class"; content:"test.class"; classtype:trojan-activity; sid:2015759; rev:7;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit 32-32 byte hex initial landing"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; isdataat:64,relative; content:"="; http_uri; distance:32; within:1; pcre:"/\/\?[a-f0-9]{32}=[^&]+&[a-f0-9]{32}=[^&]+$/U"; classtype:trojan-activity; sid:2015781; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Other Java Exploit Kit 32-32 byte hex hostile jar"; flow:established,to_server; content:".jar"; http_uri; fast_pattern:only; urilen:70; pcre:"/\/[a-f0-9]{32}\/[a-f0-9]{32}\.jar$/U"; classtype:trojan-activity; sid:2015782; rev:5;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS BegOp Exploit Kit Payload"; flow:established,from_server; content:"Content-Type|3a| image/"; http_header; fast_pattern:only; file_data; content:"M"; within:1; content:!"Z"; within:1; content:"Z"; distance:1; within:1; classtype:trojan-activity; sid:2015783; rev:5;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BegOpEK - TDS - icon.php"; flow:established,to_server; content:"/icon.php"; urilen:9; classtype:trojan-activity; sid:2015789; rev:2;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS BegOpEK - Landing Page"; flow:established,to_client; file_data; content:"<applet"; content:"Ini.class"; distance:0; within:50; classtype:trojan-activity; sid:2015788; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole/Cool eot URI Struct"; flow:to_server,established; content:".eot"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.eot(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015787; rev:3;)

drop http $HOME_NET any -> 209.139.208.0/23 $HTTP_PORTS (msg:"ET CURRENT_EVENTS Scalaxy Secondary Landing Page 10/11/12"; flow:to_server,established; content:"/q"; http_uri; depth:2; pcre:"/^\/q[a-zA-Z0-9+-]{3,14}\/[a-zA-Z0-9+-]{3,16}\?[a-z]{1,6}=[a-zA-Z0-9+-\._]{7,18}$/U"; classtype:trojan-activity; sid:2015792; rev:2;)

drop http $HOME_NET any -> 209.139.208.0/23 any (msg:"ET CURRENT_EVENTS Scalaxy Java Exploit 10/11/12"; flow:to_server,established; content:"/m"; http_uri; depth:2; pcre:"/^\/m[a-zA-Z0-9-_]{3,14}\/[a-zA-Z0-9-_]{3,17}$/U"; classtype:trojan-activity; sid:2015793; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole/Cool Jar URI Struct"; flow:to_server,established; content:".jar"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.jar(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015796; rev:6;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (3)"; flow:to_server,established; content:"/ngen/controlling/"; fast_pattern:only; http_uri; content:".php"; http_uri; classtype:trojan-activity; sid:2015797; rev:4;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole/Cool EXE URI Struct"; flow:to_server,established; content:".exe"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.exe(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015798; rev:5;)

drop http $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (5)"; flow:to_server,established; content:"/forum/links/column.php"; http_uri; nocase; content:".ru:8080|0d 0a|"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015802; rev:3;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Blackhole/Cool Landing URI Struct"; flow:to_server,established; content:".php"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.php(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; reference:url,fortknoxnetworks.blogspot.com/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html; classtype:trojan-activity; sid:2015803; rev:8;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS BlackHole 2 PDF Exploit"; flow:established,from_server; file_data; content:"/Index[5 1 7 1 9 4 23 4 50 3]"; flowbits:isset,ET.pdf.in.http; reference:url,fortknoxnetworks.blogspot.com/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html; classtype:trojan-activity; sid:2015804; rev:4;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 10/17/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern; distance:0; content:"Mac.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015812; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole2 Non-Vulnerable Client Fed Fake Flash Executable"; flow: established,to_server; content:"/adobe/update_flash_player.exe"; http_uri; reference:url,research.zscaler.com/2012/10/blackhole-exploit-kit-v2-on-rise.html; classtype:trojan-activity; sid:2015817; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack Exploit Kit .homeip. Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".homeip."; http_header; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015818; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack Exploit Kit .homelinux. Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".homelinux."; http_header; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015819; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 2.0 Binary Get Request"; flow:established,to_server; content:"GET"; http_method; content:"Java/1."; http_user_agent;  content:".php?"; http_uri; pcre:"/\.php\?\w{2,8}\=(0[0-9a-b]|3[0-9]){5,32}\&\w{2,9}\=(0[0-9a-b]|3[0-9]){10}\&\w{1,8}\=\d{2}\&\w{1,8}\=\w{1,8}\&\w{1,8}\=\w{1,8}$/U"; reference:url,fortknoxnetworks.blogspot.be/2012/10/blackhole-20-binary-get-request.html; classtype:successful-user; sid:2015836; rev:6;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Landing Page"; flow:established,to_server; content:"/beacon/"; http_uri; fast_pattern:only; pcre:"/\/beacon\/[a-f0-9]{8}\.htm$/U"; classtype:successful-user; sid:2015840; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Landing Page"; flow:established,to_server; content:"/Applet.jar"; http_uri; fast_pattern:only; pcre:"/^\/Applet\.jar$/U"; classtype:successful-user; sid:2015841; rev:3;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NeoSploit Jar with three-letter class names"; flow:established,from_server; file_data; content:"PK"; depth:2; content:".classPK"; pcre:"/(\0[a-z]{3}\.classPK.{43}){4}/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015846; rev:3;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO/NeoSploit possible second stage landing page"; flow:established,to_server; urilen:>25; content:"/50a"; http_uri; depth:4; pcre:"/^\/50a[a-f0-9]{21}\/(((\d+,)+\d+)|null)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015847; rev:5;)

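# sid 2015848: the pcre used `[^\r\n]` with no quantifier, so exactly one character was allowed between
# "Host:" and ".usps.com."; a normal header ("Host: " followed by a hostname prefix) could never satisfy it,
# leaving the rule effectively dead. The run of non-CRLF characters is now zero-or-more (a strict superset
# of the old match). rev bumped.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Imposter USPS Domain"; flow:established,to_server; content:".usps.com."; http_header; nocase; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]*\.usps\.com\./Hi"; classtype:trojan-activity; sid:2015848; rev:3;)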

drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2012-1723 Path (Seen in Unknown EK) 10/29/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"cve1723/"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015849; rev:3;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura/RedKit obfuscated URL"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^((?!<\/applet>).)+?\/.{1,12}\/.{1,12}\x3a.{1,12}p.{1,12}t.{1,12}t.{1,12}h/Rs"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015858; rev:3;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2012-1723 Attacker.class (Seen in Unknown EK) 11/01/12"; flow:to_client,established; file_data; content:"<applet"; content:"Attacker.class"; distance:0; classtype:trojan-activity; sid:2015859; rev:4;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole request for file containing Java payload URIs (2)"; flow:established,to_server; content:"php?fbebf=nt34t4"; http_uri; content:"|29 20|Java/"; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015863; rev:6;)

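# sid 2015865: msg typo "Self-Singed" corrected to "Self-Signed" so the alert surfaces when analysts search
# for self-signed certificate events. Matching logic unchanged; rev bumped.
drop tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Self-Signed SSL Cert Used in Conjunction with Neosploit"; flow:from_server,established; content:"|16 03 01|"; content:"|00 be d3 cf b1 fe a1 55 bf|"; distance:0; content:"webmaster@localhost"; distance:0; content:"|30 81 89 02 81 81 00 ac 12 38 fc 5c bf 7c 8c 18 e7 db 09 dc|"; distance:0; classtype:trojan-activity; sid:2015865; rev:3;)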

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"/Standard"; content:"/Length"; within:200; pcre:"/^[\r\n\s]+(\d{4}|(?!(\d{1,2}[\r\n\s]|1[0-2][0-8][\r\n\s])))((?!>>).)+\/R\s+3[\r\n\s>]/Rs"; classtype:trojan-activity; sid:2015866; rev:4;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"/Standard"; content:"/R 3"; within:200; pcre:"/^[\r\n\s]+((?!>>).)+?\/Length[\r\n\s]+(\d{4}|(?!(\d{1,2}[\r\n\s]|1[0-2][0-8][\r\n\s])))/Rs"; classtype:trojan-activity; sid:2015867; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole request for file containing Java payload URIs (3)"; flow:established,to_server; content:".php?asvvab=125qwafdsg"; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015871; rev:4;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Cool Exploit Kit Requesting Payload"; flow:established,to_server; content:"/f.php?k="; http_uri; fast_pattern:only; pcre:"/^\/[a-z]\/f\.php\?k=\d(&e=\d&f=\d)?$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015873; rev:5;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 09 Nov 12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern:only; content:"Anony"; pcre:"/^(mous)?\.class/R"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015876; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 16/32-hex/a-z.php Landing Page URI"; flow:established,to_server; content:".php"; http_uri; content:"/"; http_uri; distance:-6; within:1; pcre:"/\/[a-f0-9]{16}([a-f0-9]{16})?\/[a-z]\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015877; rev:6;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Landing Page NOP String"; flow:established,to_client; file_data; content:" == -1 {|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0"; distance:0; reference:url,ondailybasis.com/blog/?p=1610; classtype:trojan-activity; sid:2015881; rev:3;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Landing Page parseInt Javascript Replace"; flow:established,to_client; file_data; content:" = parseInt("; distance:0; content:".replace(|2F 5C 2E 7C 5C 5F 2F|g, ''))|3B|"; within:30; reference:url,ondailybasis.com/blog/?p=1610; classtype:trojan-activity; sid:2015882; rev:2;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit Campaign SetAttribute Java Applet"; flow:established,to_client; file_data; content:"document.createElement(|22|applet|22|)|3B|"; fast_pattern:13,20; distance:0; nocase; content:".setAttribute(|22|code"; distance:0; nocase; content:".class|22 29 3B|"; nocase; within:50; content:".setAttribute(|22|archive"; nocase; distance:0; content:"document.createElement|22|param"; nocase; distance:0; reference:url,ondailybasis.com/blog/?p=1593; classtype:trojan-activity; sid:2015883; rev:2;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritXPack Landing Page"; flow:established,to_client; file_data; content:"<applet"; content:"a.Test"; fast_pattern; classtype:trojan-activity; sid:2015884; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack - No Java URI - Dot.class"; flow:established,to_server; urilen:10; content:"/Dot.class"; http_uri; classtype:trojan-activity; sid:2015885; rev:2;)

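# sid 2015886: msg said "CirtXPack" while its sibling sid 2015885 says "CritXPack", splitting one kit across
# two names in alert searches. The "/a.Test" content is also bound to the URI buffer (http_uri) like
# sid 2015885, instead of being matched against the raw request. rev bumped.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack - No Java URI - /a.Test"; flow:established,to_server; urilen:7; content:"/a.Test"; http_uri; classtype:trojan-activity; sid:2015886; rev:3;)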

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Exploit Kit 32 byte hex with trailing digit java payload request"; flow:established,to_server; urilen:>32; content:"Java/1."; http_user_agent; pcre:"/^\/(?:[\/_]*?[a-f0-9][\/_]*?){32}\/\d+?$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015888; rev:8;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK - Landing Page - FlashExploit"; flow:established,to_client; file_data; content:"FlashExploit()"; classtype:trojan-activity; sid:2015890; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible TDS Exploit Kit /flow redirect at .ru domain"; flow:established,to_server; urilen:<12; content:"/flow"; fast_pattern; depth:5; http_uri; content:".php"; distance:1; within:5; http_uri; content:"GET"; http_method; content:".ru|0d 0a|"; http_header; pcre:"/^\/flow\d{1,2}\.php$/U"; classtype:bad-unknown; sid:2015897; rev:3;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) - Landing Page - Java ClassID and 32HexChar.jar"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; content:".jar"; pcre:"/[a-f0-9]{32}\.jar/"; classtype:trojan-activity; sid:2015901; rev:3;)

# NOTE(review): sid 2015905 carries an empty `content:""` as its third match; Suricata refuses to load a
# rule with an empty content keyword, so this line will fail at parse time as written. The empty string
# looks like an extraction loss (the original value was presumably the closing title tag) -- TODO confirm
# against the upstream copy of this rule before enabling it.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WSO - WebShell Activity - WSO Title"; flow:established,to_client; file_data; content:"<title>"; content:" - WSO "; fast_pattern; distance:0; content:""; distance:0; classtype:attempted-user; sid:2015905; rev:2;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS WSO - WebShell Activity - POST structure"; flow:established,to_server; content:"POST"; http_method; content:"&c="; http_client_body; content:"&p1="; http_client_body; content:"&p2="; http_client_body; content:"&p3="; http_client_body; fast_pattern; pcre:"/a=(?:S(?:e(?:lfRemove|cInfo)|tringTools|afeMode|ql)|(?:Bruteforc|Consol)e|FilesMan|Network|Logout|Php)/P"; classtype:attempted-user; sid:2015906; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BoA -Account Phished"; flow:established,to_server; content:"POST"; http_method; content:"creditcard="; http_client_body; content:"expyear="; http_client_body; content:"ccv="; http_client_body; content:"pin="; http_client_body; classtype:bad-unknown; sid:2015907; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BoA - PII Phished"; flow:established,to_server; content:"POST"; http_method; content:"&phone3="; http_client_body; content:"&ssn3="; http_client_body; content:"&dob3="; http_client_body; classtype:bad-unknown; sid:2015908; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Bank of America Phish Oct 1 M1"; flow:established,to_server; content:"POST"; http_method; content:"reason="; nocase; depth:7; fast_pattern; http_client_body; content:"Access_ID="; nocase; distance:0; http_client_body; content:"Current_Passcode="; nocase; distance:0; http_client_body; classtype:bad-unknown; sid:2015909; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - AOL Creds"; flow:established,to_server; content:"POST"; http_method; content:"aoluser="; http_client_body; content:"aolpassword="; http_client_body; classtype:bad-unknown; sid:2015910; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - Yahoo Creds"; flow:established,to_server; content:"POST"; http_method; content:"yahoouser="; http_client_body; content:"yahoopassword="; http_client_body; classtype:bad-unknown; sid:2015911; rev:4;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - Gmail Creds"; flow:established,to_server; content:"POST"; http_method; content:"gmailuser="; http_client_body; content:"gmailpassword="; http_client_body; classtype:bad-unknown; sid:2015912; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - Hotmail Creds"; flow:established,to_server; content:"POST"; http_method; content:"hotmailuser="; http_client_body; content:"hotmailpassword="; http_client_body; classtype:bad-unknown; sid:2015913; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - Other Creds"; flow:established,to_server; content:"POST"; http_method; content:"otheruser="; http_client_body; content:"otherpassword="; http_client_body; classtype:bad-unknown; sid:2015914; rev:4;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Spam Campaign JPG CnC Link"; flow:established,to_client; file_data; content:"he1l0|3A|hxxp|3A|//"; distance:0; content:".jpg"; distance:0; reference:url,blog.fireeye.com/research/2012/11/more-phish.html; classtype:trojan-activity; sid:2015921; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Glazunov Java exploit request /9-10-/4-5-digit"; flow:established,to_server; content:"|29 20|Java/"; http_user_agent; urilen:14<>18; pcre:"/^\/\d{9,10}\/\d{4,5}$/U";  flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015922; rev:6;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Glazunov Java payload request /5-digit"; flow:established,to_server; content:"|29 20|Java/"; http_user_agent; urilen:6; pcre:"/^\/\d{5}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015923; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Exploit Kit Java Request to Recent jar (1)"; flow:established,to_server; content:"/332.jar"; fast_pattern:only; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015928; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Exploit Kit Java Request to Recent jar (2)"; flow:established,to_server; content:"/887.jar"; fast_pattern:only; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015929; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Exploit Kit Vulnerable Java Payload Request URI (1)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/33.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015930; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Exploit Kit vulnerable Java Payload Request to URI (2)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/41.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015931; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (7)"; flow:to_server,established; content:"/news/enter/2012-1"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/\/news\/enter\/2012-1[0-2]-([0-2][0-9]|3[0-1])\.php/U"; classtype:trojan-activity; sid:2015932; rev:4;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole/Cool txt URI Struct"; flow:to_server,established; content:".txt"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.txt(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015933; rev:6;)

drop http $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear Exploit Kit HTTP Off-port Landing Page Request"; flow:established,to_server; urilen:35; content:"/t/"; depth:3; http_uri; pcre:"/\/t\/[a-f0-9]{32}$/U"; classtype:trojan-activity; sid:2015936; rev:5;)

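# sid 2015938: msg named the path "Login.php" while the http_uri content actually inspected is
# "/Logon.php?LOB=RBG"; the msg now describes what the rule matches. Matching logic unchanged; rev bumped.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Banking PHISH - Logon.php?LOB=RBG"; flow:established,to_server; content:"/Logon.php?LOB=RBG"; http_uri; content:"&_pageLabel=page_"; http_uri; classtype:trojan-activity; sid:2015938; rev:3;)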

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack Exploit Kit .blogsite. Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".blogsite."; http_header; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015939; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss - Java Exploit - Recent Jar (1)"; flow:established,to_server; content:"/amor"; http_uri; content:".jar"; http_uri; within:6; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/amor\d{0,2}\.jar/U"; classtype:trojan-activity; sid:2015941; rev:4;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss - Java Exploit - Recent Jar (2)"; flow:established,to_server; content:"/java7.jar?r="; http_uri; content:"Java/1."; http_user_agent; fast_pattern:only; classtype:trojan-activity; sid:2015942; rev:4;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Crimeboss - Java Exploit - Recent Jar (3)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"amor.class"; distance:0; classtype:trojan-activity; sid:2015943; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss - Stats Access"; flow:established,to_server; content:".php?action=stats_access"; http_uri; classtype:trojan-activity; sid:2015944; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss - Stats Java On"; flow:established,to_server; content:".php?action=stats_javaon"; http_uri; classtype:trojan-activity; sid:2015945; rev:2;)

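# sid 2015946: the "&r=" content had no http_uri modifier, so it was searched in the raw request while the
# first content and the /U pcre inspect the URI buffer; aligned all three matches on the URI (the pcre
# already required "&r=" in the URI, so the effective match set is unchanged). rev bumped.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss - Setup"; flow:established,to_server; content:".php?setup=d&s="; http_uri; content:"&r="; http_uri; pcre:"/\.php\?setup=d&s=\d+&r=\d+$/U"; classtype:trojan-activity; sid:2015946; rev:4;)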

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Propack Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"propack/"; distance:0; classtype:trojan-activity; sid:2015949; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Propack Payload Request"; flow:established,to_server; content:".php?j=1&k="; http_uri; nocase; fast_pattern:only; content:" Java/1"; http_header; pcre:"/\.php\?j=1&k=[0-9](i=[0-9])?$/U"; classtype:trojan-activity; sid:2015950; rev:2;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SibHost Jar Request"; flow:established,to_server; content:".jar?m="; http_uri; content:"|29 20|Java/1"; http_user_agent; fast_pattern:only; pcre:"/\.jar\?m=[1-2]$/U"; classtype:trojan-activity; sid:2015951; rev:17;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS PHISH Generic -SSN - ssn1 ssn2 ssn3"; flow:established,to_server; content:"POST"; http_method; content:"ssn1="; http_client_body; content:"ssn2="; http_client_body; content:"ssn3="; http_client_body; content:!"LabTech Agent"; http_user_agent; classtype:trojan-activity; sid:2015952; rev:4;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PDF /FlateDecode and PDF version 1.1 (seen in pamdql EK)"; flow:established,from_server; file_data; content:"%PDF-1.1"; fast_pattern; within:8; content:"/FlateDecode"; distance:0; classtype:trojan-activity; sid:2015955; rev:2;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Serenity Exploit Kit Landing Page HTML Header"; flow:established,to_client; file_data; content:"Loading... Please wait<|2F|title><meta name=|22|robots|22| content=|22|noindex|22|><|2F|head>"; distance:0; classtype:trojan-activity; sid:2015956; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack Jar Request"; flow:established,to_server; content:"/j.php?t=u00"; http_uri; fast_pattern:only; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2015960; rev:12;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack PDF Request"; flow:established,to_server; content:"/p5.php?t=u00"; http_uri; content:"&oh="; http_uri; classtype:trojan-activity; sid:2015961; rev:11;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack Payload Request"; flow:established,to_server; content:"/load.php?e="; http_uri; fast_pattern:only; content:"&token="; http_uri; classtype:trojan-activity; sid:2015962; rev:11;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Zuponcic EK Java Exploit Jar"; flow:established,from_server; file_data; content:"PK"; within:2; content:"FlashPlayer.class"; distance:0; content:".SF"; content:".RSA"; classtype:trojan-activity; sid:2015971; rev:9;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Zuponcic EK Payload Request"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"|29 20|Java/1"; http_header; content:"/"; http_uri; content:"i=2ZI"; fast_pattern; http_client_body; depth:5; classtype:trojan-activity; sid:2015970; rev:11;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing URL"; flow:established,to_server; content:".php?dentesus=208779"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015964; rev:11;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful PayPal Account Phish"; flow:established,to_server; content:"POST"; http_method; content:"login_email="; http_client_body; content:"login_password="; http_client_body; content:"target_page="; http_client_body; classtype:bad-unknown; sid:2015972; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sibhost Status Check"; flow:established,to_server; content:"POST"; http_method; content:"|29 20|Java/1"; http_user_agent; fast_pattern:only; content:"text="; http_client_body; depth:5; pcre:"/\?(s|page|id)=\d+$/U"; classtype:trojan-activity; sid:2015974; rev:14;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS probable malicious Glazunov Javascript injection"; flow:established,from_server; file_data; content:"(|22|"; distance:0; content:"|22|))|3b|"; distance:52; within:106; content:")|3b|</script></body>"; within:200; fast_pattern; pcre:"/\(\x22[0-9\x3a\x3b\x3c\x3d\x3e\x3fa-k]{50,100}\x22\).{0,200}\)\x3b<\/script><\/body>/s"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015977; rev:7;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Dec 03 2012"; flow:established,from_server; file_data; content:"applet"; content:"yy3Ojj"; within:1600; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015978; rev:7;)

drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritXPack - Landing Page"; flow:established,from_server; file_data; content:"|7C|pdfver|7C|"; content:"|7C|applet|7C|"; classtype:bad-unknown; sid:2015979; rev:1;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Google Account Phish"; flow:established,to_server; content:"POST"; http_method; content:"continue="; http_client_body; content:"followup="; http_client_body; content:"checkedDomains="; http_client_body; classtype:bad-unknown; sid:2015980; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Zuponcic Hostile Jar"; flow:established,to_server; content:"Host|3a 20|"; http_header; content:"."; http_header; distance:2; within:1; content:"Java/"; http_header; content:".jar"; http_uri; fast_pattern:only; pcre:"/^Host\x3a\x20[a-z]{2}\./Hm"; pcre:"/^\/[a-zA-Z]{7}\.jar$/U"; classtype:trojan-activity; sid:2015981; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Zuponcic Hostile JavaScript"; flow:established,to_server; urilen:11; content:"Host|3a 20|"; http_header; content:"."; http_header; distance:2; within:1; content:"/js/java.js"; http_uri; fast_pattern:only; pcre:"/^Host\x3a\x20[a-z]{2}\./Hm"; classtype:trojan-activity; sid:2015982; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS PHISH Bank - York - Creds Phished"; flow:established,to_server; content:"POST"; http_method; content:"/secured/private/login.php"; http_uri; classtype:bad-unknown; sid:2015983; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss - Stats Load Fail"; flow:established,to_server; content:"?action=stats_loadfail"; http_uri; classtype:bad-unknown; sid:2015988; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit - Potential Java Exploit Requested - 3 digit jar"; flow:established,to_server; urilen:6<>9; content:".jar"; http_uri; pcre:"/^\/[0-9]{3}\.jar$/U"; classtype:bad-unknown; sid:2015989; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit - Potential Payload Requested - /2Digit.html"; flow:established,to_server; urilen:8; content:".html"; http_uri; content:" Java/1"; http_header; pcre:"/\/[0-9]{2}\.html$/U"; classtype:bad-unknown; sid:2015990; rev:2;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Robopak - Landing Page Received"; flow:established,to_client; file_data; content:"|22|ors.class|22|"; fast_pattern:only; content:"|22|bhjwfffiorjwe|22|"; classtype:bad-unknown; sid:2015991; rev:4;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Google Chrome Update/Install"; flow:established,to_server; content:"/chrome/google_chrome_"; http_uri; content:".exe"; http_uri; distance:0; pcre:"/\/chrome\/google_chrome_(update|installer)\.exe$/U"; reference:url,www.barracudanetworks.com/blogs/labsblog?bid=3108; reference:url,www.bluecoat.com/security-blog/2012-12-05/blackhole-kit-doesnt-chrome; classtype:trojan-activity; sid:2015997; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack Jar Request (2)"; flow:established,to_server; content:".php?i="; http_uri; pcre:"/\/j\d{2}\.php\?i=/U"; content:"Java/1."; http_user_agent; fast_pattern:only; classtype:trojan-activity; sid:2016013; rev:6;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack PDF Request (2)"; flow:established,to_server; content:"/lpdf.php?i="; http_uri; fast_pattern:only; pcre:"/\/lpdf\.php\?i=[a-zA-Z0-9]+&?$/U"; classtype:trojan-activity; sid:2016012; rev:4;)

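# sid 2015998: the pcre left `.` and `?` unescaped, so `php?` made the trailing "p" optional and the literal
# "?" of the query string was never matched; since the content match requires "/i.php?token=", the two
# conditions could practically never be satisfied by the same URI and the rule was dead. Both
# metacharacters are now escaped. rev bumped.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack Landing Pattern"; flow:established,to_server; content:"/i.php?token="; http_uri; fast_pattern:only; nocase; pcre:"/\/i\.php\?token=[a-z0-9]+$/Ui"; classtype:trojan-activity; sid:2015998; rev:4;)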

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PDF /XFA and PDF-1.[0-4] Spec Violation (seen in pamdql and other EKs)"; flow:established,to_client; file_data; content:"%PDF-1."; within:7; pcre:"/^[0-4][^0-9]/R"; content:"/XFA"; distance:0; fast_pattern; pcre:"/^[\r\n\s]*[\d\x5b]/R"; classtype:trojan-activity; sid:2016001; rev:5;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Embedded Open Type Font file .eot seeing at Cool Exploit Kit"; flow:established,to_client; file_data; content:"|02 00 02 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:8; depth:18; content:"|4c 50|"; distance:8; within:2; content:"|10 00 40 00|D|00|e|00|x|00|t|00|e|00|r|00 00|"; distance:0; content:"|00|R|00|e|00|g|00|u|00|l|00|a|00|r|00|"; distance:0; content:"V|00|e|00|r|00|s|00|i|00|o|00|n|00 20 00|1|00 2e 00|0"; reference:cve,2011-3402; classtype:attempted-user; sid:2016018; rev:2;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING FlashPost - Redirection IFRAME"; flow:established,to_client; file_data; content:"{|22|iframe|22 3a|true,|22|url|22|"; within:20; classtype:bad-unknown; sid:2016022; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS MALVERTISING FlashPost - POST to *.stats"; flow:established,to_server; content:"POST"; http_method; content:".stats"; http_uri; content:"pageURL="; http_client_body; classtype:bad-unknown; sid:2016023; rev:3;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole - TDS Redirection To Exploit Kit - Loading"; flow:established,to_client; file_data; content:"<title>Loading...!"; classtype:bad-unknown; sid:2016024; rev:2;)

# NOTE(review): this line is an extraction artifact, not a loadable rule. Three rules have been fused
# ("NuclearPack - Landing Page Received", "g01pack - Landing Page Received" and "Possible SibHost PDF
# Request"): the first two lost everything from their first content value onward (the value presumably
# began with a character the extractor treated as markup), and only the trailing SibHost rule
# (sid:2016035) is intact. Do not load as-is; recover the two missing rules from the upstream ruleset.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - Landing Page Received - applet and 32HexChar.jar"; flow:established,to_client; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS g01pack - Landing Page Received - applet and 32AlphaNum.jar"; flow:established,to_client; file_data; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible SibHost PDF Request"; flow:established,to_server; content:".pdf?p=1&s="; http_uri; fast_pattern:only; pcre:"/\.pdf\?p=1&s=[1-2]$/U"; classtype:trojan-activity; sid:2016035; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_gmf EK - Payload Download Requested"; flow:established,to_server; content:"/getmyfile.exe"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016052; rev:4;)

drop http $EXTERNAL_NET any ->  $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_gmf EK - Payload Download Received"; flow:established,to_client; content:".exe.crypted"; http_header; fast_pattern; content:"attachment"; http_header; classtype:trojan-activity; sid:2016053; rev:2;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_gmf EK - Server Response - Application Error"; flow:established,to_client; content:"X-Powered-By|3a| Application Error...."; http_header; classtype:trojan-activity; sid:2016054; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_gmf EK - pdfx.html"; flow:established,to_server; content:"/pdfx.html"; http_uri; classtype:trojan-activity; sid:2016055; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_gmf EK - flsh.html"; flow:established,to_server; urilen:>80; content:"/flsh.html"; http_uri; classtype:trojan-activity; sid:2016056; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful PayPal Account Phish"; flow:established,to_server; content:"login_email="; http_client_body; content:"login_password="; http_client_body; content:"browser_version="; http_client_body; content:"operating_system="; fast_pattern; http_client_body; classtype:bad-unknown; sid:2016063; rev:3;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Embedded Open Type Font file .eot"; flow:established,to_client; file_data; content:"|02 00 02  00 04 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:8; depth:18; content:"|4c 50|"; distance:8; within:2; content:"|10 00 40  00|a|00|b|00|c|00|d|00|e|00|f|00 00|"; distance:0; content:"|00|R|00|e|00|g|00|u|00|l|00|a|00|r|00|"; distance:0; content:"V|00|e|00|r|00|s|00|i|00|o|00|n|00 20 00|1|00 2e 00|0"; reference:cve,2011-3402; classtype:attempted-user; sid:2016065; rev:4;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO obfuscator string 19 Dec 12 - possible landing"; flow:from_server,established; file_data; content:"cRxmlqC14I8yhr92sovp"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016070; rev:5;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO 20 Dec 12 - .jar file request"; flow:established,to_server; urilen:>44; content:".jar"; offset:38; http_uri; content:"Java/1."; http_user_agent; pcre:"/^\/[a-zA-Z0-9]{25,35}\/\d{9,10}\/[a-z]{4,12}\.jar$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016071; rev:4;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO 20 Dec 12 - .pdf file request"; flow:established,to_server; urilen:>44; content:".pdf"; offset:38; http_uri; pcre:"/^\/[a-zA-Z0-9]{25,35}\/\d{9,10}\/[a-z]{4,12}\.pdf$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016072; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO - possible second stage landing page"; flow:established,to_server; urilen:>40; content:".js"; offset:38; http_uri; pcre:"/^\/[a-z0-9A-Z]{25,35}\/(([tZFBeDauxR]+q){3}[tZFBeDauxR]+(_[tZFBeDauxR]+)?|O7dd)k(([tZFBeDauxR]+q){3}[tZFBeDauxR]+|O7dd)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016073; rev:7;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hostile Gate landing seen with pamdql/Sweet Orange /in.php?q="; flow:established,to_server; content:"/in.php?q="; http_uri; classtype:trojan-activity; sid:2016090; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hostile Gate landing seen with pamdql/Sweet Orange base64"; flow:established,to_server; content:"KAhFXlx9"; http_uri; pcre:"/\.php\?[a-z]=.{2}KAhFXlx9.{2}Oj[^&]+$/U"; classtype:trojan-activity; sid:2016091; rev:2;)

# Disabled upstream: pamdql / Sweet Orange payload fetch as a 15-byte URI "/command/<6 letters>".
# Kept for reference; enable locally only if that URI shape is rare enough on your traffic.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS pamdql/Sweet Orange delivering exploit kit payload"; flow:established,to_server; content:"/command/"; http_uri; urilen:15; pcre:"/^\/command\/[a-zA-Z]{6}$/U"; classtype:trojan-activity; sid:2016093; rev:4;)

# Drupal mass-injection campaign, inbound: the injected JavaScript marker
# `if (i5463 == null) { var i5463 = 1;` in a server->client response body.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Drupal Mass Injection Campaign Inbound"; flow:established,from_server; file_data; content:"if (i5463 == null) { var i5463 = 1|3b|"; classtype:bad-unknown; sid:2016098; rev:2;)

# Same injection marker served *by* $HTTP_SERVERS: fires when one of our own web servers is carrying the
# injected script, i.e. it identifies the compromised host rather than a victim browser.
drop http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Drupal Mass Injection Campaign Outbound"; flow:established,from_server; file_data; content:"if (i5463 == null) { var i5463 = 1|3b|"; classtype:bad-unknown; sid:2016099; rev:2;)

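# NOTE(review): two rules are fused on this line. Everything between the `<` that opened the match content
# of "Unknown EK Landing Page" and the `>` of the next rule's `->` was lost in this copy, so the landing rule
# has no pattern and "Topic EK Requesting Jar" (sid 2016107) has no action/header. As written the line does
# not parse and only produces a load error, so it is disabled here; restore both rules from the upstream
# ET Open ruleset rather than guessing at the missing pattern. What survives of 2016107 is: URI containing
# ".php?exp=", "&b=<7 hex>" and "&k=<32 hex>", with a Java/1. User-Agent.
#drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing Page"; flow:established,from_server; file_data; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Topic EK Requesting Jar"; flow:established,to_server; content:".php?exp="; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; content:"Java/1."; http_user_agent; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:trojan-activity; sid:2016107; rev:6;)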

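# Topic EK PDF request: URI carries ".php?exp=lib", "&b=<7 hex>" and "&k=<32 hex>"; unlike the Jar
# variant (sid 2016107) there is no Java User-Agent requirement.
# Fix: "&k=" was the only URI token here without `http_uri`, so it was searched in the raw request
# payload instead of the normalized URI like the other two tokens and like the sibling rule. rev bumped.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Topic EK Requesting PDF"; flow:established,to_server; content:".php?exp=lib"; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:trojan-activity; sid:2016108; rev:4;)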

# Disabled upstream: Sweet Orange Java payload fetch keyed on the literal "openparadise1" in the URI with
# a Java/1 User-Agent. A second variant keyed on "&partners=" exists as sid 2016142.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Java payload request (1)"; flow:established,to_server; content:"Java/1"; http_user_agent; content:"openparadise1"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016111; rev:4;)

# Redkit encrypted payload: the first four bytes of the response body (file_data + within:4) are
# |fb 67 1f 49|. Requires ET.http.javaclient, which is set by a Java User-Agent rule elsewhere in the
# ruleset, so this only fires on downloads made by the Java plugin.
drop  http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Redkit encrypted binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|fb 67 1f 49|"; within:4; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016113; rev:3;)

# Disabled upstream: superseded by sid 2016174 (below), which keeps the same three content matches and
# adds pcre checks for the kit's /NNN.jar and /NNN.pdf file naming.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Landing Page"; flow:established,to_client; file_data; content:".jar"; nocase; fast_pattern; content:".pdf"; nocase; content:"Msxml2.XMLHTTP"; nocase; classtype:trojan-activity; sid:2016128; rev:2;)

# Unknown_gmf / Styx landing: URI "/fnts.html". A single generic filename with no other constraint, so
# some false positives on legitimate sites are possible; threshold/suppress locally if needed.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_gmf/Styx EK - fnts.html "; flow:established,to_server; content:"/fnts.html"; http_uri; classtype:trojan-activity; sid:2016129; rev:4;)

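# NOTE(review): two CVE-2012-4792 rules are fused on this line. The match content of "Escaped Unicode Char
# in Window Location" and the action/header of the "(Exploit Specific replace)" variant (sid 2016133) were
# lost in this copy (text between a `<` and the next `>` is missing), so the line does not parse and only
# produces a load error. Disabled here; restore both from the upstream ET Open ruleset. The surviving
# 2016133 pattern is `.location = unescape("%u` with each byte written as jjXX, i.e. the same string
# sid 2016134 below matches in %-hex form.
#drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Escaped Unicode Char in Window Location CVE-2012-4792 EIP"; flow:established,from_server; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Escaped Unicode Char in Location CVE-2012-4792 EIP (Exploit Specific replace)"; flow:established,from_server; file_data; content:"jj2Ejj6Cjj6Fjj63jj61jj74jj69jj6Fjj6Ejj20jj3Djj20jj75jj6Ejj65jj73jj63jj61jj70jj65jj28jj22jj25jj75"; nocase; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016133; rev:3;)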

# CVE-2012-4792 (IE CButton use-after-free, the Dec 2012 CFR watering hole): the response body contains
# `.location = unescape("%u` written entirely as %-hex escapes. One of several encodings of the same
# Metasploit payload (the jjXX form is sid 2016133).
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Escaped Unicode Char in Location CVE-2012-4792 EIP % Hex Encode"; flow:established,from_server; file_data; content:"%2e%6c%6f%63%61%74%69%6f%6e%20%3d%20%75%6e%65%73%63%61%70%65%28%22%25%75"; nocase; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016134; rev:3;)

# CVE-2012-4792 CFR drive-by: outbound UDP DNS query (flags 0x0100, QDCOUNT 1, AN/NS/AR 0 at offset 2)
# for the label-encoded C2 name provide.yourtrap.com. Dropping a DNS query only has effect inline, and
# DNS over TCP is not covered by this rule.
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS CFR DRIVEBY CVE-2012-4792 DNS Query for C2 domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|provide|08|yourtrap|03|com|00|"; fast_pattern; nocase; distance:0; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016135; rev:2;)

# CVE-2012-4792 Metasploit module against IE 8: the raw (un-normalized) URI carries the percent-encoded
# UTF-8 sequence /%E0%AC%B0%E0%B0%8C that the exploit uses to place its EIP value, alongside an
# "MSIE 8.0;" User-Agent header. http_raw_uri is deliberate: normalization would decode the escapes.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2012-4792 EIP in URI IE 8"; flow:established,to_server;  content:"/%E0%AC%B0%E0%B0%8C"; http_raw_uri; fast_pattern; content:"MSIE 8.0|3b|"; http_header; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016136; rev:3;)

# CVE-2012-4792 EIP-in-URI variant (1): same structure as sid 2016136 (raw URI + "MSIE 8.0;" header) with
# the byte sequence /%E0%B4%8C%E1%88%92; variant (2) is sid 2016170.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CVE-2012-4792 EIP in URI (1)"; flow:established,to_server; content:"/%E0%B4%8C%E1%88%92"; http_raw_uri; fast_pattern; content:"MSIE 8.0|3b|"; http_header; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016137; rev:2;)

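# NOTE(review): two rules are fused on this line. The third content of "Possible Exodus Intel IE HTML+TIME
# EIP Control Technique" (it opened with `<`) and the action/header of "Sweet Orange Java payload request (2)"
# (sid 2016142) were lost in this copy, so the line does not parse and only produces a load error. Disabled
# here; restore both from the upstream ET Open ruleset. What survives of the HTML+TIME rule is the
# `urn:schemas-microsoft-com:time` namespace plus `#default#time2`; of 2016142, a Java/1 header and
# "&partners=" in the URI.
#drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Exodus Intel IE HTML+TIME EIP Control Technique"; flow:established,from_server; file_data; content:"urn|3a|schemas-microsoft-com|3a|time"; nocase; content:"#default#time2"; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Java payload request (2)"; flow:established,to_server; content:"Java/1"; http_header; content:"&partners="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016142; rev:3;)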

# Injected iframe leading to Redkit (Jan 02 2013): `iframe name=<word>` followed immediately (within:71
# equals the content's own length) by the kit's unquoted attribute string
# `scrolling=auto frameborder=no align=center height=2 width=2 src=http://`, then a host and
# /<4-5 letters>.html</iframe>. The 2x2 iframe is the classic hidden loader.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Injected iframe leading to Redkit Jan 02 2013"; flow:established,from_server; file_data; content:"iframe name="; pcre:"/^[\r\n\s]*[\w]+[\r\n\s]+/R"; content:"scrolling=auto frameborder=no align=center height=2 width=2 src=http|3a|//"; within:71; fast_pattern:48,20; pcre:"/^[^\r\n\s>]+\/[a-z]{4,5}\.html\>\<\/iframe\>/R"; classtype:trojan-activity; sid:2016144; rev:3;)

# TURKTRUST mis-issued intermediate (Jan 2013): server->client traffic from 443 whose inspected payload
# starts with a TLS handshake record (|16 03|) and contains both "*.EGO.GOV.TR" (the wrongly issued sub-CA)
# and "*.google.com". Caveats: the two strings are not positioned relative to each other; the rule relies on
# the certificate chain being sent in the clear (TLS <= 1.2) and on both names landing in the same inspected
# stream chunk. Suricata 1.3 also has tls.subject / tls.issuerdn keywords that would make this less brittle —
# confirm they are available on the target build before rewriting.
drop tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible TURKTRUST Spoofed Google Cert"; flow:established,from_server; content:"|16 03|"; depth:2; content:"*.EGO.GOV.TR"; nocase; fast_pattern:only; content:"*.google.com"; classtype:policy-violation; sid:2016154; rev:1;)

# Blackhole landing (Jan 04 2013): the PluginDetect library name spelled out as a String.fromCharCode list —
# 80,108,117,103,105,110,68,101,116,101,99,116 decodes to "PluginDetect". Sets et.exploitkitlanding.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit PluginDetect FromCharCode Jan 04 2013"; flowbits:set,et.exploitkitlanding; flow:established,to_client; file_data; content:"80,108,117,103,105,110,68,101,116,101,99,116"; nocase; classtype:attempted-user; sid:2016166; rev:7;)

# CrimeBoss gate/EK: URI "/cb.php?action=". Deliberately loose ("Possible"); a more specific
# "action=jv&h=" form is sid 2016558.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible CrimeBoss Generic URL Structure"; flow:established,to_server; content:"/cb.php?action="; http_uri; classtype:bad-unknown; sid:2016169; rev:3;)

# CVE-2012-4792 EIP-in-URI variant (2): same structure as sids 2016136/2016137 (raw URI + "MSIE 8.0;"
# header) with the byte sequence /%E0%B4%8C%E1%82%AB.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CVE-2012-4792 EIP in URI (2)"; flow:established,to_server; content:"/%E0%B4%8C%E1%82%AB"; http_raw_uri; fast_pattern; content:"MSIE 8.0|3b|"; http_header; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016170; rev:3;)

# RedKit landing: page references .jar and .pdf and uses Msxml2.XMLHTTP, with the kit's three-digit file
# names (/NNN.jar, /NNN.pdf) enforced by the two pcres. Active replacement for the disabled sid 2016128.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY RedKit - Landing Page"; flow:established,to_client; file_data; content:".jar"; nocase; fast_pattern; content:".pdf"; nocase; content:"Msxml2.XMLHTTP"; nocase; pcre:"/\/[0-9]{3}\.jar/"; pcre:"/\/[0-9]{3}\.pdf/"; classtype:trojan-activity; sid:2016174; rev:3;)

# CVE-2013-0156 (Rails Action Pack parameter parsing): POST to our web servers with an XML Content-Type
# (application/xml, application/x-xml or text/xml, matched in the raw request headers) whose body carries
# a `type="yaml"` attribute — the YAML deserialization vector. Body checks use http_client_body / pcre /P.
# The Symbol type is covered by sid 2016176.
drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type YAML"; flow:established,to_server; content:"POST"; http_method; content:"|0d 0a|Content-Type|3a 20|"; pcre:"/^(?:application\/(?:x-)?|text\/)xml/R"; content:" type="; http_client_body; nocase; fast_pattern; content:"yaml"; distance:0; nocase; http_client_body; pcre:"/<[^>]*\stype\s*=\s*([\x22\x27])yaml\1/Pi"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-attack; sid:2016175; rev:3;)

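# CVE-2013-0156 (Rails Action Pack parameter parsing): same shape as sid 2016175 — XML Content-Type in the
# raw request headers, `type="symbol"` attribute in the normalized client body — for the second type the
# Rails advisory disallows alongside YAML.
# Fix: classtype aligned with the YAML twin. This rule carried `web-application-activity` (priority 2) while
# 2016175 uses `web-application-attack` (priority 1); the referenced advisory covers both types under the
# same CVE, and the mismatch was silently lowering this variant's alert priority. rev bumped.
drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type SYMBOL"; flow:established,to_server; content:"POST"; http_method; content:"|0d 0a|Content-Type|3a 20|"; pcre:"/^(?:application\/(?:x-)?|text\/)xml/R"; content:" type="; http_client_body; nocase; fast_pattern; content:"symbol"; distance:0; nocase; http_client_body; pcre:"/<[^>]*\stype\s*=\s*([\x22\x27])symbol\1/Pi"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-attack; sid:2016176; rev:4;)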

# SPL landing: response body embeds a Java applet (application/x-java-applet) sized width="000 and
# height="000 — an invisible applet, which is the kit's fingerprint here.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Landing Page Received"; flow:established,to_client; file_data; content:"application/x-java-applet"; content:"width=|22|000"; content:"height=|22|000"; classtype:bad-unknown; sid:2016190; rev:4;)

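# --- sids 2016191-2016412, reflowed to one rule per line ---------------------------------------------------
# This stretch arrived with dozens of rules run together across a few physical lines and several rules split
# mid-string, which Suricata cannot load (one rule per line, or `\` continuations). Rules are reproduced
# unchanged except where a NOTE says otherwise:
#   * sid 2016401: reference:cve read 2013-0364, a digit transposition of the CVE named in its own msg and in
#     its twin sid 2016400 (CVE-2013-0634). Corrected, rev bumped.
#   * sid 2016391: `reference:cve,2013-0633` was listed twice; collapsed to one, rev bumped.
#   * Rules whose pattern text was lost in this copy (everything between a `<` and the next `>` is missing, so
#     `content:`/`pcre:` bodies are truncated and in several places two rules are fused) cannot parse and only
#     produce load errors. They are commented out with a NOTE; restore them from the upstream ET Open
#     ruleset rather than guessing at the missing patterns.

# NOTE(review): truncated — the match content of sid 2016191 was lost. Restore from upstream.
#drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK - Landing Page Received"; flow:established,to_client; file_data; content:" "; classtype:bad-unknown; sid:2016191; rev:6;)

# NOTE(review): fused — the "Please wait..." landing rule lost its tail and sid 2016193 lost its head
# (the surviving `16;` is the end of a urilen option). Restore both from upstream.
#drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Unknown - Please wait..."; flow:established,to_client; file_data; content:"Please wait..."; nocase; content:" 16; content:"/?"; http_uri; depth:13; pcre:"/^\/[a-z0-9]{6,10}\/\?[0-9]{1,2}$/Ui"; classtype:bad-unknown; sid:2016193; rev:7;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Redkit Exploit Kit Three Numerical Character Naming Convention PDF Request"; flow:established,to_server; urilen:8; content:".pdf"; http_uri; pcre:"/\x2F[0-9]{3}\.pdf$/U"; reference:url,blogs.mcafee.com/mcafee-labs/red-kit-an-emerging-exploit-pack; reference:cve,2010-0188; classtype:trojan-activity; sid:2016210; rev:2;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2013-0422 Landing Page"; flow:established,from_server; file_data; content:"Loading, Please Wait..."; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{7}\.class/"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{8}\.jar/"; classtype:attempted-user; sid:2016227; rev:4;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2013-0422 Jar"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"B.class"; fast_pattern:only; pcre:"/[^a-zA-Z0-9_\-.]B\.class/"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{7}\.class/"; content:!"Browser.class"; classtype:attempted-user; sid:2016228; rev:5;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 16/32-hex/a-z.php Jar Download"; flow:established,to_server; content:".php"; http_uri; pcre:"/\/[a-f0-9]{16}([a-f0-9]{16})?\/[a-z]\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016229; rev:11;)

# NOTE(review): the class-path content below has no http_uri modifier, unlike every other URI token in this
# file; it still matches (the path is in the request line) but is searched in the raw payload. Left as-is.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Impact Exploit Kit Class Download"; flow:established,to_server; content:"/com/sun/org/glassfish/gmbal/util/GenericConstructor.class"; fast_pattern:13,20; content:" Java/1"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016240; rev:5;)

# NOTE(review): msg reads "Jan 21 2012" but neighbouring sids are dated Jan/Feb 2013 (2016144, 2016166,
# 2016414); probably a typo for 2013 — confirm against upstream before changing the msg.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Jan 21 2012"; flow:established,from_server; file_data; content:"applet"; content:"Dyy"; within:300; content:"Ojj"; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016242; rev:6;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS StyX Landing Page"; flow:established,from_server; file_data; content:"|22|pdfx.ht|5C|x6dl|22|"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016247; rev:6;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS StyX Landing Page"; flow:established,to_server; content:"/i.html?0x"; http_uri; depth:10; urilen:>100; pcre:"/\/i\.html\?0x\d{1,2}=[a-zA-Z0-9+=]{100}/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016248; rev:6;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Redkit Class Request (1)"; flow:established,to_server; content:"/Gobon.class"; http_uri; content:"Java/1."; http_user_agent; classtype:bad-unknown; sid:2016249; rev:8;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Redkit Class Request (2)"; flow:established,to_server; content:"/Runs.class"; http_uri; content:"Java/1."; http_user_agent; classtype:bad-unknown; sid:2016250; rev:8;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Red Dot Exploit Kit Single Character JAR Request"; flow:established,to_server; urilen:6; content:".jar"; http_uri; pcre:"/\x2F[a-z]\x2Ejar$/U"; reference:url,malware.dontneedcoffee.com/; classtype:trojan-activity; sid:2016254; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Red Dot Exploit Kit Binary Payload Request"; flow:established,to_server; content:"/load.php?guid="; http_uri; content:"&thread="; http_uri; content:"&exploit="; http_uri; content:"&version="; http_uri; content:"&rnd="; http_uri; reference:url,malware.dontneedcoffee.com/; classtype:trojan-activity; sid:2016255; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Gondad Exploit Kit Post Exploitation Request"; flow:established,to_server; content:"/cve2012xxxx/Gondvv.class"; http_uri; classtype:trojan-activity; sid:2016256; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS TDS - in.php"; flow:established,to_server; content:"/in.php?s="; http_uri; classtype:trojan-activity; sid:2016272; rev:2;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"ConfusingClassLoader.class"; classtype:bad-unknown; sid:2016276; rev:5;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"Confuser.class"; classtype:bad-unknown; sid:2016277; rev:5;)

# NOTE(review): truncated — the opening content and the start of the pcre (including the `(?P<q>` group
# that the surviving `(?P=q)` back-reference needs) were lost in sids 2016297 and 2016298. Restore from upstream.
#drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious iframe"; flow:established,from_server; file_data; content:").)*?[\r\n\s]+name[\r\n\s]*=[\r\n\s]*(?P[\x22\x27])?(Twitter|Google\+)(?P=q)?[\r\n\s]+/R"; content:"scrolling=auto frameborder=no align=center height=2 width=2"; within:59; fast_pattern:39,20; classtype:trojan-activity; sid:2016297; rev:4;)
#drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious iframe"; flow:established,from_server; file_data; content:").)*?[\r\n\s]+name[\r\n\s]*=[\r\n\s]*(?P[\x22\x27])?(Twitter|Google\+)(?P=q)?[\r\n\s]+/R"; content:"scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|"; within:69; fast_pattern:49,20; classtype:trojan-activity; sid:2016298; rev:4;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Redkit Class Request (3)"; flow:established,to_server; content:"/Vlast.class"; http_uri; content:"Java/1."; http_user_agent; fast_pattern:only; classtype:bad-unknown; sid:2016299; rev:10;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS JDB Exploit Kit Landing URL structure"; flow:established,from_client; content:"/inf.php?id="; http_uri; nocase; fast_pattern:only; pcre:"/\/inf\.php\?id=[a-f0-9]{32}$/Ui"; classtype:trojan-activity; sid:2016306; rev:2;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS JDB Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"Adobe Flash must be updated to view this"; content:"/lib/adobe.php?id="; distance:0; fast_pattern; pcre:"/^[a-f0-9]{32}/R"; classtype:trojan-activity; sid:2016307; rev:6;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible JDB Exploit Kit Class Request"; flow:established,to_server; content:"/jdb/"; http_uri; nocase; content:".class"; http_uri; nocase; pcre:"/\/jdb\/[^\/]+\.class$/Ui"; content:" Java/1"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2016308; rev:6;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS JDB Exploit Kit JAR Download"; flow:established,to_server; content:".php?id="; http_uri; nocase; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/\.php\?id=[a-f0-9]{32}$/Ui"; classtype:trojan-activity; sid:2016309; rev:7;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS JDB Exploit Kit Fake Adobe Download"; flow:established,to_server; content:"/lib/adobe.php?id="; http_uri; nocase; fast_pattern:only; pcre:"/\/lib\/adobe\.php\?id=[a-f0-9]{32}$/Ui"; classtype:trojan-activity; sid:2016310; rev:5;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Non-Standard HTML page in Joomla /com_content/ dir (Observed in Recent Pharma Spam)"; flow:established,to_server; content:"/components/com_content/"; http_uri; content:!"index.html"; nocase; within:10; http_uri; content:".html"; nocase; http_uri; distance:0; classtype:bad-unknown; sid:2016311; rev:6;)

# NOTE(review): fused — the "Impact Exploit Kit Landing Page" rule lost its match content and the
# "PHISH Generic - POST to myform.php" rule (sid 2016327) lost its action/header. Restore both from upstream.
#drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Impact Exploit Kit Landing Page"; flow:established,from_server; file_data; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS PHISH Generic - POST to myform.php"; flow:established,to_server; content:"POST"; http_method; content:"/myform.php"; http_uri; classtype:bad-unknown; sid:2016327; rev:2;)

# NOTE(review): truncated — the opening content and start of the pcre of sid 2016333 were lost. Restore from upstream.
#drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible g01pack Landing Page"; flow:established,to_client; file_data; content:"[\x22\x27])((?!(?P=q)).)+?\.(gif|jpe?g|p(ng|sd))(?P=q)/Rsi"; classtype:trojan-activity; sid:2016333; rev:4;)

# NOTE(review): disabled upstream. As with sid 2016242, the msg date "Feb 04 2012" is probably 2013 — confirm.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Feb 04 2012"; flow:established,from_server; file_data; content:"applet"; content:"Ojj"; within:300; content:"Dyy"; within:300; classtype:bad-unknown; sid:2016341; rev:5;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Secondary Landing"; flow:established,to_server; content:".js"; http_uri; content:"/i.html"; http_header; fast_pattern:only; pcre:"/^[a-z]+\.js$/U"; pcre:"/^Referer\x3a[^\r\n]+\/i.html(\?[^=]{1,10}=[^&\r\n]{100,})?\r?$/Hmi"; classtype:bad-unknown; sid:2016347; rev:6;)

# NOTE(review): truncated — the opening content and start of the pcre of sid 2016348 were lost. Restore from upstream.
#drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS WhiteHole Exploit Landing Page"; flow:established,from_server; file_data; content:".jar?java="; nocase; fast_pattern:only; content:").)+?\.jar\?java=\d+/R"; content:" name="; content:"http"; within:5; content:" name="; content:"ftp"; within:4; classtype:trojan-activity; sid:2016348; rev:7;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WhiteHole Exploit Kit Jar Request"; flow:to_server,established; content:".jar?java="; http_uri; fast_pattern:only; nocase; content:"Java/1."; http_user_agent; pcre:"/\.jar\?java=\d+$/Ui"; classtype:trojan-activity; sid:2016349; rev:5;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WhiteHole Exploit Kit Payload Download"; flow:established,to_server; content:"/?whole="; nocase; http_uri; fast_pattern:only; content:"Java/1."; http_user_agent; pcre:"/\/\?whole=\d+$/Ui"; classtype:trojan-activity; sid:2016350; rev:4;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Jerk.cgi TDS"; flow:established,to_server; content:"/jerk.cgi?"; fast_pattern:only; http_uri; pcre:"/\x2Fjerk\x2Ecgi\x3F[0-9]$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:trojan-activity; sid:2016352; rev:2;)

# NOTE(review): fused — the Styx "Getmyfile.exe" landing rule lost its match content and has been joined to the
# tail of an unrelated rule (a client-body pcre listing web-shell panel names; sid 2016354 as shown). A
# to_client rule with a /P client-body pcre cannot be right. Restore both from upstream.
#drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Getmyfile.exe Payload"; flow:established,to_client; file_data; content:"[\x22\x27])a(?P=q)[^\r\n]*\r\n[\r\n\s]+(?:S(?:e(?:lfRemove|cInfo)|tringTools|afeMode|ql)|(?:Bruteforc|Consol)e|FilesMan|Network|Logout|Php)/Pi"; classtype:attempted-user; sid:2016354; rev:3;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritXPack - Landing Page - Received"; flow:established,to_client; file_data; content:"js.pd.js"; content:"|7C|applet|7C|"; classtype:trojan-activity; sid:2016356; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack - URI - jpfoff.php"; flow:established,to_server; content:"/jpfoff.php?token="; http_uri; classtype:trojan-activity; sid:2016357; rev:2;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack Jar Request (3)"; flow:established,to_server; content:"/j17.php?i="; http_uri; content:"|29 20|Java/1"; http_user_agent; fast_pattern:only; classtype:trojan-activity; sid:2016365; rev:5;)

# Disabled upstream; when enabled it only sets ET.g01pack.Java.Image (flowbits:noalert) for later rules.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Exploit Kit Java jpg download"; flow:established,to_server; content:".jpg"; http_uri; pcre:"/\.jpg$/U"; content:"Java/1."; http_user_agent; fast_pattern:only; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:trojan-activity; sid:2016371; rev:5;)

# NOTE(review): fused — the "Unknown_MM EK - Landing Page" rule lost its match content and the jaxws.jar rule
# (sid 2016374) lost its action/header. Restore both from upstream.
#drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_MM EK - Landing Page"; flow:established,to_client; file_data; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_MM - Java Exploit - jaxws.jar"; flow:established,to_server; content:"/jaxws.jar"; http_uri; content:"Java/"; http_user_agent; classtype:trojan-activity; sid:2016374; rev:4;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_MM - Java Exploit - jre.jar"; flow:established,to_server; content:"/jre.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016375; rev:4;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_MM - Payload Download"; flow:established,to_client; file_data; content:"PK"; within:2; content:"stealth.exe"; within:60; classtype:trojan-activity; sid:2016377; rev:2;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_MM EK - Java Exploit - fbyte.jar"; flow:established,to_server; content:"/fbyte.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016378; rev:3;)

# Generic: a ZIP ("PK" at the start of the body) fetched by the Java client that names a .exe member.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic - JAR Containing Windows Executable"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:".exe"; fast_pattern; nocase; classtype:trojan-activity; sid:2016379; rev:5;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Encrypted Binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|25 3e fc 75 7b|"; within:5; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016380; rev:4;)

# NOTE(review): duplicated `reference:cve,2013-0633` collapsed to a single entry; rev bumped.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Flash Zero Day LadyBoyle Infection Campaign"; flow:established,to_client; file_data; content:"FWS"; distance:0; content:"LadyBoyle"; distance:0; reference:md5,3de314089db35af9baaeefc598f09b23; reference:md5,2568615875525003688839cb8950aeae; reference:url,blog.fireeye.com/research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html; reference:url,www.adobe.com/go/apsb13-04; reference:cve,2013-0633; classtype:trojan-activity; sid:2016391; rev:3;)

# Impact EK landing: applet param value whose characters are spread 8 bytes apart (h.t.t.p.:./), i.e. an
# obfuscated URL interleaved with filler.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Impact Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"value"; distance:0; pcre:"/^(\s*=\s*|[\x22\x27]\s*,\s*)[\x22\x27]/R"; content:"h"; distance:8; within:1; content:"t"; distance:8; within:1; content:"t"; distance:8; within:1; content:"p"; distance:8; within:1; content:"|3a|"; distance:8; within:1; content:"/"; distance:8; within:1; classtype:trojan-activity; sid:2016393; rev:3;)

# CVE-2013-0634 (Flash RegExp): the four rules below depend on HTTP.UncompressedFlash / OLE.WithFlash
# flowbits set by file-type rules elsewhere in the ruleset.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Exploit Specific Uncompressed Flash CVE-2013-0634"; flow:established,to_client; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"RegExp"; distance:0; content:"#(?i)()()(?-i)|7c 7c|"; distance:0; classtype:trojan-activity; sid:2016396; rev:5;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Exploit Specific Uncompressed Flash Inside of OLE CVE-2013-0634"; flow:established,to_client; flowbits:isset,OLE.WithFlash; file_data; content:"RegExp"; distance:0; content:"#(?i)()()(?-i)|7c 7c|"; distance:0; classtype:trojan-activity; sid:2016397; rev:4;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Flash Action Script Invalid Regex CVE-2013-0634"; flow:established,to_client; file_data; flowbits:isset,HTTP.UncompressedFlash; content:"RegExp"; distance:0; content:"#"; distance:0; pcre:"/^[\x20-\x7f]*\(\?[sxXmUJ]*i[sxXmUJ]*(\-[sxXmUJ]*)?\)[\x20-\x7f]*\(\?[sxXmUJ]*\-[sxXmUJ]*i[sxXmUJ]*\)[\x20-\x7f]*\|\|/R"; reference:cve,2013-0634; classtype:trojan-activity; sid:2016400; rev:3;)

# NOTE(review): reference:cve corrected from 2013-0364 to 2013-0634 (matches the msg and sid 2016400); rev bumped.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Flash Action Script Invalid Regex CVE-2013-0634"; flow:established,to_client; file_data; flowbits:isset,OLE.WithFlash; content:"RegExp"; distance:0; content:"#"; distance:0; pcre:"/^[\x20-\x7f]*\(\?[sxXmUJ]*i[sxXmUJ]*(\-[sxXmUJ]*)?\)[\x20-\x7f]*\(\?[sxXmUJ]*\-[sxXmUJ]*i[sxXmUJ]*\)[\x20-\x7f]*\|\|/R"; reference:cve,2013-0634; classtype:trojan-activity; sid:2016401; rev:4;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK Payload - obfuscated binary base 0"; flow:established,to_client; file_data; content:"|af 9e b6 98 09 fc ee d0|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016403; rev:2;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool Java Exploit Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"SunJCE.class"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016407; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Zero Day Trojan.666 Payload libarhlp32.dll Second Stage Download POST"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"lbarhlp32.blb"; http_client_body; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016409; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Zero Day Trojan.666 Payload libarext32.dll Second Stage Download POST"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"lbarext32.blb"; http_client_body; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016410; rev:3;)

drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS TDS Vdele"; flow:established,to_server; content:"GET"; nocase; http_method; urilen:>37; content:"/vd/"; http_uri; nocase; fast_pattern:only; pcre:"/\/vd\/\d+\x3b[a-f0-9]{32}/Ui"; classtype:trojan-activity; sid:2016412; rev:2;)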
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoolEK Payload Download (5)"; flow:established,to_server; content:".txt?e="; http_uri; nocase; fast_pattern:only; content:!"Referer|3a| "; http_header; pcre:"/\.txt\?e=\d+(&[fh]=\d+)?$/U"; classtype:trojan-activity; sid:2016414; rev:8;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK landing applet plus class Feb 18 2013"; flow:established,to_client; file_data; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoolEK Possible Java Payload Download"; flow:to_server,established; content:".exe?"; http_uri; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/\.exe\?(e=)?\d+$/U"; classtype:trojan-activity; sid:2016427; rev:7;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (1)"; flow:established,to_server; content:"/java/lang/ClassBeanInfo.class"; http_uri; fast_pattern:10,20; content:"Java/1.7"; http_user_agent; classtype:trojan-activity; sid:2016490; rev:12;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (2)"; flow:established,to_server; content:"/java/lang/ObjectBeanInfo.class"; http_uri; fast_pattern:11,20; content:"Java/1.7"; http_user_agent; classtype:trojan-activity; sid:2016491; rev:11;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (3)"; flow:established,to_server; content:"/java/lang/ObjectCustomizer.class"; http_uri; fast_pattern:13,20; content:"Java/1.7"; http_user_agent; classtype:trojan-activity; sid:2016492; rev:12;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (3)"; flow:established,to_server; content:"/java/lang/ClassCustomizer.class"; http_uri; fast_pattern:12,20; content:"Java/1.7"; http_user_agent; classtype:trojan-activity; sid:2016493; rev:11;) drop http 
$EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS StyX Landing Page (2)"; flow:established,from_server; file_data; content:"|22|pdf|5c|78.ht|5c|6dl|22|"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016497; rev:7;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Payload"; flow:established,to_client; file_data; content:".exe?"; fast_pattern:only; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Payload Download"; flow:established,to_server; content:".exe"; http_uri; nocase; fast_pattern:only; content:"&h="; http_uri; pcre:"/\.exe(?:\?[a-zA-Z0-9]+=[a-zA-Z0-9]+)?&h=\d+$/Ui"; content:!"Referer|3a|"; http_header; classtype:bad-unknown; sid:2016499; rev:14;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Nicepack EK Landing (Anti-VM)"; flow:established,to_client; file_data; content:"if(document.body.onclick!=null)"; content:"if(document.styleSheets.length!=0)"; classtype:bad-unknown; sid:2016500; rev:8;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Compromise svchost.jpg Beacon - Java Zeroday"; flow:established,to_server; content:"/svchost.jpg"; fast_pattern:only; http_uri; content:"Java/1."; http_user_agent; reference:url,blog.fireeye.com/research/2013/02/yaj0-yet-another- java-zero-day-2.html; classtype:trojan-activity; sid:2016511; rev:4;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss - Java Exploit - jhan.jar"; flow:established,to_server; content:"/jhan.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016514; rev:4;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probable Sakura exploit kit landing page obfuscated applet tag Mar 1 2013"; flow:established,from_server; file_data; content:"<#a#p#p#l#e#t#"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016520; rev:3;) drop http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Java Archive Request (Java-SPLOIT.jar)"; flow:established,to_server; content:"/Java-SPLOIT.jar"; http_uri; content:"Java/1."; fast_pattern:only; http_user_agent; classtype:bad-unknown; sid:2016521; rev:5;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Payload Request"; flow:established,to_server; content:"/download.php?e="; http_uri; fast_pattern:only; pcre:"/\.php\?e=[^&]+?$/U"; classtype:bad-unknown; sid:2016522; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Exploit Request"; flow:established,to_server; content:"/module.php?e="; http_uri; fast_pattern:only; pcre:"/\.php\?e=[^&]+?$/U"; classtype:bad-unknown; sid:2016523; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole V2 Exploit Kit Landing Page Try Catch Body Specific - 4/3/2013"; flow:established,to_client; file_data; content:"}try{doc[|22|body|22|]^=2}catch("; distance:0; classtype:trojan-activity; sid:2016524; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole V2 Exploit Kit Landing Page Try Catch Body Style 2 Specific - 4/3/2013"; flow:established,to_client; file_data; content:"try{document.body^=2}catch("; distance:0; classtype:trojan-activity; sid:2016525; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole V2 Exploit Kit Landing Page Try Catch False Specific - 4/3/2013"; flow:established,to_client; file_data; content:"}try{}catch("; distance:0; content:"=false|3B|}"; within:30; classtype:trojan-activity; sid:2016526; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Java Download non Jar file"; flow:established,to_server; content:!".jar"; http_uri; nocase; content:!".jnlp"; http_uri; nocase; content:!".hpi"; http_uri; nocase; content:"Java/1."; http_user_agent; fast_pattern:only; flowbits:set,ET.JavaNotJar; 
flowbits:noalert; classtype:bad-unknown; sid:2016539; rev:6;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs"; flow:established,from_server; content:!".jar"; http_header; nocase; file_data; content:"PK"; within:2; content:".class"; distance:0; fast_pattern; flowbits:isset,ET.JavaNotJar; flowbits:unset,ET.JavaNotJar; classtype:bad-unknown; sid:2016540; rev:3;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO/GrandSoft landing applet plus class Mar 03 2013"; flow:established,to_client; file_data; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Portal TDS Kit GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?pprec"; nocase; fast_pattern:only; http_uri; pcre:"/\.php\?pprec$/Ui"; reference:url,ondailybasis.com/blog/?p=1867; classtype:trojan-activity; sid:2016542; rev:3;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Portal TDS Kit GET (2)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?c002"; nocase; fast_pattern:only; http_uri; pcre:"/\.php\?c002$/Ui"; reference:url,ondailybasis.com/blog/?p=1867; classtype:trojan-activity; sid:2016543; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Base64 http argument in applet (Neutrino/Angler)"; flow:established,from_server; file_data; content:").)+?[\x22\x27]aHR0cDov/Rs"; content:"aHR0cDov"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016549; rev:4;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino EK Downloading Jar"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/m"; http_uri; content:"?l"; http_uri; distance:0; pcre:"/\/m[a-z]+?\?l[a-z]+?=[a-z]+$/U"; classtype:trojan-activity; sid:2016551; rev:8;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET 
CURRENT_EVENTS Possible CrimeBoss Generic URL Structure"; flow:established,to_server; content:".php?action=jv&h="; http_uri; classtype:bad-unknown; sid:2016558; rev:4;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS GonDadEK Plugin Detect March 11 2013"; flow:to_client,established; file_data; content:"this.gondad = arrVersion"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016560; rev:10;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino EK Posting Plugin-Detect Data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"h"; depth:1; http_client_body; content:"="; within:12; http_client_body; content:"&p"; distance:24; within:2; http_client_body; pcre:"/^h[a-z0-9]{0,10}\x3d[a-f0-9]{24}&p[a-z0-9]{0,10}\x3d[a-z0-9]{1,11}&i/P"; classtype:trojan-activity; sid:2016562; rev:7;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 16-hex/q.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:23; content:"/q.php"; offset:17; http_uri; pcre:"/^\/[0-9a-f]{16}\/q\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016563; rev:7;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 16-hex/q.php Jar Download"; flow:established,to_server; content:"/q.php"; offset:17; http_uri; pcre:"/^\/[0-9a-f]{16}\/q\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016564; rev:9;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SNET EK Downloading Payload"; flow:to_server,established; content:"get"; http_uri; content:"?src="; http_uri; fast_pattern; distance:0;content:"snet"; http_uri; distance:0; pcre:"/\?src=[a-z]+snet$/U"; content:" WinHttp.WinHttpRequest"; http_user_agent; classtype:trojan-activity; sid:2016566; rev:4;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET 
CURRENT_EVENTS SUSPICIOUS Java Request to DynDNS Pro Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:i(?:s(?:-(?:a(?:-(?:(?:(?:h(?:ard-work|unt)e|financialadviso)r|d(?:e(?:mocrat|signer)|octor)|t(?:e(?:acher|chie)|herapist)|r(?:epublican|ockstar)|n(?:ascarfan|urse)|anarchist|musician)\.com|c(?:(?:(?:ubicle-sla|onservati)ve|pa)\.com|a(?:ndidate\.org|terer\.com)|hef\.(?:com|net|org)|elticsfan\.org)|l(?:i(?:ber(?:tarian|al)\.com|nux-user\.org)|(?:a(?:ndscap|wy)er|lama)\.com)|p(?:(?:ersonaltrain|hotograph|lay)er\.com|a(?:inter\.com|tsfan\.org))|b(?:(?:(?:ookkeep|logg)er|ulls-fan)\.com|ruinsfan\.org)|s(?:o(?:cialist\.com|xfan\.org)|tudent\.com)|g(?:eek\.(?:com|net|org)|(?:reen|uru)\.com)|knight\.org)|n-(?:a(?:c(?:t(?:ress|or)|countant)|(?:narch|rt)ist)|en(?:tertain|gine)er)\.com)|(?:into-(?:(?:car(?:toon)?|game)s|anime)|(?:(?:not-)?certifie|with-theban)d|uberleet|gone)\.com|(?:very-(?:(?:goo|ba)d|sweet|evil|nice)|found)\.org|s(?:aved\.org|lick\.com)|l(?:eet\.com|ost\.org)|by\.us)|a-(?:geek\.(?:com|net|org)|hockeynut\.com)|t(?:eingeek|mein)\.de|smarterthanyou\.com)|n-the-band\.net|amallama\.com)|f(?:rom-(?:(?:i[adln]|w[aivy]|o[hkr]|[hr]i|d[ce]|k[sy]|p[ar]|s[cd]|t[nx]|v[at]|fl|ga|ut)\.com|m(?:[adinost]\.com|e\.org)|n(?:[cdehjmv]\.com|y\.net)|a(?:[klr]\.com|z\.net)|c(?:[at]\.com|o\.net)|la\.net)|or(?:-(?:(?:(?:mor|som|th)e|better)\.biz|our\.info)|got\.h(?:er|is)\.name)|uettertdasnetz\.de|tpaccess\.cc)|s(?:e(?:l(?:ls(?:-(?:for-(?:less|u)\.com|it\.net)|yourhome\.org)|fip\.(?:info|biz|com|net|org))|rve(?:bbs\.(?:com|net|org)|ftp\.(?:net|org)|game\.org))|(?:aves-the-whales|pace-to-rent|imple-url)\.com|crapp(?:er-site\.net|ing\.cc)|tuff-4-sale\.(?:org|us)|hacknet\.nu)|d(?:o(?:es(?:ntexist\.(?:com|org)|-it\.net)|ntexist\.(?:com|net|org)|omdns\.(?:com|org))|yn(?:a(?:lias\.(?:com|net|org)|thome\.net)|-o-saur\.com|dns\.ws)|ns(?:alias\.(?:com|net|org)|dojo\.(?:com|net|org))|vrdns\.org)|h(?:o(?:me(?:linux\.(?:com|ne
t|org)|unix\.(?:com|net|org)|(?:\.dyn)?dns\.org|ftp\.(?:net|org)|ip\.net)|bby-site\.(?:com|org))|ere-for-more\.info|am-radio-op\.net)|b(?:log(?:dns\.(?:com|net|org)|site\.org)|(?:uyshouses|roke-it)\.net|arrel?l-of-knowledge\.info|oldlygoingnowhere\.org|etter-than\.tv)|g(?:o(?:tdns\.(?:com|org)|\.dyndns\.org)|ame-(?:server\.cc|host\.org)|et(?:myip\.com|s-it\.net)|roks-th(?:is|e)\.info)|e(?:st-(?:(?:a-la-ma(?:is|si)|le-patr)on|mon-blogueur)\.com|ndof(?:internet\.(?:net|org)|theinternet\.org))|l(?:e(?:btimnetz|itungsen)\.de|ikes(?:candy|-pie)\.com|and-4-sale\.us)|m(?:i(?:sconfused\.org|ne\.nu)|yp(?:hotos\.cc|ets\.ws)|erseine\.nu)|w(?:ebhop\.(?:info|biz|net|org)|ritesthisblog\.com|orse-than\.tv)|t(?:eaches-yoga\.com|raeumtgerade\.de|hruhere\.net)|k(?:icks-ass\.(?:net|org)|nowsitall\.info)|o(?:ffice-on-the\.net|n-the-web\.tv)|(?:neat-url|cechire)\.com|podzone\.(?:net|org)|at-band-camp\.net|readmyblog\.org)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016580; rev:3;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to ChangeIP Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; 
pcre:"/^Host\x3a\x20[^\r\n]+\.(?:m(?:y(?:p(?:op3\.(?:net|org)|icture\.info)|n(?:etav\.(?:net|org)|umber\.org)|(?:secondarydns|lftv|03)\.com|d(?:ad\.info|dns\.com)|ftp\.(?:info|name)|(?:mom|z)\.info|www\.biz)|(?:r(?:b(?:asic|onus)|(?:slov|fac)e)|efound)\.com|oneyhome\.biz)|d(?:yn(?:amicdns\.(?:(?:org|co|me)\.uk|biz)|dns\.pro|ssl\.com)|ns(?:(?:-(?:stuff|dns)|0[45]|et|rd)\.com|[12]\.us)|dns\.(?:m(?:e\.uk|obi|s)|info|name|us)|(?:smtp|umb1)\.com|hcp\.biz)|(?:j(?:u(?:ngleheart|stdied)|etos|kub)|y(?:ou(?:dontcare|rtrap)|gto)|4(?:mydomain|dq|pu)|q(?:high|poe)|2(?:waky|5u)|z(?:yns|zux)|vizvaz|1dumb)\.com|s(?:e(?:(?:llclassics|rveusers?|ndsmtp)\.com|x(?:idude\.com|xxy\.biz))|quirly\.info|sl443\.org|ixth\.biz)|o(?:n(?:mypc\.(?:info|biz|net|org|us)|edumb\.com)|(?:(?:urhobb|cr)y|rganiccrap|tzo)\.com)|f(?:ree(?:(?:ddns|tcp)\.com|www\.(?:info|biz))|a(?:qserv|rtit)\.com|tp(?:server|1)\.biz)|a(?:(?:(?:lmostm|cmeto)y|mericanunfinished)\.com|uthorizeddns\.(?:net|org|us))|n(?:s(?:0(?:1\.(?:info|biz|us)|2\.(?:info|biz|us))|[123]\.name)|inth\.biz)|c(?:hangeip\.(?:n(?:ame|et)|org)|leansite\.(?:info|biz|us)|ompress\.to)|i(?:(?:t(?:emdb|saol)|nstanthq|sasecret|kwb)\.com|ownyour\.(?:biz|org))|g(?:r8(?:domain|name)\.biz|ettrials\.com|ot-game\.org)|l(?:flink(?:up\.(?:com|net|org)|\.com)|ongmusic\.com)|t(?:o(?:ythieves\.com|h\.info)|rickip\.(?:net|org))|(?:undefineddynamic-dns|rebatesrule|3-a)\.net|x(?:x(?:xy\.(?:info|biz)|uz\.com)|24hr\.com)|p(?:canywhere\.net|roxydns\.com|ort25\.biz)|w(?:ww(?:host|1)\.biz|ikaba\.com|ha\.la)|e(?:(?:smtp|dns)\.biz|zua\.com|pac\.to)|https443\.(?:net|org)|bigmoney\.biz)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016581; rev:4;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to NOIP Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; 
pcre:"/^Host\x3a\x20[^\r\n]+\.(?:s(?:e(?:rve(?:(?:(?:(?:counterstri|qua)k|exchang|gam)e|h(?:alflife|umour|ttp)|p(?:ics|2p)|sarcasm|ftp)\.com|m(?:inecraft\.net|p3\.com)|b(?:eer\.com|log\.net))|curity(?:exploit|tactic)s\.com)|tufftoread\.com|ytes\.net)|m(?:y(?:(?:(?:dissen|effec)t|mediapc|psx)\.net|securitycamera\.(?:com|net|org)|(?:activedirectory|vnc)\.com|ftp\.(?:biz|org))|lbfan\.org|mafan\.biz)|d(?:(?:itchyourip|amnserver|ynns)\.com|dns(?:\.(?:net|me)|king\.com)|ns(?:iskinky\.com|for\.me)|vrcam\.info)|n(?:o(?:-ip\.(?:c(?:o\.uk|a)|info|biz|net|org)|ip\.(?:me|us))|et-freaks\.com|flfan\.org|hlfan\.net)|h(?:o(?:mesecurity(?:ma|p)c\.com|pto\.(?:org|me))|ealth-carereform\.com)|p(?:(?:rivatizehealthinsurance|gafan)\.net|oint(?:2this\.com|to\.us))|c(?:(?:o(?:uchpotatofries|llegefan)|able-modem)\.org|iscofreak\.com)|g(?:o(?:lffan\.us|tdns\.ch)|eekgalaxy\.com)|b(?:logsyte\.com|ounceme\.net|rasilia\.me)|re(?:ad-books\.org|directme\.net)|u(?:nusualperson\.com|fcfan\.org)|w(?:orkisboring\.com|ebhop\.me)|(?:3utiliti|quicksyt)es\.com|eating-organic\.net|ilovecollege\.info|fantasyleague\.cc|loginto\.me|zapto\.org)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016582; rev:5;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to DNSDynamic Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:d(?:ns(?:d(?:ynamic\.(?:com|net)|\.(?:info|me))|api\.info|get\.org|53\.biz)|dns01\.com)|(?:f(?:lashserv|e100|tp21)|adultdns|mysq1|wow64)\.net|(?:(?:ima|voi)p01|(?:user|ole)32|kadm5)\.com|t(?:tl60\.(?:com|org)|empors\.com|ftpd\.net)|s(?:sh(?:01\.com|22\.net)|ql01\.com)|http(?:(?:s443|01)\.com|80\.info)|n(?:s360\.info|tdll\.net)|x(?:ns01\.com|64\.me)|craftx\.biz)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016583; rev:4;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to DtDNS Dynamic DNS Domain"; flow:to_server,established; 
content:"Java/1."; http_user_agent; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:(?:b(?:bsindex|0ne)|chatnook|gotgeeks|3d-game|4irc)\.com|s(?:(?:cieron|uroot)\.com|lyip\.(?:com|net))|d(?:arktech\.org|eaftone\.com|tdns\.net)|e(?:towns\.(?:net|org)|ffers\.com)|flnet\.org)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016584; rev:4;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange applet with obfuscated URL March 03 2013"; flow:established,from_server; file_data; content:"applet"; content:"103sdj115sdj115sdj111sdj57sdj46sdj46sdj"; fast_pattern; within:250; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016585; rev:7;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Query to a *.opengw.net Open VPN Relay Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|opengw|03|net|00|"; nocase; fast_pattern:only; reference:url,www.vpngate.net; classtype:bad-unknown; sid:2016586; rev:5;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Redkit Landing Page URL March 03 2013"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"u33&299"; within:200; content:"u3v7"; within:50; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016587; rev:6;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedDotv2 Java Check-in"; flow:established,to_server; content:"/search/"; http_uri; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/^\/search\/[0-9]{64}/U"; classtype:trojan-activity; sid:2016593; rev:8;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedDotv2 Jar March 18 2013"; flow:established,to_server; content:"/sexy.jar"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2016594; rev:7;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to cd.am Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; 
content:"cd.am"; http_header; nocase; pcre:"/^Host\x3a\x20[^\r\n]+\.cd\.am(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016595; rev:6;)
# (above: tail of sid 2016595 -- the cheap "cd.am" header content gates the
#  anchored Host-header pcre, which requires the name to END in .cd.am, with an
#  optional :port, so "cd.am.example.com" does not match)
#
# sid 2016598: Java UA fetching /jmx.jar. The negated header content excludes
# one host name -- presumably a legitimate site that ships a jmx.jar; if your
# environment has other legitimate sources, extend the exclusion rather than
# disabling the rule.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss - Java Exploit - jmx.jar"; flow:established,to_server; content:"/jmx.jar"; http_uri; content:"Java/1."; http_user_agent; content:!"hermesjms.com"; http_header; classtype:trojan-activity; sid:2016598; rev:5;)
#
# --- Sykipot C2 domains, matched as raw UDP/53 DNS queries --------------------
# Every rule below is one template with only the QNAME and sid changed:
#   content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
#     The 10 header bytes after the 2-byte transaction ID: flags 0x0100
#     (standard query, recursion desired), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0.
#     So only client queries match, never responses.
#   content:"|LL|label|03|tld|00|"; nocase;
#     The QNAME in wire format (length-prefixed labels, NUL terminated). The
#     leading length byte and trailing 00 make this an exact-domain match, not a
#     substring match; nocase is correct since DNS names are case-insensitive.
# NOTE(review): labels of 15+ bytes use "fast_pattern; distance:0;" while the
#   shorter ones use "fast_pattern:only;" -- presumably an engine constraint on
#   the era's MPM; confirm before normalising the two forms.
# NOTE(review): "-> any 53" catches queries to any resolver, including internal
#   ones, so the alert source is the querying host; the querying host, not the
#   resolver, is the one to triage.
# NOTE(review): these are 2013 indicators with action "drop". Domains this old
#   may have expired, been sinkholed or re-registered by unrelated parties;
#   re-validate against current intel before enforcing in blocking mode.
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain peocity.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|peocity|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016600; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain rusview.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|rusview|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016601; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain skyruss.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|skyruss|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016602; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain commanal.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|commanal|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016603; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain natareport.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|natareport|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016604; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain photogellrey.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|photogellrey|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016605; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain photogalaxyzone.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|photogalaxyzone|03|com|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016606; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain insdet.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|insdet|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016607; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain creditrept.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|creditrept|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016608; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain pollingvoter.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|pollingvoter|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016609; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain dfasonline.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|dfasonline|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016610; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain hudsoninst.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|hudsoninst|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016611; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain wsurveymaster.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|wsurveymaster|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016612; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain nhrasurvey.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|nhrasurvey|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016613; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain pdi2012.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|pdi2012|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016614; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain nceba.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|nceba|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016615; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain linkedin-blog.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|linkedin-blog|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016616; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain aafbonus.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|aafbonus|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016617; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain milstars.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|milstars|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016618; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain vatdex.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|vatdex|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016619; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain insightpublicaffairs.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|14|insightpublicaffairs|03|org|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016620; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain applesea.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|applesea|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016621; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain appledmg.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|appledmg|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016622; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain appleintouch.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|appleintouch|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016623; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain seyuieyahooapis.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|seyuieyahooapis|03|com|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016624; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain appledns.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|appledns|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016625; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain emailserverctr.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|emailserverctr|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016626; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain dailynewsjustin.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|dailynewsjustin|03|com|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016627; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain hi-tecsolutions.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|hi-tecsolutions|03|org|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016628; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain slashdoc.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|slashdoc|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016629; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain photosmagnum.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|photosmagnum|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016630; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain resume4jobs.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|resume4jobs|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016631; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain searching-job.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|searching-job|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016632; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain servagency.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|servagency|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016633; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain gsasmartpay.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; 
offset:2; content:"|0b|gsasmartpay|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016634; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain tech-att.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|tech-att|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016635; rev:1;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Watering Hole applet name AppletHigh.jar"; flow:established,to_server; content:"/AppletHigh.jar"; http_uri; content:"Java/1."; http_user_agent; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; classtype:trojan-activity; sid:2016639; rev:4;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Watering Hole applet name AppletLow.jar"; flow:established,to_server; content:"/AppletLow.jar"; http_uri; content:"Java/1."; http_user_agent; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; classtype:trojan-activity; sid:2016640; rev:4;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible RedDotv2 applet with 32hex value Landing Page"; flow:established,from_server; file_data; content:").)+[\r\n\s]value[\r\n\s]*=[\r\n\s]*(?P[\x22\x27])[a-f0-9]{32}(?P=q1)/Rsi"; classtype:trojan-activity; sid:2016643; rev:5;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Postal Reciept EXE in Zip"; flow:from_server,established; file_data; content:"PK"; within:2; content:"Postal-Receipt.exe"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016654; rev:2;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Java obfuscated binary (3)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; 
content:"|20 3b|"; within:2; content:"|3d 24 00 00|"; within:512; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016655; rev:5;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Karagany encrypted binary (1)"; flow:established,to_client; file_data; content:"|81 f2 90 00 cf a8 00 00|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016663; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange applet with obfuscated URL April 01 2013"; flow:established,from_server; file_data; content:")).)+?[\r\n\s]value[\r\n\s]*?=[\r\n\s]*?[\x22\x27]?(\d{2,3})?(?P([^a-zA-Z0-9]{1,100}|[a-zA-Z0-9]{1,100}))\d{2,3}((?P=sep)\d{2,3}){20}/Rs"; classtype:trojan-activity; sid:2016705; rev:19;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS svchost.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/svchost.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/svchost\.exe$/Ui"; classtype:bad-unknown; sid:2016696; rev:13;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS winlogon.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/winlogon.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/winlogon\.exe$/Ui"; reference:md5,fd95cc0bb7d3ea5a0c86d45570df5228; reference:md5,09330c596a33689a610a1b183a651118; classtype:bad-unknown; sid:2016697; rev:13;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS services.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/services.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/services\.exe$/Ui"; reference:md5,145c06300d61b3a0ce2c944fe7cdcb96; classtype:bad-unknown; sid:2016698; rev:13;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS lsass.exe in URI"; flow:established,to_server; 
content:"GET"; http_method; urilen:<100; content:"/lsass.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/lsass\.exe$/Ui"; reference:md5,d929747212309559cb702dd062fb3e5d; classtype:bad-unknown; sid:2016699; rev:13;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS explorer.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/explorer.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/explorer\.exe$/Ui"; reference:md5,de1bc32ad135b14ad3a5cf72566a63ff; classtype:bad-unknown; sid:2016700; rev:13;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS smss.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/smss.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/smss\.exe$/Ui"; reference:md5,450dbe96d7f4108474071aca5826fc43; classtype:bad-unknown; sid:2016701; rev:12;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS csrss.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/csrss.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/csrss\.exe$/Ui"; reference:md5,21a069667a6dba38f06765e414e48824; classtype:bad-unknown; sid:2016702; rev:12;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS rundll32.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/rundll32.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/rundll32\.exe$/Ui"; reference:md5,ea3dec87f79ff97512c637a5c8868a7e; classtype:bad-unknown; sid:2016703; rev:12;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probable Sakura exploit kit landing page obfuscated applet tag Mar 28 2013"; flow:established,from_server; file_data; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss Recent Jar (3)"; flow:established,to_server; content:"/m1"; http_uri; nocase; content:".jar"; content:"Java/1."; http_user_agent; 
fast_pattern:only; pcre:"/\/m1[1-6]\.jar$/U"; classtype:trojan-activity; sid:2016708; rev:8;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss Recent Jar (4)"; flow:established,to_server; content:"/cmm.jar"; http_uri; content:"Java/1."; http_user_agent; fast_pattern:only; classtype:trojan-activity; sid:2016709; rev:8;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Targeted Tibetan Android Malware C2 Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|android|06|uyghur|04|dnsd|02|me|00|"; nocase; fast_pattern; distance:0; reference:url,citizenlab.org/2013/04/permission-to-spy-an-analysis-of-android-malware-targeting-tibetans/; classtype:trojan-activity; sid:2016711; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS W32/BaneChant.APT Winword.pkg Redirect"; flow:established,to_client; content:"301"; http_stat_code; content:"Moved Permanently"; http_stat_msg; content:"/update/winword.pkg"; http_header; pcre:"/Location\x3A[^\r\n]*\x2Fupdate\x2Fwinword\x2Epkg/H"; reference:url,www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html; classtype:trojan-activity; sid:2016713; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS BHEK q.php iframe inbound"; flow:established,to_client; file_data; content:"/q.php"; fast_pattern:only; content:"[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/q\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016716; rev:5;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS BHEK ff.php iframe inbound"; flow:established,to_client; file_data; content:"/ff.php"; fast_pattern:only; content:"[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/ff\.php(?P=q1)/Rs"; 
reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016717; rev:4;) drop http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BHEK q.php iframe outbound"; flow:established,to_client; file_data; content:"/q.php"; fast_pattern:only; content:"[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/q\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016718; rev:4;) drop http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BHEK ff.php iframe outbound"; flow:established,to_client; file_data; content:"/ff.php"; fast_pattern:only; content:"[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/ff\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016719; rev:4;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sakura Jar Download"; flow:established,to_client; content:"Content-Type|3a| application/x-java-archive|0d 0a|"; http_header; fast_pattern:22,20; pcre:"/Last-Modified\x3a Mon, (?!(?:0[29]|16|23|30))\d{2} Jul 2001/H"; classtype:trojan-activity; sid:2016721; rev:4;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 32-hex/ff.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:40; content:"/ff.php"; http_uri; offset:33; pcre:"/^\/[0-9a-f]{32}\/ff\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016722; rev:4;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 32-hex/ff.php Jar Download"; flow:established,to_server; content:"/ff.php"; offset:33; depth:7; http_uri; pcre:"/^\/[0-9a-f]{32}\/ff\.php/U"; content:"Java/1."; http_user_agent; 
flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016723; rev:7;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 16-hex/ff.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:24; content:"/ff.php"; offset:17; depth:7; http_uri; pcre:"/^\/[0-9a-f]{16}\/ff\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016724; rev:6;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 16-hex/ff.php Jar Download"; flow:established,to_server; content:"/ff.php"; offset:17; depth:7; http_uri; pcre:"/^\/[0-9a-f]{16}\/ff\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016725; rev:8;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Potential Fiesta Flash Exploit"; flow:established,to_server; content:"/?"; http_uri; content:"|3b|"; distance:60; within:7; http_uri; pcre:"/\/\?[0-9a-f]{60,66}\x3b(?:1(?:0[0-3]|1\d)|90)\d{1,3}\x3b\d{1,3}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016726; rev:6;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Reversed Applet Observed in Sakura/Blackhole Landing"; flow:established,from_server; file_data; content:"eulav "; nocase; fast_pattern:only; content:"eman "; nocase; content:"marap<"; nocase; within:500; content:"telppa"; within:500; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016729; rev:11;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura encrypted binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|74 3d c0 19|"; within:4; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016733; rev:4;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit applet + obfuscated URL Apr 7 2013"; flow:established,from_server; file_data; content:"applet"; fast_pattern; 
content:"8ss&299"; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016734; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS GonDadEK Java Exploit Requested"; flow:established,to_server; content:"/wmck.jpg"; nocase; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016735; rev:5;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS GonDadEK Java Exploit Requested"; flow:established,to_server; content:"/ckwm.jpg"; nocase; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016736; rev:5;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS GonDadEK Kit Jar"; flow:to_client,established; file_data; content:"ckwm"; pcre:"/^(ckwm)*?(Exp|cc)\.class/R"; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016737; rev:11;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS W32/Citadel Infection or Config URL Request"; flow:established,to_server; content:"/file.php|7C|file="; http_uri; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:trojan-activity; sid:2016738; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit/Sakura/CritX/SafePack/FlashPack applet + obfuscated URL Apr 10 2013"; flow:established,from_server; file_data; content:")).)+?(?i:value)[\r\n\s]*=[\r\n\s]*\x5c?[\x22\x27](?!http\x3a\/\/)(?P[^\x22\x27])(?P(?!(?P=h))[^\x22\x27])(?P=t)[^\x22\x27]{2}(?P(?!((?P=h)|(?P=t)))[^\x22\x27])(?P=slash)[^\x22\x27]+(?P=slash)/Rs"; classtype:trojan-activity; sid:2016751; rev:10;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Neutrino EK Plugin-Detect April 12 2013"; flow:established,from_server; file_data; content:"PluginDetect"; fast_pattern:only; nocase; 
content:"$(document).ready"; content:"function"; distance:0; pcre:"/\x28[\r\n\s]*?(?P[\x22\x27]?)[a-f0-9]{24}(?P=qa1)[\r\n\s]*?,[\r\n\s]*?(?P[\x22\x27]?)[a-z0-9]{1,20}(?P=qa2)[\r\n\s]*?/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016756; rev:6;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino EK Posting Plugin-Detect Data April 12 2013"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/c"; http_uri; depth:2; pcre:"/^\/c[a-z0-9]+$/U"; content:"XMLHttpRequest"; nocase; http_header; fast_pattern:only; content:"p"; depth:1; http_client_body; pcre:"/^p[a-z0-9]{0,20}\x3d[a-z0-9]{1,20}&i[a-z0-9]{0,20}\x3d%[0-9A-F]{2}/P"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016753; rev:10;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (9)"; flow:to_server,established; content:"/closest/"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/^\/closest\/(([a-z]{1,16}[-_]){1,4}[a-z]{1,16}|[a-z0-9]{20,}+)\.php/U"; classtype:trojan-activity; sid:2016755; rev:6;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO PDF Payload Download"; flow:established,to_server; content:"User-Agent|3a 20|http|3a|//"; http_header; fast_pattern:only; pcre:"/^GET (?P(\/[A-Za-z0-9]+)?\/\d+\/\d+)\sHTTP\/1\.1\r\nUser-Agent\x3a\x20http\x3a\/\/(?P[^\r\n]+)(?P=uri)\r\nHost\x3a\x20(?P=host)\r\n(\r\n)?$/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016764; rev:15;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake DHL Kuluoz.B URI"; flow:established,to_server; content:".php?get"; http_uri; fast_pattern:only; pcre:"/\.php\?get[^=]*=\d_\d{5,}$/U"; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2016779; rev:4;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura obfuscated javascript Apr 21 2013"; flow:established,from_server; 
file_data; content:"OD&|3a|x9T6"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016781; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta - Payload - flashplayer11"; flow:established,to_client; content:"flashplayer11_"; http_header; file_data; content:"MZ"; within:2; classtype:trojan-activity; sid:2016784; rev:3;) drop http $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Java Exploit Recievied"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"javax/crypto/spec/SecretKeySpec"; distance:0; classtype:trojan-activity; sid:2016785; rev:3;) drop http $HOME_NET any -> $EXTERNAL_NET 81:90 (msg:"ET CURRENT_EVENTS Sakura - Payload Requested"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:".html"; http_uri; pcre:"/\/[0-9]{4}\.html$/Ui"; classtype:trojan-activity; sid:2016786; rev:5;) drop http $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Payload Downloaded"; flow:established,to_client; flowbits:isset,ET.http.javaclient; content:".txt|0d 0a|"; http_header; fast_pattern:only; pcre:"/filename=[a-z]{4}\.txt\x0D\x0A/H"; classtype:trojan-activity; sid:2016787; rev:3;) drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible Wordpress Super Cache Plugin PHP Injection mfunc"; flow:established,to_server; content:"POST"; http_method; content:"comment"; http_client_body; nocase; content:"mfunc"; fast_pattern; http_client_body; nocase; distance:0; pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?mfunc/Pi"; classtype:attempted-user; sid:2016788; rev:2;) drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible Wordpress Super Cache Plugin PHP Injection mclude"; flow:established,to_server; content:"POST"; http_method; content:"comment"; http_client_body; nocase; content:"mclude"; fast_pattern; http_client_body; nocase; distance:0; 
pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?mclude/Pi"; classtype:attempted-user; sid:2016789; rev:2;) drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible Wordpress Super Cache Plugin PHP Injection dynamic-cached-content"; flow:established,to_server; content:"POST"; http_method; content:"comment"; http_client_body; nocase; content:"dynamic-cached-content"; fast_pattern; http_client_body; nocase; distance:0; pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?dynamic-cached-content/Pi"; classtype:attempted-user; sid:2016790; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Landing Page - Received"; flow:established,to_client; file_data; content:"value"; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?[\x22\x27]((?P%[A-Fa-f0-9]{2})|(?P[a-zA-Z0-9]))((?P=hex){10}|(?P=ascii){10})/R"; content:"var PluginDetect"; distance:0; classtype:trojan-activity; sid:2016791; rev:6;) drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible Linux/Cdorked.A Incoming Command"; flow:established,to_server; content:"SECID="; http_cookie; pcre:"/\?[0-9a-f]{6}$/U"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:attempted-user; sid:2016794; rev:7;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64"; flow:established,to_client; file_data; content:"X19hcHBsZXRfc3N2X3ZhbGlkYXRl"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2016796; rev:5;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass"; flow:established,to_client; file_data; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java JNLP Requested"; flow:established,to_server; 
flowbits:isset,ET.http.javaclient; urilen:71; content:".jnlp"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}\.jnlp$/Ui"; classtype:trojan-activity; sid:2016798; rev:3;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Flash Exploit Requested"; flow:established,to_server; urilen:70; content:".swf"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}\.swf$/Ui"; classtype:trojan-activity; sid:2016799; rev:3;) #alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear landing with obfuscated plugindetect Apr 29 2013"; flow:established,from_server; file_data; content:"visibility|3a|hidden"; pcre:"/(?P\d{2})(?P(?!(?P=e))\d{2})(?P=e)\d{2}(?P=t)\d{6}(?P=e)\d{12}(?P(?!((?P=e)|(?P=t)))\d{2})\d{2}(?P(?!((?P=e)|(?P=t)|(?P=q)))\d{2})\d{2}(?P=dot)\d{2}(?P=q)/R"; classtype:trojan-activity; sid:2016801; rev:9;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_MM - Java Exploit - jreg.jar"; flow:established,to_server; content:"/jreg.jar"; http_uri; fast_pattern:only; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016804; rev:4;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK UAC Disable in Uncompressed JAR"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"UACDisableNotify"; fast_pattern:only; classtype:trojan-activity; sid:2016805; rev:3;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Eval With Base64.decode seen in DOL Watering Hole Attack 05/01/13"; flow:established,from_server; content:"Base64.decode"; nocase; fast_pattern:only; content:"eval("; nocase; pcre:"/^[\r\n\s]*?Base64\.decode[\r\n\s]*?\x28[\r\n\s]*?[\x22\x27]/Ri"; content:!"|22|J0RVREFPTkUn|22|"; content:!"|22|J01PQklMRSc|3D 22|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016807; rev:6;) drop tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET 
CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (1)"; flow:established,from_server; content:"|55 04 03|"; content:"*.tor2web."; nocase; distance:2; within:10; reference:url,uscyberlabs.com/blog/2013/04/30/tor-exploit-pak/; classtype:trojan-activity; sid:2016806; rev:5;) drop tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (2)"; flow:established,from_server; content:"|55 04 03|"; content:"*.onion."; nocase; distance:2; within:8; pcre:"/^(?:sh|lu|to)/Rsi"; reference:url,uscyberlabs.com/blog/2013/04/30/tor-exploit-pak/; classtype:trojan-activity; sid:2016810; rev:5;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS - Possible Redkit 1-4 char JNLP request "; flow:established,to_server; urilen:<11; content:".jnlp"; nocase; http_uri; fast_pattern:only; pcre:"/^\/[a-z0-9]{1,4}\.jnlp$/U"; classtype:trojan-activity; sid:2016811; rev:6;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS - Possible BlackHole request with decryption Base "; flow:established,to_server; content:"&jopa="; nocase; http_uri; fast_pattern:only; pcre:"/&jopa=\d+$/U"; classtype:trojan-activity; sid:2016813; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 2"; flow:established,to_client; file_data; content:"9fYXBwbGV0X3Nzdl92YWxpZGF0"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2016817; rev:4;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 3"; flow:established,to_client; file_data; content:"fX2FwcGxldF9zc3ZfdmFsaWRhdGVk"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2016818; rev:4;) drop http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown EK Requsting Payload"; flow:established,to_server; content:"/FlashPlayer.cpl"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016828; rev:5;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Injection - var j=0"; flow:established,to_client; file_data; content:"00|3a|00|3a|00|3b| path=/|22 3b|var j=0|3b| while(j"; classtype:trojan-activity; sid:2016830; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2013-2423 IVKM PoC Seen in Unknown EK"; flow:to_client,established; content:"Union1.class"; content:"Union2.class"; fast_pattern; content:"SystemClass.class"; content:"PoC.class"; flowbits:isset,ET.http.javaclient; reference:url,weblog.ikvm.net/CommentView.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0; classtype:trojan-activity; sid:2016831; rev:3;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS HellSpawn EK Requesting Jar"; flow:established,to_server; content:"/j21.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016832; rev:7;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS IE HTML+TIME ANIMATECOLOR with eval as seen in unknown EK"; flow:established,from_server; file_data; content:"urn|3a|schemas-microsoft-com|3a|time"; nocase; content:"#default#time2"; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlimKit hex.zip Java Downloading Jar"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".zip"; http_uri; pcre:"/\/[a-f0-9]+\.zip$/U"; classtype:trojan-activity; sid:2016839; rev:6;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing"; flow:established,from_server; file_data; content:"jnlp_embedded"; nocase; fast_pattern:only; content:""; content:"[\x22\x27])[a-f0-9]{9,16}\.(jar|zip)(?P=q)/R"; classtype:trojan-activity; sid:2016840; rev:5;) drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET 
CURRENT_EVENTS BlackHole Java Exploit Artifact"; flow:established,to_server; content:"/hw.class"; http_uri; content:"Java/1."; http_user_agent; reference:url,vanheusden.com/httping/; classtype:policy-violation; sid:2016848; rev:12;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Winwebsec/Zbot/Luder Checkin Response"; flow:established,from_server; file_data; content:"ingdx.htmA{ip}"; nocase; classtype:trojan-activity; sid:2016851; rev:3;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura obfuscated javascript May 10 2013"; flow:established,from_server; file_data; content:"qV7/|3b|pF"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016852; rev:3;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino EK Posting Plugin-Detect Data May 15 2013"; flow:established,to_server; content:"POST"; nocase; http_method; pcre:"/^\/[a-z][a-z0-9]+$/U"; content:"XMLHttpRequest"; nocase; http_header; fast_pattern:only; pcre:"/^Referer\x3a[^\r\n]+[?&][a-z]+=\d+\r$/Hmi"; content:"=%25"; http_client_body; pcre:"/=%25[0-9A-F]{2}%25[0-9A-F]{2}/P"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016853; rev:15;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing Page May 16 2013"; flow:established,from_server; file_data; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_MM - Java Exploit - cee.jar"; flow:established,to_server; content:"/cee.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016859; rev:4;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Neutrino EK Plugin-Detect 2 May 20 2013"; flow:established,from_server; file_data; content:"encodeURIComponent(xor(JSON.stringify"; fast_pattern:8,20; content:"PluginDetect.getVersion"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016868; rev:14;) drop http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ET CURRENT_EVENTS FlimKit Post Exploit Payload Download"; flow:to_server,established; content:"POST"; http_method; urilen:17; pcre:"/^\/[a-f0-9]{16}$/U"; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; content:"HTTP/1.0|0d 0a|"; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\r\nContent-Length\x3a\s0\r\nConnection\x3a\sclose\r\n(\r\n)?$/H"; classtype:trojan-activity; sid:2016869; rev:3;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown EK Requesting Payload"; flow:established,to_server; content:".php?ex="; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:trojan-activity; sid:2016896; rev:4;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Malicious Redirect URL"; flow:established,to_server; content:"/8gcf744Waxolp752.php"; http_uri; classtype:trojan-activity; sid:2016919; rev:8;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Java Class 1 May 24 2013"; flow:to_client,established; file_data; content:"gonagExp.class"; fast_pattern:only; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016923; rev:14;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Java Class 2 May 24 2013"; flow:to_client,established; file_data; content:"20130422.class"; fast_pattern:only; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016924; rev:11;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Landing Page 1 May 24 2013"; flow:to_client,established; file_data; content:"AppletObject.code"; nocase; content:"Gond"; nocase; distance:0; pcre:"/^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class/Ri"; 
reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016925; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Landing Page 2 May 24 2013"; flow:to_client,established; file_data; content:"1337.exe"; nocase; fast_pattern:only; content:").)+?[\x22\x27]1337\.exe/Ri"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016926; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HellSpawn EK Landing 1 May 24 2013"; flow:to_client,established; file_data; content:"function weCameFromHell("; nocase; fast_pattern:4,20; content:"spawAnyone("; nocase; distance:0; classtype:trojan-activity; sid:2016927; rev:11;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HellSpawn EK Landing 2 May 24 2013"; flow:to_client,established; file_data; content:"FlashPlayer.cpl"; nocase; fast_pattern:only; content:"window.location"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?(?P[_a-zA-Z][a-zA-Z0-9_-]+)\([\r\n\s]*?[\x22\x27](?!http\x3a\/\/)(?P[^\x22\x27])(?P(?!(?P=h))[^\x22\x27])(?P=t)[^\x22\x27]{2}(?P(?!((?P=h)|(?P=t)))[^\x22\x27])(?P=slash)[^\x22\x27]*?[\x22\x27][\r\n\s]*?,[\r\n\s]*?[\x22\x27][^\x22\x27]+[\x22\x27][\r\n\s]*?\)\+(?P=func)/Rsi"; classtype:trojan-activity; sid:2016928; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible HellSpawn EK Fake Flash May 24 2013"; flow:to_server,established; content:"/FlashPlayer.cpl"; http_uri; nocase; fast_pattern:only; pcre:"/\/FlashPlayer\.cpl$/U"; classtype:trojan-activity; sid:2016929; rev:11;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible HellSpawn EK Java Artifact May 24 2013"; flow:to_server,established; content:"/PoC.class"; http_uri; nocase; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016930; rev:4;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackHole EK JNLP 
request"; flow:established,to_server; content:".php?jnlp="; http_uri; nocase; fast_pattern:only; pcre:"/\.php\?jnlp=[a-f0-9]{10}(,|$)/Ui"; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016931; rev:7;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to Afraid.org Top 100 Dynamic DNS Domain May 28 2013"; flow:to_server,established; content:"Java/1."; http_user_agent; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:s(?:tr(?:eetdirectory\.co\.id|angled\.net)|(?:at(?:dv\.net|-dv)|vlen)\.ru(?:pacetechnology\.ne|oon\.i)t|hop\.tm|uka\.se)|c(?:(?:hickenkiller|rabdance)\.com|o(?:ntinent\.kz|alnet\.ru)|sproject\.org|c\.st|f\.gs)|m(?:i(?:ne(?:craftn(?:ation\.net|oob\.com)|\.bz)|l\.nf)|ooo\.(?:info|com)|adhacker\.biz)|t(?:h(?:emafia\.info|cgirls\.com)|wilightparadox\.com|ime4film\.ru|ruecsi\.org|28\.net)|a(?:(?:(?:vangardkennel|gropeople)\.r|buser\.e)u|ntongorbunov\.com|llowed\.org|x\.lt)|h(?:a(?:ck(?:quest\.com|ed\.jp)|ppyforever\.com)|ome(?:net\.or|\.k)g|-o-s-t\.name)|p(?:(?:rivatedns|sybnc|ort0|wnz)\.org|(?:hoto-frame|irat3)\.com|unked\.us)|i(?:n(?:fo\.(?:gf|tm)|c\.gs)|gnorelist\.com|iiii\.info|z\.rs)|b(?:i(?:gbox\.info|z\.tm)|yte4byte\.com|ot\.nu|rb\.dj)|d(?:earabba\.org|-n-s\.name|alnet\.ca|ynet\.com)|(?:w(?:ith-linux|hynotad)|3dxtras|ohbah)\.com|u(?:n(?:do\.it|i\.cx)|k\.(?:is|to)|s\.to)|v(?:(?:erymad\.ne|r\.l)t|ietnam\.ro)|r(?:o(?:ot\.sx|\.lt)|-o-o-t\.net)|n(?:eon\.org|ow\.im|a\.tl|x\.tc)|j(?:umpingcrab\.com|avafaq\.nu)|f(?:(?:art|ram)ed\.net|tp\.sh)|(?:k(?:ir22\.r|\.v)|69\.m)u|l(?:inux[dx]\.org|eet\.la)|e(?:vils\.in|z\.lv)|(?:24-7\.r|qc\.t)o|(?:55|gw)\.lt|1337\.cx)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016933; rev:5;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Landing Page - Received May 29 2013"; flow:established,to_client; file_data; content:"
]*?>((?P%[A-Fa-f0-9]{2})|(?P[a-zA-Z0-9]))((?P=hex){9,20}|(?P=ascii){9,20})%3C/R"; content:"{version:|22|0.8.0|22|"; distance:0; nocase; classtype:trojan-activity; sid:2016942; rev:6;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sakura - Payload Requested"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:".pkg"; http_uri; nocase; pcre:"/\/\d+\.pkg$/Ui"; classtype:trojan-activity; sid:2016943; rev:8;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura encrypted binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|58 23 3a d4|"; within:4; classtype:trojan-activity; sid:2016945; rev:8;) #alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Probable Nuclear exploit kit landing page"; flow:established,to_server; content:".html"; http_uri; content:"GET"; http_method; pcre:"/^\/[0-9a-f]{32}\.html$/U"; content:"Referer|3a|"; http_header; classtype:bad-unknown; sid:2016952; rev:8;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack Reporting Plugin Detect Data June 03 2013"; flow:established,to_server; content:"/gate.php?ver="; http_uri; nocase; fast_pattern:only; pcre:"/&p=\d+\.\d+\.\d+\.\d+&j=\d+\.\d+\.\d+\.\d+&f=\d+\.\d+\.\d+\.\d+$/U"; classtype:trojan-activity; sid:2016964; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Metasploit Based Unknown EK Jar Download June 03 2013"; flow:established,to_server; content:"/j_"; http_uri; pcre:"/\/j_[a-z0-9]+_(?:0422|1723|3544|5076)\.jar$/U"; content:"Java/1."; http_user_agent; fast_pattern:only; classtype:trojan-activity; sid:2016965; rev:7;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura obfuscated javascript Jun 1 2013"; flow:established,from_server; file_data; content:"a5chZev!"; distance:0; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016966; rev:7;) drop http 
$EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Karagany encrypted binary (3)"; flow:established,to_client; file_data; content:"|f2 fd 90 00 bc a7 00 00|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016970; rev:4;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 32-hex/a.php Landing Page/Java exploit URI"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{32}\/a\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016971; rev:5;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 32-hex/a.php Jar Download"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{32}\/a\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016972; rev:8;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 16-hex/a.php Landing Page/Java exploit URI"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{16}\/a\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016973; rev:7;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 16-hex/a.php Jar Download"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{16}\/a\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016974; rev:9;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Neutrino EK Landing URI Format"; flow:established,to_server; content:"GET"; http_method; content:"/a"; depth:2; http_uri; pcre:"/^\/a[a-z]{4,13}\?(hash=[a-f0-9]{32}&)?q[a-z]{4,11}=\d{6,7}$/U"; classtype:trojan-activity; sid:2016975; rev:3;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoolEK Payload Download (9)"; flow:established,to_server; content:".txt?f="; fast_pattern:only; content:!"Referer|3a| "; 
http_header; pcre:"/\.txt\?f=\d+$/U"; classtype:trojan-activity; sid:2016976; rev:9;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackHole EK Initial Gate from Linked-In Mailing Campaign"; flow:established,to_server; content:"/linkendorse.html"; http_uri; classtype:trojan-activity; sid:2016984; rev:2;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft Office PNG overflow attempt invalid tEXt chunk length"; flow:established,to_client; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"IHDR"; distance:0; content:"tEXt"; distance:13; byte_test:4,>,2147483647,-8,relative; reference:cve,2013-1331; reference:url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx; classtype:attempted-user; sid:2017005; rev:6;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Kuluoz.B Shipping Label Spam Campaign"; flow:established,to_server; content:".php?"; http_uri; content:"_info="; distance:1; within:6; http_uri; pcre:"/\.php\?[a-z]_info=[a-z0-9]{1,4}_\d+?$/Ui"; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2017002; rev:6;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Kuluoz.B Spam Campaign Shipment_Label.exe in Zip"; flow:from_server,established; content:"Shipment_Label.zip"; nocase; fast_pattern:only; http_header; file_data; content:"PK"; within:2; content:".exe"; distance:0; classtype:trojan-activity; sid:2017003; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Glazunov EK Downloading Jar"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".zip"; http_uri; pcre:"/\/\d+\/\d\.zip$/U"; classtype:trojan-activity; sid:2017011; rev:7;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible 2012-1533 altjvm (jvm.dll) Requested Over WeBDAV"; flow:established,to_server; content:"/jvm.dll"; http_uri; fast_pattern:only; pcre:"/\/jvm\.dll$/U"; 
reference:cve,2012-1533; classtype:trojan-activity; sid:2017012; rev:4;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible 2012-1533 altjvm RCE via JNLP command injection"; flow:established,from_server; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing (Payload Downloaded Via Dropbox)"; flow:established,from_server; file_data; content:"jnlp_embedded"; nocase; content:"6u27.jar"; content:"6u41.jar"; fast_pattern:only; classtype:trojan-activity; sid:2017014; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown EK Jar 1 June 12 2013"; flow:established,to_server; content:"/6u27.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2017016; rev:7;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown EK Jar 2 June 12 2013"; flow:established,to_server; content:"/6u41.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2017017; rev:6;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown EK Jar 3 June 12 2013"; flow:established,to_server; content:"/7u17.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2017018; rev:6;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Dotka Chef EK .cache request"; flow:established,to_server; content:"Java/1"; http_user_agent; content:"/.cache/?f|3d|"; fast_pattern:only; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017019; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Dotka Chef EK exploit/payload URI request"; flow:to_server,established; content:"?f="; http_uri; content:"&k="; http_uri; pcre:"/&k=\d{16}(&|$)/U"; content:"Java/1"; http_user_agent; classtype:trojan-activity; sid:2017020; rev:10;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack URI Format June 17 2013 1"; 
flow:established,to_server; content:".php?"; http_uri; content:"3a313"; http_uri; fast_pattern:only; pcre:"/=(3[0-9a]|2e)+3a313[3-9](3[0-9]){8}$/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:trojan-activity; sid:2017022; rev:3;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack URI Format June 17 2013 2"; flow:established,to_server; content:".php?hash=I3QxW"; http_uri; fast_pattern:only; pcre:"/\.php\?hash=I3QxW[A-Za-z0-9\+\/]+={0,2}$/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:trojan-activity; sid:2017023; rev:5;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack URI Format June 17 2013 3"; flow:established,to_server; content:".php?hash="; http_uri; fast_pattern:only; pcre:"/\/(?:java(?:byte|db)|o(?:utput|ther)|r(?:hino|otat)|msie\d|load)\.php\?hash=/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:trojan-activity; sid:2017024; rev:4;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS MALVERTISING Unknown_InIFRAME - RedTDS URI Structure"; flow:established,to_server; content:"/red"; depth:7; http_uri; content:".php"; distance:2; within:6; http_uri; pcre:"/^\/[0-9]{1,2}\/red[0-9]{1,4}\.php[0-9]{0,1}$/Ui"; classtype:trojan-activity; sid:2017028; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_InIFRAME - URI Structure"; flow:established,to_server; content:"/iniframe/"; depth:10; http_uri; content:"/"; distance:32; within:1; http_uri; content:"/"; distance:1; within:5; http_uri; content:"/"; distance:32; within:1; http_uri; classtype:trojan-activity; sid:2017029; rev:5;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_InIFRAME - Redirect to /iniframe/ URI"; flow:established,to_client; content:"302"; http_stat_code; content:"/iniframe/"; http_header; 
classtype:trojan-activity; sid:2017030; rev:2;)
# Same /iniframe/ 32-char / 1-5 char / 32-char shape as 2017029, looked for in the request headers (Referer) instead
# of the URI.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_InIFRAME - In Referer"; flow:established,to_server; content:"/iniframe/"; http_header; content:"/"; distance:32; within:1; http_header; content:"/"; distance:1; within:5; http_header; content:"/"; distance:32; within:1; http_header; classtype:trojan-activity; sid:2017031; rev:3;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS MALVERTISING Flash - URI - /loading?vkn="; flow:established,to_server; content:"/loading?vkn="; http_uri; classtype:trojan-activity; sid:2017032; rev:2;)
# Redirect script that carries its target as a comma-separated numeric array (array form of an obfuscated string).
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious Redirect June 18 2013"; flow:established,to_client; file_data; content:",53,154,170,170,164,76,63,63,"; classtype:trojan-activity; sid:2017035; rev:3;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NailedPack EK Landing June 18 2013"; flow:established,to_client; file_data; content:"report_and_get_exploits(_0x"; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:2017034; rev:2;)
# CVE-2013-1571 (Javadoc): Referer whose path ends in "/", optionally index.htm(l) or toc.htm(l), followed by "?//".
# The 3-byte "?//" fast pattern is weak on its own; the pcre carries the selectivity.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Javadoc API Redirect CVE-2013-1571"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?//"; http_header; fast_pattern:only; pcre:"/^Referer\x3a\x20[^\r\n]+\/((index|toc)\.html?)?\?\/\//Hmi"; reference:cve,2013-1571; classtype:bad-unknown; sid:2017037; rev:2;)
# RedKit / X20 payload fetches by a Java client; X20 matches " Java/1." anywhere in the headers rather than the UA buffer.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Jar Download June 20 2013"; flow:established,to_server; content:"/contacts.asp"; http_uri; content:"Java/1."; http_user_agent; fast_pattern:only; classtype:trojan-activity; sid:2017038; rev:4;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS X20 EK Payload Download"; flow:established,to_server; content:"/download.asp?p=1"; http_uri; content:" Java/1."; http_header; fast_pattern:only;
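classtype:trojan-activity; sid:2017039; rev:3;)
# Rawin EK landing: ?v=1.x.y.z is the visitor's Java version (optionally preceded by b= and 6 hex chars). The 1.6 branch
# of the pcre was written "6.0\." with an unescaped dot, matching "6" + any byte + "0"; it is now "6\.0\." like the
# 1.4/1.5 branches. rev bumped for the change.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Landing URI Struct"; flow:established,to_server; content:".php?"; http_uri; content:"v=1."; http_uri; fast_pattern; content:"."; http_uri; distance:1; within:1; pcre:"/\.php\?(b=[a-fA-F0-9]{6}&)?v=1\.(?:(?:4\.[0-2]\.[0-3]|5\.0\.[0-2]|6\.0\.[0-4])\d?|[7-8]\.0\.\d{1,2})$/U"; classtype:trojan-activity; sid:2017040; rev:3;)
# Rawin JAR fetches keyed on the Java client version. 2017043 and 2017044 share a msg and differ only in the JAR name.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.7.x"; flow:established,to_server; content:"/frozen.jar"; http_uri; fast_pattern:only; content:"Java/1.7"; http_user_agent; classtype:trojan-activity; sid:2017041; rev:4;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.6 (Old)"; flow:established,to_server; content:"/arina.jar"; http_uri; fast_pattern:only; content:"Java/1.6"; http_user_agent; classtype:trojan-activity; sid:2017042; rev:4;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.6 (New)"; flow:established,to_server; content:"/sigwer.jar"; http_uri; fast_pattern:only; content:"Java/1.6"; http_user_agent; classtype:trojan-activity; sid:2017043; rev:4;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.6 (New)"; flow:established,to_server; content:"/dubstep.jar"; http_uri; fast_pattern:only; content:"Java/1.6"; http_user_agent; classtype:trojan-activity; sid:2017044; rev:4;)
# AryaN IRC bot: PRIVMSG at the start of a client payload under 256 bytes; 0x03 is the IRC colour control code.
drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot CnC1"; flow:established,to_server; dsize:<256; content:"PRIVMSG "; depth:8; content:"|20 3a 03|10OK|3a 03 20|"; within:30; classtype:trojan-activity; sid:2017055; rev:1;)
drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot CnC2"; flow:established,to_server; dsize:<256; content:"PRIVMSG "; depth:8; content:" |3a|[AryaN]|3a| "; within:30; content: "download";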
nocase; classtype:trojan-activity; sid:2017056; rev:1;)
# AryaN bot status strings echoed to the channel after the download/flood/botkill commands.
drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot Download and Execute Scheduled file command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Download and Execute Scheduled [File|3a|"; classtype:trojan-activity; sid:2017057; rev:1;)
drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot Flood command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Flood|3a| Started [Type|3a|"; classtype:trojan-activity; sid:2017058; rev:1;)
drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot Botkill command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Botkill|3a| Cycled once"; classtype:trojan-activity; sid:2017059; rev:1;)
# NOTE(review): extraction damage. The content of sid 2017064 starts with the tail of what was a pcre (").)+?&#...");
# the applet-tag content and the head of that pcre were stripped. As printed it parses as a literal content that will
# never match real traffic. Restore from upstream rather than from this text.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool/BHEK/Goon Applet with Alpha-Numeric Encoded HTML entity"; flow:established,from_server; file_data; content:").)+?&#(?:0*?(?:1(?:[0-1]\d|2[0-2])|[78][0-9]|9[07-9]|4[8-9]|5[0-7]|6[5-9])|x0*?(?:[46][1-9A-F]|[57][0-9A]|3[0-9]))(\x3b|&#)/Rsi"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017064; rev:18;)
# Pony Loader default panel path: GET ... /pony ... /gate.php.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Pony Loader default URI struct"; flow:to_server,established; content:"GET"; http_method; content:"/pony"; http_uri; fast_pattern:only; content:"/gate.php"; http_uri; nocase; classtype:trojan-activity; sid:2017065; rev:4;)
# Neutrino: the /?wps=N (single digit) redirector, then the /clicker.php TDS hop.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Neutrino Exploit Kit Redirector To Landing Page"; flow:established,to_server; content:"/?wps="; http_uri; fast_pattern:only; pcre:"/^\x2F\x3Fwps\x3D[0-9]$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/06/knockin-on-neutrino-exploit-kits-door.html; classtype:trojan-activity; sid:2017068; rev:2;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Neutrino Exploit Kit Clicker.php TDS";
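flow:established,to_server; content:"/clicker.php"; http_uri; fast_pattern:only; pcre:"/^\x2Fclicker\x2Ephp$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/06/knockin-on-neutrino-exploit-kits-door.html; classtype:trojan-activity; sid:2017069; rev:2;)
# Disabled (#alert): "xor(decodeURIComponent(" alone is a weak landing-page indicator.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Neutrino Exploit Kit XOR decodeURIComponent"; flow:established,to_client; file_data; content:"xor(decodeURIComponent("; distance:0; classtype:trojan-activity; sid:2017071; rev:3;)
# jjencode'd applet tag: the pcre captures the 1-10 char jjencode variable and requires every later token to reuse it via
# (?P=var). The group was printed as "(?P.{1,10})" with its name lost in extraction; (?P=var) fixes the only name it can
# have, so it is restored as (?P<var>...) and the rev bumped.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Applet tag in jjencode as (as seen in Dotka Chef EK)"; flow:established,from_server; file_data; content:",$$$$|3a|(![]+|22 22|)"; fast_pattern:only; content:"<|22|+"; pcre:"/^(?P<var>.{1,10})\.\$\_\$\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\$\$\_\+(?P=var)\.\_\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\$\$\_\+(?P=var)\.\_\_\_\+\(\!\[\]\+\x22\x22\)\[(?P=var)\.\_\$\_\]\+(?P=var)\.\$\$\$\_\+(?P=var)\.\_\_\+/R"; classtype:trojan-activity; sid:2017070; rev:3;)
# NOTE(review): extraction damage. sid 2020975 carries the msg/date of a June 2013 rule but a 2015-series sid, and its
# first content is empty (content:""): the text between that content and the msg of a later rule was lost, probably
# swallowing one or more rules. An empty content does not load. Restore from upstream; nothing is reconstructed here.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool Exploit Kit iframe with obfuscated Java version check Jun 26 2013"; flow:established,from_server; file_data; content:""; within:500; content:!"|0d|"; within:500; pcre:"/^\s*[^>]*?[a-zA-Z]+\s*?=\s*?[\x22\x27](?=[a-z]{0,20}[A-Z])(?=[A-Z]{0,20}[a-z])[A-Za-z]{15,21}[\x22\x27][^>]*?>(?=[A-Za-z_]{0,200}[0-9])(?=[0-9a-z_]{0,200}[A-Z])(?=[0-9A-Z_]{0,200}[a-z])[A-Za-z0-9_]{200}/R"; classtype:trojan-activity; sid:2020975; rev:4;)
# Fiesta EK landing: a two-argument function whose body feeds its second argument to String.fromCharCode. Extraction
# dropped both group names: the second is fixed by the later (?P=a2) backreference and is restored; the first is never
# referenced, so it is made non-capturing rather than given an invented name. rev bumped.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Landing Apr 23 2015"; flow:established,from_server; file_data; content:"=window|3b|"; fast_pattern:only; content:"String.fromCharCode"; content:"|28 2f|Win64|3b 2f|i,"; nocase; content:"function"; pcre:"/^\s*?[^\x28\s]*?\x28\s*?(?:[^\s,\x29]+)\s*?,\s*?(?P<a2>[^\s,\x29]+)\s*?\x29\{[^\r\n]*?[\+=]String.fromCharCode\((?P=a2)\)[^\r\n]*?\}/Rs"; classtype:trojan-activity; sid:2020979; rev:4;)
# Fiesta IE exploit: VML behaviour style block. "some" (the VML namespace prefix) is a poor 4-byte fast pattern; the
# long "|5c 3a|*{display..." content would be a cheaper prefilter. Left unchanged here.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK IE Exploit Apr 23 2015"; flow:established,from_server; file_data; content:"some"; fast_pattern:only; content:"<style>"; content:"|5c 3a|*{display|3a|inline-block|3b|behavior|3a|url(#default#VML)|3b|}</style>"; distance:3; within:65; classtype:trojan-activity; sid:2020980; rev:3;)
# Fiesta exploit downloads: Content-Disposition filename of 5-8 lowercase letters + 2-3 digits, then the file magic
# ("WS" at offset 1-3 for CWS/FWS/ZWS, "PK" for a JAR, AppManifest.xaml for a XAP, "PDF-" for a PDF).
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Flash Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".swf"; http_header; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.swf\r\n/Hm"; file_data; content:"WS"; within:3; classtype:trojan-activity; sid:2020981; rev:3;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK SilverLight Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".xap"; http_header; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.xap\r\n/Hm"; file_data; content:"AppManifest.xaml"; fast_pattern:only; classtype:trojan-activity; sid:2020982; rev:3;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Java Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".jar"; http_header; fast_pattern:only; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.jar\r\n/Hm"; file_data; content:"PK"; within:2; classtype:trojan-activity; sid:2020983; rev:3;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK PDF Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".pdf"; http_header; fast_pattern:only; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{7,8}\d{2,3}\.pdf\r\n/Hm"; file_data; content:"PDF-"; within:500;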
classtype:trojan-activity; sid:2020984; rev:2;)
# Sundown secondary landing: the constant 2147023083 plus VBScript-looking identifiers (BlackList, lenBadFiles, ...).
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown EK Secondary Landing Apr 20 2015"; flow:established,from_server; file_data; content:"2147023083"; content:"BlackList"; nocase; content:"lenBadFiles"; nocase; fast_pattern:only; content:"ProgFilePath"; nocase; content:"lenProgFiles"; nocase; classtype:trojan-activity; sid:2020985; rev:2;)
# Dridex downloader TLS: inside a handshake record (0x16) / Certificate message (0x0b), a fixed 9-byte serial, then the
# DER OID for organizationName (55 04 0a) = "Global Security" and for commonName (55 04 03) = "example.com".
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dridex Downloader SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 be ef 3b e8 9f 06 3c 8d|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0f|Global Security"; distance:1; within:16; content:"|55 04 03|"; distance:0; content:"|0b|example.com"; distance:1; within:12; classtype:trojan-activity; sid:2020986; rev:1;)
# Windows shortcut (LNK header size 0x0000004C in the first 4 bytes) whose UTF-16LE target runs cmd.exe / PowerShell
# with DownloadFile.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download file with Powershell via LNK file (observed in Sundown EK)"; flow:established,from_server; file_data; content:"|4c 00 00 00|"; within:4; content:"c|00|m|00|d|00|.|00|e|00|x|00|e"; nocase; content:"P|00|o|00|w|00|e|00|r|00|S|00|h|00|e|00|l|00|l"; nocase; content:"D|00|o|00|w|00|n|00|l|00|o|00|a|00|d|00|F|00|i|00|l|00|e"; nocase; classtype:trojan-activity; sid:2020987; rev:2;)
# Sundown T1 URIs: /street1.php .. /street5.php landing, /XV-digits.exe payload.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Sundown EK URI Struct T1 Apr 24 2015"; flow:established,to_server; content:"/street"; http_uri; fast_pattern:only; pcre:"/\/street[1-5]\.php$/U"; classtype:trojan-activity; sid:2020988; rev:2;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Sundown EK Payload Struct T1 Apr 24 2015"; flow:established,to_server; content:".exe"; http_uri; content:"/XV-"; fast_pattern:only; pcre:"/\/XV-\d+\.exe$/U"; classtype:trojan-activity; sid:2020989; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown EK Secondary Landing T1
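M2 Apr 24 2015"; flow:established,from_server; file_data; content:"System.Net.WebClient"; nocase; content:"Powershell"; nocase; content:"DownloadFile"; nocase; content:"|3b|d=unescape(m)|3b|document.write(d)|3b|"; classtype:trojan-activity; sid:2020990; rev:2;)
# Sundown T2 payload names. The pcre had an unescaped dot before "exe" (matching e.g. /Flash2Xexe); it is now "\.exe"
# to agree with the ".exe" content prefilter. rev bumped.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Sundown EK Payload Struct T2 M1 Apr 24 2015"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; pcre:"/\/(?:Flash[23]?|Ink|New|One|HQ)\.exe$/U"; classtype:trojan-activity; sid:2020991; rev:3;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Sundown EK Payload Struct T2 M2 Apr 24 2015"; flow:established,to_server; content:"/BrowserUpdate.lnk"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2020992; rev:2;)
# Stage marker only: sets ET.IonCube silently (flowbits:noalert) for 2020994 below. NOTE(review): it is still a drop
# rule; whether drop is applied when no alert is generated depends on the Suricata version -- confirm on the target.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS IonCube Encoded Page (no alert)"; flow:established,from_server; file_data; content:"javascript>c=|22|"; content:"|3b|eval(unescape("; flowbits:noalert; flowbits:set,ET.IonCube; classtype:trojan-activity; sid:2020993; rev:2;)
# Flash fetch of a 4-5 char mixed letter/digit name after an IonCube page on the same flow.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Sundown EK Flash Exploit Struct T2 Apr 24 2015"; flow:established,to_server; flowbits:isset,ET.IonCube; content:"/"; http_uri; content:".swf"; http_uri; distance:4; within:4; pcre:"/\/(?=[A-Za-z]{0,3}\d)(?=\d{0,3}[A-Za-z])[A-Za-z0-9]{4,5}\.swf$/U"; content:".php"; http_header; classtype:trojan-activity; sid:2020994; rev:3;)
# CottonCastle/Niteris landing: /word/word/N/32-hex-chars(+8)/ followed by a literal space and "http:/" in the URI.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing URI Struct April 29 2015 M1"; flow:established,to_server; content:"GET"; http_method; content:"/|20|http|3a|/"; http_uri; fast_pattern:only; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[a-f0-9]{32}(?:[a-f0-9]{8})?\/\x20http\x3a\x2f/U"; classtype:trojan-activity; sid:2021033; rev:3;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing URI Struct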
April 29 2015 M2"; flow:established,to_server; content:"GET"; http_method; content:"/5/"; http_uri; fast_pattern; content:"http|3a|/"; distance:0; http_uri; pcre:"/\/5\/[a-f0-9]{32}\/\x20*http\x3a\x2f/U"; classtype:trojan-activity; sid:2021034; rev:2;)
# CottonCastle Java exploit URI: only the "Java/" user agent is a prefilter, so every Java client request is pcre-checked.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Java Exploit URI Struct April 29 2015"; flow:established,to_server; content:"Java/"; http_user_agent; fast_pattern:only; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?(?:\.[a-z]+)?$/U"; classtype:trojan-activity; sid:2021035; rev:3;)
# /5/UPPER/32-hex, optionally followed by an extension, a four-part dotted version or a number.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK URI Struct April 29 2015"; flow:established,to_server; content:"/5/"; http_uri; fast_pattern:only; pcre:"/\/5\/[A-Z]{3,}\/[a-f0-9]{32}(?:\.[^\x2f]+|\/[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\/?|\/\d+\/?)?$/U"; classtype:trojan-activity; sid:2021036; rev:4;)
# Payload fetch: same URI shape, and the Referer must carry the /N/UPPER/32-hex path of the earlier stage.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Payload April 29 2015"; flow:established,to_server; content:"/5/"; http_uri; fast_pattern:only; pcre:"/^\/[a-z]+\/[a-z]+\/5\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?$/U"; content:"Referer|3a 20|"; http_header; pcre:"/^[^\r\n]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\r?/RH"; classtype:trojan-activity; sid:2021037; rev:3;)
# POST beacon: form body "number=" + 19 urlencoded tokens where tokens 3 and 17 match and tokens 10 and 13 match.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK POST Beacon April 29 2015"; flow:established,to_server; content:"POST"; http_method; content:"0/"; http_uri; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; fast_pattern:21,20; content:"%"; http_client_body; pcre:"/^\/[a-z]+\/[a-z]+\//U"; pcre:"/^-?\d+=(?:[a-zA-Z0-9]|%[A-F0-9]{2}){2}(?P<var1>(?:[a-zA-Z0-9]|%[A-F0-9]{2}))(?:[a-zA-Z0-9]|%[A-F0-9]{2}){6}(?P<var2>(?:[a-zA-Z0-9]|%[A-F0-9]{2}))(?:[a-zA-Z0-9]|%[A-F0-9]{2}){2}(?P=var2)(?:[a-zA-Z0-9]|%[A-F0-9]{2}){4}(?P=var1)/P";
classtype:trojan-activity; sid:2021038; rev:4;)
# Landing page: "lortnoCgA.lortnoCgA" is "AgControl.AgControl" reversed, undone at runtime with reverse().
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing April 29 2015"; flow:established,from_server; file_data; content:"lortnoCgA.lortnoCgA"; content:"reverse"; classtype:trojan-activity; sid:2021039; rev:2;)
# Exploit request sets the flowbit checked by the three response rules below. The flowbit name is misspelled
# ("CottonCasle") but identically in every setter and checker; it is left alone because renaming must be done in all of
# them at once.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Exploit Struct April 30 2015"; flow:established,to_server; content:"GET"; http_method; pcre:"/\/\d\/[A-Z]+\/[a-f0-9]{32}\/[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\/?$/U"; content:"/%20http%3A"; http_header; fast_pattern:only; flowbits:set,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021042; rev:5;)
# Flash responses: shockwave content type and ZWS (LZMA) or CWS (zlib) magic; Silverlight: AppManifest.xaml in the XAP.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK SWF Exploit April 30 2015"; flow:established,from_server; content:"Content-Type|3a| application/x-shockwave-flash|0d 0a|"; http_header; fast_pattern:25,20; file_data; content:"ZWS"; within:3; flowbits:isset,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021043; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK SWF Exploit April 30 2015"; flow:established,from_server; content:"Content-Type|3a| application/x-shockwave-flash|0d 0a|"; http_header; fast_pattern:25,20; file_data; content:"CWS"; within:3; flowbits:isset,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021044; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK SilverLight Exploit April 30 2015"; flow:established,from_server; file_data; content:"AppManifest.xaml"; fast_pattern:only; flowbits:isset,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021045; rev:2;)
# Landing page profiling the OS via userAgent: "CM: u.indexOf('NT 5.1') > -1" / "PS: u.indexOf('NT 6.') > -1".
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing Page May 01 2015"; flow:from_server,established; file_data; content:"CM|3a 20|u.indexOf(|27|NT 5.1|27|) > -1"; content:"PS|3a 20|u.indexOf(|27|NT
6.|27|) > -1"; classtype:trojan-activity; sid:2021046; rev:2;)
# FlashVars carrying a base64 shell command: "sh=Y21kIC9jIGVjaG8g" decodes to "cmd /c echo " and
# "sh=cG93ZXJzaGVsbC5leGUg" to "powershell.exe ".
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Secondary Landing Page May 01 2015 M1"; flow:from_server,established; file_data; content:"FlashVars"; content:"sh=Y21kIC9jIGVjaG8g"; classtype:trojan-activity; sid:2021047; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Secondary Landing Page May 01 2015 M2"; flow:from_server,established; file_data; content:"FlashVars"; content:"sh=cG93ZXJzaGVsbC5leGUg"; classtype:trojan-activity; sid:2021048; rev:2;)
# Magnitude shellcode strings: "urlmon.dll", NUL, then "http://a.b.c.d/?hex|http:/" (a dotted-quad URL, a hex token and
# a second URL separated by "|").
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK Flash Payload ShellCode Apr 23 2015"; flow:established,from_server; file_data; content:"urlmon.dll|00|http|3a 2f|"; pcre:"/^\x2f+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x2f\??[a-f0-9]+\x7chttp\x3a\x2f/Rs"; classtype:trojan-activity; sid:2021054; rev:2;)
# Angler XTEA payload: 8 fixed bytes at a fixed offset (1728) from the start of the response body.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (23)"; flow:established,to_client; file_data; content:"|08 fe 4a ac c6 d6 06 8d|"; distance:1728; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2021059; rev:2;)
# CottonCastle payload: application/postscript with a no-store cache header and a filename of 10 letters + 3-letter ext.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Receiving Payload May 7 2015"; flow:established,from_server; content:"Content-Type|3a 20|application/postscript|0d 0a|"; http_header; fast_pattern:18,20; content:"Cache-Control|3a 20|no-cache,no-store,max-age=0,must-revalidate|0d 0a|"; http_header; content:"Content-Disposition|3a 20|inline|3b| filename="; http_header; pcre:"/^[a-z]{10}\.[a-z]{3}\r?$/RHm"; classtype:trojan-activity; sid:2021064; rev:3;)
# CryptoPHP credential leak: JSONP callback with "&data=" base64 starting "log?"; the M1/M2/M3 variants match "pwd="
# at the three possible base64 alignments.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible CryptoPHP Leaking Credentials May 8 2015 M1"; flow:established,to_server; content:"GET"; http_method; content:".js?callback="; http_uri; content:"&data=bG9nP"; distance:0; http_uri; fast_pattern;
content:"JnB3ZD"; distance:0; http_uri; content:"&_="; distance:0; http_uri; pcre:"/&_=\d+$/U"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021081; rev:2;)
# "Zwd2Q9" and "mcHdkP" are "pwd=" base64-encoded at the other two bit alignments of the same data= value.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible CryptoPHP Leaking Credentials May 8 2015 M2"; flow:established,to_server; content:"GET"; http_method; content:".js?callback="; http_uri; content:"&data=bG9nP"; distance:0; http_uri; fast_pattern; content:"Zwd2Q9"; distance:0; http_uri; content:"&_="; distance:0; http_uri; pcre:"/&_=\d+$/U"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021082; rev:2;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible CryptoPHP Leaking Credentials May 8 2015 M3"; flow:established,to_server; content:"GET"; http_method; content:".js?callback="; http_uri; content:"&data=bG9nP"; distance:0; http_uri; fast_pattern; content:"mcHdkP"; distance:0; http_uri; content:"&_="; distance:0; http_uri; pcre:"/&_=\d+$/U"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021083; rev:2;)
# WebRTC local-IP discovery snippet (the diafygi/webrtc-ips script) served from an EK; fires on the verbatim helper names,
# so any legitimate copy of that script will also match.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS WebRTC IP tracker Observed in DNSChanger EK May 12 2015"; flow:established,from_server; file_data; content:"function getIPs|28|callback|29|"; nocase; fast_pattern; content:"ip_dups"; nocase; content:"handleCandidate"; nocase; content:"RTCPeerConnection"; nocase; reference:url,github.com/diafygi/webrtc-ips; classtype:trojan-activity; sid:2021089; rev:2;)
# DNSChanger landing: hidden "myip" input plus the CryptoJSAesJson wrapper.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNSChanger EK Landing May 12 2015"; flow:established,from_server; file_data; content:"<input type=|22|hidden|22| id=|22|myip|22|>"; nocase; fast_pattern:11,20; content:"CryptoJSAesJson"; nocase; classtype:trojan-activity; sid:2021090; rev:3;)
drop http $EXTERNAL_NET any
-> $HOME_NET any (msg:"ET CURRENT_EVENTS Download file with BITS via LNK file (Likely Malicious)"; flow:established,from_server; file_data; content:"|4c 00 00 00|"; within:4; content:"|00|b|00|i|00|t|00|s|00|a|00|d|00|m|00|i|00|n|00|"; nocase; content:"|00|t|00|r|00|a|00|n|00|s|00|f|00|e|00|r|00|"; nocase; classtype:trojan-activity; sid:2021092; rev:2;)
# The Chr() chain above is "Microsoft.XMLHTTP" spelled out character by character (VBA macro hiding the ProgID).
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dridex Remote Macro Download"; flow:established,from_server; file_data; content:"(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80)"; nocase; classtype:trojan-activity; sid:2021093; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNSChanger EK Secondary Landing May 12 2015 M2"; flow:established,from_server; file_data; content:"&|22|+DetectRTC.isWebSocketsSupported+|22|&|22|+"; nocase; content:"CryptoJSAesJson"; nocase; classtype:trojan-activity; sid:2021110; rev:2;)
# Angler XTEA payloads (24)/(25): the same 8 bytes at body offset 40 and at offset 1424.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (24)"; flow:established,to_client; file_data; content:"|51 cb 7b fc 19 9b 77 fb|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2021126; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (25)"; flow:established,to_client; file_data; content:"|51 cb 7b fc 19 9b 77 fb|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2021127; rev:2;)
# Sundown landing M1: an HTML comment "SEED:" marker plus an obfuscated classid (pcre continues on the next line).
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown EK Landing May 21 2015 M1"; flow:from_server,established; file_data; content:"|3c 21 2d 2d 20 53 45 45 44 3a|"; nocase; fast_pattern:only; content:"classid"; nocase;
pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; classtype:trojan-activity; sid:2021136; rev:2;)
# Sundown landing M2: same classid pcre (each letter of "clsid:" may be an HTML entity, the value is not a plain GUID and
# contains backslash/percent/entity-escaped characters); the "^#~@" mar
# ker (5e 23 7e 40) is the trailer of a VBScript.Encode block. Sets SunDown.EK for later rules.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown EK Landing May 21 2015 M2"; flow:from_server,established; file_data; content:"|5e 23 7e 40|"; nocase; fast_pattern:only; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2021137; rev:3;)
# DNSChanger: raw-payload pcre (no buffer modifier) requiring the mixed-case token after /stat/load to equal the first
# label of the Host header.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DNSChanger EK Landing URI Struct May 22 2015"; flow:to_server,established; content:"/stat/load"; http_uri; fast_pattern:only; content:".php"; http_uri; pcre:"/^GET\s*?\/stat\/load(?=(?-i)[a-z0-9]*?[A-Z])(?=(?-i)[A-Z0-9]*?[a-z])(?P<hname>[a-z0-9]+)\.php\s.+?Host\x3a\x20(?P=hname)\./smi"; classtype:trojan-activity; sid:2021141; rev:2;)
# TLS certificate whose commonName (OID 55 04 03, 20-byte string) is formationtraffic.com.
drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Malicious Redirect SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|14|formationtraffic.com"; distance:1; within:21; classtype:trojan-activity; sid:2021146; rev:3;)
# Polyglot GIF: "GIF89a=" as the first bytes, then ";url=", "iframe" and ";tail=" in order.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil JS iframe Embedded In GIF"; flow:established,from_server; file_data; content:"GIF89a="; nocase; within:8; content:"|3b|url=";
nocase; distance:0; content:"iframe"; nocase; distance:0; content:"|3b|tail="; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2021156; rev:2;)
# Disabled (#alert): Angler exploit URI of 48 mixed-case alphanumerics + extension, with a Referer of separator-joined
# words and a 10-20 digit tail. Sets AnglerEK.Struct when enabled.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Angler EK Exploit URI Struct May 28 2015 M1"; flow:to_server,established; urilen:>51; content:"."; http_uri; offset:49; depth:1; content:!"/"; http_uri; offset:1; pcre:"/^\/(?=[a-z0-9_-]{0,47}?[A-Z][a-z0-9_-]{0,46}?[A-Z])(?=[A-Z0-9_-]{0,47}?[a-z][A-Z0-9_-]{0,46}?[a-z])(?=[A-Za-z_-]{0,47}?[0-9][A-Za-z_-]{0,46}?[0-9])[A-Za-z0-9_-]{48}\.[a-z]{2,25}\d?\??/U"; pcre:"/^Referer\x3a\x20http\x3a\x2f\x2f?[^\x2f]+\/[a-z]{3,20}((?P<sep>[_-]?)[a-z]{3,20}(?P=sep)(?:[a-z]{3,20}(?P=sep))?)?[a-z]{3,20}\/\d{10,20}(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,AnglerEK.Struct; classtype:trojan-activity; sid:2021157; rev:8;)
# VBScript.Encode block: "Script.Encode" followed within 8 bytes by an HTML comment opener and the "#@~" header.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS suspicious VBE-encoded script (seen in Sundown EK)"; flow:established,from_server; file_data; content:"Script.Encode"; content:"<!--"; within:8; content:"#@~"; within:5; flowbits:set,et.exploitkitlanding; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2021169; rev:3;)
# Tech-support scam pages: fixed scare strings plus the page's myFunction() handler.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 2 2015"; flow:established,from_server; file_data; content:"<title>WARNING|3a| INTERNET SECURITY ALERT"; nocase; fast_pattern; content:"function myFunction|28 29|"; nocase; distance:0; content:"Due to Suspicious Activity"; nocase; distance:0; classtype:trojan-activity; sid:2021177; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 4 2015 M1"; flow:established,to_client; file_data; content:"MICROSOFT WINDOWS SECURITY ALERT"; nocase; fast_pattern; content:"WARNING: VIRUS CHECK"; nocase; distance:0; classtype:trojan-activity; sid:2021181; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 4 2015
M2"; flow:established,to_client; file_data; content:"WARNING: VIRUS CHECK"; fast_pattern; nocase; content:"function myFunction|28 29|"; nocase; distance:0; content:"There is a .net frame work file missing due to some harmfull virus"; nocase; distance:0; classtype:trojan-activity; sid:2021182; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 4 2015 M3"; flow:established,to_client; file_data; content:"Advised System Support!"; fast_pattern; nocase; content:"Your Computer May Not Be Protected"; nocase; distance:0; content:"Possible network damages if virus not removed immediately"; nocase; distance:0; classtype:trojan-activity; sid:2021183; rev:2;)
# NOTE(review): in the next two rules fast_pattern:33,20 and fast_pattern:18,20 reach past the printed content
# (38 and 23 bytes). The offsets fit if the original content was wrapped in tags that this extraction stripped; as
# printed the rules will not load. Take the content from upstream rather than trimming the offsets.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 8 2015 M1"; flow:established,to_client; file_data; content:"INTERNET BROWSER PROCESS WARNING ERROR"; nocase; fast_pattern:33,20; content:"WINDOWS HEALTH IS CRITICAL"; nocase; distance:0; classtype:trojan-activity; sid:2021206; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 8 2015 M2"; flow:established,to_client; file_data; content:"Norton Firewall Warning"; fast_pattern:18,20; nocase; content:"function myFunction|28 29|"; nocase; distance:0; content:"Windows has blocked access to the Internet."; nocase; distance:0; classtype:trojan-activity; sid:2021207; rev:2;)
# The hex below is "t=utf8to16(xxtea_decrypt(base64decode(t)," -- the XXTEA/base64 decode chain of the landing page.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil JS used in Unknown EK Landing"; flow:established,from_server; file_data; content:"|74 3d 75 74 66 38 74 6f 31 36 28 78 78 74 65 61 5f 64 65 63 72 79 70 74 28 62 61 73 65 36 34 64 65 63 6f 64 65 28 74 29 2c|"; nocase; classtype:trojan-activity; sid:2021217; rev:2;)
# Same decode chain matched by its helper names (base64decode, xxtea_decrypt, long2str, str2long).
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil JS used in Unknown EK Landing"; flow:established,from_server; file_data; content:"base64decode"; nocase;
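content:"xxtea_decrypt"; nocase; fast_pattern:only; content:"long2str"; nocase; content:"str2long"; nocase; classtype:trojan-activity; sid:2021218; rev:3;)
# KaiXin secondary landing: /main.html referred from /index.html with the cck_lasttime cookie.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS KaiXin Secondary Landing Jun 09 2015"; flow:established,to_server; content:"/main.html"; http_uri; nocase; fast_pattern:only; content:"/index.html"; http_header; nocase; content:"cck_lasttime"; http_cookie; nocase; classtype:trojan-activity; sid:2021219; rev:4;)
# Angler landing URI: 3-4 words joined by one separator, /?key=digits, and a Referer host that differs from Host.
# Extraction dropped the names of both capture groups; (?P=sep) and (?P=refhost) fix what they must be, so they are
# restored as (?P<sep>...) and (?P<refhost>...). rev bumped.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Angler EK Landing URI Struct Jun 11"; flow:to_server,established; urilen:>22; content:"/?"; offset:12; depth:86; fast_pattern; pcre:"/^\/[a-z]{3,20}(?P<sep>[_-])[a-z]{3,20}(?P=sep)[a-z]{3,20}(?:(?P=sep)[a-z]{3,20}\/\?[a-z]{6,}=\d{15,20}|(?:(?P=sep)[a-z]{3,20})?\/\?[a-z]{6,}=\d{10,13})$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+).*?\r\nHost\x3a\x20(?!(?:(?P=refhost)|www\.))/Hsi"; flowbits:set,AnglerEK; classtype:trojan-activity; sid:2021248; rev:8;)
# NOTE(review): extraction damage. Both pcre options of sid 2022341 are printed as "/^\s*?/Rs" -- the tag patterns that
# followed were stripped, so as printed they match trivially and the rule degrades to the two document.write contents.
# Restore from upstream; nothing is reconstructed here.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK June 11 2015"; flow:established,from_server; content:"javascript"; http_header; content:"nginx"; nocase; http_header; file_data; pcre:"/^\s*?/Rs"; content:"document.write|28 28 22|"; pcre:"/^\s*?/Rs"; content:"document.write(iframe)|3b|"; isdataat:!2,relative; classtype:trojan-activity; sid:2022341; rev:2;)
# Stratum mining.authorize whose first param is the worker name hard-coded in the JAR backdoor.
drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoinMiner Malicious Authline Seen in JAR Backdoor"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3a 20 22|mining.authorize|22 2c|"; within:100; content:"|22|params|22|"; within:50; content:"|5b 22|CGX2U2oeocN3DTJhyPG2cPg7xpRRTzNZkz|22 2c 20 22|"; distance:0; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,blog.malwaremustdie.org/2016/01/mmd-0049-2016-case-of-java-trojan.html;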
classtype:trojan-activity; sid:2022349; rev:1;)
# NOTE(review): fast_pattern:3,20 reaches past the printed 16-byte "SECURITY WARNING"; the offsets fit a tag-wrapped
# original that this extraction stripped. As printed the rule will not load; take the content from upstream.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Jan 13 M1"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"SECURITY WARNING"; fast_pattern:3,20; content:"0x0000007E"; nocase; distance:0; content:"0xFFFFFFFFFC000000047"; nocase; distance:0; content:"Serious security threat"; nocase; distance:0; content:"msg.mp3"; nocase; classtype:trojan-activity; sid:2022364; rev:2;)
# Scam pages mimicking a bugcheck screen and a "Windows Certified Support" prompt, with an audio nag (msg.mp3/msg1.mp3).
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Jan 13 M2"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS"; content:"WINDOWS HEALTH IS CRITICAL"; fast_pattern:6,20; distance:0; content:"myFunction()|3b|"; classtype:trojan-activity; sid:2022365; rev:5;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Jan 13 M3"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"getURLParameter"; nocase; content:"PhoneNumber"; nocase; distance:0; content:"AlertMessage"; content:"Windows Certified Support"; fast_pattern:5,20; nocase; distance:0; content:"myFunction"; nocase; distance:0; content:"needToConfirm"; nocase; distance:0; content:"msg1.mp3"; nocase; distance:0; classtype:trojan-activity; sid:2022366; rev:2;)
# Disabled (#alert): DNS query (flags 0100, QDCOUNT 1) for a name containing "chrome-extension" -- the LostPass
# lookalike of the chrome-extension:// scheme; also legitimate lookups of such names would match.
#alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Chrome Extension Phishing DNS Request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"chrome-extension"; nocase; distance:0; fast_pattern; reference:url,www.seancassidy.me/lostpass.html; classtype:trojan-activity; sid:2022372; rev:2;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Chrome Extension Phishing
HTTP Request"; flow:to_server,established; content:"Host|3a| chrome-extension."; http_header; reference:url,www.seancassidy.me/lostpass.html; classtype:trojan-activity; sid:2022373; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Suspicious LastPass URI Structure - Possible Phishing"; flow:established,to_server; content:"GET"; http_method; content:"/tabDialog.html?dialog=login"; http_uri; fast_pattern:only; reference:url,www.seancassidy.me/lostpass.html; classtype:trojan-activity; sid:2022374; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Script Loaded from Pastebin"; flow:established,to_client; file_data; content:"pastebin.com/raw"; fast_pattern:only; content:"<script "; pcre:"/^(?:(?!<\/script>).)*?src\s*=\s*\x5c?[\x22\x27]https?\x3a\/\/(?:www\.)?pastebin\.com\/raw(?:\/|\.php\?i=)[A-Z-a-z0-9]{8}[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2022376; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Jan 26 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Critical Error"; nocase; content:"WINDOWS VIRUS"; nocase; content:".net framework file missing"; nocase; fast_pattern:7,20; content:"contact Microsoft Support"; nocase; distance:0; classtype:trojan-activity; sid:2022409; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Chrome Tech Support Scam Landing Jan 26 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function pop"; fast_pattern; nocase; content:"function progressUpdate"; nocase; content:"Operating System"; nocase; content:"Browser"; nocase; content:"Internet Provider"; nocase; content:"Location"; nocase; content:"Scan progress"; nocase; classtype:trojan-activity; sid:2022410; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jan 27 2016 (Evil Keitaro FB Set)"; flow:established,to_server; urilen:>5; content:"/?3b"; http_uri; depth:4; pcre:"/^\/\?3b[A-Z0-9a-z]{2}(&subid=[^&]*)?$/U"; flowbits:set,evil.Keitaro; flowbits:noalert; classtype:trojan-activity; sid:2022464; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK (Known Evil Keitaro TDS)"; flow:established,from_server; flowbits:isset,evil.Keitaro; content:"302"; http_stat_code; content:"LOCATION|3a 20|http"; http_header; content:"Expires|3a 20|Thu, 21 Jul 1977 07|3a|30|3a|00 GMT|0d 0a|"; http_header; fast_pattern:5,20; classtype:trojan-activity; sid:2022465; rev:3;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Keitaro TDS Redirect"; flow:established,from_server; content:"302"; http_stat_code; content:"LOCATION|3a 20|http"; http_header; nocase; content:"Content-Type|3a 20|text/html|3b 20|charset=utf-8|0d 0a|"; http_header; content:"Expires|3a 20|Thu, 21 Jul 1977 07|3a|30|3a|00 GMT|0d 0a|"; http_header; fast_pattern:5,20; pcre:"/Date\x3a\x20(?P<dstring>[^\r\n]+)\r\n.*?Last-Modified\x3a\x20(?P=dstring)\r\n/Hs"; content:"Cache-Control|3a 20|max-age=0|0d 0a|Pragma|3a 20|no-cache|0d 0a|"; classtype:bad-unknown; sid:2022466; rev:5;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Evil Redirect Leading to EK Feb 01 2016"; flow:established,from_server; file_data; content:"|7a 2d 69 6e 64 65 78 3a 2d 31 3b|"; content:"|6f 70 61 63 69 74 79 3a 30 3b 66 69 6c 74 65 72 3a 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 30 29 3b 20 2d 6d 6f 7a 2d 6f 70 61 63 69 74 79 3a 30 3b 22 3e|"; fast_pattern:32,20; distance:0; content:"|63 6c 73 69 64 3a 64 32 37 63 64 62 36 65 2d 61 65 36 64 2d 31 31 63 66 2d 39 36 62 38 2d 34 34 34 35 35 33 35 34 30 30 30 30|"; nocase; within:500; reference:url,malware-traffic-analysis.net/2016/01/26/index.html; classtype:trojan-activity; sid:2022479; rev:3;) 
# Compromised-WordPress injector: the hex content is the text `\"]].join(\"\"));"));/*` and the pcre then requires a 32-hex-digit marker inside that trailing /* ... */ comment.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Compromised WP Feb 01 2016"; flow:established,from_server; file_data; content:"|5c 22 5d 5d 2e 6a 6f 69 6e 28 5c 22 5c 22 29 3b 22 29 29 3b 2f 2a|"; fast_pattern:2,20; pcre:"/^\s*[a-f0-9]{32}\s*\x2a\x2f/R"; reference:url,blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html; classtype:trojan-activity; sid:2022481; rev:4;)
# RIG payload header: within:8 on the first content pins the 8-byte sequence to the very start of the response body.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG encrypted payload Feb 02 (1)"; flow:established,to_client; file_data; content:"|3b 2d dd 4b 40 77 77 41|"; within:8; classtype:trojan-activity; sid:2022484; rev:2;)
# Gophish campaigns: the landing page is fetched with ?rid=<64 hex> (2022486); 2022487 is a POST whose headers still carry that rid, i.e. the form on the landing page was submitted. The same tool is used for authorised awareness exercises - if one is running, hits from the exercise host are expected; whitelist that host rather than disabling the rule.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Phishing Landing via GetGoPhish Phishing Tool"; flow:to_server,established; content:"GET"; http_method; content:"?rid="; http_uri; fast_pattern; pcre:"/\?rid=[a-f0-9]{64}$/Ui"; reference:url,getgophish.com; classtype:trojan-activity; sid:2022486; rev:2;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Phishing Attempt via GetGoPhish Phishing Tool"; flow:to_server,established; content:"POST"; http_method; content:"?rid="; http_header; fast_pattern; pcre:"/\?rid=[a-f0-9]{64}\x0d\x0a/Hi"; reference:url,getgophish.com; classtype:trojan-activity; sid:2022487; rev:2;)
# Redirector URI shapes: "/?keyword=" followed by either a 32-char hex string containing both digits and letters or exactly 5 digits (2022493); the fixed 7-byte path "/QrQ8Gr" (2022496).
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 05 2016"; flow:established,to_server; content:"/?keyword="; http_uri; fast_pattern:only; pcre:"/\/\?keyword=(?:(?=[a-f]{0,31}[0-9])(?=[0-9]{0,31}[a-f])[a-f0-9]{32}|\d{5})$/U"; classtype:trojan-activity; sid:2022493; rev:2;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 07 2016"; flow:established,to_server; content:"/QrQ8Gr"; http_uri; urilen:7; classtype:trojan-activity; sid:2022496; rev:2;)
# Apple phish form posts: POST to a *.php?token; URI with the victim's account (M1), name/address (M2) or card fields (M3) at the start of the body. A hit is a completed credential/card submission from the source host, not just a page view - treat it as a confirmed compromise of whatever was typed in.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Phish Feb 6th M1"; flow:to_server,established; content:"POST"; http_method; content:".php?token|3b|"; fast_pattern; http_uri; content:"id="; depth:3; nocase; http_client_body; content:"&password="; nocase; http_client_body; distance:0; classtype:trojan-activity; sid:2022497; rev:2;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Phish Feb 6th M2"; flow:to_server,established; content:"POST"; http_method; content:".php?token|3b|"; fast_pattern; http_uri; content:"fName="; depth:6; nocase; http_client_body; content:"&lName="; nocase; http_client_body; distance:0; content:"&ZIPCode="; nocase; http_client_body; distance:0; classtype:trojan-activity; sid:2022498; rev:2;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Phish Feb 6th M3"; flow:to_server,established; content:"POST"; http_method; content:".php?token|3b|"; fast_pattern; http_uri; content:"ccNum="; depth:6; nocase; http_client_body; content:"&NameOnCard="; nocase; http_client_body; distance:0; content:"&CVV="; nocase; http_client_body; distance:0; classtype:trojan-activity; sid:2022499; rev:2;)
# Macro-downloader fetches. 2022500 (Xbagger): MSIE 7.0 User-Agent plus a Range header and a URI of <alnum>.jpg?<param with an upper-case letter>=<1-4 digits>. 2022503 (Dridex, continues on the next line): same User-Agent, no Referer or Cookie, a 15-50 byte URI with no query string made of two 7-8 char segments that each mix letters and digits.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Xbagger Macro Encrypted DL"; flow:established,to_server; content:".jpg?"; http_uri; fast_pattern:only; content:"MSIE 7.0|3b| Windows NT"; http_header; content:"Range"; http_header; pcre:"/^\/[a-z0-9]+\.jpg\?(?=[a-z0-9]*[A-Z]+[a-z0-9])[A-Za-z0-9]+=\d{1,4}$/U"; classtype:trojan-activity; sid:2022500; rev:5;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Dridex AlphaNum DL Feb 10 2016"; flow:established,to_server; urilen:15<>50; content:"MSIE 7.0|3b| Windows NT"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; content:!"="; http_uri; content:!"&"; http_uri; content:!"?"; http_uri; pcre:"/\/(?=[a-z]{0,7}[0-9])(?=[0-9]{0,7}[a-z])[a-z0-9]{7,8}\/(?=[a-z]{0,7}[0-9])(?=[0-9]{0,7}[a-z])[a-z0-9]{7,8}$/U"; content:!"Cookie|3a|"; classtype:trojan-activity; 
sid:2022503; rev:2;)
# "Hard drive delete" scam landings (Feb 16 M1-M4): M1 matches the kit's own JavaScript source comments rather than visible text; M2 the warning colours and countdown/updateTimer functions; M3 the title plus the a1.mp4 alert clip; M4 the main_alert() text.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Hard Drive Delete Scam Landing Feb 16 M1"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<!-- get the phone number"; nocase; fast_pattern:5,20; content:"//Flag we have not run the script"; nocase; distance:0; content:"//This is the scripting used to replace"; nocase; distance:0; content:"// alert the visitor with a message"; nocase; distance:0; content:"// Setup whatever you want for an exit"; nocase; distance:0; classtype:trojan-activity; sid:2022525; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Hard Drive Delete Scam Landing Feb 16 M2"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"background-color|3a| #FF1C1C|3b|"; fast_pattern:6,20; nocase; content:"color|3a| #FFFFFF|3b|"; nocase; distance:0; content:"function countdown"; nocase; distance:0; content:"function updateTimer"; nocase; distance:0; classtype:trojan-activity; sid:2022526; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Hard Drive Delete Scam Landing Feb 16 M3"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Error Hard Drive"; fast_pattern:3,20; nocase; content:"src=|22|a1.mp4|22|"; nocase; distance:0; content:"To STOP Deleting Hard Drive"; nocase; distance:0; classtype:trojan-activity; sid:2022527; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Hard Drive Delete Scam Landing Feb 16 M4"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function main_alert"; nocase; fast_pattern; content:"WARNING"; nocase; distance:0; content:"Your hard drive will be DELETED"; nocase; distance:0; content:"To Stop This Process"; nocase; distance:0; classtype:trojan-activity; sid:2022528; rev:2;)
# Feb 17 landing: keyed on the kit's randomised CSS keyframe/element names rather than any visible text.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Feb 17"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"keyframes poplzatvci"; fast_pattern; content:"#lzatvciovlwmiiqxbwxywuerkhtunrlvherk"; nocase; distance:0; classtype:trojan-activity; sid:2022530; rev:2;)
# Dridex loader request: GET <path>.exe?.<digits> from the MSIE 7.0 User-Agent with no Referer.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Dridex DL Pattern Feb 18 2016"; flow:established,to_server; content:"GET"; http_method; content:".exe?."; http_uri; fast_pattern:only; pcre:"/\.exe\?\.\d+$/U"; content:"MSIE 7.0|3b| Windows NT"; http_user_agent; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2022549; rev:3;)
# Generic macro EXE download (2022550, continues on the next line): fixed Accept (at header offset 0), Accept-Encoding and User-Agent values, no Referer or Cookie, then a large enumerated pcre of observed URI paths.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; nocase; fast_pattern:only; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http_header; content:"Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; 
pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|o(?:sts?\/[a-z0-9]+|ny[a-z]*)|rogcicicic|m\d{1,2})|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|vchost[^\x2f]*|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|in(?:voice(?:\/[^\x2f]+|[^\x2f]*)|st\d+|fos?)|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|[\x2f\s]order|keem)\.exe$)/Ui"; content:!".bloomberg.com|0d 0a|"; http_header; nocase; content:!".bitdefender.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2022550; rev:15;)
# 2022550 (above) is an enumeration of observed loader paths; rev:15 shows how often it is re-tuned, and the negated .bloomberg.com / .bitdefender.com header contents are host exclusions, presumably added after false positives. The `[a-z]` and `\d+` alternatives (a single letter or bare digits before .exe) are the broadest branches and the most likely to need local tuning.
# Redirector JS (Feb 23): the hex contents decode to `){return Math.round(((((` (required twice), `=function(){return` followed by a bare number, and `]=String.fromCharCode`.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Feb 23 2016"; flow:established,from_server; file_data; content:"|29 7b 72 65 74 75 72 6e 20 4d 61 74 68 2e 72 6f 75 6e 64 28 28 28 28 28|"; content:"|29 7b 72 65 74 75 72 6e 20 4d 61 74 68 2e 72 6f 75 6e 64 28 28 28 28 28|"; distance:0; content:"|3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e|"; pcre:"/^\s+\d+\x3b\s*\}/R"; content:"|5d 3d 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f 64 65|"; fast_pattern; classtype:trojan-activity; sid:2022565; rev:2;)
# NOTE(review): in the pcre of 2022566 (below, continues on the next line) the first lookahead's class `[a-z0-9)` has no closing `]`, so the class runs on to the `]` of `(?=[a-z0-9]` and absorbs the characters `)(?=[`. The expression still compiles, with the intended second lookahead folded into the first; in practice the consuming part `[a-z0-9]{5,15}\.exe` still governs the match, so the effect is small, but the regex does not say what it means. Verify against upstream before editing and bump rev if fixed.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro EXE DL AlphaNumL"; flow:established,to_server; urilen:10<>40; content:".exe"; fast_pattern; http_uri; offset:5; pcre:"/\/(?=[0-9]*?[a-z]*?[a-z0-9)(?=[a-z0-9]*[0-9][a-z]*[0-9][a-z0-9]*\.exe)(?!setup\d+\.exe)[a-z0-9]{5,15}\.exe/U"; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http_header; content:"Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; http_header; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_user_agent; depth:45; content:!"Referer|3a|"; http_header; content:!".bloomberg.com|0d 0a|"; http_header; nocase; content:!"leg1.state.va.us"; http_header; nocase; classtype:trojan-activity; sid:2022566; rev:5;)
# Redirector JS using char-code arrays (Feb 25): the two hex contents are the ASCII text `61,91,34,114,118,58,49,49,34,44,34,77,83,73,69,34,44,93,59` and `99,104,97,114,67,111,100,101,65,116`, which decode to `=["rv:11","MSIE",];` (a User-Agent check) and `charCodeAt`.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Feb 25 2016"; flow:established,from_server; file_data; content:"|36 31 2c 39 31 2c 33 34 2c 31 31 34 2c 31 31 38 2c 35 38 2c 34 39 2c 34 39 2c 33 34 2c 34 34 2c 33 34 2c 37 37 2c 38 33 2c 37 33 2c 36 39 2c 33 34 2c 34 34 2c 39 33 2c 35 39|"; content:"|39 39 2c 31 30 34 2c 39 37 2c 31 31 34 2c 36 37 2c 31 31 31 2c 31 30 30 2c 31 30 31 2c 36 35 2c 31 31 36|"; classtype:trojan-activity; sid:2022567; rev:2;)
# Shipped disabled (leading #): <alnum>.html fetched from a Rackspace Cloud Files host (<20 hex>-<32 hex>.rNN.cfN.rackcdn.com). Useful as an alert for hunting; the host pattern is shared with legitimate content.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Landing Feb 26"; flow:to_server,established; content:"GET"; http_method; content:".html"; http_uri; content:"rackcdn.com|0d 0a|"; http_header; fast_pattern; pcre:"/^\/[a-zA-Z0-9]+\.html$/U"; pcre:"/\x0d\x0aHost\x3a\x20[a-f0-9]{20}-[a-f0-9]{32}\.r[0-9]{1,2}\.cf[0-9]\.rackcdn\.com\x0d\x0a/H"; classtype:trojan-activity; sid:2022574; rev:3;)
# Long-domain tech-support scam DNS lookups (this and the later "Long Domain" sids share the shape): bytes 2-11 of the query are flags 0x0100, QDCOUNT 1 and zero AN/NS/AR counts; the keyword (helpdesk, errorcode, ...) is the fast_pattern; the relative pcre then wants 100+ more bytes of name (letters, digits or label-length bytes 2-80) ending in the null terminator, QTYPE A, QCLASS IN.
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain M1 Feb 29"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"helpdesk"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022575; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain M2 Feb 29"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"errorcode"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; 
sid:2022576; rev:1;)
# Percent-encoded phishing page (Mar 1): the contents are URL-encoded JavaScript - `unescape=function`, `replace(new RegExp("%26", "g"), "&");`, `replace(new RegExp("%3B", "g"), ";");`, `document.write` and `replace('<!--?--><?','<!--?-->'));` - i.e. the page decodes itself at load time.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phishing Landing Obfuscation Mar 1"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"%75%6E%65%73%63%61%70%65%3D%66%75%6E%63%74%69%6F%6E"; fast_pattern:31,20; content:"%72%65%70%6C%61%63%65%28%6E%65%77%20%52%65%67%45%78%70%28%22%25%32%36%22%2C%20%22%67%22%29%2C%20%22%26%22%29%3B"; distance:0; content:"%72%65%70%6C%61%63%65%28%6E%65%77%20%52%65%67%45%78%70%28%22%25%33%42%22%2C%20%22%67%22%29%2C%20%22%3B%22%29%3B"; distance:0; content:"%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65"; distance:0; content:"%72%65%70%6C%61%63%65%28%27%3C%21%2D%2D%3F%2D%2D%3E%3C%3F%27%2C%27%3C%21%2D%2D%3F%2D%2D%3E%27%29%29%3B"; distance:0; reference:url,proofpoint.com/us/threat-insight/post/Obfuscation-Techniques-In-Phishing-Attacks; classtype:trojan-activity; sid:2022578; rev:2;)
# MySQL post-authentication abuse: bytes 3-4 of the packet are sequence-id 0 followed by command 0x03 (COM_QUERY), so each hit is a query on a session that already authenticated. 1 = GRANT ... TO root@% WITH (wildcard-host root grant), 2 = SET GLOBAL log_bin_trust_function_creators=1, 3 = SELECT unhex(...) INTO DUMPFILE '...' (writing a binary blob to disk) - the sequence in the referenced ISC diary. On a hit treat the credentials used as compromised and check the server's plugin directory for newly written files.
drop tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET CURRENT_EVENTS MySQL Malicious Scanning 1"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"GRANT ALTER, ALTER ROUTINE"; distance:0; nocase; within:30; content:"TO root@% WITH"; fast_pattern:only; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022579; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET CURRENT_EVENTS MySQL Malicious Scanning 2"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"set global log_bin_trust_function_creators=1"; fast_pattern:only; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022580; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET CURRENT_EVENTS MySQL Malicious Scanning 3"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"select unhex("; fast_pattern; distance:0; content:"into dumpfile|20 27|"; distance:0; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022581; rev:1;)
# Long-domain scam DNS queries (standard-query header at bytes 2-11, keyword as fast_pattern, then 100+ bytes of name ending in type A class IN); keywords errorfound / unattendedfile / internetsituation.
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Domain M1 Mar 3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"errorfound"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022591; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Domain M2 Mar 3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"unattendedfile"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022592; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Domain M3 Mar 3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"internetsituation"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022593; rev:1;)
# Inline data:text/html;base64 script in a phishing page. NOTE(review): the leading class `[^\x22|\x27]` in the pcre also excludes a literal `|` (the pipe sits inside the brackets, it is not an alternation) - harmless, but probably not what was meant.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Phishing Landing - Data URI Inline Javascript Mar 7"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"data|3a|text/html|3b|"; fast_pattern; content:"|3b|base64,"; distance:0; within:21; pcre:"/^[^\x22|\x27]+<\s*?script(?:(?!<\s*?\/\s*?script).)+?data\x3atext\/html\x3b(?:charset=UTF-8\x3b)?base64\x2c/si"; reference:url,proofpoint.com/us/threat-insight/post/Obfuscation-Techniques-In-Phishing-Attacks; classtype:trojan-activity; sid:2022597; rev:2;)
# Fake Microsoft support page (continues on the next line): <title>Microsoft, a myFunction() whose body opens with setInterval(function, and an alert2.mp3 clip.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Fake Support Phone Scam Mar 7"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Microsoft"; nocase; content:"function 
myFunction()"; pcre:"/^\s*?\{\s*?setInterval\s*?\(\s*?function/Rsi"; content:"alert2.mp3"; fast_pattern; nocase; distance:0; classtype:trojan-activity; sid:2022602; rev:2;)
# Generic support-scam page (Mar 8): load/click/keydown/unload handlers all wired to myFunction(), an <audio ... autoplay='autoplay'> element and "TOLL FREE" text.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Fake Support Phone Scam Mar 8"; flow:established,from_server; file_data; content:"onload=|22|myFunction|28 29 3b 22|"; fast_pattern; nocase; content:"onclick=|22|myFunction|28 29 3b 22|"; nocase; content:"onkeydown=|22|myFunction|28 29 3b 22|"; nocase; content:"onunload=|22|myFunction|28 29 3b 22|"; nocase; content:"<audio"; nocase; pcre:"/^[^\r\n]+autoplay=[\x22\x27]autoplay/Rsi"; content:"TOLL FREE"; nocase; classtype:trojan-activity; sid:2022603; rev:2;)
# Enom registrar phish: a POST with "enom" somewhere in the headers and an ASP.NET form body (ctl00_ScriptManager at body offset 0) carrying user=, pass and Login=Login. A hit means registrar credentials were submitted from the source host - rotate them and check the affected domains' NS/MX records for changes.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Enom Phish Mar 8"; flow:to_server,established; content:"POST"; http_method; content:"enom"; http_header; nocase; content:"ctl00_ScriptManager"; depth:19; nocase; fast_pattern; http_client_body; content:"user="; nocase; http_client_body; distance:0; content:"pass"; nocase; distance:0; http_client_body; content:"Login=Login"; nocase; distance:0; http_client_body; reference:url,welivesecurity.com/2016/03/07/beware-spear-phishers-hijack-website/; classtype:trojan-activity; sid:2022604; rev:3;)
# Support-scam page variants (Mar 9): M1 keys on a Callpixels `.Campaign({campaign_key` call-tracking snippet plus the autoplay audio and "TOLL FREE"; M2 on the kit's JavaScript source comments; M3 on the fake-cursor animation (<title>ALERT, makeNewPosition/animateDiv, div.fakeCursor, <audio autoplay).
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Fake Support Phone Scam Mar 9 M1"; flow:established,from_server; file_data; content:"Callpixels"; fast_pattern; nocase; pcre:"/^\s*?\.\s*?Campaign\s*?\(\s*?\{\s*?campaign_key/Rsi"; content:"<audio"; nocase; pcre:"/^[^\r\n]+autoplay=[\x22\x27]autoplay/Rsi"; content:"TOLL FREE"; nocase; classtype:trojan-activity; sid:2022605; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Fake Support Phone Scam Mar 9 M2"; flow:established,from_server; file_data; content:"//Flag we have not"; fast_pattern; nocase; content:"//The location of the page that we will load on a second pop"; nocase; distance:0; content:"//figure out what to use for default number"; nocase; distance:0; content:"//allow for the traffic source to send in their own default number"; nocase; distance:0; content:"//if no unformatted number just use it"; nocase; distance:0; classtype:trojan-activity; sid:2022606; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Fake Support Phone Scam Mar 9 M3"; flow:established,from_server; file_data; content:"<title>ALERT"; fast_pattern; content:"makeNewPosition"; nocase; distance:0; content:"animateDiv"; nocase; distance:0; content:"div.fakeCursor"; nocase; distance:0; content:"<audio autoplay"; nocase; distance:0; classtype:trojan-activity; sid:2022607; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Mar 9 M2"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function myFunction"; nocase; fast_pattern; content:"MICROSOFT COMPUTER HAS BEEN BLOCKED"; nocase; distance:0; content:"Windows System Alert"; nocase; distance:0; content:"Contact Microsoft"; nocase; distance:0; classtype:trojan-activity; sid:2022608; rev:2;)
# Brand look-alike hosts (Chase, Apple, USAA, PayPal - Mar 14; the Apple rule continues on the next line): a GET with no Referer whose Host header contains "<brand>.com" followed by 20+ more characters (e.g. brand.com.<something>) and does not end in brand.com; threshold limit = one alert per source every 30 s. Heuristic by design: long legitimate CDN or tracking hostnames that embed the brand string will also match, so consider running these as alert rather than drop.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Chase Phishing Domain Mar 14"; flow:to_server,established; content:"GET"; http_method; content:"chase.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"chase.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+chase\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2022615; rev:3;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Apple Phishing Domain Mar 14"; flow:to_server,established; content:"GET"; http_method; content:"apple.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"apple.com|0d 0a|"; http_header; 
pcre:"/^Host\x3a[^\r\n]+apple\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2022616; rev:3;)
# USAA and PayPal variants of the look-alike-host rules above (Host contains brand.com followed by 20+ more characters, no Referer, one alert per source per 30 s). Same false-positive caveat: legitimate long hostnames embedding the brand string will match.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible USAA Phishing Domain Mar 14"; flow:to_server,established; content:"GET"; http_method; content:"usaa.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"usaa.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+usaa\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2022617; rev:3;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Paypal Phishing Domain Mar 14"; flow:to_server,established; content:"GET"; http_method; content:"paypal.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"paypal.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+paypal\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2022618; rev:3;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EV ENTS Fake AV Phone Scam Landing Mar 15"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Security"; fast_pattern; nocase; content:"function DetectMobile"; nocase; distance:0; content:"function myFunction"; nocase; distance:0; content:"Please call"; nocase; distance:0; classtype:trojan-activity; sid:2022619; rev:2;)
# Off-screen iframe injector (Mar 15 M1): the hex decodes to `/*global JSON2:true */` + newline + `document.write("<div style='width: 300px; height: 300px; position: absolute; left:-500px; top: -500px;'><iframe src=` ... `width='250' height='250'></iframe></div>");`; isdataat:!10,relative requires fewer than 10 bytes of body after the snippet. M2 (/track/k.track?wd=...&fid=...&rds=...) is the companion request rule.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 15 2016 M1"; flow:established,from_server; file_data; content:"|2f 2a 67 6c 6f 62 61 6c 20 4a 53 4f 4e 32 3a 74 72 75 65 20 2a 2f 0a 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; content:"|77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; distance:0; isdataat:!10,relative; classtype:trojan-activity; sid:2022620; rev:2;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 15 2016 M2"; flow:established,to_server; content:"/track/k.track?wd="; http_uri; depth:18; content:"fid="; http_uri; content:"rds="; http_uri; classtype:trojan-activity; sid:2022621; rev:2;)
# Macro EXE fetch: /image/data/<name>.exe or /image/flags/<name>.exe with no Referer.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Likely Evil Macro EXE DL mar 15 2016"; flow:established,to_server; content:"/image/"; http_uri; depth:13; content:".exe"; http_uri; fast_pattern:only; pcre:"/^\/image\/(?:data|flags)\/[^\x2f]+\.exe$/Ui"; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2022622; rev:2;)
# Long-domain scam DNS query (standard-query header at bytes 2-11, keyword as fast_pattern, then 100+ bytes of name ending in type A class IN); keyword suspiciousactivity.
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 15"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"suspiciousactivity"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022625; rev:1;)
# Cookie-gated iframe injector (Mar 18): hex decodes to `RegExp('` and, exactly 32 bytes later (distance:32 with a 17-byte content in within:17), `'+'=([^;]){1,}');` - a cookie lookup - then `;d.setDate(d.getDate()+1);` and `<iframe`. Looks like a once-per-day gate on the redirect; confirm against a sample.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Mar 18 2016"; flow:from_server,established; file_data; content:"|52 65 67 45 78 70 28 27|"; content:"|27 2b 27 3d 28 5b 5e 3b 5d 29 7b 31 2c 7d 27 29 3b|"; distance:32; within:17; content:"|3b 64 2e 73 65 74 44 61 74 65 28 64 2e 67 65 74 44 61 74 65 28 29 2b 31 29 3b|"; content:"|3c 69 66 72 61 6d 65|"; distance:0; classtype:trojan-activity; sid:2022628; rev:2;)
# Mar 19 M1 (continues on the next line): the same off-screen-iframe document.write snippet as 2022620, with the `/*global JSON2:true */` marker and the `("<div style=...><iframe src='http` fragment matched as separate contents.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 19 2016 M1"; flow:established,from_server; file_data; content:"|2f 2a 67 6c 6f 
62 61 6c 20 4a 53 4f 4e 32 3a 74 72 75 65 20 2a 2f|"; content:"|28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70|"; distance:0; content:"|77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; distance:0; classtype:trojan-activity; sid:2022629; rev:2;)
# Mar 19 M2: the companion request rule, keyed only on the "/imp/one.trk?wid=" URI prefix.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 19 2016 M2"; flow:established,to_server; content:"/imp/one.trk?wid="; http_uri; classtype:trojan-activity; sid:2022630; rev:2;)
# Long-domain scam DNS queries (standard-query header at bytes 2-11, keyword as fast_pattern, then 100+ bytes of name ending in type A class IN); keywords errorunauthorized / drivercrashed / computer-is-locked.
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 21 M1"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"errorunauthorized"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022631; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 21 M2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"drivercrashed"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022632; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 21 M3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"computer-is-locked"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022633; rev:1;)
# Mar 22 redirector: the hex contents are `module.exports.UA = UA`, `.split(","), i=0, k; for (; k = a[i], i < a.length; i++) r.push(` and `.length; i++) { try { new ActiveXObject(` - a bundled UA parser plus an ActiveXObject probing loop, i.e. client fingerprinting in the page.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading To EK Mar 22 2016"; flow:established,from_server; file_data; content:"|6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 2e 55 41 20 3d 20 55 41|"; content:"|2e 73 70 6c 69 74 28 22 2c 22 29 2c 20 69 3d 30 2c 20 6b 3b 20 66 6f 72 20 28 3b 20 6b 20 3d 20 61 5b 69 5d 2c 20 69 20 3c 20 61 2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 20 72 2e 70 75 73 68 28|"; content:"|2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 20 7b 20 74 72 79 20 7b 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28|"; classtype:trojan-activity; sid:2022635; rev:2;)
# Long-domain scam DNS query (same shape as the Mar 21 rules); keyword unauthorized-transaction.
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 23"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"unauthorized-transaction"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022648; rev:1;)
# Fake Microsoft page (Mar 23): <title>Microsoft, myFunction, a setInterval whose callback immediately calls alert(, and an <audio> element.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Mar 23"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Microsoft"; fast_pattern; nocase; content:"function myFunction"; nocase; distance:0; content:"setInterval"; nocase; distance:0; pcre:"/^\s*?\(\s*?function\s*?\(\s*?\)\s*?\{\s*?alert\s*?\(/Rsi"; content:"<audio"; nocase; distance:0; classtype:trojan-activity; sid:2022649; rev:2;)
# Dridex binary fetch: GET /dana/home.php with the fixed Accept/Accept-Encoding pair, an MSIE 7.0 header and no Referer; reference:md5 is the associated sample.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS W32/Dridex Binary Download Mar 23 2016"; flow:to_server,established; content:"GET"; http_method; content:"/dana/home.php"; http_uri; fast_pattern; content:"Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; http_header; content:"MSIE 7.0"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/\/home\.php$/U"; reference:md5,2f32bf996e093d5a4107d6daa6c51ec4; classtype:trojan-activity; sid:2022650; rev:3;)
# Fake Flash update page (continues on the next line): <title>Flash plus the kit's #prozor/#dugme element ids and "Latest version of Adobe".
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Flash Update Mar 23"; flow:established,to_client; file_data; content:"<title>Flash"; 
nocase; fast_pattern; content:"#prozor"; nocase; distance:0; content:"#dugme"; nocase; distance:0; content:"Latest version of Adobe"; nocase; distance:0; classtype:trojan-activity; sid:2022651; rev:2;)
# PE served to a WinHttpRequest client under a non-.exe URI: "MZ" at body offset 0; byte_jump reads the 4-byte little-endian e_lfanew at offset 60 (2 + 58) and jumps past it, then distance:-64 lands the cursor on e_lfanew, where "PE\0\0" must sit. The et.MS.WinHttpRequest.no.exe.request flowbit is set by a companion request rule that is not in this section of the file.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil EXE download from WinHttpRequest non-exe extension"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.WinHttpRequest.no.exe.request; classtype:trojan-activity; sid:2022653; rev:2;)
# WinHttpRequest variant of the generic macro EXE download rule: the same enumerated path pcre, keyed on a "WinHttp.WinHttpRequest." header value instead of the MSIE 7.0 header set, and without the host exclusions.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016 (WinHTTPRequest)"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; nocase; fast_pattern:only; content:"WinHttp.WinHttpRequest."; http_header; pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|osts?\/[a-z0-9]+|rogcicicic)|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|in(?:voice\/[^\x2f]+|fos?)|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|keem)\.exe$)/Ui"; classtype:trojan-activity; sid:2022658; rev:4;)
# EITest gate requests (Mar 27 M1/M2): a request carrying an x-flash-version header (so Flash-originated) and a 60-250 byte URI of only lowercase letters, digits and slashes that ends in "/" and has at least five digits spread through it (M1) or, for M2, letters/slashes/hyphens with at least two hyphens; no "=", "." or "?" in the URI, no Cookie, no .swf/.flv in the headers, and not the literal "[DYNAMIC]" placeholder.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK EITest Mar 27"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"Cookie|3a|"; content:!"[DYNAMIC]"; http_header; pcre:"/^\/(?=[a-z][a-z\x2f]*\d[a-z\x2f]+\d[a-z\x2f]+\d[a-z\x2f]+\d[a-z\x2f]+\d)[a-z0-9\x2f]+\/$/U"; classtype:trojan-activity; sid:2022666; rev:4;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK EITest Mar 27 M2"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!"Cookie|3a|"; pcre:"/^\/(?=[a-z][a-z\x2f]*-[a-z\x2f]+-)[a-z\x2f-]+\/$/U"; classtype:trojan-activity; sid:2022682; rev:3;)
# BITS-fetched EXE: a HEAD request with the "Microsoft BITS/7.5" User-Agent for a .exe on a host ending in xyz or pw, with no Referer; reference:md5 is the associated sample.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Likely Evil Macro EXE DL mar 28 2016"; flow:established,to_server; content:"HEAD"; http_method; content:"User-Agent|3a 20|Microsoft BITS/7.5|0d 0a|"; http_header; fast_pattern:12,20; content:".exe"; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a\x20[^\r\n]+(?:xyz|pw)\r?$/Hmi"; reference:md5,d599a63fac0640c21272099f39020fac; classtype:trojan-activity; sid:2022686; rev:4;)
# Long-domain scam DNS queries (standard-query header at bytes 2-11, keyword as fast_pattern, then 100+ bytes of name ending in type A class IN); keywords diskissue and avirus (the latter excludes spotify.com, written in DNS label form as |07|spotify|03|com), and further down callasap.
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 30 M1"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"diskissue"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022690; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 30 M2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"avirus"; fast_pattern; distance:0; nocase; content:!"|07|spotify|03|com"; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022691; rev:2;)
# Apr 1 landing: no status/Content-Type check, just the title, a loadNumber function and a campaign_key (call-tracking) field in the body.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Apr 1"; flow:established,to_client; file_data; content:"<title>SYSTEM ERROR WARNING"; fast_pattern; nocase; content:"function loadNumber"; nocase; distance:0; content:"campaign_key:"; nocase; distance:0; classtype:trojan-activity; sid:2022695; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 4"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"callasap"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022696; rev:1;)
# Apr 4 landing (key-capture script that blocks Ctrl+U/C/A). NOTE(review): unlike its siblings this rule has no file_data, so "catchControlKeys" and the JS comments are matched against the raw response payload rather than the decompressed body - a gzip-encoded copy of the page will not match. Adding `file_data;` after the Content-Type check would align it with the other landing-page rules; bump rev if changed.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Apr 4"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"catchControlKeys"; fast_pattern; content:"// Ctrl+U"; nocase; distance:0; content:"// Ctrl+C"; nocase; distance:0; content:"// Ctrl+A"; nocase; distance:0; content:"//e.cancelBubble is supported by IE"; nocase; distance:0; content:"//e.stopPropagation works in Firefox"; nocase; distance:0; classtype:trojan-activity; sid:2022697; rev:3;)
# Apr 12 redirector pair: M1 is the fixed request path; M2 (continues on the next line) matches the injected loader, whose hex decodes to `<script type='text/javascript'>var l='http:` and `;document.write('<'+'script type=`.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK April 12 2016 M1"; flow:established,to_server; content:"/2016/less/ing/frame.html"; http_uri; classtype:trojan-activity; sid:2022724; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK April 12 2016 M2"; flow:established,from_server; file_data; content:"|3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 3e 76 61 72 20 6c 3d 27 68 74 74 70 3a|"; content:"|3b 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 27 2b 27 73 63 72 69 70 74 20 74 79 70 65 3d 
5c 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 5c 27 20 73 72 63 3d 5c 27 27 2b 6c 2b 27 5c 27 3e 3c 27 2b 27 2f 73 63 72 69 70 74 3e 27 29 3b 3c 2f 73 63 72 69 70 74 3e|"; distance:0; classtype:trojan-activity; sid:2022725; rev:2;) drop tcp any !80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Open MGate Device"; flow:established,from_server; content:"Model name|20|"; pcre:"/^\x20+\x3a\x20MGate/R"; content:"|0d 00 0a|MAC address|20|"; distance:0; pcre:"/^\x20+\x3a\x20(?:[0-9A-F]{2}\x3a){5}[0-9A-F]{2}\x0d\x00\x0a/R"; classtype:successful-admin; sid:2022732; rev:2;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain M3 Feb 29"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"yourcomputer"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022739; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 18 M1"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"unusualactivity"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022740; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 18 M2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"yoursystem"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022741; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 18 M3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"howcanwehelp"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022742; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone 
Scam Long Domain Apr 18 M4"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"bluescreen"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022743; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 18 M5"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"cloud-on"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022744; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 18 M6"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"call-now"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022745; rev:1;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 20 2016"; flow:established,to_server; urilen:5; content:"/get2"; http_uri; content:"bc3ad="; http_cookie; classtype:trojan-activity; sid:2022751; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 21 2016 M2"; flow:established,to_server; content:"/idx.aspx?sid="; http_uri; content:"&bcOrigin="; http_uri; content:"&rnd="; http_uri; distance:0; classtype:trojan-activity; sid:2022752; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 27 2016 (fbset)"; flow:established,to_server; urilen:11<>57; content:".js"; http_uri; fast_pattern:only; pcre:"/^\/[a-z]{2,20}\/[a-z]{2,20}\/(?:(?:(?:featur|quot)e|ip)s|d(?:ropdown|etect)|co(?:mpiled|re)|header|jquery|lang|min|ga)\.js$/U"; flowbits:set,ET.WordJS; flowbits:noalert; reference:url,research.zscaler.com/2016/01/music-themed-malvertising-lead-to-angler.html; classtype:trojan-activity; sid:2022770; rev:2;) 
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 27 2016"; flow:established,from_server; flowbits:isset,ET.WordJS; content:"Content-Type|3a 20|text/html|3b 20|charset=utf-8|0d 0a|"; http_header; file_data; content:"<iframe"; within:7; fast_pattern; reference:url,research.zscaler.com/2016/01/music-themed-malvertising-lead-to-angler.html; classtype:trojan-activity; sid:2022771; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 28 2016"; flow:established,from_server; file_data; content:"|3d 22 5c 78 32|"; content:"|3d 22 5c 78 36|"; content:"|3d 22 5c 78 37|"; fast_pattern:only; content:"</span>"; content:!"<span>"; distance:-500; within:500; pcre:"/^\s*?<script>\s*?(?:[A-Za-z][A-Za-z\d+]+\s*?\+?=\s*(?:[A-Za-z][A-Za-z\d]+|[\x22\x27]\\x[2-7][0-9a-fA-F](?:\\x[2-7][0-9a-fA-F]){0,4}[\x22\x27])\s*?\x3b){20}/Rs"; reference:url,researchcenter.paloaltonetworks.com/2016/03/unit42-campaign-evolution-darkleech-to-pseudo-darkleech-and-beyond/; classtype:trojan-activity; sid:2022772; rev:3;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 29 2016"; flow:established,from_server; file_data; content:"|69 32 33 33 36 20 3d 3d 20 6e 75 6c 6c|"; nocase; fast_pattern:only; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 44 49 56 20 69 64 3d 63 68 65 63 6b 35 32 34 20 73 74 79 6c 65 3d 22 44 49 53 50 4c 41 59 3a 20 6e 6f 6e 65 22 3e|"; content:"|3c 69 66 72 61 6d 65 20 73 72 63 3d 22|"; classtype:trojan-activity; sid:2022774; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK (delivered via e-mail)"; flow:established,from_server; file_data; content:"|3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 69 6e 6b 2d 70 72 6f 64 75 63 74 73 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 70 6c 65 61 73 65 2d 77 61 69 74 2e 67 69 66 22|"; nocase; 
fast_pattern:17,20; content:"|61 6c 74 3d 22 50 6c 65 61 73 65 20 77 61 69 74 2e 2e 2e 22 2f 3e|"; nocase; content:"|3c 69 66 72 61 6d 65 20 73 72 63 3d|"; nocase; classtype:trojan-activity; sid:2022779; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Fake Support Phone Scam May 10"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Error Hard Drive Safety"; nocase; content:"myFunction()"; content:"Warning|3a| Internet Security Damaged"; content:"err.mp3"; fast_pattern; nocase; distance:0; classtype:trojan-activity; sid:2022802; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK May 13 2016"; flow:established,from_server; file_data; content:"|3c 74 69 74 6c 65 3e 53 65 61 72 63 68 3c 2f 74 69 74 6c 65 3e|"; content:"|23 6c 6c 6c 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 6c 65 66 74 3a 2d|"; fast_pattern; content:"|3c 64 69 76 20 69 64 3d 22 6c 6c 6c 22 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; classtype:trojan-activity; sid:2022805; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL EXE May 2016 (Mozilla compatible)"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; nocase; fast_pattern:only; content:"Mozilla/4.0|20|(compatible|3b|)"; http_header; content:"Accept|3a 20|*/*|0d 0a|"; http_header; 
pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|osts?\/[a-z0-9]+|rogcicicic)|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|in(?:voice\/[^\x2f]+|fos?)|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|keem)\.exe$)/Ui"; reference:md5,f29a3564b386e7899f45ed5155d16a96; classtype:trojan-activity; sid:2022830; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL BIN May 2016 (No UA)"; flow:established,to_server; content:"GET"; http_method; content:"/system/"; depth:8; http_uri; nocase; fast_pattern; pcre:"/^\/system\/(?:cache|logs)\/[^\x2f]+\.(?:exe|dll|doc|bin)$/Ui"; content:!"Referer|3a 20|"; http_header; reference:md5,c6747ca29d5c28f4349a5a8343d6b025; classtype:trojan-activity; sid:2022834; rev:4;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible ReactorBot .bin Download"; flow:established,to_server; content:"GET"; http_method; content:"/cgi/"; content:".bin"; http_uri; fast_pattern:only; pcre:"/\/cgi\/[a-z0-9]{1,31}\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-Language|3a|"; http_header; content:!"AskTbARS"; http_header; content:!".passport.net|0d 0a|"; http_header; content:!".microsoftonline-p.net|0d 0a|"; http_header; content:!".symantec.com|0d 0a|"; http_header; content:!".qq.com|0d 0a|"; http_header; 
content:!"kankan.com|0d 0a|"; http_header; content:!"aocdn.net"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2022841; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M4 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>System Official"; nocase; fast_pattern:2,20; content:"function stopNavigate"; nocase; distance:0; content:"<audio autoplay="; nocase; content:"autoplay"; nocase; distance:1; classtype:trojan-activity; sid:2022853; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M5 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"// escape function context"; nocase; content:"// necessary to prevent infinite loop"; nocase; distance:0; content:"// that kills your browser"; nocase; distance:0; fast_pattern:6,20; content:"// pressing leave will still leave, but the GET may be fired first anyway"; nocase; distance:0; classtype:trojan-activity; sid:2022854; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M3 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Chrome Error"; fast_pattern; nocase; content:"function myFunction"; nocase; distance:0; content:"setInterval"; nocase; distance:0; pcre:"/^\s*\(\s*function\s*\(\s*\)\s*\{\s*alert\s*\([\x22\x27]\s*Warning/Rsi"; classtype:trojan-activity; sid:2022855; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M1 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"script to pull the number yet"; 
nocase; content:"// alert the visitor"; fast_pattern; nocase; distance:0; content:"// repeat alert, whatever you want them to see"; nocase; distance:0; content:"// end function goodbye"; nocase; distance:0; classtype:trojan-activity; sid:2022856; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M2 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function countdown"; nocase; content:"function loadNumber"; nocase; distance:0; content:"function main_alert"; nocase; distance:0; fast_pattern; content:"function repeat_alert"; nocase; distance:0; content:"function goodbye"; nocase; distance:0; classtype:trojan-activity; sid:2022857; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Suspicious BITS EXE DL Dotted Quad as Observed in Recent Cerber Campaign"; flow:to_server,established; content:"User-Agent|3a 20|Microsoft BITS/"; http_header; fast_pattern:6,20; content:".exe"; http_uri; nocase; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r\n/H"; classtype:misc-activity; sid:2022858; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jun 03 2016"; flow:established,to_server; content:"/wordpress/?"; http_uri; depth:12; pcre:"/^\/wordpress\/\?[A-Za-z0-9]{4}(?:&utm_source=le)?$/U"; classtype:trojan-activity; sid:2022859; rev:5;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jun 06 2016"; flow:established,from_server; file_data; content:"|28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70|"; 
fast_pattern:77,20; content:"name=|27|"; distance:0; content:"|27|"; distance:12; within:1; content:"|20 77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; within:44; classtype:trojan-activity; sid:2022869; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS EXE Download from specific file share site (used in recent maldoc campaign)"; flow:to_server,established; content:".exe"; http_uri; content:"Host|3a 20|a.pomf.cat|0d 0a|"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; reference:md5,c321f38862a24dc8a72a251616b3afdf; classtype:trojan-activity; sid:2022884; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD IE Flash request to set non-standard filename (some overlap with 2021752)"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:s(?:(?:(?:cien|pa)c|it)e|tream)|c(?:l(?:ick|ub)|ountry|ricket)|m(?:(?:aiso|e)n|o(?:bi|m))|p(?:r(?:ess|o)|arty|ink|w)|r(?:e(?:[dn]|view)|acing)|w(?:eb(?:site|cam)|in)|b(?:(?:outiq|l)ue|id)|d(?:ownload|ate|esi)|(?:accountan|hos)t|l(?:o(?:an|l)|ink)|t(?:rade|ech|op)|v(?:oyage|ip)|g(?:dn|b)|online|faith|kim|xyz)(?:\x3a\d{1,5})?\r?\n/Hmi"; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!".swf"; nocase; http_uri; content:!".flv"; nocase; http_uri; content:!"/crossdomain.xml"; http_uri; content:!"|0d 0a|Cookie|3a|"; content:!"sync-eu.exe.bid"; http_header; classtype:trojan-activity; sid:2022894; rev:5;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Xbagger Macro Encrypted DL Jun 13 2016"; flow:established,to_server; content:".jpg?"; http_uri; fast_pattern:only; content:"MSIE 7.0|3b| Windows NT"; http_header; content:"Range"; http_header; 
pcre:"/^\/[a-z0-9_-]+\.jpg\?[A-Za-z0-9]{2,10}=\d{1,4}$/U"; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2022895; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016"; flow:established,to_server; content:".exe"; nocase; http_uri; fast_pattern:only; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:s(?:(?:(?:cien|pa)c|it)e|tream)|c(?:l(?:ick|ub)|ountry|ricket)|m(?:(?:aiso|e)n|o(?:bi|m))|p(?:r(?:ess|o)|arty|ink|w)|r(?:e(?:[dn]|view)|acing)|w(?:eb(?:site|cam)|in)|b(?:(?:outiq|l)ue|id)|d(?:ownload|ate|esi)|(?:accountan|hos)t|l(?:o(?:an|l)|ink)|t(?:rade|ech|op)|v(?:oyage|ip)|g(?:dn|b)|online|faith|kim|xyz)(?:\x3a\d{1,5})?\r?\n/Hmi"; content:!"Referer|3a|"; http_header; content:!"|0d 0a|Cookie|3a|"; classtype:trojan-activity; sid:2022896; rev:4;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jun 14 2016"; flow:established,from_server; file_data; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 64 69 76|"; within:20; pcre:"/^(?:\x20id=\x22\d+\x22)?\x20style=\x22(?=[^\x22\r\n]*top\x3a\x20-\d{3}px\x3b)(?=[^\x22\r\n]*left\x3a-\d{3}px\x3b)(?=[^\x22\r\n]*position\x3a\x20absolute\x3b)[^\x22\r\n]*\x22>\x20<iframe[^\r\n>]*><\x2f/R";content:"|69 27 2b 27 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 27 29 3b|"; within:19; fast_pattern; isdataat:!4,relative; classtype:trojan-activity; sid:2022898; rev:4;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jun 15 2016"; flow:established,from_server; content:"Set-Cookie|3a 20|bc3ad="; fast_pattern:only; content:"campaigns"; http_cookie; classtype:trojan-activity; sid:2022904; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Hidden Javascript Redirect - Possible Phishing Jun 17"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|application/x-javascript"; http_header; 
file_data; content:"data_receiver_url"; fast_pattern; nocase; content:"redirect_url"; nocase; distance:0; content:"current_page"; nocase; distance:0; content:"cc_data"; nocase; distance:0; content:"document"; nocase; distance:0; pcre:"/^\s*\.\s*location\s*\.\s*href\s*=\s*redirect_url/Rsi"; reference:url,myonlinesecurity.co.uk/very-unusual-paypal-phishing-attack/; classtype:trojan-activity; sid:2022905; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Jun 22 2016 M1"; flow:established,to_server; content:"/js/analytic.php?id="; http_uri; fast_pattern:only; pcre:"/^\/js\/analytic\.php\?id=\d+&tz=\-?\d+&rs=\d+x\d+$/Ui"; classtype:trojan-activity; sid:2022909; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Jun 22 2016 M2"; flow:established,from_server; file_data; content:"&tz=|27|+tzSignature()+|27|&rs=|27|+rsSignature()+"; fast_pattern:only; content:"document.write("; pcre:"/^[\x22\x27](?!<script)[\x22\x27+\s]*<[\x22\x27+\s]*s[\x22\x27+\s]*c[\x22\x27+\s]*r[\x22\x27+\s]*i[\x22\x27+\s]*p[\x22\x27+\s]*t[^\r\n]+\.php\?id=\d+&tz=\x27\+tzSignature\x28\x29\+\x27&rs=/R"; classtype:trojan-activity; sid:2022910; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Payload Jun 26 2016"; flow:established,from_server; file_data; content:"|2c 2d dd 4b 40 44 77 41|"; within:9; classtype:trojan-activity; sid:2022916; rev:3;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jun 29 M1"; flow:from_server,established; content:"401"; http_stat_code; content:"WWW-Authenticate|3a 20|Basic realm=|22|"; nocase; http_header; content:"Alert!"; nocase; http_header; distance:0; fast_pattern; content:"has been blocked"; http_header; nocase; classtype:trojan-activity; sid:2022925; rev:3;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jun 29 M2"; 
flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>errorx508"; fast_pattern; nocase; content:"Warning_0001"; nocase; distance:0; classtype:trojan-activity; sid:2022926; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jun 29 M3"; flow:to_server,established; content:"GET"; http_method; content:"your-computer-is-locked-"; nocase; http_uri; fast_pattern; content:"your-computer-is-locked-"; http_uri; distance:0; nocase; classtype:trojan-activity; sid:2022927; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jun 29 M4"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Mozila Error"; fast_pattern; nocase; content:"Warning|3a 20|Internet Security"; nocase; distance:0; classtype:trojan-activity; sid:2022928; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Pony DLL Download"; flow:established,to_server; content:"/pm"; http_uri; content:".dll"; http_uri; fast_pattern:only; pcre:"/\/pm\d?\.dll$/U"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022939; rev:3;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (userdir dotted quad)"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; content:"/~"; http_uri; depth:2; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; pcre:"/^\/\~[a-z]+\/(?:[a-z]+\/)*[a-z]+\.exe$/Ui"; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r$/Hm"; reference:md5,a27bb6ac49f890bbdb97d939ccaa5956; classtype:trojan-activity; sid:2022940; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS 
Possible Malicous Macro DL EXE Jul 01 2016 (dll generic custom headers)"; flow:established,to_server; content:".dll"; http_uri; fast_pattern:only; content:"GET"; http_method; content:"|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|en-US.q=0.8|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:"MSIE 7"; http_header; content:!"Referer|3a|"; content:!"Cookie|3a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022941; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (exe generic custom headers)"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; content:"GET"; http_method; content:"|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|en-US.q=0.8|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:"MSIE 7"; http_header; content:!"Referer|3a|"; content:!"Cookie|3a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022942; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Payload Jul 05 2016"; flow:established,from_server; file_data; content:"|3b 2d dd 4b 40 77 77 41|"; within:8; classtype:trojan-activity; sid:2022949; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown/Xer EK Landing Jul 06 2016 M1"; flow:established,from_server; content:"X-Powered-By|3a 20|Yugoslavian Business Network"; http_header; fast_pattern:12,20; content:"Content-Type|3a 20|text/html|3b|"; http_header; content:"nginx"; http_header; flowbits:set,SunDown.EK; reference:url,blog.talosintel.com/2016/10/sundown-ek.html; classtype:trojan-activity; sid:2023480; rev:4;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M1 Jul 7"; flow:to_server,established; content:"GET"; http_method; content:".dill/?ip="; fast_pattern; nocase; 
http_uri; content:"&os="; http_uri; nocase; distance:0; content:"&browser="; http_uri; nocase; distance:0; content:"&isp="; http_uri; nocase; distance:0; classtype:trojan-activity; sid:2022954; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M2 Jul 7"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"default_number|3b|"; nocase; distance:0; content:"default_plain_number|3b|"; fast_pattern; nocase; distance:0; content:"plain_number|3b|"; nocase; distance:0; content:"loco_params|3b|"; nocase; distance:0; content:"loco|3b|"; nocase; distance:0; classtype:trojan-activity; sid:2022955; rev:3;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 10 M2"; flow:established,from_server; file_data; content:"|76 61 72 20 66 72 61 67 6d 65 6e 74 20 3d 20 63 72 65 61 74 65 28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70 3a|"; classtype:trojan-activity; sid:2022956; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading To EK Jul 10 M1"; flow:established,to_server; content:".js?chebstr=0."; http_uri; pcre:"/\.js\?chebstr=0\.\d+$/U"; classtype:trojan-activity; sid:2022957; rev:2;) drop http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 12 2016"; flow:established,from_server; file_data; content:"|3c 73 70 61 6e 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 2d 31|"; pcre:"/^\d{3}px\x3b\swidth\x3a3\d{2}px\x3b\sheight\x3a3\d{2}px\x3b\x22>[^<>]*?<iframe 
src=[\x22\x27][^\x22\x27]+[\x22\x27]\swidth=[\x22\x27]2\d{2}[\x22\x27]\sheight=[\x22\x27]2\d{2}[\x22\x27]><\/iframe>[^<>]*?\n[^<>]*?<\/span>/Rsi"; classtype:trojan-activity; sid:2022962; rev:3;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 13 2016 2"; flow:established,to_server; content:"POST"; http_method; content:".swf"; nocase; http_header; content:"|4d 61 6e 75 66 75 63 6b|"; nocase; http_client_body; content:"|4d 61 63 72 6f 77 69 6e|"; nocase; http_client_body; classtype:trojan-activity; sid:2022964; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Dropbox Phish Nov 20"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"mailtype="; depth:9; nocase; http_client_body; fast_pattern; content:"&Email"; distance:0; nocase; http_client_body; content:"&Passwd"; distance:0; nocase; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2022967; rev:2;) drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious SMTP Settings in XLS - Possible Phishing Document"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-type|3a 20|application/vnd.ms-excel"; http_header; file_data; content:"/configuration/sendusing"; nocase; fast_pattern; content:"/configuration/smtpserver"; nocase; distance:0; content:"/configuration/smtpauthenticate"; nocase; distance:0; content:"/configuration/sendusername"; nocase; distance:0; content:"/configuration/sendpassword"; nocase; distance:0; reference:md5,710ea2ed2c4aefe70bf082b06b82818a; reference:url,symantec.com/connect/blogs/malicious-macros-arrive-phishing-emails-steal-banking-information; classtype:trojan-activity; sid:2022974; rev:1;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Bank of Oklahoma Phish Jul 21 M1"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; 
content:"__RequestVerificationToken="; depth:27; http_client_body; content:"&forgotPassword="; nocase; distance:0; http_client_body; content:"&lat="; nocase; distance:0; http_client_body; content:"&userName="; nocase; distance:0; http_client_body; fast_pattern; content:"&password="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2022978; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Bank of Oklahoma Phish Jul 21 M2"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"__RequestVerificationToken="; depth:27; http_client_body; content:"&bankId="; fast_pattern; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; content:"&q1="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2022979; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jul 21 M1"; flow:to_server,established; content:"GET"; http_method; content:"/your-computer-is-locked-call-us-at-tollfreenow"; fast_pattern:27,20; nocase; http_uri; content:"your-computer-is-locked-call-us-at-tollfreenow"; nocase; distance:0; http_uri; classtype:trojan-activity; sid:2022980; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jul 21 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Google Security"; nocase; fast_pattern; content:"beep.mp3"; nocase; distance:0; content:"function alertCall"; nocase; distance:0; content:"function alertTimed"; nocase; distance:0; content:"function alertLoop"; nocase; distance:0; classtype:trojan-activity; sid:2022981; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Windows Settings Phishing Landing Jul 
22"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Windows Settings"; fast_pattern; nocase; distance:0; content:"Enter account password"; nocase; distance:0; classtype:trojan-activity; sid:2024098; rev:3;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Maldoc Downloading EXE Jul 26 2016"; flow:established,to_server;content:!".exe"; http_uri; nocase; pcre:"/\/(?:[a-z0-9]+_){4,}[a-z0-9]+(?:\/[a-f0-9]+)*?\/[a-f0-9]+\.(?![Ee][Xx][Ee])[a-z0-9]+$/U"; content:"|3a 20|Microsoft BITS"; http_header; fast_pattern:only; content:!".microsoft.com|0d 0a|"; http_header; nocase; reference:md5,82fb5101847e734dd9b36f51f1fc73e3; classtype:trojan-activity; sid:2022983; rev:3;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Mar 30 M3"; flow:established,to_client; file_data; content:"try "; content:"= new ActiveXObject"; distance:0; content:"catch"; distance:0; content:"=|20 22|Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi|22|,"; content:"=|20 22|Kaspersky.IeVirtualKeyboardPluginSm.JavascriptApi|22|,"; content:".location="; distance:0; classtype:trojan-activity; sid:2022984; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Jul 28 2016"; flow:established,to_client; content:"Set-Cookie|3a 20|yatutuzebil=1|3b|"; fast_pattern; content:"yatutuzebil"; http_cookie; classtype:trojan-activity; sid:2022990; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jul 29 M1"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>errorx"; nocase; fast_pattern; content:"<audio autoplay"; nocase; distance:0; content:"setInterval"; nocase; pcre:"/^\s*\(\s*function\s*\(\s*\)\s*\{\s*alert/Ri"; classtype:trojan-activity; sid:2022991; 
rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jul 29 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Google Security"; nocase; fast_pattern:2,20; content:"alertCall"; nocase; distance:0; content:"alertTimed"; nocase; distance:0; content:"alertLoop"; nocase; distance:0; classtype:trojan-activity; sid:2022992; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jul 29 M3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"// this script is so you can get fields our of the URL"; fast_pattern:34,20; nocase; content:"CHECKS FULL PARAMETER NAME BEGIN OF"; distance:0; content:"// Firefox NS_ERROR_NOT_AVAILABLE"; distance:0; content:"// if delta less than 50ms"; nocase; distance:0; content:"// thus we need redirect"; nocase; distance:0; classtype:trojan-activity; sid:2022993; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jul 29 M4"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function loadNumber"; nocase; fast_pattern; content:"function doRedirect"; nocase; distance:0; content:"function randomString"; nocase; distance:0; content:"function leavebehind"; nocase; distance:0; content:"function myFunction"; nocase; distance:0; content:"function confirmExit"; nocase; distance:0; classtype:trojan-activity; sid:2022994; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading To EK Jul 30 M1"; flow:established,to_server; content:".js?chbstr=0."; http_uri; pcre:"/\.js\?chbstr=0\.\d+$/U"; classtype:trojan-activity; sid:2022995; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET 
CURRENT_EVENTS Evil Redirector Leading to EK Aug1 2016"; flow:established,from_server; file_data; content:"|76 61 72 20 68 65 61 64 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 27 62 6f 64 79 27 29 5b 30 5d 3b 20 76 61 72 20 73 63 72 69 70 74 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 73 63 72 69 70 74 2e 73 72 63 3d 20 22 2f 2f|"; pcre:"/^[^\r\n\x22\?]+[&?][^=\r\n\x22]+=[a-f0-9]+[^\r\n\x22\?]*[&?][^=\r\n\x22]+=[a-f0-9]+\x22\s*\x3b\s*head\.appendChild\(\s*script\s*\)\x3b/R"; classtype:trojan-activity; sid:2022998; rev:2;) drop tcp $HOME_NET any -> [85.93.0.0/24,194.165.16.0/24,31.184.192.0/24] 80 (msg:"ET CURRENT_EVENTS EITest Flash Redirect Aug 09 2016"; flow:established,to_server; urilen:>20; content:"x-flash-version|3a 20|"; http_header; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!".swf"; nocase; http_uri; content:!".flv"; nocase; http_uri; content:!"/crossdomain.xml"; http_uri; content:!"|0d 0a|Cookie|3a|"; classtype:trojan-activity; sid:2023036; rev:3;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 10 M1"; flow:to_server,established; content:"GET"; http_method; content:"/please-fix-immediately-"; nocase; fast_pattern:4,20; http_uri; content:"/index.html"; nocase; distance:0; http_uri; pcre:"/[A-Za-z0-9]{10,20}_14[0-9]{8,}\/index\.html$/Ui"; classtype:trojan-activity; sid:2023037; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 10 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Mozila Error"; fast_pattern; nocase; content:"<audio autoplay"; nocase; distance:0; content:"data|3a|image/png|3b|base64,"; nocase; 
classtype:trojan-activity; sid:2023038; rev:2;) drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 10 M3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>SYSTEM ERROR"; fast_pattern; nocase; content:"getURLParameter"; distance:0; content:"decodeURI"; distance:0; content:"loadNumber"; distance:0; content:"confirmExit"; distance:0; classtype:trojan-activity; sid:2023039; rev:1;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 10 M4"; flow:to_server,established; content:"GET"; http_method; content:".php?num="; fast_pattern; nocase; http_uri; content:"&country="; nocase; distance:0; http_uri; content:"&city="; nocase; distance:0; http_uri; content:"&os="; nocase; distance:0; http_uri; content:"&ip="; nocase; distance:0; http_uri; classtype:trojan-activity; sid:2023040; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 10 M5"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Hacking Attack"; nocase; fast_pattern; content:"mozfullscreenerror"; nocase; distance:0; content:"toggleFullScreen"; distance:0; content:"addEventListener"; distance:0; content:"countdown"; nocase; classtype:trojan-activity; sid:2023041; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Suspended Account Phish Aug 9 M1"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"name-re="; nocase; depth:8; fast_pattern; http_client_body; content:"&dob"; nocase; distance:0; http_client_body; content:"&donnee"; nocase; distance:0; http_client_body; content:"&is_valid_email"; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; 
sid:2023042; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Suspended Account Phish Aug 9 M2"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"holdername="; nocase; depth:11; fast_pattern; http_client_body; content:"&numcard"; nocase; distance:0; http_client_body; content:"&ccv"; nocase; distance:0; http_client_body; content:"&donnee"; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023043; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Apple Suspended Account Phishing Landing Aug 9"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Log in to my account"; nocase; fast_pattern:7,20; content:"iCloud"; distance:0; nocase; content:"disabled for security reasons"; distance:0; nocase; content:"confirm your account information"; distance:0; nocase; content:"account has been frozen"; distance:0; nocase; classtype:trojan-activity; sid:2023044; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excel Online Phishing Landing Aug 9"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Excel Online"; nocase; fast_pattern; content:"someone@example.com"; nocase; distance:0; content:"password"; nocase; distance:0; flowbits:set,ET.GenericPhish_Excel; classtype:trojan-activity; sid:2023045; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Excel Online Phish Aug 9"; flow:to_server,established; flowbits:isset,ET.GenericPhish_Excel; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023046; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Shared Document Phishing Landing Nov 19 2015"; 
flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"pagename=|22|login|22|"; nocase; content:"<title>Sign in - Adobe"; nocase; distance:0; fast_pattern:2,20; content:"password-revealer"; nocase; distance:0; flowbits:set,ET.GenericPhish_Adobe; reference:md5,ba42e59213f10f5c1bd70ce4813f25d1; classtype:trojan-activity; sid:2023047; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Adobe Shared Document Phish Aug 11 2016"; flow:to_server,established; flowbits:isset,ET.GenericPhish_Adobe; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023048; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 12 M1"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"script is so you can get fields our of the URL"; fast_pattern:26,20; nocase; content:"//Flag we have not run the script"; nocase; distance:0; content:"//The page that we will load on a second pop"; nocase; distance:0; content:"//figure out what to use for default number"; nocase; distance:0; classtype:trojan-activity; sid:2023051; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 12 M2"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"#foxboxmsg"; fast_pattern; nocase; content:"getURLParameter"; nocase; distance:0; content:"default_number"; nocase; distance:0; content:"default_plain_number"; nocase; distance:0; content:"loco_params"; nocase; distance:0; classtype:trojan-activity; sid:2023052; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing (err.mp3) Aug 12 2016"; flow:established,from_server; 
content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<audio autoplay="; content:"<source src="; distance:0; content:"err.mp3|22|"; fast_pattern; distance:0; content:"audio/mpeg"; distance:0; classtype:trojan-activity; sid:2023055; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing (msg.mp3) Aug 12 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<audio autoplay="; content:"<source src="; distance:0; content:"msg.mp3|22|"; fast_pattern; distance:0; content:"audio/mpeg"; distance:0; classtype:trojan-activity; sid:2023056; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M1 Aug 12 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>System Infect"; nocase; fast_pattern; content:"toggleFullScreen"; distance:0; content:"countdown"; distance:0; content:"twoDigits"; distance:0; classtype:trojan-activity; sid:2023057; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M2 Aug 12 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"vendorName"; nocase; content:"alertCall"; fast_pattern; nocase; distance:0; content:"alertTimed"; nocase; distance:0; content:"setInterval"; nocase; distance:0; content:"alertLoop"; nocase; distance:0; content:"onkeydown"; nocase; distance:0; content:"e.ctrlKey"; nocase; distance:0; content:"e.keyCode"; nocase; distance:0; content:"onbeforeunload"; nocase; distance:0; classtype:trojan-activity; sid:2023058; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Excel Phish Aug 15 2016"; flow:to_server,established; 
content:"POST"; http_method; content:".php"; http_uri; content:".php?cmd=login_submit"; http_header; nocase; fast_pattern; content:"login="; depth:6; nocase; http_client_body; content:"&passwd="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023061; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Email Storage Upgrade Phishing Landing Aug 15 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<TITLE>Login Authorization"; fast_pattern; nocase; content:"STORAGE UPGRADE"; nocase; distance:0; content:"Global Internet Administration!"; nocase; distance:0; classtype:trojan-activity; sid:2023062; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Credit Agricole Phish Aug 15 2016 M1"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"ident="; fast_pattern; depth:6; nocase; http_client_body; content:"&ReadOut="; nocase; distance:0; http_client_body; content:"&prenom="; nocase; distance:0; http_client_body; content:"&nuum="; nocase; distance:0; http_client_body; content:"&xrypt="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023063; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Credit Agricole Phish Aug 15 2016 M2"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"nom="; depth:4; nocase; http_client_body; content:"&prenom="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&pemail="; fast_pattern; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023064; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Square Enix Phishing Domain Aug 15 2016"; flow:to_server,established; content:"GET"; 
http_method; content:"square-enix.com"; http_header; fast_pattern; content:!"square-enix.com|0d 0a|"; http_header; pcre:!"/^Referer\x3a[^\r\n]+square-enix\.com/Hmi"; classtype:trojan-activity; sid:2023065; rev:3;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Bank of America Phishing Domain Aug 15 2016"; flow:to_server,established; content:"GET"; http_method; content:"bankofamerica.com"; http_header; fast_pattern; content:!"bankofamerica.com|0d 0a|"; http_header; pcre:"/Host\x3a[^\r\n]+bankofamerica\.com[^\r\n]{10,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023066; rev:3;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious HTTP Refresh to SMS Aug 16 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta http-equiv="; nocase; content:"refresh"; distance:1; within:8; pcre:"/^[^>]+url=sms\x3a/Rsi"; content:"url=sms|3a|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2023068; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SMS Fake Mobile Virus Scam Aug 16 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Protect your Computer"; nocase; fast_pattern; content:"Your Computer"; nocase; distance:0; content:"INFECTED"; distance:0; content:"Enter Your Number"; nocase; distance:0; content:"SCAN NOW</button>"; nocase; distance:0; classtype:trojan-activity; sid:2023069; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Netflix Phish Aug 17 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"firstName="; depth:10; nocase; fast_pattern; http_client_body; content:"&lastName="; nocase; http_client_body; distance:0; content:"&cardNumber="; nocase; 
http_client_body; distance:0; content:"&authURL="; nocase; http_client_body; distance:0; content:"&encryptedOaepLen="; nocase; http_client_body; distance:0; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023072; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Netflix Phishing Landing Aug 17 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Netflix"; nocase; fast_pattern; content:"Update Your Payment Information"; nocase; distance:0; content:"Please update your payment information"; nocase; distance:0; content:"not be charged for the days you missed"; nocase; distance:0; classtype:trojan-activity; sid:2023073; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Aug 17 2016"; flow:established,to_client; file_data; content:"|64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 69 66 27 2b 27 72 61 27 2b 27 6d 65 27 29 3b|"; nocase; fast_pattern:19,20; content:"|2e 73 74 79 6c 65 2e 70 6f 73 69 74 69 6f 6e 20 3d 20 27 61 62 27 2b 27 73 6f 6c 27 2b 27 75 74 65 27 3b|"; distance:0; nocase; content:"setAttribute"; nocase; pcre:"/^\s*\(\s*[\x22\x27]id[\x22\x27]\s*,\s*?(?P<var>[^,\x29\s\x3b]+)\s*\x29.*?\.appendChild\s*\(\s*(?P=var)/Rsi"; classtype:trojan-activity; sid:2023074; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Mobile Virus Scam M1 Aug 18 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Virus Detected"; nocase; fast_pattern; content:"#loading-bar"; nocase; distance:0; content:"navigator.vibrate"; nocase; distance:0; content:"Download Now"; nocase; distance:0; content:"Download Now"; nocase; distance:0; classtype:trojan-activity; sid:2023079; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Mobile 
Virus Scam M2 Aug 18 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"navigator.vibrate"; fast_pattern:only; content:"getURLParameter"; content:"gotooffer"; nocase; distance:0; content:"brandmodel"; nocase; distance:0; content:"countDown"; nocase; distance:0; content:"PreventExitPop"; nocase; distance:0; classtype:trojan-activity; sid:2023080; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Google Drive Phishing Domain Aug 25 2016"; flow:to_server,established; content:"drive.google.com"; http_header; fast_pattern; content:!"drive.google.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+drive\.google\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023092; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Suspicious Proxifier DL (non-browser observed in maldoc campaigns)"; flow:established,to_server; content:"/distr/Proxifier"; http_uri; nocase; depth:16; fast_pattern; content:!"User-Agent|3a|"; http_header; nocase; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:!"Cookie|3a|"; content:"proxifier.com|0d 0a|"; http_header; nocase; reference:md5,2a0728a6edab6921520a93e10a86d4b2; classtype:trojan-activity; sid:2023138; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2014-6332 Sep 01 2016 (HFS Actor) M1"; flow:established,from_server; file_data; content:"|26 63 68 72 77 28 32 31 37 36 29 26 63 68 72 77 28 30 31 29 26|"; nocase; content:"|26 63 68 72 77 28 33 32 37 36 37 29|"; nocase; content:"|73 65 74 6e 6f 74 73 61 66 65 6d 6f 64 65 28 29|"; nocase; content:"|72 75 6e 73 68 65 6c 6c 63 6f 64 65 28 29|"; nocase; reference:cve,2014-6332; classtype:trojan-activity; sid:2023145; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2014-6332 Sep 01 2016 (HFS 
Actor) M2"; flow:established,from_server; content:"Server|3a 20|HFS|20|"; http_header; file_data; content:"|6f 62 6a 57 73 68 2e 72 75 6e 20 22 43 3a 5c 57 69 6e 64 6f 77 73 5c 54 65 6d 70 5c 70 75 74 74 79 2e 65 78 65 22|"; nocase; reference:cve,2014-6332; classtype:trojan-activity; sid:2023146; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK EITest Sep 02 M2"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!"Cookie|3a|"; pcre:"/^\/(?=[a-z\d]+[+-][a-z\d]+[+-][a-z\d]+[+-])[a-z\d+-]*\/$/U"; classtype:trojan-activity; sid:2023150; rev:3;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS iCloud Phishing Landing Sept 2 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>iCloud"; fast_pattern; nocase; content:"apple.com"; nocase; distance:0; content:"iCloud Settings"; nocase; distance:0; content:"<form"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; classtype:trojan-activity; sid:2024230; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Encoded CVE-2014-6332 (As Observed in SunDown EK) M1"; flow:established,to_client; file_data; content:"|43 68 72 28 39 39 29 20 26 20 43 68 72 28 31 30 34 29 20 26 20 43 68 72 28 31 31 34 29 20 26 20 43 68 72 28 31 31 39 29 20 26 20 43 68 72 28 34 30 29 20 26 20 43 68 72 28 35 31 29 20 26 20 43 68 72 28 35 30 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 35 34 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 34 31 29|"; classtype:trojan-activity; sid:2023151; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Encoded 
CVE-2014-6332 (As Observed in SunDown EK) M2"; flow:established,to_client; file_data; content:"|43 68 72 28 39 39 29 20 26 20 43 68 72 28 31 30 34 29 20 26 20 43 68 72 28 31 31 34 29 20 26 20 43 68 72 28 31 31 39 29 20 26 20 43 68 72 28 34 30 29 20 26 20 43 68 72 28 35 30 29 20 26 20 43 68 72 28 34 39 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 35 34 29|"; classtype:trojan-activity; sid:2023152; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Encoded CVE-2014-6332 (As Observed in SunDown EK) M3"; flow:established,to_client; file_data; content:"|43 68 72 28 33 32 29 20 26 20 43 68 72 28 31 31 35 29 20 26 20 43 68 72 28 31 30 31 29 20 26 20 43 68 72 28 31 31 36 29 20 26 20 43 68 72 28 31 31 30 29 20 26 20 43 68 72 28 31 31 31 29 20 26 20 43 68 72 28 31 31 36 29 20 26 20 43 68 72 28 31 31 35 29 20 26 20 43 68 72 28 39 37 29 20 26 20 43 68 72 28 31 30 32 29 20 26 20 43 68 72 28 31 30 31 29 20 26 20 43 68 72 28 31 30 39 29 20 26 20 43 68 72 28 31 31 31 29 20 26 20 43 68 72 28 31 30 30 29 20 26 20 43 68 72 28 31 30 31 29|"; classtype:trojan-activity; sid:2023153; rev:2;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query to Ebay Phishing Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|107sbtd9cbhsbtd5d80"; fast_pattern; distance:0; nocase; threshold:type limit, track by_src, count 1, seconds 30; classtype:trojan-activity; sid:2023180; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Ebay Phish Sept 8 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"Host|3a 20|107SbTd9CBhSbT"; http_header; nocase; fast_pattern; content:"Referer|3a 20|http|3a 2f 2f|107sbtd9cbhsbt"; http_header; distance:0; content:"email"; nocase; http_client_body; content:"pass"; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023181; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 12 2016 (Flash)"; flow:established,to_server; content:"/promo"; http_uri; nocase; depth:6; content:"/promo.swf?t="; http_uri; nocase; fast_pattern:only; pcre:"/^\/promo\d+(?:x\d+)?\/promo\.swf\?t=\d+$/Ui"; classtype:trojan-activity; sid:2023186; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 12 2016"; flow:established,from_server; content:"Set-Cookie|3a 20|CAMPAIGNE.REFERER_COOKIE="; fast_pattern:12,20; content:"CAMPAIGNE.REFERER_COOKIE="; http_cookie; classtype:trojan-activity; sid:2023187; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Inject (compromised site) Sep 12 2016"; flow:established,from_server; file_data; content:"|25 32 32 25 37 30 25 36 66 25 37 33 25 36 39 25 37 34 25 36 39 25 36 66 25 36 65 25 33 61 25 32 30 25 36 31 25 36 32 25 37 33 25 36 66 25 36 63 25 37 35 25 37 34 25 33 62|"; nocase; classtype:trojan-activity; sid:2023188; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Inject (compromised site) M2 Sep 12 2016"; flow:established,from_server; file_data; content:"|25 33 62 25 36 36 25 36 39 25 36 63 25 37 34 25 36 35 25 37 32 25 33 61 25 36 31 25 36 63 25 37 30 25 36 38 25 36 31 25 32 38 25 36 66 25 37 30 25 36 31 25 36 33 25 36 39 25 37 34 25 37 39 25 33 64 25 33 30 25 32 39 25 33 62 25 32 30 25 32 64 25 36 64 25 36 66 25 37 61 25 32 64 25 36 66 25 37 30 25 36 31 25 36 33 25 36 39 25 37 34 25 37 39 25 33 61 25 33 30 25 33 62 25 32 32 25 33 65|"; nocase; classtype:trojan-activity; sid:2023189; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b641)"; flow:established,from_server; file_data; content:"RnVuY3Rpb24gbGVha01lbS"; classtype:attempted-admin; sid:2023190; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in 
Sundown/RIG EK (b642)"; flow:established,from_server; file_data; content:"Z1bmN0aW9uIGxlYWtNZW0g"; classtype:attempted-admin; sid:2023191; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b643)"; flow:established,from_server; file_data; content:"GdW5jdGlvbiBsZWFrTWVtI"; classtype:attempted-admin; sid:2023192; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b644)"; flow:established,from_server; file_data; content:"cHJlZml4ICYgIiV1MDAxNiV1NDE0MSV1NDE0MSV1NDE0MSV1NDI0MiV1NDI0Mi"; classtype:attempted-admin; sid:2023193; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b645)"; flow:established,from_server; file_data; content:"ByZWZpeCAmICIldTAwMTYldTQxNDEldTQxNDEldTQxNDEldTQyNDIldTQyNDIi"; classtype:attempted-admin; sid:2023194; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b646)"; flow:established,from_server; file_data; content:"wcmVmaXggJiAiJXUwMDE2JXU0MTQxJXU0MTQxJXU0MTQxJXU0MjQyJXU0MjQyI"; classtype:attempted-admin; sid:2023195; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Sep 12 2016 T2"; flow:established,from_server; file_data; content:".split"; nocase; pcre:"/^\s*\(\s*[\x22\x27][\x00-\x09\x80-\xff][\x22\x27]\s*\)\s*\x3b\s*[A-Za-z0-9]+\s*=\s*[\x22\x27]/Rsi"; content:"|01 2e 02 3c 03 3e 04 3d 05 5c 22 06 5c 27 07 29|"; fast_pattern; within:16; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023196; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Sep 13 2016 (b641)"; flow:established,from_server; file_data; content:"KyAnPHBhcmFtIG5hbWU9Rmxhc2hWYXJzIHZhbHVlPSJpZGRxZD"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023198; 
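rev:2;)
# ---------------------------------------------------------------------------
# ET CURRENT_EVENTS, Sep 2016 - Feb 2017 slice: exploit-kit (RIG, SunDown,
# DNSChanger) landings and redirectors, EITest injects, tech-support-scam
# landings, and credential-phish POSTs.
#
# Deployment notes for this slice:
#  * Every rule here carries the `drop` action (Suricata treats drop as alert
#    when not running inline). Several are heuristics whose msg starts with
#    "Possible" (the *Phishing Domain* Host-header rules, the Locky downloader
#    pair, the RDP-for-Mac rule). Run those as `alert` first and promote to
#    `drop` only after reviewing hit rates. `threshold: type limit` caps how
#    often a rule alerts; confirm how your engine version applies the action
#    to thresholded matches before relying on it to limit blocking.
#  * Flowbit coupling: ET.RIGEKExploit, SunDown.EK and ET.LockyDL are set
#    here; HTTP.UncompressedFlash and ET.http.binary are tested here but set
#    by rules outside this slice. Disabling one side silently changes the
#    other side's behaviour.
#  * "(b641)/(b642)/(b643)" rules match the same pattern at the three
#    base64 alignments; keep the trio together.
#  * One correction in this slice: sid:2023316's trailing pcre had a broken
#    character class (see the comment above that rule); rev bumped 2 -> 3.
#    All other rules are byte-identical to the published set.
# ---------------------------------------------------------------------------

# RIG EK landing: base64 of the FlashVars <param> at two alignments; sets ET.RIGEKExploit.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Sep 13 2016 (b642)"; flow:established,from_server; file_data; content:"sgJzxwYXJhbSBuYW1lPUZsYXNoVmFycyB2YWx1ZT0iaWRkcWQ9"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023199; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Sep 13 2016 (b643)"; flow:established,from_server; file_data; content:"rICc8cGFyYW0gbmFtZT1GbGFzaFZhcnMgdmFsdWU9ImlkZHFkP"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023200; rev:2;)

# Tech-support scam landings (server -> client, 200 text/html): page text plus
# an autoplaying <audio> element and the JS helpers seen on the scam pages.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Tech Support Scam M1 Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Download Security Essentials"; nocase; fast_pattern; content:"Malicious Software Removal"; nocase; distance:0; content:"<audio"; content:"autoplay="; nocase; distance:0; content:"autoplay"; distance:1; nocase; content:"audio/mpeg"; nocase; distance:0; content:"getURLParameter"; content:"setTimeout"; distance:0; classtype:trojan-activity; sid:2023235; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Tech Support Scam M2 Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Security Error"; nocase; fast_pattern; content:"+screen.availHeight"; nocase; distance:0; content:"screen.availWidth"; nocase; distance:0; content:"<audio"; content:"autoplay="; content:"autoplay"; distance:1; within:9; classtype:trojan-activity; sid:2023236; rev:2;)
# DNS query (QDCOUNT=1 header at offset 2) for a name containing "issuefound"
# followed by 100+ bytes of label data before the terminating zero.
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Sept 15 2016"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"issuefound"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00/Rsi"; classtype:trojan-activity; sid:2023237; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PC Support Tech Support Scam Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>PC Support"; nocase; fast_pattern; content:"getParameterByName"; nocase; distance:0; content:"decodeURIComponent"; nocase; distance:0; content:"FormattedNumber"; nocase; distance:0; content:"showRecurringPop"; nocase; distance:0; classtype:trojan-activity; sid:2023238; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Tech Support Scam M3 Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:".chrome-alert"; nocase; content:"<title>"; nocase; distance:0; content:"Microsoft Official Support"; fast_pattern; nocase; distance:0; within:40; classtype:trojan-activity; sid:2023239; rev:2;)

# Evil redirector / EITest inject family. Hex-encoded contents are obfuscated
# JavaScript fragments (string concatenation, hyphen-separated hex that is
# .replace()'d into %-escapes and passed to document.write, etc.).
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 19 2016"; flow:established,from_server; file_data; content:"|29 2b 22 2e 49 65 56 22 2b|"; fast_pattern; content:"|29 2b 22 58 4f 22 2b|"; content:"|6e 65 77 20 77 69 6e 64 6f 77 5b 22 41 22 2b|"; content:"|29 7b 72 65 74 75 72 6e|"; content:"|2e 74 6f 53 74 72 69 6e 67|"; classtype:trojan-activity; sid:2023248; rev:2;)
# Destination pinned to a hard-coded /19 on port 80: infrastructure-specific,
# expect this one to age quickly. Client-side Flash request (x-flash-version
# header, single-character URI, no cookie) that is not a crossdomain/swf/flv fetch.
drop http $HOME_NET any -> [31.184.192.0/19] 80 (msg:"ET CURRENT_EVENTS Possible EITest Flash Redirect Sep 19 2016"; flow:established,to_server; urilen:1; content:"x-flash-version|3a 20|"; http_header; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!".swf"; nocase; http_uri; content:!".flv"; nocase; http_uri; content:!"/crossdomain.xml"; http_uri; content:!"|0d 0a|Cookie|3a|"; classtype:trojan-activity; sid:2023249; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 19 2016 (EItest Inject)"; flow:established,from_server; file_data; content:"3a-20-61-62-73-6f-6c-75-74-65-3b-7a-2d-69-6e-64-65-78-3a-2d-31-3b"; nocase; classtype:trojan-activity; sid:2023250; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 19 2016 (EItest Inject) M2"; flow:established,from_server; file_data; content:"|32 32 2d 36 66 2d 37 30 2d 36 31 2d 37 31 2d 37 35 2d 36 35 2d 32 32 2d 32 66 2d 33 65 2d 33 63 2d 32 66 2d 36 66 2d 36 32 2d 36 61 2d 36 35 2d 36 33 2d 37 34 2d 33 65 2d 30 64 2d 30 61 2d 33 63 2d 32 66 2d 36 34 2d 36 39 2d 37 36 2d 33 65 22 2e 72 65 70 6c 61 63 65 28 2f 2d 2f 67 2c 20 22 25 22 29 3b 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65|"; nocase; classtype:trojan-activity; sid:2023251; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 20 2016"; flow:established,from_server; file_data; content:"Base64.encode(rc4("; nocase; fast_pattern; content:"+|22 3a|timeDelta|2c 22|+"; nocase; content:"cfg.key|29 29|"; nocase; distance:0; pcre:"/^[\x3b\x2c]postRequest\x28cfg\.urlSoftDetectorCallback/Ri"; classtype:trojan-activity; sid:2023252; rev:2;)

# SunDown EK. The first rule is the client-side SWF request (/<digits>/<digits>.swf
# with a Referer to /index.php?<param>=<base64url>); the rest are server-side
# base64 fragments of the exploit SWFs at the three alignments. All set SunDown.EK.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SunDown EK Flash Exploit Sep 22 2016"; flow:established,to_server; content:".swf"; http_uri; content:"/index.php?"; http_header; pcre:"/^\/\d+\/\d+\.swf$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f\x2f[^\r\n\x2f]+\/index\.php\?[^\x3d&]+=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=)?\r\n/H"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023270; rev:4;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK NOP Sled Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"LGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdIF";flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023271; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK NOP Sled Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"pdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NVEX";flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023272; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK NOP Sled Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGYUJ";flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023273; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK Slight Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"x7soyTdaNq94NWpdLGZ4NWpd";flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023274; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK Slight Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"MlADchNaR0LGZ4NWpdLGZ4N";flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023275; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK Slight Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"azTEhyWNbKGpdLGZ4NWpdLG";flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023276; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2015-0016 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"wSNfF6IsxmIHAD8ewTEVACMiwT0d"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023277; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2015-0016 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"IaOoM9BCQ9FnEgy6IoITEaz6Iex"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023278; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2015-0016 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"9xb4GwTUbwUQoyD09AFIox7g9y6"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023279; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2016-0189 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"yTEsz98oyHssxnxc"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023280; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2016-0189 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"coBDgMAD9lBCQmN"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023281; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2016-0189 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"hADUiGDEgPTUbAa"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023282; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2013-2551 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"ATUazSM9vDcoOnUbxnU4Oncoynw9z"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023283; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2013-2551 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"Isx7sawSohAH4sxmQsvH4hAD4mwT"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023284; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2013-2551 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"pBCMlx6I4yTFfBCQbBCpfyTEfA6Il"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023285; rev:2;)

# Hidden-iframe redirectors: document.write of an absolutely positioned,
# off-screen <div> wrapping an <iframe>, with the closing tag split
# ("</i'+'frame>") to defeat naive string matching.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Sep 26 2016"; flow:established,from_server; file_data; content:"document.write"; within:14; pcre:"/^\s*\x28\s*[\x22\x27]<div\s*style\s*=\s*[\x22\x27](?=[^\x22\x27\r\n]*position\x3aabsolute\x3b)(?=[^\x22\x27\r\n]*top\x3a\s\-\d+px\x3b)(?=[^\x22\x27\r\n]*left\x3a\s0px\x3b)[^\r\n]*?<iframe[^\r\n>]*\s><\/i[\x22\x27]\+[\x22\x27]frame>[^\r\n]*<\/div>[\x22\x27]\s*\x29\x3b$/R"; content:"|3c 2f 69 27 2b 27 66 72 61 6d 65 3e|"; fast_pattern:only; classtype:trojan-activity; sid:2023302; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 26 2016 T2"; flow:established,from_server; file_data; content:"|6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 20 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; pcre:"/^\s*\x27[^\x27]+\x27width=\x27250\x27\sheight=\x27250\x27>\s*<\/iframe>\s*<\/div>/R"; classtype:trojan-activity; sid:2023303; rev:2;)
# EITest inject: hex pairs joined by an arbitrary 1-10 char separator, which the
# page .replace()s with "%" before decodeURIComponent/document.write.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Inject (compromised site) Sep 12 2016"; flow:established,from_server; file_data; content:"|67 2c 20 22 25 22 29 3b 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 64 65 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74|"; content:"3c"; nocase; distance:-242; within:200; pcre:"/^(?P<split>.{1,10})2f(?P=split)64(?P=split)69(?P=split)76(?P=split)3e(?P=split)?[^\x22\x27]*[\x22\x27]\.replace\s*\(\s*[\x22\x27]?\/(?P=split)\/g[\x22\x27]?\s*,\s*[\x22\x27]\x25[\x22\x27]\s*\x29\s*\x3b/Ri"; classtype:trojan-activity; sid:2023307; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK (EITest Inject) Oct 03 2016"; flow:established,from_server; file_data; content:"|25 75 30 30 33 64 25 75 30 30 36 63 25 75 30 30 33 33 25 75 30 30 35 33|"; content:"|73 72 63 20 3d 20 75 6e 65 73 63 61 70 65|"; classtype:trojan-activity; sid:2023312; rev:3;)
# Requires HTTP.UncompressedFlash (set outside this slice): hex-text NOP sled
# (0x90 x20) followed by a short jump inside decompressed SWF content.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Flash Exploit Likely SunDown EK"; flow:established,from_server; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"9090909090909090909090909090909090909090EB"; classtype:trojan-activity; sid:2023313; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK Landing Oct 03 2016"; flow:from_server,established; file_data; content:"|28 65 78 70 6c 6f 69 74 29|"; content:"|2e 65 78 65 63 28 69 6e 70 75 74 29 29 7b 72 65 74 75 72 6e 2d 31 7d 69 6e 70 75 74 3d 69 6e 70 75 74 2e 72 65 70 6c 61 63 65|"; content:"|6b 65 79 53 74 72|"; classtype:trojan-activity; sid:2023314; rev:2;)

# Locky downloader pair. sid:2023315 is the request (5-8 char mixed alnum URI,
# MSIE 7.0 UA, no Cookie/Referer); it only sets ET.LockyDL (flowbits:noalert)
# and never fires on its own.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Locky AlphaNum Downloader Oct 3 2016"; flow:to_server,established; urilen:5<>10; content:"GET"; http_method; pcre:"/^\/(?=[a-z]*[0-9][a-z-0-9]*$)(?=[0-9]*[a-z][a-z-0-9]*$)[a-z0-9]{5,8}$/U"; content:!"Cookie|3a 20|"; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_header; fast_pattern:37,20; content:"Accept|3a|"; http_header; content:"Accept-Encoding"; http_header; flowbits:set,ET.LockyDL; flowbits:noalert; classtype:trojan-activity; sid:2023315; rev:2;)
# sid:2023316 is the response: needs ET.LockyDL and no ET.http.binary, an ETag,
# no Content-Disposition, Content-Length 160000-189999, none of the
# MZ/PK/GIF/JPEG/CWS/ZWS magics, and a non-printable byte within the first
# ~104 bytes of the body (the encrypted-payload heuristic).
# FIX: the published pcre ended in `[\x00-x09\x80-\xff]`. The missing backslash
# made `\x00-x` a range from NUL up to 'x' (0x78), so the class matched nearly
# any byte and the non-printable check was effectively a no-op, leaving the
# drop decision to the header/magic checks alone. Corrected to `\x00-\x09`,
# the complement of the preceding `[\x0a-\x7f]`; rev 2 -> 3.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Locky AlphaNum Downloader Oct 3 2016"; flow:from_server,established; flowbits:isnotset,ET.http.binary; flowbits:isset,ET.LockyDL; content:"ETag|3a|"; http_header; content:!"Content-Disposition|3a|"; http_header; content:!"Cookie|3a|"; content:"Content-Length|3a 20|1"; http_header; fast_pattern:only; pcre:"/^Content-Length\x3a\x201[6-8]\d{4}\r?$/Hm"; file_data; content:!"MZ"; within:2; content:!"PK"; within:2; content:!"GIF"; within:3; content:!"|FF D8 FF|"; within:3; content:!"CWS"; within:3; content:!"ZWS"; within:3; pcre:"/^.{4}[\x0a-\x7f]{0,100}[\x00-\x09\x80-\xff]/s"; classtype:trojan-activity; sid:2023316; rev:3;)

# Credential-phish POSTs ("Successful ... Phish"): ordered form-field names in
# the client body, usually anchored to a .php handler. These fire on the
# victim's submission, i.e. after credentials have left the host.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful WeTransfer Phish Oct 04 2016"; flow:to_server,established; content:"POST"; http_method; content:".php?cmd="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&session="; nocase; http_uri; content:"provider="; depth:9; nocase; http_client_body; fast_pattern; content:"&email="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; content:"&phone="; nocase; distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023964; rev:2;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful iCloud Phish Oct 10 2016"; flow:to_server,established; content:"POST"; http_method; content:"/save.asp"; nocase; http_uri; fast_pattern; content:"apple"; http_header; content:"u="; depth:2; nocase; http_client_body; content:"&p="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023592; rev:3;)

# EITest iframe injects (createElement("iframe"), frameBorder 0, appendChild)
# with a query string ending in "=l3S" or carrying the RIG-style q=/oq= pair.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016"; flow:established,from_server; file_data; content:"=l3S"; fast_pattern; content:"|22|frameBorder|22 2c 20 22|0|22|"; nocase; content:"document.createElement|28 22|iframe|22 29 3b|"; nocase; content:" document.body.appendChild"; nocase; content:"http|3a 2f 2f|"; nocase; pcre:"/^[^\x2f\x22\x27]+\/\?[^=&\x22\x27]+=l3S/Ri"; classtype:trojan-activity; sid:2023343; rev:3;)
# Small (2-3 digit Content-Length) nginx responses that are nothing but a
# document.write of an off-screen iframe.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Oct 19 2016"; flow:established,from_server; content:"nginx"; http_header; pcre:"/^Content-Length\x3a\x20\d{2,3}\r?$/Hmi"; file_data; content:"document.write|28|"; within:15; pcre:"/^(?=[^\n>]*position\x3aabsolute)(?=[^\n>]*top\x3a\x20-\d+px\x3b)[^\n]*<iframe(?=[^\n>]*width=\d{3})(?=[^\n>]*height=\d{3})[^\n>]*src=[\x22\x27]http[^\n>]+\s*>\s*/R"; content:"</|27|+|27|iframe>"; within:12; fast_pattern; pcre:"/^[^\n]*\x29\x3b$/R"; classtype:trojan-activity; sid:2023352; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Oct 19 2016 T2"; flow:established,from_server; content:"Content-Type|3a 20|text/javascript|0d 0a|"; http_header; content:"nginx"; http_header; file_data; content:"var"; within:3; pcre:"/^\s*(?P<var>[^\r\n\s\x3d\x2c\x3b]+)\s*=[^\n]*<iframe(?=[^\n>]*top\x3a-\d+px\x3b)[^\n>]+src\s*=\s*\x5c?[\x22\x27]http[^\n>]+>\s*<\/iframe>\x22\x3bdocument\.write\((?P=var)\)\x3b\s*$/R"; content:"</iframe>|22 3b|document.write"; fast_pattern; classtype:trojan-activity; sid:2023353; rev:2;)

# RIG-v URI structure: "/?" with a xx_yy=<digits> parameter, base64url q= and
# oq= values, and a 3-letter parameter whose value looks like a hostname.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RIG EK URI struct Oct 24 2016 (RIG-v)"; flow:established,to_server; content:"/?"; http_uri; depth:2; content:"q="; http_uri; content:"oq="; http_uri; fast_pattern:only; pcre:"/^\/(?=.*?[&?][a-z]{2}_[a-z]{2}=\d+(?:&|$))(?=.*?[&?]q=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}|[A-Za-z0-9_-]{3})+(?:&|$))(?=.*?[&?]oq=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}|[A-Za-z0-9_-]{3})+(?:&|$)).*?[&?][a-z]{3}=[A-Za-z_]{3,20}(?=[a-z\d]*\x2e)(?=[a-z\x2e]*\d)[a-z\d\x2e]+(?:&|$)/U"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023401; rev:5;)
# Request for /tor/<name>32.dll or <name>64.dll with a form-urlencoded
# Content-Type and no Referer/Accept headers.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Tor Module Download"; flow:established,to_server; content:"/tor/"; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; pcre:"/\/tor\/[^\x2f\x2e]+(?:32|64)\.dll$/Ui"; reference:md5,dacbf4c26c5642c29e69e336e0f111f7; classtype:trojan-activity; sid:2023471; rev:2;)
# DNSChanger EK second stage: page referencing UPnP controlurl/schematype/csrf/
# port and an " ip" assignment to a private or loopback IPv4 literal
# (10., 127., 172.16-31., 192.168.). classtype attempted-admin because the
# target is the victim's router, not the browser.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNSChanger EK Secondary Landing Oct 31 2016"; flow:established,from_server; file_data; content:".controlurl"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".schematype"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".csrf"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".port"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:"upnp"; nocase; content:" ip"; nocase; pcre:"/^\s*=\s*[\x22\x27]?(?:10|127|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\./R"; classtype:attempted-admin; sid:2023473; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Nov 01 2016"; flow:established,from_server; file_data; content:"|5c 78 35 63 5c 78 36 62 5c 78 36 31 5c 78 37 33 5c 78 35 66 5c 78 36 35 5c 78 36 65 5c 78 36 37 5c 78 36 39 5c 78 36 65 5c 78 36 35 5c 78 32 65 5c 78 36 34 5c 78 36 63 5c 78 36 63 5c 78 32 66 5c 78 32 33 5c 78 33 32 5c 78 33 34 5c 78 32 66 5c 78 33 32 5c 78 32 32 5c 78 37 64|"; nocase; classtype:trojan-activity; sid:2023474; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016 M2"; flow:established,from_server; file_data; content:"|75 74 65 28 22 66 72 61 6d 65 42 6f 72 64 65 72 22 2c 20 22 30|"; fast_pattern:only; content:"<script type=|22|text/javascript|22|>"; pcre:"/^\s*var\s*(?P<var>[^\s=]+)\s*=\s*document.createElement\(\s*[\x22\x27]iframe[\x22\x27](?=.+?(?P=var)\.frameBorder\s*=\s*[\x22\x27]0[\x22\x27])(?=.+?document\.body\.appendChild\(\s*(?P=var)\s*\)).+?(?P=var)\.setAttribute\s*\(\s*[\x22\x27]frameBorder[\x22\x27]\s*,\s*[\x22\x27]0[\x22\x27]\s*\)\s*\x3b/Rsi"; classtype:trojan-activity; sid:2023482; rev:3;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Tesco Bank Phish M1 Nov 08 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"username="; depth:9; nocase; http_client_body; content:"&login.x="; nocase; distance:0; http_client_body; content:"&login.y="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023487; rev:2;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Tesco Bank Phish M2 Nov 08 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"1="; depth:2; nocase; http_client_body; content:"&password="; nocase; distance:0; http_client_body; content:"&cvv1="; nocase; distance:0; http_client_body; content:"&mobile1="; nocase; distance:0; http_client_body; content:"&next"; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023488; rev:2;)

# "Possible ... Phishing Domain" heuristics: a brand string inside the Host
# header followed by 20+ more characters (i.e. not the brand's own domain),
# rate-limited to one alert per source per 30s. Lookalike-domain detection,
# not confirmation of a phish; review before running inline.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Cartasi Phishing Domain Nov 8"; flow:to_server,established; content:"GET"; http_method; content:"cartasi"; http_header; fast_pattern; content:!"cartasi.it|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+cartasi[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023495; rev:2;)
# 1x1 iframe positioned off-screen whose src host has a mixed-case second label.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Nov 15 2016"; flow:established,from_server; file_data; content:"<iframe src=|22|http|3a 2f 2f|"; pcre:"/^[a-z0-9_-]+\.(?=[0-9_-]*[A-Z])[A-Z0-9_-]+\.[^\x22]+\x22\s/R"; content:"|77 69 64 74 68 3d 22 31 22 20 68 65 69 67 68 74 3d 22 31 22 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 6c 65 66 74 3a 2d 31 70 78 3b 22 3e 3c 2f 69 66 72 61 6d 65 3e|"; within:67; fast_pattern:47,20; classtype:trojan-activity; sid:2023513; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016 M3"; flow:established,from_server; file_data; content:"oq="; fast_pattern:only; content:"|22|frameBorder|22 2c 20 22|0|22|"; nocase; content:" document.body.appendChild"; nocase; content:"http|3a 2f 2f|"; nocase; pcre:"/^[^\x2f\x22\x27]+\/(?=[^\x22\x27]*?[?&]oq=[A-Za-z0-9+\x2f_-]+(?:[\x22\x27]|&))(?=[^\x22\x27]*?[&?][a-z]+_[a-z]+=\d+)(?=[^\x22\x27]*?[&?]q=)/Ri"; classtype:trojan-activity; sid:2023547; rev:3;)
# Nemucod stage fetch: GET /<word>.php?f=<optional letter><1-3 digits>[.dat|.gif]
# with an MSIE 7.0 UA and no Referer.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Malicious JS.Nemucod to PS Dropping PE Nov 14 M2"; flow:to_server,established; content:"GET"; http_method; content:".php?f="; http_uri; fast_pattern:only; content:!"Referer"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; http_header; pcre:"/^\/\w+\.php\?f=[a-z]?\d{1,3}(?:\.(?:dat|gif))?$/U"; reference:md5,551c440d76be5ab9932d8f3e8f65726e; classtype:trojan-activity; sid:2023754; rev:6;)

# XBOOMBER PayPal kit: landing (form action websc*.php?SessionID-xb=) and the
# matching credential POST.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS XBOOMBER Paypal Phishing Landing Nov 28 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Encoding|3a 20|gzip"; http_header; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<form method=|22|post|22|"; nocase; content:"action=|22|websc"; nocase; within:150; content:".php?SessionID-xb="; fast_pattern; nocase; distance:0; within:50; classtype:trojan-activity; sid:2023557; rev:2;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful XBOOMBER Paypal Phish Nov 28 2016"; flow:to_server,established; content:"POST"; http_method; content:"/websc-"; nocase; http_uri; content:".php?SessionID-xb="; nocase; http_uri; fast_pattern; within:40; classtype:trojan-activity; sid:2023558; rev:2;)
# RIG prefilter: res:// URIs probing for installed security products
# (res://<...>/#24/ or /#16/ followed by an .exe path under \\Progra...).
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internet Explorer Information Disclosure Vuln as Observed in RIG EK Prefilter M1 Dec 06"; flow:established,from_server; file_data; content:"res|3a 2f 2f|"; nocase; fast_pattern:only; content:"/#24/"; pcre:"/^#?\d+/R"; content:".exe"; content:"|5c 5c|Progra"; nocase; classtype:trojan-activity; sid:2023586; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internet Explorer Information Disclosure Vuln as Observed in RIG EK Prefilter M2 Dec 06"; flow:established,from_server; file_data; content:"res|3a 2f 2f|"; nocase; fast_pattern:only; content:"/#16/"; pcre:"/^#?\d+/R"; content:".exe"; nocase; content:"|5c 5c|Progra"; nocase; classtype:trojan-activity; sid:2023587; rev:2;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Linkedin Phishing Domain Dec 09 2016"; flow:to_server,established; content:"GET"; http_method; content:"linkedin.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"linkedin.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+linkedin\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023596; rev:2;)
# Boilerplate "Page Redirection" meta-refresh page (the stock snippet's own
# comment text) that does not reference location.hostname.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Common Phishing Redirect Dec 13 2016"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Page Redirection"; nocase; fast_pattern:3,20; content:"don't tell people to `click` the link"; nocase; distance:0; content:"just tell them that it is a link"; nocase; distance:0; content:!"location.hostname"; nocase; classtype:trojan-activity; sid:2023638; rev:3;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Edge SmartScreen Page Spoof Attempt Dec 16 2016"; flow:from_server,established; file_data; content:"ms-appx-web|3a|//"; fast_pattern; nocase; content:"microsoftedge"; nocase; distance:0; content:"/assets/errorpages/"; nocase; distance:0; content:"BlockedDomain="; nocase; distance:0; reference:url,www.brokenbrowser.com/spoof-addressbar-malware/; classtype:trojan-activity; sid:2023657; rev:2;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Bradesco Bank Phish M1 Jan 05 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?"; nocase; http_uri; content:"p="; depth:2; nocase; http_client_body; content:"&a2="; nocase; distance:0; http_client_body; content:"&agencia="; nocase; distance:0; http_client_body; content:"&a1="; nocase; distance:0; http_client_body; content:"&conta="; nocase; distance:0; http_client_body; fast_pattern; content:"&aa="; nocase; distance:0; http_client_body; content:"&digito="; nocase; distance:0; http_client_body; content:"&age="; nocase; distance:0; http_client_body; content:"&ir="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023696; rev:2;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Bradesco Bank Phish M2 Jan 05 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?"; nocase; http_uri; content:"agencia="; depth:8; nocase; http_client_body; content:"&conta="; nocase; distance:0; http_client_body; content:"&digito="; nocase; distance:0; http_client_body; content:"&entrada_1="; nocase; distance:0; http_client_body; fast_pattern; content:"&entrada_2="; nocase; distance:0; http_client_body; content:"&entrada_3="; nocase; distance:0; http_client_body; content:"&entrada_4="; nocase; distance:0; http_client_body; content:"&looking1="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023697; rev:4;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful National Bank Phish Jan 05 2017"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"redirect="; depth:9; nocase; http_client_body; content:"&txtState="; nocase; distance:0; http_client_body; content:"&txtCount="; nocase; distance:0; http_client_body; content:"&txtOneTime="; nocase; distance:0; http_client_body; content:"&Account_ID="; nocase; distance:0; http_client_body; content:"&active_Password="; nocase; distance:0; http_client_body; fast_pattern; content:"&Submit="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023698; rev:2;)
# Kit fingerprint in the <meta description> ("xPayPal_2017" + "CaZaNoVa163");
# note this one matches the raw response rather than a file_data buffer.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing Jan 09 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"<meta name=|22|description|22 20|content=|22 78 50 61 79 50 61 6c 5f 32 30 31 37|"; content:"|43 61 5a 61 4e 6f 56 61 31 36 33|"; within:50; fast_pattern; classtype:trojan-activity; sid:2023712; rev:2;)

# EITest "Chrome font" social-engineering inject. sid:2023742 and sid:2023744
# share the msg text "... M2": 2023742 accepts any unpadded base64 alphabet
# run in the hidden "infol" input, 2023744 requires properly padded base64.
# sid:2023745 and sid:2023817 (further down) also share a msg and differ only
# in the dropped filename (Chrome_Font.exe vs Font_Update.exe). Keep the sids,
# not the msgs, as the key when tuning.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 M2"; flow:established,from_server; file_data; content:"|69 6e 66 6f 6c|"; fast_pattern:only; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"<input"; nocase; pcre:"/^(?=[^>]*type\s*=\s*[\x22\x27]hidden[\x22\x27])(?=[^>]*name\s*=\s*[\x22\x27]infol[\x22\x27])[^>]*value\s*=\s*[\x22\x27][A-Za-z0-9+/]+[\x22\x27]/Rsi"; content:"<form"; nocase; pcre:"/^(?=[^>]+action\s*=\s*[\x22\x27]http\x3a\x2f)[^>]+method\s*=\s*[\x22\x27]post[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2023742; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 M1"; flow:established,from_server; file_data; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65 2e 77 65 62 73 74 6f 72 65|"; nocase; content:"|2e 6d 61 74 63 68 28 2f 3e 28 5c 77 3f 5c 73 3f 2e 2a 3f 29 3c 2f 67 29|"; nocase; fast_pattern:only; content:"|5b 69 5d 2e 72 65 70 6c 61 63 65 28 65 76 61 6c 28|"; content:"unescape"; nocase; pcre:"/^\s*\([^\x29]*(?:\%2F|\/)(?:\%5B|\[)(?:\%5E|^)(?=[^\x29]*(?:%3C|\<))(?=[^\x29]*(?:%3E|\>))(?=[^\x29]*(?:\%5C|\\)(?:\%6E|n))/Rsi"; classtype:trojan-activity; sid:2023743; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 M2"; flow:established,from_server; file_data; content:"|69 6e 66 6f 6c|"; fast_pattern:only; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"<input"; nocase; pcre:"/^(?=[^>]+type\s*=\s*[\x22\x27]hidden[\x22\x27])(?=[^>]+name\s*=\s*[\x22\x27]infol[\x22\x27])[^>]+value\s*=\s*[\x22\x27](?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)[\x22\x27]/Rsi"; content:"<form"; nocase; pcre:"/^(?=[^>]+action\s*=\s*[\x22\x27]http\x3a\x2f)[^>]+method\s*=\s*[\x22\x27]post[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2023744; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 EXE Download"; flow:established,from_server; content:"Chrome_Font.exe"; http_header; nocase; fast_pattern:only; pcre:"/^Content-Disposition\x3a[^\r\n]+filename\s*=\s*[\x22\x27]?Chrome_Font\.exe/Hmi"; classtype:trojan-activity; sid:2023745; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016 M4"; flow:established,from_server; file_data; content:"|75 74 65 28 22 66 72 61 6d 65 42 6f 72 64 65 72 22 2c 20 22 30|"; fast_pattern:only; content:"<script type=|22|text|2f|"; pcre:"/^(?:rocket|java)script\x22>\s*var\s*(?P<ifr>[^\s=]+)\s*=\s*[\x22\x27]iframe[\x22\x27].*?\s*var\s*(?P<var>[^\s=]+)\s*=\s*document\.createElement\(\s*(?P=ifr)(?=.+?(?P=var)\.frameBorder\s*=\s*[\x22\x27]0[\x22\x27])(?=.+?document\.body\.appendChild\(\s*(?P=var)\s*\)).+?(?P=var)\.setAttribute\s*\(\s*[\x22\x27]frameBorder[\x22\x27]\s*,\s*[\x22\x27]0[\x22\x27]\s*\)\s*\x3b/Rsi"; classtype:trojan-activity; sid:2023748; rev:3;)
# Scam landing abusing HTTP 401 Basic-auth realm / Warning headers to show
# a "Call Microsoft" prompt in the browser's credential dialog.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M1 Jan 20 2017"; flow:from_server,established; content:"401"; http_stat_code; content:"WWW-Authenticate|3a 20|Basic realm=|22|"; nocase; http_header; content:"Warning|3a|"; nocase; http_header; distance:0; fast_pattern; content:"Call Microsoft"; http_header; nocase; classtype:trojan-activity; sid:2023751; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M2 Jan 20 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Error Hard Drive"; nocase; fast_pattern:3,20; content:"background-color|3a 20|#FF0000"; nocase; distance:0; classtype:trojan-activity; sid:2023752; rev:2;)
# Plain tcp rule (not HTTP-aware): rdp:// URI carrying a drivestoredirect
# parameter delivered to the client. rev:1, never revised - expect noise on
# legitimate .rdp files and review before running inline.
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft RDP Client for Mac RCE"; flow:established,to_client; content:"rdp|3a 2f 2f|"; nocase; content:"drivestoredirect"; fast_pattern; nocase; distance:0; content:"rdp|3a 2f 2f|"; nocase; pcre:"/^\S+?drivestoredirect/Ri"; reference:url,www.wearesegment.com/research/Microsoft-Remote-Desktop-Client-for-Mac-Remote-Code-Execution; classtype:attempted-admin; sid:2023755; rev:1;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Jan 24"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title> Windows Official Support"; fast_pattern; nocase; content:"This Is A Critical Warning"; nocase; distance:0; classtype:trojan-activity; sid:2023757; rev:2;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple iCloud Phish Jan 23 2017"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"usuario="; depth:8; nocase; http_client_body; content:"&contrasena="; nocase; distance:0; http_client_body; content:"&hdtxt="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023758; rev:2;)
# msg says "Jan 23 2016" while the neighbouring rules from the same day say
# 2017; almost certainly a typo in the msg. Left unchanged so downstream
# alert pipelines keyed on the signature name do not break.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Paypal Phish Jan 23 2016"; flow:to_server,established; content:"POST"; http_method; content:"/websrc"; http_uri; fast_pattern; content:"email"; nocase; http_client_body; content:"|25|40"; http_client_body; distance:0; content:"pass"; nocase; distance:0; http_client_body; pcre:"/\/websrc$/U"; classtype:trojan-activity; sid:2023759; rev:2;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Paypal Phish Jan 23 2017"; flow:to_server,established; content:"POST"; http_method; content:"locale.x="; depth:9; nocase; http_client_body; content:"&processSignin="; nocase; distance:0; http_client_body; content:"&login_email="; nocase; distance:0; http_client_body; content:"&login_password="; nocase; distance:0; http_client_body; content:"&btnLogin="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023760; rev:2;)
# 3-byte x-msdownload response whose entire body is "=((" - what the RIG
# payload server returns when the download is filtered or broken.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Broken/Filtered RIG EK Payload Download"; flow:established,from_server; content:"Content-Type|3a 20|application/x-msdownload|0d 0a|"; http_header; content:"Content-Length|3a 20|3|0d 0a|"; http_header; fast_pattern; file_data; content:"|3d 28 28|"; within:3; isdataat:!1,relative; classtype:trojan-activity; sid:2023768; rev:2;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"FromPreSignIn_SIP="; depth:18; nocase; http_client_body; fast_pattern; content:"&RSA_DEVPRINT="; nocase; distance:0; http_client_body; content:"&ROLLOUT="; nocase; distance:0; http_client_body; content:"&user="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023770; rev:2;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Wells Fargo Phish Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"card_num="; depth:9; nocase; http_client_body; content:"&full_name="; nocase; distance:0; http_client_body; content:"&ssn_num="; nocase; distance:0; http_client_body; fast_pattern; content:"&j_password="; nocase; distance:0; http_client_body; content:"&userPrefs="; nocase; distance:0; http_client_body; content:"&jsenabled="; nocase; distance:0; http_client_body; content:"&origin="; nocase; distance:0; http_client_body; content:"&screenid="; nocase; distance:0; http_client_body; content:"&ndsid="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023771; rev:2;)
# Spanish-language Find My iPhone phish: despite the "Successful" msg this is
# a server->client landing-page match, not a credential POST.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Find My iPhone Phish (SP) Jan 30 2017"; flow:from_server,established; file_data; content:"<title>Buscar iPhone"; fast_pattern; content:"<div class=|22|icloud"; nocase; distance:0; content:"Buscar iPhone"; nocase; distance:0; content:"<div class=|22|error"; nocase; distance:0; classtype:trojan-activity; sid:2023772; rev:2;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Tangerine Bank Phish M1 Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"cusd="; depth:5; nocase; http_client_body; content:"&tbNickname="; nocase; distance:0; http_client_body; fast_pattern; content:"&ddCIF="; nocase; distance:0; http_client_body; content:"&Go="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023773; rev:2;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Tangerine Bank Phish M2 Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?SecureToken="; http_header; content:"&fill="; http_header; distance:0; content:"PIN="; depth:4; nocase; http_client_body; fast_pattern; content:"&Go="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023774; rev:2;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Ebay Phishing Domain Jan 30 2017"; flow:to_server,established; content:"GET"; http_method; content:"ebay.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"ebay.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+ebay\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023775; rev:2;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Ebay Phish Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"ebay.com"; http_header; fast_pattern; content:!"ebay.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+ebay\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023776; rev:2;)
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 EXE Download"; flow:established,from_server; content:"Font_Update.exe"; http_header; nocase; fast_pattern:only; pcre:"/^Content-Disposition\x3a[^\r\n]+filename\s*=\s*[\x22\x27]?Font_Update\.exe/Hmi"; reference:url,www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme; reference:url,blog.brillantit.com/exposing-eitest-campaign; classtype:trojan-activity; sid:2023817; rev:2;)
# Excludes "autodiscover" hosts so Exchange Autodiscover lookups do not trip it.
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Discover Phishing Domain Feb 02 2017"; flow:to_server,established; content:"GET"; http_method; content:"discover.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"discover.com|0d 0a|"; http_header; content:!"autodiscover"; http_header; pcre:"/^Host\x3a[^\r\n]+discover\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023819; rev:3;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Chase Phish Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"chase.com"; http_header; fast_pattern; content:!"chase.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+chase\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023820; rev:2;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Apple Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"apple.com"; http_header; fast_pattern; content:!"apple.com|0d 0a|"; 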
http_header; pcre:"/^Host\x3a[^\r\n]+apple\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023821; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful USAA Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"usaa.com"; http_header; fast_pattern; content:!"usaa.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+usaa\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023822; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Paypal Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"paypal.com"; http_header; fast_pattern; content:!"paypal.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+paypal\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023823; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Bank of America Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"bankofamerica.com"; http_header; fast_pattern; content:!"bankofamerica.com|0d 0a|"; http_header; pcre:"/Host\x3a[^\r\n]+bankofamerica\.com[^\r\n]{10,}\r\n/Hmi"; classtype:trojan-activity; sid:2023824; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Google Drive Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"drive.google.com"; http_header; fast_pattern; content:!"drive.google.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+drive\.google\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023825; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Cartasi Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"cartasi"; http_header; fast_pattern; content:!"cartasi.it|0d 0a|"; http_header; 
pcre:"/^Host\x3a[^\r\n]+cartasi[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023826; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Linkedin Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"linkedin.com"; http_header; fast_pattern; content:!"linkedin.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+linkedin\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023827; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Ebay Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"ebay.com"; http_header; fast_pattern; content:!"ebay.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+ebay\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023828; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Discover Phish Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"discover.com"; http_header; fast_pattern; content:!"discover.com|0d 0a|"; http_header; content:!"autodiscover"; http_header; pcre:"/^Host\x3a[^\r\n]+discover\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023829; rev:3;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 01"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|account-google|08|serveftp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023833; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 02"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|aramex-shipping|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023834; rev:1;) drop udp $HOME_NET any 
-> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 03"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|device-activation|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023835; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 04"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|dropbox-service|08|serveftp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023836; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 05"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|dropbox-sign|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023837; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 06"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|dropboxsupport|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023838; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 07"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|fedex-mail|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023839; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 08"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|fedex-shipping|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; 
reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023840; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 09"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|fedex-sign|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023841; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 10"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|googledriver-sign|04|ddns|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023842; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 11"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|googledrive-sign|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023843; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|google-maps|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023844; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 13"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|googlesecure-serv|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023845; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 14"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; 
content:"|0c|googlesignin|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023846; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 15"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|googleverify-signin|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023847; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 16"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|mailgooglesign|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023848; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 17"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|myaccount|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023849; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 18"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|secure-team|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023850; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 19"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|security-myaccount|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023851; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request 
to NilePhish Domain 20"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|verification-acc|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023852; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 21"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|dropbox-verfy|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023853; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 22"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|fedex-s|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023854; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 23"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|watchyoutube|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023855; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 24"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|verification-team|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023856; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 25"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|securityteam-notify|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; 
sid:2023857; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 26"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|secure-alert|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023858; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 27"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|quota-notification|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023859; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 28"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|notification-team|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023860; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 29"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|fedex-notification|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023861; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 30"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|docs-mails|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023862; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 31"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|restricted-videos|09|servehttp|03|com|00|"; nocase; distance:0; 
fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023863; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 32"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|dropboxnotification|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023864; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 33"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|moi-gov|08|serveftp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023865; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 34"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|activate-google|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023866; rev:1;) drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 35"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|googlemaps|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023867; rev:1;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Feb 2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title> Microsoft Official Support <"; fast_pattern; nocase; content:"var stroka"; nocase; distance:0; content:"wM/8AAEQgADQCgAwEiAAIRAQMRAf/dAAQACv/EAT8AAAEFAQEBAQEBAAAAAAAAAAMAAQIE"; distance:0; classtype:trojan-activity; sid:2023869; rev:2;) drop http 
$EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Landing M1 Feb 07 2016 M1"; flow:established,from_server; file_data; content:"value"; nocase; pcre:"/^\s*=\s*[\x27\x22](?:sh(?:ell(?:32)?)?|exec)=6wLrBej5\x2f\x2f/Rsi"; content:"6wLrBej5"; fast_pattern:only; classtype:trojan-activity; sid:2023878; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Landing M1 Feb 07 2016 M2"; flow:established,from_server; file_data; content:"EB02EB05E8F9FFFFFF"; nocase; fast_pattern:only; pcre:"/(?:value=[\x22\x27](?:sh(?:ell(?:32)?)?|exec)=|unescape\(EscapeHexString\(.)EB02EB05E8F9FFFFFF/si"; classtype:trojan-activity; sid:2023879; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Craigslist Phishing Domain Feb 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"craigslist.org"; http_header; fast_pattern; content:!"craigslist.org|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+craigslist\.org[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023880; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Phish Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"login="; depth:6; nocase; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; content:"&submit=Sign+In&curl_version="; nocase; distance:0; http_client_body; fast_pattern:9,20; classtype:trojan-activity; sid:2023888; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Feb 09 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Microsoft Official Support"; nocase; fast_pattern:13,20; content:"<audio"; nocase; distance:0; content:"loop="; nocase; within:50; classtype:trojan-activity; sid:2023889; rev:2;) drop http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Banco Itau (BR) Mobile Phish M1 Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"iden="; depth:5; nocase; http_client_body; content:"&AG="; nocase; distance:0; http_client_body; content:"&CC="; nocase; distance:0; http_client_body; content:"&CCDIG="; nocase; distance:0; http_client_body; content:"&PASSNET="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogInT.x="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023890; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Banco Itau (BR) Mobile Phish M2 Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"DDD="; depth:4; nocase; http_client_body; content:"&CELLULAR="; nocase; distance:0; http_client_body; fast_pattern; content:"&SDESEIS="; nocase; distance:0; http_client_body; content:"&btnLogInT.x="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023891; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Account Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"locked.php"; nocase; http_uri; content:"Account-Unlock"; nocase; distance:0; http_uri; fast_pattern; content:"user="; depth:5; nocase; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023999; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful iCloud (CN) Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"Host|3a 20 31 31 32 32 33 33 68 74 2e 70 77|"; fast_pattern:only; classtype:trojan-activity; sid:2024000; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful California Bank & Trust Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; 
content:"AccountNo="; depth:10; nocase; http_client_body; fast_pattern; content:"&token="; nocase; distance:0; http_client_body; content:"&check=Login"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024001; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Banco Itau (BR) Mobile Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"&txtCelular="; nocase; http_client_body; content:"&txtSenhaCartao="; nocase; distance:0; http_client_body; fast_pattern; content:"btnLogIn"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024002; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Phishing Verified by Visa title over non SSL Feb 17 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>"; content:"Verified by Visa"; nocase; within:50; fast_pattern; classtype:trojan-activity; sid:2024003; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious JS Refresh - Possible Phishing Redirect Feb 24 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"self.location.replace("; within:100; fast_pattern:2,20; pcre:"/\s*(?P<var>[^)]+)\s*\).+window\s*\.\s*location\s*=\s*\(\s*(?P=var)/Rsi"; classtype:trojan-activity; sid:2024007; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Phishing Redirect Feb 24 2017"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; content:"location|3a 20|"; http_header; fast_pattern; content:"|2f 3f|"; distance:32; within:2; http_header; content:"|0d 0a|"; distance:32; within:2; http_header; classtype:trojan-activity; sid:2024008; rev:2;) drop http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Craigslist (RO) Phish M1 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"step=confirmation"; depth:17; nocase; http_client_body; content:"&rt="; nocase; distance:0; http_client_body; content:"&rp="; nocase; distance:0; http_client_body; content:"&p="; nocase; distance:0; http_client_body; content:"&whichForm="; nocase; distance:0; http_client_body; content:"&Email="; nocase; distance:0; http_client_body; content:"&Parola="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2024009; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Craigslist (RO) Phish M2 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"NumarCard="; depth:10; nocase; http_client_body; fast_pattern; content:"&CVV="; nocase; distance:0; http_client_body; content:"&Luna="; nocase; distance:0; http_client_body; content:"&NumeCard="; nocase; distance:0; http_client_body; content:"&PrenumeCard="; nocase; distance:0; http_client_body; content:"&NumedeContact="; nocase; distance:0; http_client_body; content:"&NumardeTelefon="; nocase; distance:0; http_client_body; content:"&EmaildeContact="; nocase; distance:0; http_client_body; content:"&cryptedStepCheck="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024010; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish M1 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"FromPreSignIn_SIP="; depth:18; nocase; http_client_body; fast_pattern; content:"&LANGUAGE="; nocase; distance:0; http_client_body; content:"&CHKCLICK="; nocase; distance:0; http_client_body; content:"&NNAME="; nocase; distance:0; http_client_body; content:"&RSA_DEVPRINT="; nocase; distance:0; http_client_body; content:"&K1="; nocase; distance:0; http_client_body; content:"&Q1="; nocase; 
distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024011; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish M2 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; content:"&cardSelected="; nocase; distance:0; http_client_body; content:"&rbcCardNumber="; nocase; distance:0; http_client_body; fast_pattern; content:"&twoDigitIssueNumber="; nocase; distance:0; http_client_body; content:"&atmpin="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024012; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish M3 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; fast_pattern; content:"&fullname="; nocase; distance:0; http_client_body; content:"&dob="; nocase; distance:0; http_client_body; content:"&ssn="; nocase; distance:0; http_client_body; content:"&mmn="; nocase; distance:0; http_client_body; content:"&dl="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024013; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish M4 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; fast_pattern; content:"&sq1="; nocase; distance:0; http_client_body; content:"&sq1a="; nocase; distance:0; http_client_body; content:"&sq2="; nocase; distance:0; http_client_body; content:"&sq2a="; nocase; distance:0; http_client_body; content:"&sq3="; nocase; distance:0; http_client_body; content:"&sq3a="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024014; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Orderlink (IN) Phish Feb 
24 2017"; flow:to_server,established; urilen:7; content:"POST"; http_method; content:"/signin"; content:"/signin|0d 0a|"; http_header; fast_pattern; content:"_token="; depth:7; nocase; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"|25|40"; nocase; distance:0; http_client_body; content:"&pass"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024015; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Redirect M1 Feb 24 2017"; flow:from_server,established; content:"302"; http_stat_code; content:"location|3a 20|"; nocase; http_header; content:".php?cmd=_update-information&account_bank="; nocase; http_header; fast_pattern:22,20; distance:0; content:"&dispatch="; distance:32; within:10; nocase; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; classtype:trojan-activity; sid:2024016; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Redirect M2 Feb 24 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; file_data; content:"<meta http-equiv="; nocase; within:50; content:"refresh"; nocase; distance:1; within:7; content:"/webapps/"; nocase; distance:0; content:"/websrc"; distance:5; within:7; fast_pattern; classtype:trojan-activity; sid:2024017; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Common Paypal Phishing URI Feb 24 2017"; flow:to_server,established; content:"GET"; http_method; content:"/webapps/"; http_uri; content:"/websrc"; distance:5; within:7; http_uri; fast_pattern; pcre:"/\/webapps\/[a-f0-9]{5}\/websrc/Ui"; classtype:trojan-activity; sid:2024018; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing Feb 24 2017"; flow:from_server,established; file_data; content:"<title>"; nocase; fast_pattern; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RIG EK URI Struct Feb 26 
2017"; flow:established,to_server; urilen:>90; content:"oq="; http_uri; fast_pattern:only; pcre:"/^\/\?o?q=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+&o?q=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+$/U"; content:!"Cookie|3a|"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2024020; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Feb 26 2016"; flow:established,from_server; file_data; content:"|3d 20 28 2f 2a 67 66 2a 2f 22 73 5c 78 37 35 62 73 22 29 2b 2f 2a 67 66 2a 2f 22 74 72 22 3b|"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2024021; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Vanguard Phish Mar 06 2017"; flow:to_server,established; content:"POST"; http_method; content:"dmform-0="; depth:9; nocase; http_client_body; content:"&label-dmform-0=User+name"; nocase; distance:0; http_client_body; content:"&label-dmform-1=Password"; nocase; distance:0; http_client_body; content:"&label-dmform-8=Account+Email"; nocase; distance:0; http_client_body; content:"&label-dmform-9=Password"; nocase; distance:0; http_client_body; content:"&dmformsubject=Vang"; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2024032; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Android Fake AV Download Landing Mar 06 2017"; flow:to_server,established; content:"GET"; http_method; content:".php?model="; nocase; http_uri; content:"&brand="; nocase; distance:0; http_uri; content:"&osversion="; nocase; distance:0; http_uri; content:"&ip="; nocase; distance:0; http_uri; content:"&voluumdata=BASE64"; nocase; distance:0; http_uri; fast_pattern; classtype:trojan-activity; sid:2024033; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK March 07 
2017"; flow:established,from_server; file_data; content:"|3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 31 70 78 3b 20 68 65 69 67 68 74 3a 20 31 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 20 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; fast_pattern:70,20; pcre:"/^\s*\x27[^\x27\x3b\r\n]+\x27width=\x27250\x27\sheight=\x27250\x27\>/Ri"; classtype:trojan-activity; sid:2024037; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Fake Font DL March 09 2017"; flow:from_server,established; content:"Content-Disposition|3a|"; nocase; http_header; content:"|43 68 72 ce bf 6d 65|"; nocase; http_header; fast_pattern:only; content:"|66 ce bf 6e 74|"; nocase; http_header; content:"|2e 65 78 65|"; nocase; http_header; file_data; content:"MZ"; within:2; classtype:trojan-activity; sid:2024040; rev:1;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Mar 09 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"System Virus Alert"; nocase; fast_pattern:5,20; content:"|3a|-webkit-full-screen"; nocase; distance:0; classtype:trojan-activity; sid:2024042; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Paypal Phish Mar 13 2017"; flow:to_server,established; content:"POST"; http_method; content:"yass_email="; depth:11; nocase; http_client_body; content:"&yass_password="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogin="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024046; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful National Bank Phish Mar 13 2017"; flow:to_server,established; content:"POST"; http_method; content:"aliasDispatcher="; depth:16; nocase; http_client_body; 
content:"&indBNCFunds="; nocase; distance:0; http_client_body; content:"&accountNumber1="; nocase; distance:0; http_client_body; content:"&cardExpirDate="; nocase; distance:0; http_client_body; fast_pattern; content:"®istrationMode="; nocase; distance:0; http_client_body; content:"&cardActionTypeSelected="; nocase; distance:0; http_client_body; content:"&language="; nocase; distance:0; http_client_body; content:"&clientIpAdress="; nocase; distance:0; http_client_body; content:"&clientUserAgent="; nocase; distance:0; http_client_body; content:"&clientScreenResolution="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024047; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017"; flow:established,to_server; urilen:>90; content:"oq="; http_uri; fast_pattern:only; pcre:"/(?=.*?[?&]oq=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+(?:&|$)).*?[?&]q=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+(?:&|$)/U"; content:!"Cookie|3a|"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2024048; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2"; flow:established,to_server; urilen:>90; content:"QMvXcJ"; http_uri; pcre:"/(?=.*?=[^&]{3,4}QMvXcJ).*?=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+&.*?=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+(?:&|$)/U"; content:!"Cookie|3a|"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2024049; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful ANZ Internet Banking Phish Mar 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"typ="; depth:4; nocase; http_client_body; content:"&cid="; nocase; 
distance:0; http_client_body; content:"&cpass="; nocase; distance:0; http_client_body; content:"&homepn="; nocase; distance:0; http_client_body; content:"&workpn="; nocase; distance:0; http_client_body; content:"&mobilepn="; nocase; distance:0; http_client_body; content:"&telepass="; nocase; distance:0; http_client_body; content:"&ccnumber="; nocase; distance:0; http_client_body; fast_pattern; content:"&cvv="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024050; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Instagram Phish Mar 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"cek=login"; depth:9; nocase; http_client_body; fast_pattern; content:"&username="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024051; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Paypal Phish Mar 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"login_cmd="; depth:10; nocase; http_client_body; content:"&login_params="; nocase; distance:0; http_client_body; content:"&login_email="; nocase; distance:0; http_client_body; content:"&login_password="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogin="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024052; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Payload Download M1 Mar 14 2017"; flow:established,from_server; file_data; content:"|2e de 08 bb 99 8a 7b 6c|"; within:8; classtype:trojan-activity; sid:2024053; rev:1;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Payload Download M2 Mar 14 2017"; flow:established,from_server; file_data; content:"|5e 5a a3 90 b9 31 7b 54|"; within:8; classtype:trojan-activity; sid:2024054; rev:1;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET 
CURRENT_EVENTS Terror EK Payload RC4 Key M1 Mar 14 2017"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"uylzJB3mWrFjellI9iDFGQjO"; fast_pattern:only; content:"("; pcre:"/^\s*[\x22\x27]\s*http[^\x22\x27]+\.php\s*[\x22\x27]\s*\x2c\s*[\x22\x27]\s*uylzJB3mWrFjellI9iDFGQjO/Rs"; classtype:trojan-activity; sid:2024055; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful iCloud Phish Mar 15 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta http-equiv=|22|Content-Type|22|"; nocase; content:"alert"; content:"|41 70 70 6c 65 20 49 44|"; nocase; within:20; fast_pattern; content:"|68 69 73 74 6f 72 79 2e 62 61 63 6b|"; nocase; distance:0; classtype:trojan-activity; sid:2024059; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Phish M1 Mar 15 2017"; flow:to_server,established; content:"POST"; http_method; content:"appid="; depth:6; nocase; http_client_body; fast_pattern; content:"|25|40"; distance:0; http_client_body; content:"&pwd"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024060; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Phish M2 Mar 15 2017"; flow:to_server,established; content:"POST"; http_method; content:"fname="; depth:6; nocase; http_client_body; content:"&dob="; nocase; distance:0; http_client_body; content:"&cchn="; nocase; distance:0; http_client_body; content:"&ccnum="; nocase; distance:0; http_client_body; fast_pattern; content:"&expdate="; nocase; distance:0; http_client_body; content:"&cvv2="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024061; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK March 15 2017"; flow:established,from_server; file_data; 
content:"iframe"; nocase; content:"src"; nocase; pcre:"/^\s*=\s*[\x22\x27][Hh][Tt][Tt][Pp][Ss]?\x3a\x2f\x2f[^\x2f]+\x2f(?=[^\x2f\x22\x27]+=[^\x2f\x22\x27&]{0,5}QMvXcJ)[^\x2f\x22\x27]{90}/Rs"; content:"QMvXcJ"; fast_pattern:only; classtype:trojan-activity; sid:2024092; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK March 15 2017 M2"; flow:established,from_server; file_data; content:"<iframe"; within:7; pcre:"/^(?:\s+style=\x27hidden\x27)?\s+src=\x27https?\x3a[^>\x22\x27]+[\x22\x27]\s*width=\x270\x27\s+/Ri";content:"|68 65 69 67 68 74 3d 27 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c|"; within:34; isdataat:100; classtype:trojan-activity; sid:2024093; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Paypal Phish Mar 22 2017"; flow:to_server,established; content:"POST"; http_method; content:"identif="; depth:8; nocase; http_client_body; content:"&elserr="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogin="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024100; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish Mar 27 2017"; flow:to_server,established; content:"POST"; http_method; content:"FromPreSignIn_SIP="; depth:18; nocase; http_client_body; fast_pattern; content:"&LANGUAGE="; nocase; distance:0; http_client_body; content:"&RSA_DEVPRINT="; nocase; distance:0; http_client_body; content:"&K1="; nocase; distance:0; http_client_body; content:"&Q1="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024101; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Tangerine Bank Phish M1 Mar 27 2017"; flow:to_server,established; content:"POST"; http_method; content:"act="; depth:4; nocase; http_client_body; content:"&command="; nocase; distance:16; within:9; http_client_body; fast_pattern; 
content:"&PIN="; nocase; distance:0; http_client_body; content:"&Go="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024102; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Tangerine Bank Phish M2 Mar 27 2017"; flow:to_server,established; content:"POST"; http_method; content:"account="; depth:8; nocase; http_client_body; content:"&pin"; nocase; distance:16; within:4; http_client_body; content:"&command="; nocase; distance:0; http_client_body; content:"&PrimaryApplicant="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2024103; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL BIN March 2017"; flow:established,to_server; content:"GET"; http_method; content:"?showforum="; http_uri; fast_pattern:only; pcre:"/\?showforum=$/Ui"; content:!".php"; http_uri; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; reference:md5,ad575f6795526f2ee5e730f76a3b5346; classtype:trojan-activity; sid:2024109; rev:3;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS MalDoc Retrieving Payload March 30 2017"; flow:to_server,established; content:"GET"; http_method; content:"/mang.bbk"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/mang\.bbk$/Ui"; reference:md5,33018afc5ef9818eee0f3833d1f738b0; classtype:trojan-activity; sid:2024122; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Banco do Brasil Phish Mar 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"telefone="; depth:9; nocase; http_client_body; content:"&senha6="; nocase; distance:0; http_client_body; fast_pattern; content:"&ir="; nocase; distance:0; http_client_body; content:"&agencia="; nocase; distance:0; http_client_body; content:"&conta="; nocase; distance:0; http_client_body; 
content:"&senha8="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024328; rev:3;) drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M1"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|12|wide.singldays.top"; distance:1; within:19; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024124; rev:2;) drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M2"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|15|wine.industrialzz.top"; distance:1; within:22; fast_pattern:2,20; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024125; rev:2;) drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M3"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|14|one.industrialzz.top"; distance:1; within:21; fast_pattern:1,20; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024126; rev:2;) drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M4"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|13|web.machinerysc.top"; 
distance:1; within:20; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024127; rev:2;) drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M5"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|12|sub.contentedy.top"; distance:1; within:19; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024128; rev:2;) drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M6"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|14|check-work-18799.top"; distance:1; within:21; fast_pattern:1,20; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024129; rev:2;) drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M7"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|15|asp.refreshmentnu.top"; distance:1; within:22; fast_pattern:2,20; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024130; rev:2;) drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M8"; flow:established,from_server; content:"|55 04 0a|"; 
content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|15|get.resemblanceao.bid"; distance:1; within:22; fast_pattern:2,20; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024131; rev:2;) drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M9"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|14|sip.discoveredzp.bid"; distance:1; within:21; fast_pattern:1,20; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024132; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M1"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|0"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024133; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M2"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|1"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024134; rev:2;) drop http 
$EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M3"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|2"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024135; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M4"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|3"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024136; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M5"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|4"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024137; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M6"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 
20|http|3a 2f 2f|5"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024138; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M7"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|6"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024139; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M8"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|7"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024140; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M9"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|8"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024141; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG 
EK Redirects M10"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|9"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024142; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Mail.ru Phish Apr 04 2017"; flow:to_server,established; content:"POST"; http_method; content:"new_auth_form="; depth:14; nocase; http_client_body; fast_pattern; content:"&page="; nocase; distance:0; http_client_body; content:"&back="; nocase; distance:0; http_client_body; content:"&FromAccount="; nocase; distance:0; http_client_body; content:"&Login="; nocase; distance:0; http_client_body; content:"&selector="; nocase; distance:0; http_client_body; content:"&Username="; nocase; distance:0; http_client_body; content:"&Password="; nocase; distance:0; http_client_body; content:"&saveauth="; nocase; distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024167; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK CVE-2016-0189 Exploit"; flow:established,from_server; file_data; content:"dllcode"; nocase; fast_pattern:only; content:"|28 26 68 34 64 2c 26 68 35 61 2c 26 68 38 30 2c 30 2c 31 2c 30 2c 30 2c 30|"; nocase; content:"GetSpecialFolder"; nocase; reference:cve,2016-0189; classtype:trojan-activity; sid:2024168; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK CVE-2016-0189 Exploit M2"; flow:established,from_server; file_data; content:"|73 74 72 54 6f 49 6e 74 28 4d 69 64 28 6d 65 6d 2c 20 31 2c 20 32 29 29|"; content:"|2b 20 26 48 31 37 34|"; reference:cve,2016-0189; classtype:trojan-activity; sid:2024169; rev:2;) drop 
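http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK CVE-2015-2419 Exploit"; flow:established,from_server; file_data; content:"EB125831C966B9"; nocase; content:"05498034088485C975F7FFE0E8E9FFFFFFD10D61074028D7D5D3B544E0"; distance:2; within:58; nocase; reference:cve,2015-2419; classtype:trojan-activity; sid:2024170; rev:3;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Terror EK Payload Download"; flow:established,to_server; content:"e=cve"; http_uri; fast_pattern:only; pcre:"/[&?]e=cve\d{8}(?:&|$)/U"; pcre:"/=[a-f0-9]{32,}(?:&|$)/U"; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2024180; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful HM Revenue & Customs Phish M1 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"gender="; depth:7; nocase; http_client_body; fast_pattern; content:"&name1="; nocase; distance:0; http_client_body; content:"&name2="; nocase; distance:0; http_client_body; content:"&day="; nocase; distance:0; http_client_body; content:"&month="; nocase; distance:0; http_client_body; content:"&year="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; content:"&submitForm="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024184; rev:3;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful HM Revenue & Customs Phish M2 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"cnumber="; depth:8; nocase; http_client_body; fast_pattern; content:"&expm="; nocase; distance:0; http_client_body; content:"&expy="; nocase; distance:0; http_client_body; content:"&cvv="; nocase; distance:0; http_client_body; content:"&cname="; nocase; distance:0; http_client_body; content:"&submitForm="; nocase; distance:0; http_client_body; classtype:trojan-activity; 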
sid:2024185; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Santander Phish M1 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"cpf="; depth:4; nocase; http_client_body; fast_pattern; content:"&next_pag="; nocase; distance:0; http_client_body; content:"&entrar="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024186; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Santander Phish M2 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"psw_net="; depth:8; nocase; http_client_body; fast_pattern; content:"&cpf="; nocase; distance:0; http_client_body; content:"&continuar_acess="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024187; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Santander Phish M3 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"psw_4="; depth:6; nocase; http_client_body; fast_pattern; content:"&psw_net="; nocase; distance:0; http_client_body; content:"&cpf="; nocase; distance:0; http_client_body; content:"&proseguir="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024188; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS MSXMLHTTP DL of HTA (Observed in RTF 0-day )"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; content:"Content-Type|3a 20|application/hta|0d 0a|"; http_header; fast_pattern:9,20; nocase; classtype:trojan-activity; sid:2024197; rev:2;) drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocENG Payload DL"; flow:established,from_server; content:"|3b 20 66 69 6c 65 6e 61 6d 65 3d 43 68 72 ce bf 6d d0 b5 20 66 ce bf 6e e1 b9 ab 2e 65 78 65|"; http_header; nocase; file_data; content:"MZ"; within:2; classtype:trojan-activity; sid:2024198; rev:1;) drop tcp $EXTERNAL_NET 
$HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocENG Inject M2"; flow:established,from_server; file_data; content:"|69 64 3d 22 70 70 68 68 22 20 3e 54 68 65 20 22 48 6f 65 66 6c 65 72 54 65 78 74 22 20 66 6f 6e 74 20 77 61 73 6e 27 74 20 66 6f 75 6e 64 2e|"; classtype:trojan-activity; sid:2024199; rev:1;) drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocENG Inject M3"; flow:established,from_server; file_data; content:"|69 64 3d 22 62 62 62 31 22 3e 43 6c 69 63 6b 20 6f 6e 20 74 68 65 20 43 68 72 6f 6d 65 5f 46 6f 6e 74 2e 65 78 65|"; classtype:trojan-activity; sid:2024200; rev:1;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Malicious Expires Header Seen In Malicious JavaScript Downloader Campaign"; flow:established,to_client; content:"Expires|3A| Tue, 08 Jan 1935 00|3A|00|3A|00 GMT"; http_header; fast_pattern:9,20; classtype:trojan-activity; sid:2024229; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful iCloud Phish Apr 20 2017"; flow:to_server,established; content:"POST"; http_method; content:"ip="; depth:3; nocase; http_client_body; content:"&city="; nocase; distance:0; http_client_body; content:"&country="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; fast_pattern; content:"&sbBtn="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024231; rev:2;) drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Alitalia Airline Phish Apr 20 2017"; flow:to_server,established; content:"POST"; http_method; content:"carta="; depth:6; nocase; http_client_body; content:"&month="; nocase; distance:0; http_client_body; content:"&cvv="; nocase; distance:0; http_client_body; content:"&year="; nocase; distance:0; http_client_body; content:"&imageField"; nocase; distance:0; http_client_body; content:"&nome="; 
nocase; distance:0; http_client_body; content:"&VBV="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2024232; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS ElTest Exploit Kit Redirection Script"; flow:established,to_client; file_data; content:"<script"; nocase; content:"text/javascript"; within:50; nocase; content:"|22|iframe|22|"; within:100; nocase; content:".style.border= |22|0px|22|"; within:200; fast_pattern; nocase; content:"frameborder"; within:100; nocase; content:".setAttribute("; within:50; nocase; content:"document.body.appendChild("; within:100; nocase; content:"= |22|http"; within:100; nocase; content:".src="; distance:0; nocase; content:"<|2F|script>"; within:50; nocase; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-campaign-evolution-eitest-october-december-2016/; classtype:trojan-activity; sid:2024237; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HoeflerText Chrome Popup DriveBy Download Attempt"; flow:established,to_client; file_data; content:"The |22|HoeflerText|22| font wasn't found"; nocase; fast_pattern; content:"you have to update the |22|Chrome Font Pack|22|"; distance:0; nocase; content:"Click on the Chrome_Font.exe"; distance:0; nocase; content:"Latest version"; distance:0; nocase; content:"href=|22|http"; distance:0; nocase; content:"window.chrome"; distance:0; nocase; reference:url,www.bleepingcomputer.com/virus-removal/hoeflertext-font-wasnt-found-and-chrome-font-pack-guide; classtype:trojan-activity; sid:2024238; rev:2;) drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Google App Oauth Phish M1 Mar 3 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Chrome Alert"; fast_pattern:7,20; nocase; content:"