# Excerpt of an Emerging Threats (ET) / GPL ruleset in Suricata rule syntax, one rule per line.
# A rule on a line beginning with "#" is distributed disabled; it does not load until the "#" is removed.
# Rules that use flowbits:isset only alert after a setter rule (which may live elsewhere in the ruleset)
# has tagged the flow; rules that use flowbits:noalert only tag the flow and never alert themselves.
# Rule bodies below are kept verbatim from upstream; only these "#" comment lines were added.
#
# Unanchored URI SQLi heuristic: /down_indir.asp?, id= and DELETE anywhere in the normalized URI, then DELETE...FROM.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id DELETE"; flow:established,to_server; content:"/down_indir.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2810; reference:url,www.securityfocus.com/bid/23714; reference:url,doc.emergingthreats.net/2004002; classtype:web-application-attack; sid:2004002; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;)
# Informational (former HUNTING category): any DNS query ending in .ez-dns.com; tune if the dynamic-DNS provider is used legitimately.
alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.ez-dns.com Domain"; dns_query; content:".ez-dns.com"; fast_pattern; nocase; endswith; metadata: former_category HUNTING; classtype:bad-unknown; sid:2013845; rev:5; metadata:created_at 2011_11_04, updated_at 2019_09_28;)
# Alerts only when ET.http.javaclient has already been set on the flow by a companion rule (not shown here).
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit Various Java Exploit Common Class name"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PayloadX.class"; nocase; fast_pattern; classtype:attempted-user; sid:2018500; rev:7; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2014_05_27, updated_at 2019_10_07;)
# Disabled upstream. Matches any "eval(" following a PDF header within the first 300 bytes of payload -- a broad heuristic.
# alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With eval Function - Possibly Hostile"; flow:established,to_client; content:"PDF-"; depth:300; content:"eval|28|"; nocase; distance:0; reference:url,www.w3schools.com/jsref/jsref_eval.asp; classtype:bad-unknown; sid:2011506; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01;)
# The P-flag regex inspects the client body relative to "name=": an alphanumeric run followed by a quote, comma or paren (raw or %-encoded).
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Contact Form Maker Plugin - SQL Injection 1"; flow:established,to_server; content:"/wp-admin/admin-ajax.php?action=FormMakerSQLMapping_fmc"; nocase; http_uri; fast_pattern; content:"name="; nocase; http_client_body; pcre:"/^(?:[a-zA-Z0-9_%+])*(?:[\x2c\x22\x27\x28]|\x252[c278])/PRi"; metadata: former_category WEB_SPECIFIC_APPS; reference:url,www.exploit-db.com/exploits/44854/; classtype:web-application-attack; sid:2025748; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2018_06_26, updated_at 2018_07_18;)
# flags:S,12 = SYN set, reserved/ECN bits ignored; threshold "both" alerts once per source after 5 SYNs to 5900-5920 within 60s.
alert tcp $EXTERNAL_NET any -> $HOME_NET 5900:5920 (msg:"ET SCAN Potential VNC Scan 5900-5920"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2002911; classtype:attempted-recon; sid:2002911; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProxyBox -ProxyBotCommand - CHECK_ME"; flow:established,to_server; content:"CHECK_ME|0D 0A|Port|3a| "; depth:16; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015502; rev:2; metadata:created_at 2012_07_21, updated_at 2012_07_21;)
# depth:92 equals the length of the hex GIF89a prefix, so the match is anchored to the very start of the response body.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] W32/Rodecap.StealRat C2 Payload (GIF)"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"|47 49 46 38 39 61 10 00 10 00 91 00 00 f7 f7 f7 ff ff ff c0 c0 c0 00 00 00 21 f9 04 00 00 00 00 5f 05 95 95 96 96 96 96 92 92 92 92 6d 92 92 92 2a 2a 2a 2a 2a 2a 2a 2a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a|"; depth:92; metadata: former_category MALWARE; classtype:command-and-control; sid:2025457; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_02, performance_impact Moderate, updated_at 2018_04_02;)
# Broad heuristic: "varchar(" anywhere in any URI, yet classed attempted-admin; expect false positives where applications pass SQL-like text in URLs.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection (varchar)"; flow:established,to_server; content:"varchar("; http_uri; nocase; reference:url,doc.emergingthreats.net/2008175; classtype:attempted-admin; sid:2008175; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;)
# Disabled upstream. |55 04 03| is the DER-encoded OID for commonName (2.5.4.3); |0e| is the 14-byte length of the CN value that follows.
# alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|calmiinity.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023403; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_10_25, updated_at 2016_10_25;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld INSERT"; flow:established,to_server; content:"/user.php?"; http_uri; nocase; content:"passwordOld="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006017; classtype:web-application-attack; sid:2006017; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_26;)
# Server-side 307 whose Location header starts with "file://" -- the redirect-to-SMB pattern described in the cited write-ups; the target host and share are not constrained here.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 307"; flow:from_server,established; content:"307"; http_stat_code; content:"Location|3a 20|file|3a 2f 2f|"; http_header; fast_pattern; reference:url,blog.cylance.com/redirect-to-smb; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/resurrection-of-the-living-dead-the-redirect-to-smb-vulnerability/; classtype:attempted-user; sid:2020976; rev:3; metadata:created_at 2015_04_23, updated_at 2019_10_07;)
# The R/U regex runs relative to "&port=": 2-5 digits followed by anything other than "&" or a digit, i.e. non-numeric data appended to the port parameter.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT DLink DNS 320 Remote Code Execution (CVE-2019-16057)"; flow:established,to_server; content:"GET"; http_method; content:"/cgi-bin/login_mgr.cgi"; http_uri; fast_pattern; content:"cmd|3d|login"; http_uri; distance:0; content:"&port="; http_uri; distance:0; pcre:"/^\d{2,5}+(?!\&|\d)/RU"; metadata: former_category EXPLOIT; reference:cve,2019-16057; reference:url,blog.cystack.net/d-link-dns-320-rce/; classtype:attempted-admin; sid:2028603; rev:1; metadata:attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2019_09_18, performance_impact Low, updated_at 2019_09_18;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 SELECT"; flow:established,to_server; content:"/searchoption.asp?"; http_uri; nocase; content:"cost1="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005742; classtype:web-application-attack; sid:2005742; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_26;)
# Disabled upstream. offset:5 depth:17 pins the 17-byte marker to payload bytes 5-21; no references are given, so provenance rests on the sid alone.
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 0"; flow:established,to_server; content:"|B4 B4 B4 B4 BC BF BF BF BF BD BD BD BD B3 B3 B3 B3|"; offset:5; depth:17; classtype:trojan-activity; sid:2013521; rev:4; metadata:created_at 2011_09_01, updated_at 2011_09_01;)
# IP-list rule with no flow keyword: any TCP packet from a listed relay address fires, limited to one alert per source per 60s; sets ET.TorIP for other rules. The list is feed-generated (rev:4013) and goes stale without updates.
alert tcp [46.4.176.48,46.4.183.104,46.4.217.100,46.4.233.104,46.4.34.242,46.4.49.62,46.4.55.177,46.4.58.90,46.4.78.148,46.4.88.92] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 576"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522575; rev:4013; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_03_25;)
# |05 01 00 01| = SOCKS5 version 5, CONNECT, reserved 0, IPv4 address type; |07 47| at offset 8 is destination port 1863 in network byte order; dsize:10 pins the exact request length. The 32768-61000 source-port range is presumably why the msg says "(Linux Source)".
alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 1863 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|07 47|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003275; classtype:protocol-command-decode; sid:2003275; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TEDE Simplificado processaPesquisa.php script INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/tde_busca/processaPesquisa.php?"; nocase; http_uri; content:"pesqExecutada="; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/101876/tedesimplificado-sql.txt; classtype:web-application-attack; sid:2012990; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_06_10, updated_at 2016_07_01;)
# Informational: every query for a name under the Namecoin ".bit" TLD (endswith), not only the C2 case in the reference.
alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query Domain .bit"; dns_query; content:".bit"; nocase; endswith; reference:url,www.normanshark.com/blog/necurs-cc-domains-non-censorable/; classtype:bad-unknown; sid:2017645; rev:4; metadata:created_at 2013_10_30, updated_at 2019_09_28;)
# Uses the parsed tls_cert_subject / tls_cert_issuer buffers; the issuer match is exact and will stop matching once the certificate is reissued by a different CA.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls_cert_subject; content:"CN=ww1-filecloud.com"; nocase; fast_pattern; endswith; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; metadata: former_category MALWARE; reference:url,blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/; classtype:command-and-control; sid:2027472; rev:2; metadata:deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2019_06_14, malware_family MageCart, performance_impact Low, updated_at 2019_09_28;)
# Disabled upstream. Legacy Snort syntax (uricontent, raw header content). "cGlyYW5oYTp" is the Base64 prefix of "piranha:", i.e. a Basic-auth attempt with the product's default username.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Piranha default passwd attempt"; flow:to_server,established; uricontent:"/piranha/secure/control.php3"; content:"Authorization\: Basic cGlyYW5oYTp"; reference:bugtraq,1148; reference:cve,2000-0248; reference:nessus,10381; reference:url,doc.emergingthreats.net/2002331; classtype:attempted-recon; sid:2002331; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
# Disabled upstream. Raw-payload matching without file_data; relies on the ActiveX ProgID and method name appearing in the served page.
# alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Altirix eXpress NS SC ActiveX Arbitrary Code Execution Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Altiris.AeXNSPkgDL.1"; nocase; distance:0; content:"DownloadAndInstall"; nocase; reference:url,trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/browser/symantec_altirisdeployment_downloadandinstall.rb?rev=7023; reference:url,secunia.com/advisories/36679; reference:url,doc.emergingthreats.net/2010190; classtype:attempted-user; sid:2010190; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
# Matches the string "split" assembled from single-quoted one-character pieces in a served file; sets ET.JS.Obfus.Func for follow-up rules.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 7"; flow:established,from_server; file_data; content:"|27|s|27|+|27|p|27|+|27|l|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017226; rev:2; metadata:created_at 2013_07_29, updated_at 2013_07_29;)
# |00 00 0c| = SNI name_type host_name plus a 12-byte length, so this anchors to the exact host name "handbrake.cc" in the ClientHello.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Proton.C/D Domain (handbrake .cc in TLS SNI)"; flow:established,to_server; content:"|00 00 0c|handbrake.cc"; fast_pattern; nocase; metadata: former_category TROJAN; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024893; rev:4; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_20, malware_family Proton, performance_impact Moderate, updated_at 2019_10_07;)
# NOTE(review): pcre:"/?/i" is not a valid pattern (a "?" with nothing to repeat) and will not compile; the original expression
# appears to have been mangled (likely an angle-bracket pattern stripped in extraction). Restore it from the upstream rule before loading.
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET WEB_SERVER Oracle Secure Enterprise Search 10.1.8 search Script XSS attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/search/query/search"; nocase; content:"search_p_groups="; nocase; content:"script"; nocase; pcre:"/?/i"; reference:url,dsecrg.com/pages/vul/show.php?id=125; reference:url,doc.emergingthreats.net/2009643; classtype:web-application-attack; sid:2009643; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
# SMB1 on port 139 only: |FF|SMBu is the SMB header with command 0x75 (TREE_CONNECT_ANDX); byte_test/byte_jump walk the AndX structure to the share path. SMB2/3 and port 445 are not covered.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ADMIN$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2100532; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# Disabled upstream. depth:16 anchors the label to the start of the queried name.
# alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns_query; content:"gccxqpuuylioxoip"; depth:16; fast_pattern; nocase; metadata: former_category TROJAN; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022999; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_02, malware_family Ransomware, performance_impact Low, updated_at 2019_09_03;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id UPDATE"; flow:established,to_server; content:"/edit.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007216; classtype:web-application-attack; sid:2007216; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;)
# Outbound FTP upload whose file name starts with "Predator_Pain"; a hit points at keylogger exfiltration from the source host.
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE Predator Pain Keylogger FTP"; flow:established,to_server; content:"STOR Predator_Pain"; reference:md5,c9025c9835d1b7d6f0dd2390ea7d5e18; classtype:trojan-activity; sid:2020412; rev:1; metadata:created_at 2015_02_12, updated_at 2015_02_12;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id ASCII"; flow:established,to_server; content:"/xNews.php?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; reference:url,doc.emergingthreats.net/2005162; classtype:web-application-attack; sid:2005162; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_26;)
alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns_query; content:"emptiness.web2tor.cf"; nocase; endswith; metadata: former_category MALWARE; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027852; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_08_09, updated_at 2019_09_28;)
# RFI check: mosConfig_absolute_path set to an ftp/http/php URL scheme in the URI.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla component smartformer Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/components/com_smartformer/smartformer.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/95477/joomlasmartformer-rfi.txt; classtype:web-application-attack; sid:2012666; rev:3; metadata:created_at 2011_04_11, updated_at 2011_04_11;)
# The U-flag regex pins the whole URI to "/?" + digit + a token over the alphabet A-Za-z0-9~_ with "-" padding; both header contents are also required, so a changed User-Agent or Referer defeats the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HighTide trojan Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/?"; http_uri; depth:2; content:"Trident/5.0|29 0d 0a|"; fast_pattern; http_header; content:"Referer|3A| http|3A|//www.google.com/|0D 0A|"; http_header; pcre:"/^\/\?\d(?:[A-Za-z0-9~_]{4})*(?:[A-Za-z0-9~_]{2}--|[A-Za-z0-9~_]{3}-|[A-Za-z0-9~_]{4})$/U"; metadata: former_category MALWARE; reference:md5,6e59861931fa2796ee107dc27bfdd480; reference:url,fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html; classtype:command-and-control; sid:2019113; rev:2; metadata:created_at 2014_09_04, updated_at 2014_09_04;)
# Matches "&ssn=" in any POST body, including legitimate forms; severity Minor -- a triage lead (where is the SSN being posted?), not a verdict.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspicious SSN Parameter in HTTP POST - Possible Phishing"; flow:established,to_server; content:"POST"; http_method; content:"&ssn="; nocase; http_client_body; metadata: former_category POLICY; classtype:trojan-activity; sid:2026908; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2019_02_13, updated_at 2019_02_13;)
# Requires smb.tree.bind.winreg set by an earlier winreg bind rule (not shown here); |FF|SMB% is command 0x25 (SMB_COM_TRANSACTION). SMB1 / port 139 only.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102944; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS UA starting with Mozilla/9"; flow:established,to_server; content:"Mozilla/9"; depth:9; nocase; http_user_agent; classtype:bad-unknown; sid:2016694; rev:4; metadata:created_at 2013_04_01, updated_at 2013_04_01;)
# Setter only: flowbits:noalert suppresses this rule's own alert; it tags the flow ET.genericphish for follow-up rules to consume.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Dec 13 2016"; flow:to_server,established; content:"POST"; http_method; content:"UserID="; depth:7; nocase; http_client_body; fast_pattern; content:"&Pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:credential-theft; sid:2024569; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_12_13, updated_at 2017_08_16;)
# Disabled upstream. Raw header matching (no http_header modifier); note the "flow: " spelling with a space, which is accepted but unusual.
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bundleware Spyware CHM Download"; flow: to_server,established; content:"Referer|3a| ms-its|3a|mhtml|3a|file|3a|//C|3a|counter.mht!http|3a|//"; nocase; content:"/counter/HELP3.CHM|3a 3a|/help.htm"; nocase; metadata: former_category ADWARE_PUP; reference:url,doc.emergingthreats.net/bin/view/Main/2001452; classtype:pup-activity; sid:2001452; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# Disabled upstream. Even if enabled this rule never alerts (flowbits:noalert); it only re-checks ET.PcClient on the flow.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PcClient Backdoor Checkin"; flowbits:isset,ET.PcClient; flow:established,to_server; dsize:248; content:"|52 0d 12 12|"; depth:4; flowbits:noalert; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2009239; classtype:command-and-control; sid:2009239; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# Disabled upstream.
# alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 9"; dns_query; content:"bee.aoto.cloudns.org"; depth:20; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022419; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
# Empty-body 302 whose Location starts "http://1" and, per the H-flag regex, continues with digits only up to "/" or end of line -- a host written as a single decimal integer instead of a name or dotted quad.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M2"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|1"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; metadata: former_category CURRENT_EVENTS; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:exploit-kit; sid:2024134; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2017_03_31, updated_at 2017_03_31;)
# depth:6 plus isdataat:!1,relative requires the User-Agent to be exactly "IE/1.0" with nothing after it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (IE/1.0)"; flow:to_server,established; content:"IE/1.0"; http_user_agent; depth:6; isdataat:!1,relative; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category HUNTING; reference:url,doc.emergingthreats.net/bin/view/Main/2008956; classtype:trojan-activity; sid:2008956; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2019_10_11;)
# depth:21 + endswith make this an exact-name match for secure.netsolhost.com, a legitimate hosting domain; the phishing context comes from the cited campaign, so expect benign hits too.
alert dns $HOME_NET any -> any any (msg:"ET PHISHING Netsolhost SSL Proxying - Possible Phishing Nov 24 2015"; dns_query; content:"secure.netsolhost.com"; depth:21; nocase; endswith; fast_pattern; metadata: former_category PHISHING; classtype:social-engineering; sid:2022136; rev:5; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2015_11_24, updated_at 2019_09_28;)
# dsize:12 with a 12-byte content at depth 12: the entire payload must equal the fixed marker.
alert tcp $HOME_NET any -> $EXTERNAL_NET 8000:9000 (msg:"ET MALWARE Win32/RaaLoader CnC Activity"; flow:established,to_server; dsize:12; content:"|12 10 00 00 00 00 00 00 00 00 00 00|"; depth:12; fast_pattern; metadata: former_category MALWARE; reference:md5,16b4b114f6ccfff008de265d535656a2; classtype:command-and-control; sid:2029731; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_03_24, malware_family RaaLoader, updated_at 2020_03_24;)
# "alert ip" on Spamhaus DROP netblocks: any protocol, inbound only, one alert per source per hour; sets ET.Evil / ET.DROPIP for other rules. Feed-generated (rev:2751) -- keep in step with the DROP list.
alert ip [192.43.175.0/24,192.43.176.0/21,192.43.184.0/24,192.46.192.0/18,192.54.110.0/24,192.67.16.0/24,192.88.74.0/24,192.96.146.0/24,192.100.142.0/24,192.101.44.0/24,192.101.181.0/24,192.101.200.0/21,192.101.240.0/21,192.101.248.0/23,192.133.3.0/24,192.152.194.0/24,192.154.11.0/24,192.158.51.0/24,192.160.44.0/24,192.161.80.0/20] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 23"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400022; rev:2751; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2020_03_22;)
# Body parameters act=/&atom=/&id= in order, the Indy Library User-Agent, and a negated header content (no "Referer:" present).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Banker.ABCG Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"act="; depth:4; http_client_body; content:"&atom="; distance:0; fast_pattern; http_client_body; content:"&id="; distance:0; http_client_body; content:"Mozilla/3.0 (compatible|3b| Indy Library)"; depth:38; http_user_agent; content:!"Referer|3a|"; http_header; metadata: former_category MALWARE; reference:md5,acad4be4c587b9db9f39268cc4c0c192; reference:md5,b07a6a590c729fcd47ebce37fdd6c90b; classtype:command-and-control; sid:2019653; rev:3; metadata:created_at 2014_11_05, updated_at 2014_11_05;)
# Written with Suricata sticky-buffer keywords (http.method, http.uri, http.user_agent, http.header_names, bsize); it will not load on Snort or on Suricata builds that predate them. bsize:38 requires the User-Agent to be exactly that string; http.header_names with content:!"Referer" requires that no Referer header exist at all.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mermaid Ransomware Variant CnC Activity M2"; flow:established,to_server; urilen:>50; http.method; content:"GET"; http.uri; content:"data.php?info="; fast_pattern; pcre:"/^[A-Za-z0-9\?=]{25,}$/Rsi"; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; bsize:38; http.header_names; content:!"Referer"; metadata: former_category MALWARE; reference:md5,b3bc3fe63fad42ae8bcd448b8aec3e3e; classtype:command-and-control; sid:2029320; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_01_24, malware_family Ransomware, updated_at 2020_01_24;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp ASCII"; flow:established,to_server; content:"/cgi-bin/reorder2.asp?"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2997; reference:url,www.securityfocus.com/bid/24226; reference:url,doc.emergingthreats.net/2004467; classtype:web-application-attack; sid:2004467; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_26;)
# Direction is from $HOME_NET $HTTP_PORTS outward: a hit means an internal web server is serving the bot's login panel, hence classtype successful-admin. Treat the source host as compromised.
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET MALWARE Cythosia V2 DDoS WebPanel Hosted Locally"; flow:established,from_server; content:"|3C|title|3E|Cythosia|20|V2|20|Bot|20|Webpanel|20 2D 20|Login|3C 2F|title|3E|"; nocase; reference:url,blog.webroot.com/2012/01/09/a-peek-inside-the-cythosia-v2-ddos-bot/; classtype:successful-admin; sid:2014118; rev:2; metadata:created_at 2012_01_12, updated_at 2012_01_12;)
# Short (<50 byte) message starting "sc.op_sep_" and ending "_packet_" (endswith).
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaRAT Sending Screen Size"; flow:established,to_server; dsize:<50; content:"sc.op_sep_"; depth:10; nocase; fast_pattern; content:"_packet_"; distance:0; endswith; metadata: former_category TROJAN; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026584; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_06, performance_impact Moderate, updated_at 2019_09_28;)
# Length check for the overflow: the relative regex needs a quoted argument of at least 1000 characters after the procedure name, so ordinary calls do not match.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL snapshot.end_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102636; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# The H-flag regex requires the Host header to be a bare IPv4 literal, in addition to the URI and MSIE 6.0 User-Agent fragments.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Toby.N Multilocker Image Request"; flow:established,to_server; content:"/upload/mp3.mp3"; http_uri; content:" MSIE 6.0|3b| "; http_user_agent; pcre:"/^Host\x3a\s*(\d{1,3}\.){3}\d{1,3}\r$/Hm"; reference:url,malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html; classtype:trojan-activity; sid:2016370; rev:3; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
alert dns $HOME_NET any -> any any (msg:"ET MALWARE MSIL/BISKVIT DNS Lookup (bigboss .x24hr .com)"; dns_query; content:"bigboss.x24hr.com"; nocase; fast_pattern; endswith; metadata: former_category TROJAN; reference:md5,02655131d4167f3be9b83b0eaa6609f7; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:2026021; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_08_23, malware_family BISKVIT, performance_impact Low, updated_at 2019_09_28;)
# Broad: case-insensitive SELECT and USER anywhere in the URI separated only by non-letters; expect false positives on search-style URLs.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SELECT USER SQL Injection Attempt in URI"; flow:established,to_server; content:"SELECT"; nocase; http_uri; content:"USER"; nocase; http_uri; pcre:"/SELECT[^a-z]+USER/Ui"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2010963; classtype:web-application-attack; sid:2010963; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
# Disabled upstream. Policy rule: "QVOD" within the first 32 bytes of any outbound UDP payload.
# alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P QVOD P2P Sharing Traffic detected (udp) payload"; content:"QVOD"; depth:32; reference:md5,816a02a1250d90734059ed322ace72c7; classtype:policy-violation; sid:2015967; rev:2; metadata:created_at 2012_11_29, updated_at 2012_11_29;)
# Disabled upstream. |55 04 06| countryName = "XX" and |55 04 07| localityName = "Default City" are openssl.cnf defaults, so the leading 10-byte content (presumably the certificate serial) is what makes this specific.
# alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Flokibot CnC)"; flow:from_server,established; content:"|09 00 9c 56 80 8c 3d 64 03 c6|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; metadata: former_category MALWARE; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2023554; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_29, malware_family Flokibot, updated_at 2016_11_29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RegHelper Installation"; flow:established,to_server; content:"GET"; nocase; http_method; content:"start="; http_uri; content:"&Edition="; http_uri; content:"&RHRTVersion="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008376; classtype:trojan-activity; sid:2008376; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# fast_pattern:8,20 hands the MPM the 20 bytes starting at offset 8 of the content ("ValidateFormYahoo()") rather than the generic "function" prefix.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Phishing Landing Jul 28 2015"; flow:established,to_client; file_data; content:"function ValidateFormYahoo()"; fast_pattern:8,20; metadata: former_category CURRENT_EVENTS; classtype:social-engineering; sid:2021540; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2015_07_27, updated_at 2017_08_17;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php DELETE"; flow:established,to_server; content:"/game_listing.php?"; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3307; reference:url,www.milw0rm.com/exploits/4078; reference:url,doc.emergingthreats.net/2006482; classtype:web-application-attack; sid:2006482; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_26;)
# Disabled upstream. |16| / |0b| are the TLS handshake record type and Certificate message type; |55 04 0A| organizationName = "Internet Widgits Pty Ltd" is the OpenSSL default, so specificity again rests on the 10-byte content (presumably the serial).
# alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 19 ef 92 11 51 27 f3|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; metadata: former_category MALWARE; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021121; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_05_20, updated_at 2016_07_01;)
# dsize:69 with startswith pins the exact UDP payload prefix; no port or direction constraint beyond $HOME_NET as source.
alert udp $HOME_NET any -> any any (msg:"ET MALWARE ELF/Roboto - Communicating with Hardcoded Peer 3"; dsize:69; content:"|00 00 00 00 02 E8 78 31 C6 55 9A 13 FC AB DB 75 9B A5 B1 D6 05 F2 3A 72 FF 04 B5 9F 7F 5A 8B 12 56 F2 CA 01 5E|"; startswith; fast_pattern; metadata: former_category MALWARE; reference:url,blog.netlab.360.com/the-awaiting-roboto-botnet-en/; classtype:command-and-control; sid:2029044; rev:1; metadata:affected_product Linux, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2019_11_21, malware_family Roboto, performance_impact Low, updated_at 2019_11_21;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key INSERT"; flow:established,to_server; content:"/coupon_detail.asp?"; http_uri; nocase; content:"key="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6859; reference:url,www.securityfocus.com/bid/21824; reference:url,doc.emergingthreats.net/2005951; classtype:web-application-attack; sid:2005951; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_26;)
# Disabled upstream. The "Responce" spelling is part of the msg string and is left untouched because downstream alert matching may key on it.
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dropper.Win32.Npkon Server Responce"; flow:from_server,established; content:"|40 1f|"; offset:1; depth:2; content:"|01|"; distance:1; within:1; content:"|10 00 00 00|"; distance:1; within:4; dsize:26; reference:url,www.threatexpert.com/report.aspx?md5=a7f4a7d08fa650a5f09a00519b944b0b; classtype:trojan-activity; sid:2013794; rev:1; metadata:created_at 2011_10_24, updated_at 2011_10_24;)
# Same shape as the TOR group 576 rule above: stateless IP-list match, one alert per source per 60s, sets ET.TorIP.
alert tcp [92.117.174.133,92.117.47.131,92.117.96.166,92.118.47.206,92.137.154.128,92.137.3.58,92.139.56.67,92.142.88.163,92.148.159.136,92.154.11.246] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 777"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522776; rev:4013; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_03_25;)
# urilen:<11 plus the anchored U-flag regex restrict the URI to exactly /2p/<1-2 lowercase letters>.exe.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus.Downloader Campaign Second Stage Executable Request 10/4/2014"; flow:established,to_server; urilen:<11; content:"/2p/"; http_uri; content:".exe"; fast_pattern; http_uri; pcre:"/^\x2F2p\x2F[a-z]{1,2}\.exe$/U"; reference:md5,94d5d99b910f9184573a01873fdc42fc; classtype:trojan-activity; sid:2018385; rev:3; metadata:created_at 2014_04_11, updated_at 2014_04_11;)
# Raw-payload string match on the served page (no file_data), so it also matches the phrase inside compressed-free HTML only.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FakeAV scanner page encountered Initializing Virus Protection System"; flow:to_client,established; content:"Initializing Virus Protection System..."; classtype:bad-unknown; sid:2011343; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)
# Any request for a .php file under the three OptimizePress image-upload folders: a hit indicates an already-uploaded script being accessed (ATTACK_RESPONSE), so treat it as a likely compromise and inspect the upload directory.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET ATTACK_RESPONSE PHP script in OptimizePress Upload Directory Possible WebShell Access"; flow:to_server,established; content:"/wp-content/uploads/optpress/images_"; http_uri; fast_pattern:16,20; content:".php"; http_uri; pcre:"/\/wp-content\/uploads\/optpress\/images\_(?:comingsoon|lncthumbs|optbuttons)\/.*?\.php/Ui"; metadata: former_category CURRENT_EVENTS; reference:url,blog.sucuri.net/2013/12/wordpress-optimizepress-theme-file-upload-vulnerability.html; classtype:attempted-admin; sid:2017854; rev:3; metadata:created_at 2013_12_13, updated_at 2017_11_28;)
# depth:18 + endswith make the User-Agent exactly "Rostpay Downloader".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rostpay Downloader User-Agent"; flow:established,to_server; content:"Rostpay Downloader"; nocase; depth:18; endswith; http_user_agent; metadata: former_category TROJAN; reference:md5,6887e8e2fb391a1ca84f192efd5c8331; classtype:trojan-activity; sid:2025697; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_16, updated_at 2019_09_28;)
# Disabled upstream.
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 4)"; content:"|30 41 44 41 56 58 34 5a 38 42 44 4a 4f 4d 4c 36 41|"; 
reference:url,doc.emergingthreats.net/2010399; classtype:shellcode-detect; sid:2010399; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;) alert tcp [104.244.72.115,104.244.72.128,104.244.72.191,104.244.72.22,104.244.72.239,104.244.72.241,104.244.72.99,104.244.73.126,104.244.73.192,104.244.73.198] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 3"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520002; rev:4013; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_03_25;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M3"; flow:established,to_client; file_data; content:"Wells Fargo |3b|Sign On to View Your Accounts"; nocase; fast_pattern; content:"View Your Accounts"; nocase; distance:0; content:"disableSubmitsCollectUserPrefs"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:social-engineering; sid:2025294; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_02, updated_at 2018_02_02;) alert ip 
[1.119.0.21,1.119.129.16,1.119.150.178,1.160.57.203,1.160.95.91,1.161.112.172,1.162.144.140,1.162.144.32,1.162.144.76,1.163.212.226,1.163.8.126,1.165.189.4,1.168.19.113,1.169.65.108,1.170.34.60,1.171.43.160,1.172.55.29,1.173.230.74,1.173.40.22,1.173.92.31,1.174.132.88,1.174.27.44,1.174.84.177,1.174.93.243,1.175.167.1,1.175.226.103,1.175.67.11,1.175.93.92,1.176.134.253,1.179.128.124,1.179.173.2,1.181.92.123,1.186.220.253,1.186.239.69,1.186.98.230,1.186.98.236,1.189.10.81,1.190.229.150,1.190.29.247,1.192.131.153,1.192.159.87,1.192.192.4,1.192.192.6,1.192.192.8,1.192.195.5,1.192.195.8,1.196.196.194,1.196.216.140,1.198.7.61,1.199.252.200] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 1"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403300; rev:56258; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2020_03_25;) # alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|hoonietospeed.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023264; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_22, updated_at 2016_09_22;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP VirusProtectPro Spyware User-Agent (VirusProtectPro)"; flow:established,to_server; content:"VirusProtectPro"; http_user_agent; depth:15; metadata: former_category ADWARE_PUP; reference:url,doc.emergingthreats.net/2007617; classtype:pup-activity; sid:2007617; rev:11; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, 
signature_severity Minor, created_at 2010_07_30, updated_at 2019_10_11;)
# Suricata built-in IKEv2 decoder event: fires on the responder side (flow:to_client) when the
# parser flags the negotiated PRF as weak. There is no content match -- the judgement of
# "weak" is the app-layer parser's, so tune via the ikev2 app-layer config, not this rule.
alert ikev2 any any -> any any (msg:"SURICATA IKEv2 weak cryptographic parameters (PRF)"; flow:to_client; app-layer-event:ikev2.weak_crypto_prf; classtype:protocol-command-decode; sid:2224003; rev:1;)
# Volatile Cedar / Explosive beacon: ".php?micro=" in the URI plus a hardcoded User-Agent.
# fast_pattern:25,20 hands the MPM the 20 bytes starting at offset 25 of the UA, i.e.
# "MSIE 7.0; MSIE 6.0; " -- the self-contradictory double MSIE token is the distinctive part,
# since the rest of the UA is a common legitimate string. depth:80 pins the UA to the start
# of the header value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive HTTP CnC Beacon 1"; flow:established,to_server; content:".php?micro="; http_uri; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| MSIE 6.0|3b| Windows NT 5.1|3b| .NET CLR 2.0.50727)"; depth:80; http_user_agent; fast_pattern:25,20; metadata: former_category MALWARE; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:command-and-control; sid:2020813; rev:3; metadata:created_at 2015_03_31, updated_at 2015_03_31;)
# Portix-PHP simplog archive.php pid SELECT-based SQLi (CVE-2006-6935). Same generic shape as
# the other WEB_SPECIFIC_APPS SQLi rules here: script path + parameter name + keyword, with an
# unanchored "/SELECT.+FROM/Ui" pcre. The pcre is not tied to the pid= parameter, so any
# "select ... from" text elsewhere in the URI also fires.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid SELECT"; flow:established,to_server; content:"/simplog/archive.php?"; http_uri; nocase; content:"pid="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005627; classtype:web-application-attack; sid:2005627; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_26;)
# Immophp annonce_detail.php annonce INSERT INTO SQLi (BID 48341). Restricted to GET via
# http_method, so the same injection in a POST body is out of scope. Metadata continues on
# the next line.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Immophp annonce parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/annonce_detail.php?"; nocase; http_uri; content:"annonce="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:bugtraq,48341; classtype:web-application-attack; sid:2013230; rev:2; metadata:affected_product 
Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_07_08, updated_at 2016_07_01;) alert tcp [2604:9a00:2010:a08d:0010:0000:0000:0023,2604:a880:0001:0020:0000:0000:02f0:a001,2604:a880:0001:0020:0000:0000:24a0:0001,2604:a880:0002:00d0:0000:0000:0503:1001,2604:a880:0002:00d0:0000:0000:2059:6001,2604:a880:0002:00d0:0000:0000:23c6:2001,2604:a880:0002:00d0:0000:0000:539e:a001,2604:a880:0400:00d0:0000:0000:1516:c001,2604:a880:0800:0010:0000:0000:063b:c00a,2604:a880:0800:00a1:0000:0000:002e:1001] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 437"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522436; rev:4013; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_03_25;) # alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (newoutlook.darktech.org)"; dns_query; content:"newoutlook.darktech.org"; depth:23; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020266; rev:4; metadata:created_at 2015_01_22, updated_at 2019_09_28;) alert dns $HOME_NET any -> any any (msg:"ET DNS Query to a .tk domain - Likely Hostile"; dns_query; content:".tk"; fast_pattern; nocase; endswith; content:!"www.google.tk"; metadata: former_category DNS; classtype:bad-unknown; sid:2012811; rev:6; metadata:created_at 2011_05_15, updated_at 2019_09_28;) # alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible LightsOut EK info3i.html"; flow:to_server,established; content:"/info3i.html"; http_uri; fast_pattern:only; nocase; metadata: former_category CURRENT_EVENTS; 
reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017530; rev:2; metadata:created_at 2013_09_30, updated_at 2013_09_30;)
# "wmic.exe" observed inside an SMB PDU. "SMB" within the first 8 bytes covers both the SMB1
# (|FF|SMB) and SMB2/3 (|FE|SMB) protocol IDs; "wmic.exe" (case-insensitive) may then appear
# anywhere later in the same PDU. Tuning caveats: this keys on the binary's NAME crossing SMB
# (e.g. a service command line or a file written to a share) -- presumably not a WMI call
# itself, which is DCERPC rather than SMB -- so any script/log/document containing the string
# "wmic.exe" copied over a share will also trip it, while an invocation typed as plain "wmic"
# will not. Source is "any", so east-west traffic is in scope (deployment Internal).
# classtype is trojan-activity despite the POLICY prefix; consistent with the msg ("Likely
# Lateral Movement") but it will land in malware dashboards rather than policy ones.
alert smb any any -> $HOME_NET any (msg:"ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"wmic.exe"; nocase; distance:0; metadata: former_category POLICY; classtype:trojan-activity; sid:2027181; rev:2; metadata:attack_target SMB_Client, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2019_04_10, updated_at 2019_04_16;)
# Legacy MSN Messenger status-change command: "CHG " within the first 55 bytes of any outbound
# TCP payload. No port restriction and a very short pattern, so expect noise from unrelated
# protocols that happen to carry "CHG " early in a segment.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT MSN status change"; flow:established,to_server; content:"CHG "; depth:55; reference:url,doc.emergingthreats.net/2002192; classtype:policy-violation; sid:2002192; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# Disabled: News Manager ch_readalso.php RFI (BID 29251). Written in legacy Snort style
# (raw "GET " at depth 4, uricontent instead of http_uri). The pcre requires the parameter
# value to start with an http(s)/ftp(s)/php scheme, which catches remote URLs and php://
# wrappers but not data: or other stream wrappers.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS News Manager ch_readalso.php read_xml_include Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/ch_readalso.php?"; nocase; uricontent:"read_xml_include="; nocase; pcre:"/read_xml_include=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,29251; reference:url,xforce.iss.net/xforce/xfdb/42459; reference:url,milw0rm.com/exploits/5624; reference:url,doc.emergingthreats.net/2010099; classtype:web-application-attack; sid:2010099; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
# Disabled: hostile JAR from an unnamed malvertising kit. "PK" with within:2 directly after
# file_data pins the zip/jar magic to the first two bytes of the file, then three class names
# (pipe/inc/fdp) from the zip central directory must all be present. Kit-specific artifact
# names; disabled presumably because the kit is defunct.
# alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising Exploit Kit Hostile Jar pipe.class"; flow:established,from_server; file_data; content:"PK"; within:2; content:"|00|pipe.class"; fast_pattern; content:"|00|inc.class"; content:"|00|fdp.class"; metadata: former_category EXPLOIT_KIT; classtype:exploit-kit; sid:2017095; rev:2; metadata:created_at 2013_07_03, updated_at 2013_07_03;)
# CCleaner supply-chain backdoor (Sep 2017) fallback C2 domain. Despite "DGA" in the msg this
# is a single static domain match (detection options continue on the next line), so it only
# covers the one domain published by Talos, not the generated set as a whole.
alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner 
Backdoor DGA Aug 2017"; dns_query; content:"ab8cee60c2d.com"; endswith; metadata: former_category TROJAN; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024714; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_18, updated_at 2019_09_28;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/qlib/smarty.inc.php?"; nocase; uricontent:"CONFIG[gameroot]="; nocase; pcre:"/CONFIG\[gameroot\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,27945; reference:url,secunia.com/advisories/29077; reference:url,milw0rm.com/exploits/5174; reference:url,doc.emergingthreats.net/2009504; classtype:web-application-attack; sid:2009504; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL SCAN adm scan"; flow:to_server,established; content:"PASS ddd@|0A|"; reference:arachnids,332; classtype:suspicious-login; sid:2100353; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Quanta LTE Router RDE Exploit Attempt 1 (ping)"; flow:to_server,established; content:"POST"; http_method; content:"/webpost.cgi"; http_uri; content:"|7b 22 43 66 67 54 79 70 65 22 3a 22 70 69 6e 67 22 2c 22 63 6d 64 22 3a 22 70 69 6e 67 22 2c 22 75 72 6c 22 3a 22|"; http_client_body; fast_pattern; pcre:"/^[^\x22]*[\x24\x60]+/PRi"; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022700; rev:2; metadata:created_at 2016_04_05, updated_at 2016_04_05;) # alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Terror EK Landing URI T1 Jun 02 
2017"; flow:established,to_server; content:"/e71cac9dd645d92189c49e2b30ec627a/dcb4c6c6149b2208fbcf7c9d8c59548e"; http_uri; metadata: former_category CURRENT_EVENTS; classtype:exploit-kit; sid:2024343; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Terror, signature_severity Major, created_at 2017_06_02, malware_family Exploit_Kit_Terror, updated_at 2017_06_02;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id UPDATE"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"cat_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007053; classtype:web-application-attack; sid:2007053; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nivdort Posting Data 2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; isdataat:!1,relative; content:"|0d 0a 0d 0a|env="; fast_pattern; pcre:"/^env=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/P"; http_header_names; content:!"User-Agent|0d 0a|"; content:!"Accept-"; content:!"Referer|0d 0a|"; http_protocol; content:"HTTP/1.0"; http_content_type; content:"application/x-www-form-urlencoded"; depth:33; isdataat:!1,relative; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32/Nivdort; classtype:trojan-activity; sid:2022281; rev:3; metadata:created_at 2015_12_18, updated_at 2020_03_06;) alert http $EXTERNAL_NET any -> 
$HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password ASCII"; flow:established,to_server; content:"/login.asp?"; http_uri; nocase; content:"password="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005031; classtype:web-application-attack; sid:2005031; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_26;)
# Flow tagger only: sets ET.iTunes.vuln (flowbits:noalert -- emits nothing itself) when the
# User-Agent begins with "iTunes/10.6." (depth:12 equals the string length, so offset 0) and
# the normalized-header pcre narrows the build to 10.6.0 / 10.6.1. A downstream rule testing
# the flowbit does the actual alerting.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Vulnerable iTunes Version 10.6.x"; flow:established,to_server; content:"iTunes/10.6."; http_user_agent; depth:12; pcre:"/^User-Agent\x3a\x20iTunes\/10\.6\.[0-1]/Hm"; flowbits:set,ET.iTunes.vuln; flowbits:noalert; classtype:policy-violation; sid:2014954; rev:10; metadata:created_at 2012_06_25, updated_at 2019_10_11;)
# Operation Cleaver C2 domain. Coverage caveat: the content is 25 bytes, depth:25 forces it
# to start at offset 0 and endswith forces it to end the buffer, so the dns_query must be
# EXACTLY "microsoftupdateserver.net". Any subdomain (e.g. "www.microsoftupdateserver.net")
# is NOT matched. If subdomain coverage is wanted, drop depth and match ".microsoftupdateserver.net"
# with endswith in a companion rule rather than loosening this one.
alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns_query; content:"microsoftupdateserver.net"; depth:25; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019862; rev:5; metadata:created_at 2014_12_03, updated_at 2019_09_28;)
# ASP webshell embedded in a JPEG upload. Layout matched: SOI+APP0 marker |FF D8 FF E0| at
# body offset 0 (depth:4), the 2-byte segment length skipped (distance:2), the "JFIF"
# identifier, then "<%eval request(" anywhere after it. Coverage caveats: depth:4 on
# http_client_body means the JPEG must BE the raw body -- a multipart/form-data upload begins
# with the boundary line and will not match; only APP0/JFIF files are covered, not EXIF-first
# JPEGs (|FF D8 FF E1|); and only the ASP "<%eval request(" family is caught, not PHP/JSP
# polyglots. Rule metadata continues on the next line.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible WebShell JPEG Upload"; flow:established,to_server; content:"POST"; http_method; content:"|FF D8 FF E0|"; http_client_body; depth:4; content:"JFIF"; http_client_body; distance:2; within:4; content:"<%eval|20|request|28 22|"; http_client_body; distance:0; fast_pattern; metadata: former_category EXPLOIT; classtype:attempted-admin; sid:2027737; rev:1; metadata:attack_target Web_Server, deployment Perimeter, tag WebShell, signature_severity Major, created_at 2019_07_22, 
performance_impact Low, updated_at 2019_07_22;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment INSERT"; flow:established,to_server; content:"/viewimage.php?"; http_uri; nocase; content:"editcomment="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3065; reference:url,www.milw0rm.com/exploits/4019; reference:url,doc.emergingthreats.net/2004620; classtype:web-application-attack; sid:2004620; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Variable Unicode Shellcode"; flow:established,to_client; content:"= unescape|28|"; nocase; content:"|5C|u"; nocase; within:3; content:"|5C|u"; nocase; within:6; pcre:"/var\x20[a-z,0-9]{1,30}\x20\x3D\x20unescape\x28.\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}/i"; reference:url,www.symantec.com/avcenter/reference/evolving.shell.code.pdf; classtype:shellcode-detect; sid:2012535; rev:2; metadata:created_at 2011_03_22, updated_at 2011_03_22;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Probable OneLouder downloader (Zeus P2P) exe download"; flow:established,to_client; flowbits:isset,ET.Onelouder.bin; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2018982; rev:2; metadata:created_at 2014_08_21, updated_at 2014_08_21;) alert dns $HOME_NET any -> any any (msg:"ET MALWARE W32.Razy Inject Domain in DNS Lookup"; dns_query; content:"touristsila1.info"; endswith; metadata: former_category TROJAN; reference:url,securelist.com/razy-in-search-of-cryptocurrency/89485/; classtype:trojan-activity; sid:2026857; rev:3; metadata:affected_product 
Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_01_25, updated_at 2019_09_28;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-3"; flow:established,to_server; content:"GET"; http_method; content:"/modules/maticmarket/bleu/blanc/haut.php?"; nocase; http_uri; content:"modulename="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012124; classtype:web-application-attack; sid:2012124; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_12_30, updated_at 2019_09_27;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.register_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102845; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gimemo Activity"; flow:established,to_server; content:"mainsettings/settings.sol"; http_uri; content:" MSIE 7.0|3b|"; http_user_agent; classtype:trojan-activity; sid:2016515; rev:4; metadata:created_at 2013_03_04, updated_at 2013_03_04;) alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Lookup 
for Possible Common Brand Phishing Hosted on Legitimate Windows Service"; dns_query; content:".core.windows.net"; endswith; pcre:"/^(?:d(?:(?:ocu|uco)sign|ropbox)|o(?:ffice365|nedrive)|adobe|gdoc)/"; pcre:!"/^onedrivecl[a-z]{2}prod[a-z]{2}200[0-9]{2}\./"; metadata: former_category POLICY; classtype:policy-violation; sid:2026486; rev:8; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_10_15, updated_at 2019_09_28;) # alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Remote File inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/main.inc.php?"; nocase; http_uri; content:"mj_config[src_path]="; nocase; http_uri; pcre:"/mj_config\[src_path\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/31947/; reference:url,milw0rm.com/exploits/6533; reference:url,doc.emergingthreats.net/2009196; classtype:web-application-attack; sid:2009196; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_bit controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_bit"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.com/files/118943/Joomla-Bit-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016232; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2013_01_18, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing Feb 24 2017"; flow:from_server,established; file_data; content:""; nocase; fast_pattern; content:" $HOME_NET 21 
(msg:"ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-2"; flow:established; content:"list"; depth:5; nocase; dsize:>74; pcre:"/[\w]{70,}/i"; reference:url,milw0rm.com/exploits/6738; reference:cve,CVE-2008-4572; reference:bugtraq,31729; reference:url,doc.emergingthreats.net/bin/view/Main/2008777; classtype:web-application-attack; sid:2008777; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LummoX Keylogger Report SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a| LummoX Logger"; fast_pattern; nocase; classtype:trojan-activity; sid:2022005; rev:2; metadata:created_at 2015_10_27, updated_at 2015_10_27;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/TrojanDownloader.Agent.SEB Keep-Alive"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?logins="; content:"&s="; distance:0; http.request_body; content:"host="; depth:5; content:"&bk="; distance:0; http.header_names; content:!"Referer"; metadata: former_category MALWARE; reference:md5,3d0471796957b847decd635942e6cd10; classtype:command-and-control; sid:2029624; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_03_13, updated_at 2020_03_13;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id UNION SELECT"; flow:established,to_server; content:"/polls.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006755; classtype:web-application-attack; sid:2006755; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag 
SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Tivoli Provisioning Manager Express Isig.isigCtl.1 ActiveX RunAndUploadFile Method Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"84B74E82-3475-420E-9949-773B4FB91771"; nocase; distance:0; content:"RunAndUploadFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/111680/IBM-Tivoli-Provisioning-Manager-Express-Overflow.html; classtype:attempted-user; sid:2014550; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_13, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransom.Win32.Blocker.fwlm Checkin"; flow:established,to_server; urilen:497; content:"GET"; http_method; content:".bin"; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/^\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\.bin$/U"; metadata: former_category MALWARE; reference:url,vxsecurity.sg/2014/10/25/technical-teardown-hongkong-protest-malware/; classtype:command-and-control; sid:2019538; rev:3; metadata:created_at 2014_10_28, updated_at 2019_10_07;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OilRig APT PowDesk Powershell Check"; flow:established,to_server; content:"GET"; http_method; content:"/reclaimlandesk.php?devicename="; http_uri; fast_pattern; content:"&result="; http_uri; distance:0; content:!"Missing%20LANDESK"; http_raw_uri; http_header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; isdataat:!1,relative; metadata: former_category MALWARE; reference:url,twitter.com/ClearskySec/status/1209055280090288131; reference:md5,2de2e528991ac2d85aa8f12fce5351ad; classtype:command-and-control; sid:2029189; rev:2; metadata:affected_product 
Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_12_23, updated_at 2020_01_13;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so UNION SELECT"; flow:established,to_server; content:"/product_review.php?"; nocase; http_uri; content:"so="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004296; classtype:web-application-attack; sid:2004296; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;) # alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBKrypt.dytr Checkin"; flow:to_server,established; content:"/gate.php?id="; http_uri; content:"&pc="; http_uri; content:"&os="; http_uri; content:"&version="; http_uri; content:!"User-Agent|3a|"; http_header; metadata: former_category MALWARE; reference:url,www.threatexpert.com/report.aspx?md5=090986b0e303779bde1ddad3c65a9d78; classtype:command-and-control; sid:2014003; rev:3; metadata:created_at 2011_08_15, updated_at 2011_08_15;) alert ip 
[86.75.114.81,86.90.141.153,86.90.55.201,86.91.191.103,86.98.73.18,86.99.43.239,87.10.100.226,87.103.214.172,87.107.124.36,87.110.185.78,87.117.45.19,87.126.80.52,87.16.92.225,87.18.209.135,87.200.7.118,87.20.105.160,87.20.168.119,87.201.130.190,87.202.65.112,87.205.11.100,87.21.172.101,87.21.245.125,87.214.104.138,87.214.182.26,87.214.234.168,87.220.115.48,87.225.89.217,87.227.210.202,87.236.212.123,87.236.27.177,87.237.234.149,87.241.106.15,87.241.135.252,87.241.138.12,87.241.138.66,87.241.169.246,87.241.173.213,87.244.235.27,87.245.170.34,87.246.128.113,87.246.33.219,87.248.188.181,87.249.36.30,87.249.4.2,87.251.112.117,87.251.166.70,87.251.172.77,87.251.188.8,87.251.247.238,87.251.252.164] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 77"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403376; rev:56258; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2020_03_25;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Rosetta Flash compressed ZWS"; flow:established,from_server; content:"callback=ZWS"; nocase; fast_pattern; content:")).)+?data\s*?\=\s*?[\x22\x27][^\x22\x27]*[?&]callback=ZWS[a-zA-Z0-9_\.\x0d\x0a]{50,}+[&\x22\x27]/Rsi"; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:cve,2014-4671; classtype:attempted-user; sid:2018658; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2014_07_08, updated_at 2019_10_07;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS WebHack Control Center User-Agent Outbound (WHCC/)"; flow:to_server,established; content:"User-Agent|3a|"; nocase; content:"WHCC"; http_header; fast_pattern; 
nocase; pcre:"/^User-Agent\:[^\n]+WHCC/Hmi"; reference:url,www.governmentsecurity.org/forum/index.php?showtopic=5112&pid=28561&mode=threaded&start=; reference:url,doc.emergingthreats.net/2003925; classtype:trojan-activity; sid:2003925; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JAR Download From Crimepack Exploit Kit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"cpak/Crimepack"; nocase; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2011544; reference:url,krebsonsecurity.com/tag/crimepack/; reference:url,www.offensivecomputing.net/?q=node/1572; classtype:exploit-kit; sid:2011544; rev:7; metadata:created_at 2010_09_27, updated_at 2010_09_27;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Expiro.CD Check-in"; flow:established,to_server; content:"/gate.php?user="; http_uri; fast_pattern; content:"&id="; http_uri; nocase; content:"&type="; http_uri; pcre:"/\.php\?user=[a-f0-9]{32}&id=\d+&type=\d+(?:$|&)/U"; content:!"User-Agent|3a|"; http_header; reference:md5,c6e161a948f4474849d5740b2f27964a; classtype:trojan-activity; sid:2018255; rev:3; metadata:created_at 2014_03_12, updated_at 2019_10_07;) alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 16"; dns_query; content:"capsnit.com"; nocase; endswith; metadata: former_category MOBILE_MALWARE; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025906; rev:3; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, signature_severity Critical, created_at 2018_07_25, malware_family iOS_Bahamut, updated_at 2019_09_28;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Reader and Acrobat Forms Data Format Remote Security Bypass Attempt"; flow:established,to_client; content:"|0d 
0a|%FDF-"; depth:600; content:"/F(JavaScript|3a|"; nocase; distance:0; reference:url,www.securityfocus.com/bid/37763; reference:cve,2009-3956; reference:url,doc.emergingthreats.net/2010664; reference:url,www.stratsec.net/files/SS-2010-001_Stratsec_Acrobat_Script_Injection_Security_Advisory_v1.0.pdf; classtype:attempted-user; sid:2010664; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;) # alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Citadel API Access IFramer Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/iframer/"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015828; rev:7; metadata:created_at 2012_10_22, updated_at 2012_10_22;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.top) - set"; flow:established,to_server; content:".top|0d 0a|"; http_header; fast_pattern; pcre:"/^Host\x3a[^\r\n]+\.top(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; metadata: former_category INFO; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023455; rev:3; metadata:affected_product Any, attack_target Client_and_Server, signature_severity Minor, created_at 2016_10_27, updated_at 2019_10_07;) alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 8"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|Connectads.com"; distance:1; within:15; metadata: former_category MALWARE; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021425; rev:2; 
metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_15, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId INSERT"; flow:established,to_server; content:"/index.cfm?"; nocase; http_uri; content:"newsId="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006191; classtype:web-application-attack; sid:2006191; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (API-Guide test program) Used by Several trojans"; flow:established,to_server; content:"API-Guide test program"; http_user_agent; depth:22; nocase; endswith; metadata: former_category HUNTING; reference:url,doc.emergingthreats.net/2007826; classtype:trojan-activity; sid:2007826; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_28;) alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Wapack Labs Sinkhole DNS Reply"; content:"|00 01 00 01|"; content:"|00 04 17 FD 2E 40|"; distance:4; within:6; classtype:trojan-activity; sid:2021022; rev:1; metadata:created_at 2015_04_28, updated_at 2015_04_28;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Spelevo VBS Payload Downloaded"; flow:established,to_server; content:"POST"; http_method; content:"&00000111&11"; http_uri; fast_pattern; isdataat:!1,relative; http_header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a|Cookie|0d 0a 0d 0a|"; depth:49; 
http_content_len; byte_test:0,=,0,0,string,dec; metadata: former_category EXPLOIT_KIT; classtype:exploit-kit; sid:2028865; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Spelevo_EK, signature_severity Major, created_at 2019_10_18, malware_family Spelevo_EK, updated_at 2020_03_23;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie UNION SELECT"; flow:established,to_server; content:"/display_review.php?"; http_uri; nocase; content:"user_login_cookie="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005812; classtype:web-application-attack; sid:2005812; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_26;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit cc exploit progress status cookie"; flow:established,to_server; content:"|0d 0a|Cookie|3a|"; http_raw_header; content:"%3D|3b 20|cc2="; distance:0; http_raw_header; content:"%3D|3b 20|cc3="; http_raw_header; content:"%3D|3b 20|cc4="; http_raw_header; content:"|20|Java/"; http_raw_header; metadata: former_category EXPLOIT_KIT; classtype:exploit-kit; sid:2013695; rev:4; metadata:created_at 2011_09_27, updated_at 2011_09_27;) alert tcp [67.174.243.193,67.183.149.202,67.183.239.1,67.185.177.181,67.198.37.16,67.241.69.119,67.248.134.161,67.249.138.113,67.4.195.22,67.71.32.137] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 646"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; 
classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522645; rev:4013; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_03_25;) # alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Download UBAgent) - lop.com and other spyware"; flow:to_server,established; content:"Download UBAgent"; http_header; fast_pattern:only; metadata: former_category ADWARE_PUP; reference:url,www.spywareinfo.com/articles/lop/; reference:url,doc.emergingthreats.net/2003345; classtype:pup-activity; sid:2003345; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX _DownloadPBClose Method Buffer Overflow Attempt"; flow:established,to_client; content:" $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS connhost.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/connhost.exe"; http_uri; nocase; fast_pattern; pcre:"/\/connhost\.exe$/Ui"; metadata: former_category CURRENT_EVENTS; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017675; rev:3; metadata:created_at 2013_11_06, updated_at 2019_10_07;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AutoIt.NU Miner Dropper CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/?id="; http_uri; depth:5; content:"&pt="; http_uri; distance:0; within:20; fast_pattern; pcre:"/^[a-f0-9]{32}$/Vi"; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Pi"; http_content_type; content:"application/x-www-form-urlencoded"; http_header_names; content:"Accept"; content:!"Accept-"; content:!"Cache"; content:!"Referer"; metadata: former_category MALWARE; reference:md5,cd7a49513771efd9d4de873956ef8af5; classtype:command-and-control; 
sid:2025598; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Dropper, signature_severity Major, created_at 2018_06_21, malware_family Autoit_NU, performance_impact Low, updated_at 2018_06_21;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla AjaxChat Component ajcuser.php GLOBALS Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"/components/com_ajaxchat/tests/ajcuser.php?"; nocase; http_uri; content:"GLOBALS[mosConfig_absolute_path]="; nocase; http_uri; pcre:"/GLOBALS\[mosConfig_absolute_path\]\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/59056; reference:url,packetstormsecurity.org/0910-exploits/joomlaajaxchat-rfi.txt; reference:url,doc.emergingthreats.net/2010260; classtype:web-application-attack; sid:2010260; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;) alert dns $HOME_NET any -> any any (msg:"ET MALWARE Qasar Variant Domain (datapeople-cn .com in DNS Lookup)"; dns_query; content:"datapeople-cn.com"; endswith; metadata: former_category TROJAN; reference:url,twitter.com/blu3_team/status/947858470816112640; classtype:trojan-activity; sid:2025179; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Patchwork, signature_severity Major, created_at 2018_01_02, malware_family Qasar_Rat, performance_impact Moderate, updated_at 2019_09_28;) alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Firewalled Request"; dsize:35; content:"|e4 50|"; depth:2; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009969; classtype:policy-violation; sid:2009969; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) # alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL 
Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|business-swiss.online"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023165; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_09_06, performance_impact Low, updated_at 2016_09_06;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type INSERT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"sale_type="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007518; classtype:web-application-attack; sid:2007518; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;) # alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK March 16 2015"; flow:established,to_server; urilen:51<>61; content:"/a"; http_uri; depth:2; pcre:"/^\/a[a-z]{9,}\/[a-f0-9]{40}$/U"; pcre:"/^GET \/(?P<name>a[a-z]{9,})\/.+?\r\nHost\x3a\x20(?P=name)\./sm"; classtype:exploit-kit; sid:2020698; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2015_03_16, updated_at 2016_07_01;) alert tcp [189.190.207.117,189.213.152.10,189.4.104.111,189.60.203.169,190.100.47.91,190.102.235.94,190.10.8.152,190.10.8.166,190.10.8.50,190.10.8.68] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 322"; 
reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522321; rev:4013; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_03_25;) alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpaycash.com)"; dns_query; content:".torpaycash.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020135; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 8292 (msg:"ET POLICY Known SSL traffic on port 8292 (Bloomberg) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003037; classtype:not-suspicious; sid:2003037; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa SELECT"; flow:established,to_server; content:"/plugins/pdfClasses/pdfgen.php?"; nocase; http_uri; content:"pdfa="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/17061/; reference:url,vupen.com/english/advisories/2011/0823; classtype:web-application-attack; sid:2012672; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_04_11, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of base64_decode"; 
flow:established,from_server; file_data; content:"base64_decode"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?base64_decode/Rsi"; classtype:trojan-activity; sid:2017399; rev:8; metadata:created_at 2013_08_30, updated_at 2019_10_07;) # alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OSX/EvilOSX Client Receiving Commands"; flow:established,to_client; content:"404"; http_stat_code; file_data; content:"DEBUG"; depth:9; fast_pattern; metadata: former_category TROJAN; reference:url,github.com/Marten4n6/EvilOSX/; classtype:trojan-activity; sid:2027066; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_03_07, malware_family EvilOSX, performance_impact Moderate, updated_at 2019_03_07;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Skype User-Agent detected"; flow:to_server,established; content:"Skype"; http_user_agent; reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103246; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;) alert tcp $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor File Manager Response Header"; flow:to_server,established; content:"|ac 92 4b 04 ff 37 b3 2a b3 25 ff 76 ac 00|"; depth:14; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016988; rev:3; metadata:created_at 2013_06_07, updated_at 2013_06_07;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible YapiKredi Bank (TR) Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"Bireysel|20 c4 b0|nternet|20 c5 9e|ubesi|20 7c 20|Yap|c4 b1 20|Kredi"; fast_pattern; nocase; metadata: former_category CURRENT_EVENTS; classtype:social-engineering; sid:2024583; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Internet, tag Phishing, signature_severity Minor, created_at 2017_08_16, updated_at 2017_12_29;) # alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Personal Defender 2009 - prinimalka.py"; flow:established,to_server; content:"/prinimalka.py"; http_uri; reference:url,malwarebytes.besttechie.net/2008/11/03/removal-instructions-for-personal-defender-2009/; reference:url,doc.emergingthreats.net/2009405; classtype:trojan-activity; sid:2009405; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) # alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"GPL DNS SPOOF query response with TTL of 1 min. 
and no authority"; content:"|81 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 01 00 01 00 00 00|<|00 04|"; classtype:bad-unknown; sid:2100254; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Client Master Key SSL2_RC2_128_CBC_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|02 03 00 80|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022585; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 3"; flow:established,to_server; content:"ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf"; http_header; fast_pattern; content:"Host|3a 20|"; http_header; pcre:"/^[^\s]*ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf\.[a-z]{2,5}\x0d\x0a/HRi"; metadata: former_category TROJAN; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024300; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Critical, created_at 2017_05_16, malware_family wannacry, performance_impact Low, updated_at 2019_10_07;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (whatismyip in HTTP Host)"; flow:established,to_server; content:"GET"; http_method; content:"whatismyip."; http_host; metadata: former_category POLICY; classtype:attempted-recon; sid:2008986; rev:7; metadata:created_at 2010_07_30, updated_at 2018_07_31;) alert dns $HOME_NET any -> any any (msg:"ET MALWARE 
Possible CopyKittens DNS Lookup (cacheupdate14.com)"; dns_query; content:"cacheupdate14.com"; depth:17; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022150; rev:4; metadata:created_at 2015_11_25, updated_at 2019_09_28;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id DELETE"; flow:established,to_server; content:"/admin_hacks_list.php?"; http_uri; nocase; content:"hack_id="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6216; reference:url,www.milw0rm.com/exploits/2851; reference:url,doc.emergingthreats.net/2006972; classtype:web-application-attack; sid:2006972; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_26;) # alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|11|b85937-static.com"; distance:1; within:18; metadata: former_category MALWARE; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2019811; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_25, updated_at 2016_07_01;) alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns_query; content:"ssl-login.online"; nocase; endswith; metadata: former_category MALWARE; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027606; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_06_27, 
updated_at 2019_09_28;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email SELECT"; flow:established,to_server; content:"/add2.php?"; http_uri; nocase; content:"email="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004505; classtype:web-application-attack; sid:2004505; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_26;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/bexfront.php"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012364; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_02_24, updated_at 2019_09_27;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MultiPlug.A checkin"; flow:to_server,established; content:"get/?ver="; http_uri; content:"&aid="; http_uri; distance:0; content:"&hid="; http_uri; distance:0; content:"&rid="; http_uri; distance:0; content:"&data="; http_uri; distance:0; content:"&report="; http_uri; distance:0; content:!"Referer|3a 20|"; http_header; pcre:"/^\/get\/\?ver=.+?\&aid=\d{8,12}\&hid=[a-f0-9]{15,17}&rid=\d{13}\&data=.*?&report=/U"; metadata: former_category ADWARE_PUP; reference:md5,f9556acf36168414ad7d5650eeee7972; reference:md5,69e28b658520528a1473f51e62698c87; 
classtype:pup-activity; sid:2018867; rev:3; metadata:created_at 2014_08_01, updated_at 2014_08_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Win32 Lucky Ransomware Encryption Process Started"; flow:established,to_server; content:"GET"; http_method; content:".php?code="; http_uri; content:"&file="; http_uri; distance:0; content:"&size="; http_uri; distance:0; content:"&sys="; http_uri; distance:0; content:"&VERSION="; http_uri; distance:0; content:"&status=begin"; http_uri; distance:0; fast_pattern; endswith; content:"Client"; http_user_agent; depth:6; endswith; metadata: former_category TROJAN; reference:url,blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/; classtype:trojan-activity; sid:2026726; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, deployment Perimeter, tag Multi_Platform, signature_severity Major, created_at 2018_12_13, malware_family Satan, performance_impact Low, updated_at 2019_09_28;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s+[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2102666; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;) # alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Payload Download (4)"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/\/(?:w(?:hite|orld)|step)\/\d+$/U"; metadata: former_category EXPLOIT_KIT; classtype:exploit-kit; sid:2016408; rev:14; metadata:created_at 2013_02_12, updated_at 2013_02_12;) alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebock .info in DNS Lookup)"; dns_query; content:"fasebock.info"; endswith; metadata: former_category MOBILE_MALWARE; 
reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026307; rev:3; metadata:created_at 2018_09_20, updated_at 2019_09_28;) # alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Attachmate Reflection X ActiveX Control 'ControlID' Buffer Overflow Attempt"; flow:established,to_client; content:"15B168B2-AD3C-11D1-A8D8-00A0C9200E61"; nocase; content:"ControlID"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*15B168B2-AD3C-11D1-A8D8-00A0C9200E61/si"; reference:url,doc.emergingthreats.net/2011129; classtype:attempted-user; sid:2011129; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - Microsoft - 131.253.18.11-12"; content:"|00 01 00 01|"; content:"|00 04 83 fd 12|"; distance:4; within:5; byte_test:1,>,10,0,relative; byte_test:1,<,13,0,relative; threshold: type limit, count 1, seconds 120, track by_src; classtype:trojan-activity; sid:2016101; rev:6; metadata:created_at 2012_12_27, updated_at 2012_12_27;) # alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|m.williamdegel.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023720; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2017_01_11, updated_at 2017_01_11;) # alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; 
flow:established,from_server; content:"|55 04 03|"; content:"|1a|contactexchangenetwork.biz"; distance:1; within:27; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021826; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_23, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID DELETE"; flow:established,to_server; content:"/index.asp?"; http_uri; nocase; content:"ID="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006648; classtype:web-application-attack; sid:2006648; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Java Rhino Scripting Engine Exploit Downloaded"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"com.class"; content:"edu.class"; content:"net.class"; content:"org.class"; classtype:exploit-kit; sid:2014243; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_02_20, updated_at 2016_07_01;) # alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 17 2015 M2"; flow:established,to_server; content:"GET"; http_method; content:"a=HT&u="; http_uri; fast_pattern; content:"&clickid="; http_uri; distance:0; content:"&browser="; http_uri; distance:0; content:"&country="; http_uri; distance:0; content:"&device="; http_uri; distance:0; content:"&model="; 
http_uri; distance:0; content:"&isp="; http_uri; distance:0; metadata: former_category WEB_CLIENT; classtype:social-engineering; sid:2021295; rev:3; metadata:created_at 2015_06_18, updated_at 2015_06_18;) alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns_query; content:"marketplace-magento.com"; nocase; endswith; classtype:domain-c2; sid:2029074; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_11_27, updated_at 2019_11_27;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c UNION SELECT"; flow:established,to_server; content:"/forum.php?"; nocase; http_uri; content:"c="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1555; reference:url,www.milw0rm.com/exploits/3519; reference:url,doc.emergingthreats.net/2004165; classtype:web-application-attack; sid:2004165; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_26;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.ca.tf domain"; flow:to_server,established; content:".ca.tf|0D 0A|"; http_header; classtype:bad-unknown; sid:2013832; rev:4; metadata:created_at 2011_11_04, updated_at 2011_11_04;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS DTLS Pre 1.0 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 01 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; byte_extract:3,0,frag_len,relative; byte_jump:3,5,relative; content:"|01|"; within:1; byte_test:3,!=,frag_len,0,relative; 
reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018559; rev:2; metadata:created_at 2014_06_13, updated_at 2014_06_13;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Group Office json.php fingerprint Parameter Remote Command Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/gnupg/json.php?"; http_uri; nocase; content:"task=send_key"; http_uri; nocase; content:"fingerprint="; http_uri; nocase; pcre:"/fingerprint=\w*\;/Ui"; reference:url,inj3ct0r.com/exploits/13365; classtype:web-application-attack; sid:2011413; rev:3; metadata:created_at 2010_09_27, updated_at 2019_09_26;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP STOU overflow attempt"; flow:to_server,established; content:"STOU"; nocase; isdataat:100,relative; pcre:"/^STOU\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2102390; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;) alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET MALWARE MS Remote Desktop edc User Login Request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=edc|0d 0a|"; nocase; reference:url,intelcrawler.com/about/press08; classtype:protocol-command-decode; sid:2018116; rev:1; metadata:created_at 2014_02_12, updated_at 2014_02_12;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache CouchDB Remote Code Execution 4"; flow:established,to_server; content:"DELETE"; http_method; content:"/_config/query_servers/cmd"; http_uri; fast_pattern; metadata: former_category WEB_SPECIFIC_APPS; reference:cve,2017-12636; classtype:attempted-user; sid:2025743; rev:2; metadata:attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 
2018_06_25, updated_at 2018_07_18;) # alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP SITE EXEC format string attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC\s[^\n]*?%[^\n]*?%/smi"; classtype:bad-unknown; sid:2101971; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Pakes2 - Server Hello"; flow:established,to_client; dsize:11; content:"|01 00 01 ae 84 e3 aa 1f 90|"; offset:2; depth:9; classtype:trojan-activity; sid:2015521; rev:2; metadata:created_at 2012_07_25, updated_at 2012_07_25;) # alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Docs Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:" $EXTERNAL_NET any (msg:"ET ADWARE_PUP Blank User-Agent (descriptor but no string)"; flow:to_server,established; content:"User-Agent|3a 0d 0a|"; http_header; content:!"check.googlezip.net|0d 0a|"; http_header; metadata: former_category ADWARE_PUP; reference:url,doc.emergingthreats.net/bin/view/Main/2008066; classtype:pup-activity; sid:2008066; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) # alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH SSL Blacklist DNS Lookup (Gozi MITM) (sdpvss .com)"; dns_query; content:"sdpvss.com"; depth:10; nocase; endswith; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023310; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_28, malware_family Gozi, performance_impact Low, updated_at 2019_09_28;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType UNION SELECT"; flow:established,to_server; content:"/user.php?"; http_uri; nocase; content:"newuserType="; http_uri; nocase; 
content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006052; classtype:web-application-attack; sid:2006052; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_26;) alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 6"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 a9|"; distance:9; within:20; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|09|SomeState"; distance:1; within:10; metadata: former_category MALWARE; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,1dde02ff744fa4e261168e2008fd613a; classtype:targeted-activity; sid:2020971; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_22, updated_at 2016_07_01;) alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Dridex"; ja3_hash; content:"cb98a24ee4b9134448ffb5714fd870ac"; metadata: former_category JA3; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028766; rev:2; metadata:created_at 2019_10_14, updated_at 2019_10_29;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid SELECT"; flow:established,to_server; content:"/simplog/index.php?"; http_uri; nocase; content:"blogid="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005633; classtype:web-application-attack; sid:2005633; rev:7; 
metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_26;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP UBar Trojan/Adware Checkin 1"; flow:established,to_server; content:"?gname="; http_uri; content:"&pid="; http_uri; content:"&m="; http_uri; content:" from|3a| http|3a|//www.bsalsa.com/ EmbeddedWB "; http_header; metadata: former_category ADWARE_PUP; reference:url,www.threatexpert.com/report.aspx?md5=81a119f7f47663c03053e76146f54fe9; classtype:pup-activity; sid:2013556; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2011_09_09, updated_at 2017_09_21;) alert tcp [51.158.166.230,51.158.170.28,51.158.170.79,51.158.171.35,51.158.173.137,51.158.178.34,51.158.180.246,51.158.187.110,51.158.191.0,51.158.22.86] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 595"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522594; rev:4013; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_03_25;) # alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File"; dsize:>15; content:"|e3 0c|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003310; classtype:policy-violation; sid:2003310; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) # alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2011-2110 Flash Exploit Attempt Embedded in Web Page"; flow:established,to_client; content:" $EXTERNAL_NET any 
(msg:"ET CURRENT_EVENTS Possible LightsOut EK negq.html"; flow:to_server,established; content:"/negq.html"; http_uri; fast_pattern:only; nocase; metadata: former_category CURRENT_EVENTS; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017536; rev:4; metadata:created_at 2013_09_30, updated_at 2013_09_30;) alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Lookup"; dns_query; content:"reservecdn.pro"; nocase; endswith; metadata: former_category MALWARE; reference:url,blog.morphisec.com/security-alert-fin8-is-back; classtype:command-and-control; sid:2027467; rev:2; metadata:deployment Perimeter, tag FIN8, signature_severity Major, created_at 2019_06_13, performance_impact Low, updated_at 2019_09_28;) # alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SetApplicationPath/SetStartApplicationParamCode/SetCustomStartAppParameter Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"BlackIceDEVMODECtrl.1"; nocase; distance:0; pcre:"/(SetApplicationPath|SetStartApplicationParamCode|SetCustomStartAppParameter)/i"; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010209; classtype:attempted-user; sid:2010209; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SmokeLoader Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; nocase; content:" MSIE "; http_user_agent; content:"|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a 0d 0a|"; fast_pattern; http_header; http_header_names; content:"|0d 0a|User-Agent|0d 0a|"; depth:14; content:!"Referer"; 
http.request_body; pcre:"/^\d+$/"; metadata: former_category MALWARE; classtype:command-and-control; sid:2017261; rev:6; metadata:created_at 2013_07_31, updated_at 2020_03_09;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PoisonIvy RAT/Backdoor follow on POST Data PUSH Packet"; flow:established,to_server; flags:AP,12; content:"op="; nocase; content:"&servidor="; nocase; content:"&senha="; nocase; content:"&usuario="; nocase; content:"&base="; nocase; content:"&sgdb="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPoisonivy.I&ThreatID=-2147363597; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=133781; reference:url,doc.emergingthreats.net/2009806; classtype:trojan-activity; sid:2009806; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2010_07_30, malware_family PoisonIvy, updated_at 2016_07_01;) # alert ip any any -> any any (msg:"GPL SCAN same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:2100527; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad"; flow:established,to_server; content:"/gate.php"; nocase; http_uri; fast_pattern; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d{1,5})?$/W"; metadata: former_category TROJAN; reference:md5,d7c19ba47401f69aafed551138ad7e7c; classtype:trojan-activity; sid:2022986; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_07_26, malware_family Zeus, performance_impact Low, updated_at 2016_07_26;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET 
WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id SELECT"; flow:established,to_server; content:"/edit.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007211; classtype:web-application-attack; sid:2007211; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;) # alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 94 65 e5 77 66 3b be 2b|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; metadata: former_category MALWARE; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020567; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php UNION SELECT"; flow:established,to_server; content:"/bb-includes/formatting-functions.php?"; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3244; reference:url,trac.bbpress.org/ticket/592; reference:url,doc.emergingthreats.net/2005325; classtype:web-application-attack; sid:2005325; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_26;) # alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito 
- Malicious PDF Requested - /getfile.php"; flow:established,to_server; content:"/getfile.php?i="; http_uri; content:"&key="; http_uri; content:!" Java/1"; http_header; classtype:trojan-activity; sid:2015024; rev:1; metadata:created_at 2012_07_04, updated_at 2012_07_04;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT HTTP Checkin Response 1"; flow:established,from_server; content:"Content-Length|3a 20|11|0d 0a|"; http_header; file_data; content:"no commands"; fast_pattern; flowbits:isset,ET.Anunanak.HTTP.1; metadata: former_category MALWARE; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020028; rev:3; metadata:created_at 2014_12_22, updated_at 2019_10_07;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.world Domain"; flow:established,to_server; content:".world"; fast_pattern; http_host; endswith; metadata: former_category HUNTING; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027879; rev:3; metadata:deployment Perimeter, signature_severity Minor, created_at 2019_08_13, performance_impact Low, updated_at 2019_09_28;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id UPDATE"; flow:established,to_server; content:"/connexion.php?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7089; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2; reference:url,doc.emergingthreats.net/2004778; classtype:web-application-attack; sid:2004778; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_26;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 
RecordPress header.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/header.php?"; nocase; http_uri; content:"row[titledesc]="; nocase; http_uri; pcre:"/row\[titledesc\]\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/99118/recordpress-xsrfxss.txt; classtype:web-application-attack; sid:2012573; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_03_25, updated_at 2016_07_01;) alert http any any -> any any (msg:"SURICATA HTTP multipart no filedata"; flow:established,to_server; app-layer-event:http.multipart_no_filedata; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:2221023; rev:1;) # alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 26 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c5 86 50 03 11 16 99 16|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; metadata: former_category CURRENT_EVENTS; reference:md5,75a2e3c9f8783dfc953f6aeb8a9eda2f; classtype:trojan-activity; sid:2019276; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_26, updated_at 2016_07_01;) alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (52b2tlLVdtaU1ldG) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"52b2tlLVdtaU1ldG"; distance:0; fast_pattern; metadata: former_category CURRENT_EVENTS; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026935; rev:2; metadata:affected_product 
Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_02_19, malware_family DNSlivery, updated_at 2019_02_19;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - netsh firewall"; flow:established,to_server; content:"netsh"; nocase; fast_pattern; http_client_body; content:"firewall"; within:15; http_client_body; classtype:bad-unknown; sid:2016681; rev:2; metadata:created_at 2013_03_27, updated_at 2013_03_27;) alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns_query; content:"datalink.one"; depth:12; nocase; endswith; fast_pattern; metadata: former_category TROJAN; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024476; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_18, performance_impact Moderate, updated_at 2019_09_28;) # alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Sopcast SopCore ActiveX Control Remote Code Execution"; flow:to_client,established; content:"8FEFF364-6A5F-4966-A917-A3AC28411659"; nocase; content:"SetExternalPlayer"; nocase; reference:bugtraq,33920; reference:url,packetstorm.linuxsecurity.com/0902-exploits/9sg_sopcastia.txt; reference:url,doc.emergingthreats.net/2009226; classtype:web-application-attack; sid:2009226; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful HM Revenue & Customs Phish M2 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"cnumber="; depth:8; nocase; 
http_client_body; fast_pattern; content:"&expm="; nocase; distance:0; http_client_body; content:"&expy="; nocase; distance:0; http_client_body; content:"&cvv="; nocase; distance:0; http_client_body; content:"&cname="; nocase; distance:0; http_client_body; content:"&submitForm="; nocase; distance:0; http_client_body; metadata: former_category CURRENT_EVENTS; classtype:credential-theft; sid:2024185; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_04_07, updated_at 2017_04_07;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS evision cms addtour.php module parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/modules/tour/adminpart/addtour.php?"; http_uri; nocase; content:"module="; http_uri; nocase; pcre:"/(\.\.\/){1,}/U"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008855; classtype:web-application-attack; sid:2008855; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_26;) # alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive (Remax) Phish Landing Nov 4"; flow:established,from_server; file_data; content:"#MyRemax_Password"; nocase; fast_pattern; content:"#MyRemax_Email"; nocase; distance:0; content:"Meet Google Drive"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:social-engineering; sid:2022035; rev:2; metadata:created_at 2015_11_04, updated_at 2017_08_17;) alert ip 
[134.127.0.0/16,134.172.0.0/16,136.230.0.0/16,137.19.0.0/16,137.31.0.0/16,137.33.0.0/16,137.55.0.0/16,137.72.0.0/16,137.76.0.0/16,137.105.0.0/16,137.114.0.0/16,137.218.0.0/16,138.31.0.0/16,138.36.92.0/22,138.36.136.0/22,138.52.0.0/16,138.59.4.0/22,138.59.204.0/22,138.94.120.0/22,138.94.144.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 10"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400009; rev:2751; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2020_03_22;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_joomtouch controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_joomtouch"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/104112/Joomla-JoomTouch-1.0.2-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014716; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2012_05_04, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Emotet CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"<email_accounts_list>"; http_client_body; fast_pattern; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php$/U"; metadata: former_category MALWARE; reference:md5,e24831e3f808116b30d85731c545e3ee; classtype:command-and-control; sid:2019704; rev:3; metadata:created_at 2014_11_12, updated_at 2019_10_07;) alert dns 
$HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti DNS Lookup"; dns_query; content:".dnslookup.services"; nocase; isdataat:!1,relative; metadata: former_category MALWARE; reference:url,www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/; classtype:targeted-activity; sid:2029347; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_01_31, malware_family Winnti, updated_at 2020_01_31;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary UNION SELECT"; flow:established,to_server; content:"/search.php?"; nocase; http_uri; content:"salary="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; reference:url,doc.emergingthreats.net/2004374; classtype:web-application-attack; sid:2004374; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;) alert http $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious Win32 User Agent"; flow:to_server,established; content:"Win32"; nocase; depth:5; http_user_agent; classtype:trojan-activity; sid:2012249; rev:4; metadata:created_at 2011_02_01, updated_at 2011_02_01;) # alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|duosecure.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018696; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_17, updated_at 2016_07_01;) alert dns $HOME_NET any -> any any (msg:"ET MALWARE 
TEMP.Periscope APT Domain in DNS Lookup"; dns_query; content:"scsnewstoday.com"; nocase; fast_pattern; endswith; metadata: former_category MALWARE; reference:url,go.recordedfuture.com/hubfs/reports/cta-2018-1113.pdf; classtype:targeted-activity; sid:2026611; rev:3; metadata:attack_target Client_and_Server, deployment Perimeter, tag DragonFly, signature_severity Major, created_at 2018_11_15, performance_impact Low, updated_at 2019_09_28;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"Confuser.class"; classtype:exploit-kit; sid:2016277; rev:5; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_01_24, updated_at 2016_07_01;) alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jack-wagner .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"jack-wagner.website"; endswith; nocase; metadata: former_category MOBILE_MALWARE; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026200; rev:3; metadata:created_at 2018_09_19, updated_at 2019_09_28;) # alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Hyleos ChemView ActiveX Control ReadMolFile Method Buffer Overflow Attempt"; flow:established,to_client; content:"C372350A-1D5A-44DC-A759-767FC553D96C"; nocase; content:"ReadMolFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C372350A-1D5A-44DC-A759-767FC553D96C/si"; reference:url,www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf; reference:url,secunia.com/advisories/38523/; reference:url,doc.emergingthreats.net/2010998; 
classtype:attempted-user; sid:2010998; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2102252; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;) alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET SCAN MYSQL MySQL Remote FAST Account Password Cracking"; flow:to_server,established; content:"|11|"; offset:3; depth:4; threshold:type both,track by_src,count 100,seconds 1; reference:url,www.securityfocus.com/archive/1/524927/30/0/threaded; classtype:protocol-command-decode; sid:2015986; rev:5; metadata:created_at 2012_12_04, updated_at 2012_12_04;) # alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Popcorn-Time .onion Payment Domain (3hnuhydu4pd247qb)"; dns_query; content:"3hnuhydu4pd247qb"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2023589; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_12_08, malware_family Ransomware, performance_impact Low, updated_at 2019_09_03;) # alert udp $HOME_NET any -> $DNS_SERVERS 53 
(msg:"ET MALWARE Infected System Looking up chr.santa-inbox.com CnC Server"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|chr|0b|santa-inbox|03|com"; nocase; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/bin/view/Main/2008531; classtype:command-and-control; sid:2008531; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PawnStorm Java Class Stage 2 M1 Aug 28 2015"; flow:established,from_server; file_data; content:"|01 00 0e 4c 50 68 61 6e 74 6f 6d 53 75 70 65 72 3b|"; fast_pattern; content:"|01 00 32 4c 6a 61 76 61 2f 75 74 69 6c 2f 63 6f 6e 63 75 72 72 65 6e 74 2f 61 74 6f 6d 69 63 2f 41 74 6f 6d 69 63 52 65 66 65 72 65 6e 63 65 41 72 72 61 79 3b|"; metadata: former_category CURRENT_EVENTS; classtype:targeted-activity; sid:2021727; rev:2; metadata:created_at 2015_08_28, updated_at 2015_08_28;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Outgoing_ID="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006517; classtype:web-application-attack; sid:2006517; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_26;) alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Shark Pass Stealer Email Report"; flow:established,to_server; content:"|0d 0a|Subject|3a| Codesoft PW Stealer "; content:"|0d 0a 0d 0a|Codesoft PW Stealer File "; distance:0; content:"filename=|22|"; distance:0; content:".log|22 0d 0a|"; distance:0; within:20; 
reference:url,doc.emergingthreats.net/2007992; classtype:trojan-activity; sid:2007992; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;) # alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil JS iframe Embedded In GIF"; flow:established,from_server; file_data; content:"GIF89a="; nocase; within:8; content:"|3b|url="; nocase; distance:0; content:"iframe"; nocase; distance:0; content:"|3b|tail="; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2021156; rev:2; metadata:created_at 2015_05_28, updated_at 2015_05_28;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater Payload - CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?ac="; fast_pattern; content:"&n="; distance:1; within:3; content:"|3a|"; distance:0; content:"|3a|"; distance:0; content:"-bit|29|"; distance:0; http.accept; content:"*/*"; bsize:3; http.accept_lang; content:"en-us"; bsize:5; metadata: former_category MALWARE; classtype:command-and-control; sid:2029039; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_11_21, malware_family MuddyWater, performance_impact Low, updated_at 2019_11_21;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen DELETE"; flow:established,to_server; content:"/tracking/courseLog.php?"; nocase; http_uri; content:"scormcontopen="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2889; reference:url,www.milw0rm.com/exploits/3980; reference:url,doc.emergingthreats.net/2004050; classtype:web-application-attack; sid:2004050; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 
2019_09_27;) # alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Agent-TMF Checkin"; flow:to_server,established; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:"GET"; http_method; content:".php?gd="; fast_pattern; http_uri; pcre:"/.php\?gd=\d+_\d+_\d+$/U"; metadata: former_category MALWARE; classtype:command-and-control; sid:2013701; rev:2; metadata:created_at 2011_09_27, updated_at 2011_09_27;) alert tcp [95.211.136.23,95.211.138.51,95.211.138.7,95.211.147.99,95.211.153.12,95.211.186.80,95.211.189.23,95.211.205.138,95.211.210.72,95.213.150.194] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 804"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522803; rev:4013; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_03_25;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE hacker87 checkin"; flow:to_server,established; content:"POST"; http_method; content:"/AppEn.php"; fast_pattern; http_uri; content:"parameter="; depth:10; http_client_body; metadata: former_category MALWARE; reference:md5,0d7dd2a6c69f2ae7e575ee8640432c4b; classtype:command-and-control; sid:2018420; rev:3; metadata:created_at 2014_04_24, updated_at 2019_10_07;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 5/5)"; flow:to_server,established; content:"POST"; http_method; content:"/CFIDE/administrator/enter.cfm"; http_uri; nocase; content:"locale=../../"; nocase; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; 
reference:url,www.exploit-db.com/exploits/14641/; classtype:web-application-attack; sid:2011362; rev:5; metadata:created_at 2010_09_28, updated_at 2010_09_28;) alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy LoginRequest CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:7; content:"/login"; depth:7; http_uri; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/Hm"; metadata: former_category MOBILE_MALWARE; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:command-and-control; sid:2018001; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;) alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (www .ap8898 .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"www.ap8898.com"; endswith; nocase; metadata: former_category MALWARE; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025604; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_06_21, updated_at 2019_09_28;) # alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Corpsespyware.net Distribution - bos.biz"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"businessopportunityseeker.biz"; nocase; http_header; metadata: former_category ADWARE_PUP; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002767; classtype:pup-activity; sid:2002767; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 1)"; content:"|44 32 4d 4c 42 48 4a 46 42 
31 44 50 50 41 4e 4f 49 38 41 4e|"; reference:url,doc.emergingthreats.net/2010418; classtype:shellcode-detect; sid:2010418; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;) alert tcp [178.175.148.46,178.20.55.16,178.20.55.18,179.178.74.52,179.182.147.217,179.182.152.46,179.183.161.220,179.183.164.250,179.43.146.230,179.48.251.188] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 38"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520037; rev:4013; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_03_25;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD ~ attempt"; flow:to_server,established; content:"CWD"; nocase; pcre:"/^CWD\s+~/smi"; reference:bugtraq,2601; reference:bugtraq,9215; reference:cve,2001-0421; classtype:denial-of-service; sid:2101672; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Orange Phishing Landing 2018-02-05 (FR)"; flow:established,to_client; file_data; content:"<title"; content:"pour continuer, identifiez-vous"; nocase; within:50; fast_pattern; content:"index_fichiers/authuser"; nocase; distance:0; content:"title=|22|site orange.fr"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:social-engineering; sid:2025313; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_05, updated_at 2018_02_05;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Joomla! 
Game Server Component 'id' Parameter SELECT FROM SQL Injection"; flow:established,to_server; content:"/index.php?option=com_gameserver"; nocase; http_uri; content:"view=gamepanel"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,www.securityfocus.com/bid/36213/info; reference:url,doc.emergingthreats.net/2010015; classtype:web-application-attack; sid:2010015; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;) alert pkthdr any any -> any any (msg:"SURICATA ICMPv4 unknown code"; decode-event:icmpv4.unknown_code; classtype:protocol-command-decode; sid:2200025; rev:2;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b646)"; flow:established,from_server; file_data; content:"wcmVmaXggJiAiJXUwMDE2JXU0MTQxJXU0MTQxJXU0MTQxJXU0MjQyJXU0MjQyI"; classtype:exploit-kit; sid:2023195; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_12, malware_family SunDown, malware_family RIG, updated_at 2016_09_12;) # alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE c99shell phpshell detected"; flow:established,from_server; content:"c99shell"; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007652; classtype:web-application-activity; sid:2007652; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) # alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 2 2015"; flow:established,to_server; content:"GET"; http_method; urilen:12; content:"/8u5_cb06/?"; depth:11; http_uri; classtype:exploit-kit; sid:2020832; rev:2; 
metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2015_04_02, updated_at 2016_07_01;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f ASCII"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"f="; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005534; classtype:web-application-attack; sid:2005534; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_08_22;) # alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Alunik User Agent Detected"; flow:established,to_server; content:"User-Agent|3A| Alun4ik"; http_header; classtype:trojan-activity; sid:2013377; rev:2; metadata:created_at 2011_08_05, updated_at 2011_08_05;) alert tcp [2a02:c207:3005:0149:0000:0000:0000:0001,2a02:c500:0002:00f0:0000:0000:0000:5492,2a02:c500:0002:0217:0000:0000:0000:e528,2a02:ed06:0000:0000:0000:0000:0000:0222,2a02:f680:0001:1100:0000:0000:0000:0174,2a02:f680:0001:1100:0000:0000:0000:8af2,2a02:ff80:1003:0006:0000:0000:0000:0014,2a03:0f80:ed15:0149:0154:0154:0155:0001,2a03:0f80:ed15:0158:0255:0212:0178:0002,2a03:4000:0001:047e:0000:0000:0000:0443] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 496"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522495; rev:4013; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_03_25;) # alert udp any 53 -> 
![$DNS_SERVERS,$SMTP_SERVERS] any (msg:"ET POLICY Unusual number of DNS No Such Name Responses"; content:"|83|"; offset:3; depth:1; threshold: type both , track by_dst, count 50, seconds 300; reference:url,doc.emergingthreats.net/2003195; classtype:bad-unknown; sid:2003195; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) # alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request 2"; flow:established,to_server; content:"/number/?PhoneType="; nocase; http_uri; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:command-and-control; sid:2012846; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;) # alert modbus any any -> any any (msg:"SURICATA Modbus invalid Protocol version"; app-layer-event:modbus.invalid_protocol_id; classtype:protocol-command-decode; sid:2250001; rev:2;) alert tcp [185.220.101.64,185.220.101.65,185.220.101.66,185.220.101.67,185.220.101.68,185.220.101.69,185.220.101.7,185.220.101.70,185.220.101.71,185.220.101.72] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 53"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522052; rev:4013; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_03_25;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP GET SuperGlobal in URI"; flow:established,to_server; content:"_GET["; fast_pattern; http_uri; pcre:"/[&\?]_GET\[[^\]]+?\][^=]*?=/U"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017437; rev:3; metadata:created_at 2013_09_10, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap pcnfsd request TCP"; flow:to_server,established; 
content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,22; classtype:rpc-portmap-decode; sid:2101268; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;) # alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HTTP Request Smuggling Attempt - Double Content-Length Headers"; flow:established,to_server; content:"Content-Length|3A|"; http_header; content:"Content-Length|3A|"; http_header; within:100; reference:url,www.owasp.org/index.php/HTTP_Request_Smuggling; classtype:web-application-attack; sid:2017146; rev:3; metadata:created_at 2013_07_12, updated_at 2013_07_12;) alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 15"; dns_query; content:"p0w3r.gdn"; depth:9; fast_pattern; endswith; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024749; rev:4; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2019_09_28;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P LimeWire P2P Traffic"; flow: established; content:"User-Agent|3a| LimeWire"; nocase; reference:url,www.limewire.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001808; classtype:policy-violation; sid:2001808; rev:8; metadata:created_at 2010_07_30, updated_at 2019_10_15;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebMoney html2.php page Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/html2.php?"; http_uri; nocase; content:"page="; http_uri; nocase; pcre:"/page=\s*(ftps?|https?|php)\:\//Ui"; 
reference:url,www.packetstormsecurity.org/0907-exploits/3awebmoney-rfi.txt; reference:url,doc.emergingthreats.net/2009691; classtype:web-application-attack; sid:2009691; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_26;) # alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Address Mask Request"; icode:0; itype:17; classtype:misc-activity; sid:2100388; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;) # alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M3 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Chrome Error"; fast_pattern; nocase; content:"function myFunction"; nocase; distance:0; content:"setInterval"; nocase; distance:0; pcre:"/^\s*\(\s*function\s*\(\s*\)\s*\{\s*alert\s*\([\x22\x27]\s*Warning/Rsi"; metadata: former_category WEB_CLIENT; classtype:social-engineering; sid:2022855; rev:3; metadata:created_at 2016_06_03, updated_at 2016_06_03;) alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32 Komprogo DNS Lookup"; dns_query; content:"check.paidprefund.org"; depth:21; nocase; endswith; fast_pattern; metadata: former_category MALWARE; reference:url,www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html; classtype:targeted-activity; sid:2024330; rev:5; metadata:created_at 2017_05_25, updated_at 2019_09_28;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID INSERT"; flow:established,to_server; content:"/item.asp?"; http_uri; nocase; content:"ItemID="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6206; reference:url,www.securityfocus.com/bid/21324; reference:url,doc.emergingthreats.net/2007072; classtype:web-application-attack; sid:2007072; rev:6; metadata:affected_product Web_Server_Applications, 
attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_26;) # alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain (vr6g2curb2kcidou)"; dns_query; content:"vr6g2curb2kcidou"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022316; rev:3; metadata:created_at 2015_12_29, updated_at 2019_09_03;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id SELECT"; flow:established,to_server; content:"/ogretmenkontrol.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005210; classtype:web-application-attack; sid:2005210; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_26;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Sony Breach Wiper Malware Download"; flow:established,to_server; content:"GET"; http_method; content:"/igfxtpers.exe"; http_uri; fast_pattern; reference:url,logfile.packetninjas.net/related-malware-to-sony-breach; classtype:trojan-activity; sid:2019849; rev:3; metadata:created_at 2014_12_03, updated_at 2019_10_07;) alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns_query; content:"protonmail.sh"; nocase; endswith; metadata: former_category TROJAN; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027772; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, 
signature_severity Minor, created_at 2019_08_01, updated_at 2019_09_28;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id SELECT"; flow:established,to_server; content:"/urunbak.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3133; reference:url,www.securityfocus.com/bid/24364; reference:url,doc.emergingthreats.net/2004647; classtype:web-application-attack; sid:2004647; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_26;) alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query For XXX Adult Site Top Level Domain"; dns_query; content:".xxx"; nocase; endswith; reference:url,mashable.com/2011/03/19/xxx-tld-porn/; reference:url,mashable.com/2010/06/24/dot-xxx-porn-domain/; classtype:policy-violation; sid:2012522; rev:3; metadata:created_at 2011_03_21, updated_at 2019_09_28;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre UPDATE"; flow:established,to_server; content:"/uye_giris_islem.asp?"; nocase; http_uri; content:"sifre="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006806; classtype:web-application-attack; sid:2006806; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_26;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DecebalPOS User-Agent"; flow:established,to_server; content:"Decebalv"; depth:8; http_user_agent; 
reference:md5,87cfa0addda5c0e0fc34f3847408e557; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:trojan-activity; sid:2019161; rev:3; metadata:created_at 2014_09_11, updated_at 2014_09_11;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Cobra Venom WSF Stage 1 - CnC Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:>14; content:"/board.php?v=a"; http_uri; fast_pattern; endswith; http_header_names; content:!"Referer"; metadata: former_category MALWARE; reference:url,blog.alyac.co.kr/2066; classtype:command-and-control; sid:2026764; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Operation_Cobra_Venom, signature_severity Major, created_at 2019_01_08, performance_impact Low, updated_at 2019_09_28;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Large Subnormal Double Precision Floating Point Number PHP DoS Inbound"; flow:established,to_server; content:"2.2250738585072011e-308"; nocase; reference:url,bugs.php.net/bug.php?id=53632; classtype:attempted-dos; sid:2012151; rev:1; metadata:created_at 2011_01_06, updated_at 2011_01_06;) alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102992; rev:5; 
metadata:created_at 2010_09_23, updated_at 2010_09_23;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fareit Checkin 2"; flow:to_server,established; content:"POST"; http_method; urilen:20; content:"/forum/viewtopic.php"; http_uri; endswith; content:"Windows 98)"; http_user_agent; endswith; fast_pattern; http_content_type; content:"application/octet-stream"; metadata: former_category MALWARE; reference:md5,10baa5250610fc2b5b2cdf932f2007c0; classtype:command-and-control; sid:2016550; rev:7; metadata:created_at 2013_01_11, updated_at 2019_09_28;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kraken Ransomware End Activity"; flow:established,to_server; content:!"."; http_uri; content:!"&"; http_uri; content:!"?"; http_uri; content:"-"; offset:2; depth:1; http_user_agent; content:"|3a|End"; distance:0; http_user_agent; fast_pattern; pcre:"/^[A-Z]{2}-[0-9]{1,5}\x3aEnd(?:\x3a[0-9]{1,5})?$/V"; http_header_names; content:!"Accept"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,09d3bd874d9a303771c89385d938c430; classtype:trojan-activity; sid:2026473; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_11, malware_family Kraken_Ransomware, performance_impact Moderate, updated_at 2018_10_11;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Clickspring.net Spyware Reporting"; flow: to_server,established; content:"/notify.php?pid=ctxad&module=NDrvExe&v="; nocase; http_uri; metadata: former_category ADWARE_PUP; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082745; reference:url,doc.emergingthreats.net/bin/view/Main/2001500; classtype:pup-activity; sid:2001500; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Newzbin Usenet Reader License Check"; flow:established,to_server; 
content:"/internal/"; http_uri; content:"prodID=nl&licID="; http_uri; content:"&prodVer="; http_uri; content:"Host|3A| www.newsleecher.com"; http_header; reference:url,doc.emergingthreats.net/2009095; classtype:policy-violation; sid:2009095; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Payload Download M2 Mar 14 2017"; flow:established,from_server; file_data; content:"|5e 5a a3 90 b9 31 7b 54|"; within:8; metadata: former_category CURRENT_EVENTS; classtype:exploit-kit; sid:2024054; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit_Terror, signature_severity Major, created_at 2017_03_14, malware_family Exploit_Kit_Terror, updated_at 2017_03_14;) # alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX MW6 Aztec ActiveX Aztec.dll ActiveX Control Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"F359732D-D020-40ED-83FF-F381EFE36B54"; nocase; pcre:"/(SaveAsBMP|SaveAsWMF)/i"; reference:bugtraq,31974; reference:url,milw0rm.com/exploits/6870; reference:url,doc.emergingthreats.net/2008812; classtype:web-application-attack; sid:2008812; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Joomla SQLi Attempt"; flow:established,to_server; content:"GET"; http_method; content:"option="; http_uri; nocase; content:"view="; http_uri; nocase; content:"list[select]="; http_uri; nocase; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/&list\[select\]=[^\r\n&]*(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT 
INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/)?/Ui"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access; classtype:trojan-activity; sid:2021992; rev:2; metadata:created_at 2015_10_22, updated_at 2015_10_22;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni UPDATE"; flow:established,to_server; content:"/navigacija.php?"; nocase; http_uri; content:"IDMeniGlavni="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006662; classtype:web-application-attack; sid:2006662; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;) alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup scanmalware.info"; dns_query; content:"scanmalware.info"; depth:16; fast_pattern; nocase; endswith; metadata: former_category MALWARE; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019573; rev:5; metadata:created_at 2014_10_28, updated_at 2019_09_28;) # alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Filecoder.NZK Variant"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?info=ID:__"; content:"__Key1:__"; distance:0; content:"__Key2:__"; distance:0; metadata: former_category MALWARE; reference:md5,c7bbff934bd89ad39e98e2746c6e8af2; reference:url,twitter.com/GrujaRS/status/1214680560834162690; classtype:command-and-control; sid:2029240; rev:1; metadata:affected_product 
Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_01_08, performance_impact Low, updated_at 2020_01_08;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid ASCII"; flow:established,to_server; content:"/gallery.asp?"; nocase; http_uri; content:"categoryid="; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1469; reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004323; classtype:web-application-attack; sid:2004323; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE W32/Mentory CnC Server Providing Update Details"; flow:established,to_client; content:"[UPDATE]|0D 0A|VER ="; content:"URL ="; distance:0; content:"[PATTERN]|0D 0A|VER ="; distance:0; content:"URL ="; distance:0; metadata: former_category MALWARE; reference:md5,6724bb601611dcc0140960c59c7b3393; classtype:command-and-control; sid:2014166; rev:2; metadata:created_at 2012_01_27, updated_at 2012_01_27;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/RocketfuelNextUp.Adware CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/evt/?nexcb="; fast_pattern; http_uri; content:!"User-Agent|3a|"; http_header; content:"a="; http_client_body; depth:2; content:"&b="; http_client_body; distance:0; pcre:"/^\x2Fevt\x2F\x3Fnexcb\x3D[a-f0-9\x2D]{10,}$/U"; metadata: former_category ADWARE_PUP; reference:md5,408e8969cd0abd153eab6696f8add363; classtype:pup-activity; sid:2018565; rev:5; metadata:created_at 2014_06_16, updated_at 2019_10_07;) # alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 
ACP3 XSS Attempt -- index.php form mail"; flow:established,to_server; content:"/newsletter/create/index.php?"; nocase; http_uri; content:"form[mail]="; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003912; classtype:web-application-attack; sid:2003912; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# sid:2011571 -- every content/pcre is bound to http_uri, so the same payload sent in a POST body is not covered;
# the pcre event-handler list is a fixed allow-list and misses handlers not named in it (e.g. onerror).
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Euchia CMS catalogo.php id_livello Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/catalogo.php?"; http_uri; nocase; content:"id_livello="; http_uri; nocase; pcre:"/id_livello\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,inj3ct0r.com/exploits/13028; classtype:web-application-attack; sid:2011571; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_09_27, updated_at 2019_09_26;)
# sid:2102428 -- disabled (leading '#'). Legacy NNTP check: "ihave:" followed by 21+ non-newline bytes; only meaningful where tcp/119 is actually served.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP ihave overflow attempt"; flow:to_server,established; content:"ihave"; nocase; pcre:"/^ihave\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102428; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# sid:2018274 -- disabled. depth:15 on a 15-byte pattern plus endswith means only the exact query name qemyxsdigi.info matches; subdomains of it do not.
# alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"qemyxsdigi.info"; depth:15; fast_pattern; nocase; endswith; metadata: former_category MALWARE; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018274; rev:10; metadata:created_at 2014_03_14, updated_at 2019_09_28;)
# sid:2026069 -- the hex is the HTML comment "<!--the script was originaly coded by alibobo 360-->": a fixed author string in the response body,
# trivially removed by the kit author (hence severity Minor). Useful for triage, not as a sole indicator.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M9 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 74 68 65 20 73 63 72 69 70 74 20 77 61 73 20 6f 72 69 67 69 6e 61 6c 79 20 63 6f 64 65 64 20 62 79 20 61 6c 69 62 6f 62 6f 20 33 36 30 2d 2d 3e|"; metadata: former_category PHISHING; classtype:social-engineering; sid:2026069; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_08_30, updated_at 2018_08_30;)
# sid:2000920 -- disabled; legacy adware installer URI match.
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Install (1)"; flow: to_server,established; content:"/install/startInstallprocess.asp?"; nocase; http_uri; content: "Defau"; http_uri; metadata: former_category ADWARE_PUP; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000920; classtype:pup-activity; sid:2000920; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# sid:2010819 -- policy rule on cleartext tcp/5222 only. distance:9/within:13 pins "jabber:client" to exactly 9 bytes after
# "chat.facebook.com" (looks like the "' xmlns='" gap of an XMPP stream header -- confirm against a capture before tuning).
alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET CHAT Facebook Chat using XMPP"; flow:to_server,established; content:"chat.facebook.com"; nocase; content:"jabber|3A|client"; nocase; distance:9; within:13; threshold: type limit, track by_src, count 1, seconds 60; reference:url,www.facebook.com/sitetour/chat.php; reference:url,doc.emergingthreats.net/2010819; classtype:policy-violation; sid:2010819; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# sid:2023474 -- disabled. The hex is the literal ASCII text "\x5c\x6b\x61..." (a JS hex-escape string that decodes to \kas_engine.dll/#24/2"}),
# so it matches only the escaped form as it appears in the page, not the decoded bytes.
# alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Nov 01 2016"; flow:established,from_server; file_data; content:"|5c 78 35 63 5c 78 36 62 5c 78 36 31 5c 78 37 33 5c 78 35 66 5c 78 36 35 5c 78 36 65 5c 78 36 37 5c 78 36 39 5c 78 36 65 5c 78 36 35 5c 78 32 65 5c 78 36 34 5c 78 36 63 5c 78 36 63 5c 78 32 66 5c 78 32 33 5c 78 33 32 5c 78 33 34 5c 78 32 66 5c 78 33 32 5c 78 32 32 5c 78 37 64|"; nocase; classtype:exploit-kit; sid:2023474; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Redirector, signature_severity Major, created_at 2016_11_01, performance_impact Low, updated_at 2016_11_01;)
# sid:2008232 -- single fixed URI token, no http_method; campaign-specific and likely stale.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Spambot (often Tibs) Post-Infection Checkin (justcount.net likely)"; flow:established,to_server; content:"/t/d2hsdWF3OzJ0OHY5Oj0,cyJtI"; http_uri; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2008232; classtype:command-and-control; sid:2008232; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# sid:2101129 -- matches ".htaccess" anywhere in any request URI, including legitimate URIs that merely contain the string; recon-level, threshold it in noisy environments.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER .htaccess access"; flow:to_server,established; content:".htaccess"; nocase; http_uri; classtype:attempted-recon; sid:2101129; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# sid:2011087 -- disabled; exact User-Agent header match.
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (gomtour)"; flow:to_server,established; content:"User-Agent|3a| gomtour|0d 0a|"; http_header; metadata: former_category ADWARE_PUP; reference:url,doc.emergingthreats.net/2011087; classtype:pup-activity; sid:2011087; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# sid:2006338 -- URI-only SQLi heuristic (UPDATE ... SET); no http_method and no parameter anchor, so any query to bt-trackback.php carrying both keywords fires.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php UPDATE"; flow:established,to_server; content:"/bt-trackback.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; reference:url,doc.emergingthreats.net/2006338; classtype:web-application-attack; sid:2006338; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;)
# sid:2007861 -- disabled. Keys on five generic query-parameter names (wmid, subid, pid, lid, hs) with no host or path anchor beyond ".php?".
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Softcashier.com Spyware Install Checkin"; flow:established,to_server; content:".php?wmid="; nocase; http_uri; content:"&subid="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&lid="; nocase; http_uri; content:"&hs="; nocase; http_uri; metadata: former_category ADWARE_PUP; reference:url,doc.emergingthreats.net/bin/view/Main/2007861; classtype:pup-activity; sid:2007861; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# sid:2021041 -- disabled. depth:16 on a 16-byte pattern anchors the label to the start of the query name; no endswith, so any suffix after it matches.
# alert dns $HOME_NET any -> any any (msg:"ET MALWARE Teerac/CryptoFortress .onion Proxy Domain (cld7vqwcvn2bii67)"; dns_query; content:"cld7vqwcvn2bii67"; depth:16; fast_pattern; nocase; reference:url,www.hybrid-analysis.com/sample/650d5a7d247fbe9c7f4d92e901319fec8c83fd07d4f5291f23c30f338a2e2974?environmentId=2#extracted-strings; reference:md5,4a20784de661675d281edbd48a6e2485; classtype:trojan-activity; sid:2021041; rev:3; metadata:created_at 2015_04_30, updated_at 2019_09_03;)
# sid:2028900 -- isdataat:!1,relative anchors the end of the name but nothing anchors the start: subdomains match (intended),
# but so does any name ending in "pegasusco.net" (e.g. "xpegasusco.net"). An explicit "." prefix would tighten this.
alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus CnC Domain Observed in DNS Query"; dns_query; content:"pegasusco.net"; nocase; isdataat:!1,relative; metadata: former_category MALWARE; reference:url,blog.alyac.co.kr/2388; classtype:domain-c2; sid:2028900; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_10_24, updated_at 2019_10_24;)
# sid:2005807 -- URI-only SQLi heuristic (SELECT ... FROM); relies on http_uri normalization to see encoded keywords.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id SELECT"; flow:established,to_server; content:"/display_review.php?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005807; classtype:web-application-attack; sid:2005807; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_26;)
# sid:2522632 -- static IP snapshot (updated_at 2020_03_25); relay membership changes frequently, so the list is only as good as its last refresh.
# Matches any tcp traffic from these addresses to $HOME_NET (no flow/port restriction), limited to one alert per source per 60s, and sets ET.TorIP for follow-on rules.
alert tcp [62.12.118.116,62.133.157.139,62.141.36.150,62.141.38.69,62.141.39.160,62.141.39.8,62.141.48.175,62.141.48.177,62.141.51.90,62.141.52.185] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 633"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522632; rev:4013; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2020_03_25;)
# sid:2003380 -- heuristic (former HUNTING): any User-Agent value containing ")ver<digit>"; review the UA before escalating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19 etc)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:")ver"; http_header; fast_pattern; distance:0; pcre:"/^User-Agent\:[^\n]+\)ver\d/Hmi"; metadata: former_category HUNTING; reference:url,doc.emergingthreats.net/2003380; classtype:trojan-activity; sid:2003380; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2017_10_30;)
# sid:2011263 -- GET-only; DELETE ... FROM in the URI of json.php with task=comment; same http_uri-normalization dependency as the other SQLi heuristics.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/comments/json.php?"; nocase; http_uri; content:"task=comment"; nocase; http_uri; content:"comment_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,secunia.com/advisories/40665/; reference:url,packetstormsecurity.org/1007-exploits/groupoffice-sql.txt; reference:url,doc.emergingthreats.net/2011263; classtype:web-application-attack; sid:2011263; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;)
# sid:2017710 -- no reference and no explicit fast_pattern; all four tokens (.php?subid=, &os=, &id=, &ver=) are ordinary query-parameter names
# matched in order, so false-positive potential is high for a command-and-control classtype -- validate the destination before acting on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bamital checkin"; flow:established,to_server; content:".php?subid="; http_uri; content:"&os="; distance:0; http_uri; content:"&id="; distance:0; http_uri; content:"&ver="; distance:0; http_uri; metadata: former_category MALWARE; classtype:command-and-control; sid:2017710; rev:3; metadata:created_at 2013_11_13, updated_at 2013_11_13;)
# sid:2025489 -- SNI suffix match only (endswith, no start anchor): "xaclassigned.info" would also match. Domain indicator last updated 2019; may be stale.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (aclassigned .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"aclassigned.info"; endswith; metadata: former_category ADWARE_PUP; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:pup-activity; sid:2025489; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_13, malware_family Foniad, performance_impact Moderate, updated_at 2019_09_28;)
# sid:2010255 -- the "../" content carries no http_uri modifier (unlike the two before it): with depth:200 it is tested against the
# first 200 bytes of the raw payload, not the normalized URI, so URL-encoded traversal (%2e%2e%2f) is not caught by that content.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ve-EDIT debug_php.php _GET Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/debugger/debug_php.php?"; http_uri; nocase; content:"_GET[filename]="; http_uri; nocase; content:"../"; depth:200; reference:url,osvdb.org/show/osvdb/57680; reference:url,doc.emergingthreats.net/2010255; classtype:web-application-attack; sid:2010255; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_26;)
# sid:2101541 -- disabled; plain "version" string on tcp/79.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Version Query"; flow:to_server,established; content:"version"; classtype:attempted-recon; sid:2101541; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# sid:2025214 -- hex is "script: node, template:  , date: Jul 3", followed by a fixed <title>; kit-specific landing-page fingerprint, severity Minor.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-01-18 M1"; flow:established,to_client; file_data; content:"|73 63 72 69 70 74 3a 20 6e 6f 64 65 2c 20 74 65 6d 70 6c 61 74 65 3a 20 20 2c 20 64 61 74 65 3a 20 4a 75 6c 20 33|"; content:"<title>Log in to your PayPal account"; fast_pattern; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:social-engineering; sid:2025214; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_18, updated_at 2018_01_18;)
# sid:2000033 -- disabled. Two fixed byte sequences on tcp/445 for CVE-2003-0533 (LSASS RPC overflow); classtype misc-activity understates a
# remote-code-execution exploit -- if re-enabled, consider attempted-admin.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP)"; flow: to_server,established; content:"|95 14 40 00 03 00 00 00 7C 70 40 00 01|"; content:"|78 85 13 00 AB5B A6 E9 31 31|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000033; reference:cve,2003-0533; classtype:misc-activity; sid:2000033; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# sid:2009876 -- as with 2010255, the trailing "../" content has no http_uri modifier (raw payload match, no depth); encoded traversal is not caught by it.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokuwiki doku.php config_cascade Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/doku.php?"; nocase; http_uri; content:"config_cascade[main][default][]="; nocase; http_uri; content:"../"; reference:bugtraq,35095; reference:url,milw0rm.com/exploits/8781; reference:url,doc.emergingthreats.net/2009876; classtype:web-application-attack; sid:2009876; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, deployment Datacenter, tag Local_File_Inclusion, signature_severity Major, created_at 2010_07_30, updated_at 2019_09_27;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing (msg.mp3) Aug 12 2016"; flow:established,from_server; content:"200"; 
http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"