[8359] 3/2/2011 -- 14:38:58 - (suricata.c:402) (main) -- This is Suricata version 1.0.0 [8359] 3/2/2011 -- 14:38:58 - (util-cpu.c:167) (UtilCpuPrintSummary) -- CPUs Summary: [8359] 3/2/2011 -- 14:38:58 - (util-cpu.c:169) (UtilCpuPrintSummary) -- CPUs online: 1 [8359] 3/2/2011 -- 14:38:58 - (util-cpu.c:171) (UtilCpuPrintSummary) -- CPUs configured 1 [8359] 3/2/2011 -- 14:38:58 - (output.c:60) (OutputRegisterModule) -- Output module "AlertFastLog" registered. [8359] 3/2/2011 -- 14:38:58 - (output.c:60) (OutputRegisterModule) -- Output module "AlertDebugLog" registered. [8359] 3/2/2011 -- 14:38:58 - (output.c:60) (OutputRegisterModule) -- Output module "AlertUnifiedLog" registered. [8359] 3/2/2011 -- 14:38:58 - (output.c:60) (OutputRegisterModule) -- Output module "AlertUnifiedAlert" registered. [8359] 3/2/2011 -- 14:38:58 - (output.c:60) (OutputRegisterModule) -- Output module "Unified2Alert" registered. [8359] 3/2/2011 -- 14:38:58 - (output.c:60) (OutputRegisterModule) -- Output module "LogHttpLog" registered. [8359] 3/2/2011 -- 14:38:58 - (suricata.c:985) (main) -- preallocated 50 packets. Total memory 3760800 [8359] 3/2/2011 -- 14:38:58 - (flow.c:746) (FlowInitConfig) -- initializing flow engine... [8359] 3/2/2011 -- 14:38:58 - (flow.c:833) (FlowInitConfig) -- allocated 524288 bytes of memory for the flow hash... 65536 buckets of size 8 [8359] 3/2/2011 -- 14:38:58 - (flow.c:852) (FlowInitConfig) -- preallocated 10000 flows of size 192 [8359] 3/2/2011 -- 14:38:58 - (flow.c:854) (FlowInitConfig) -- flow memory usage: 2444288 bytes, maximum: 33554432 [8359] 3/2/2011 -- 14:38:58 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BACKDOOR w32.loosky.gen@mm runtime detection - notification"; flow:to_server,established; content:"/synctl/ping.pl"; fast_pattern; nocase; http_uri; content:"ip="; nocase; http_uri; content:"speed="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.sophos.com/virusinfo/analyses/w32looskyl.html; classtype:trojan-activity; sid:6474; rev:5;) [8359] 3/2/2011 -- 14:38:59 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CHAT MSN Messenger web login attempt"; flow:established,to_server; content:"/gateway/gateway.dll"; fast_pattern; nocase; http_uri; content:"Action=open"; nocase; http_uri; content:"messenger.hotmail.com"; nocase; http_uri; metadata:policy security-ips alert, service http; reference:url,webmessenger.msn.com; classtype:policy-violation; sid:16525; rev:5;) [8359] 3/2/2011 -- 14:38:59 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXPLOIT HP OpenView CGI parameter buffer overflow attempt"; flow:established,to_server; content:"|2F|OvCgi|2F|"; fast_pattern; nocase; http_uri; isdataat:1024; pcre:"/^\x2FOvCgi\x2F[^\x2E]*?\x2Eexe[^\h]{1024}/iU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26741; reference:cve,2007-6204; reference:cve,2008-0067; classtype:attempted-user; sid:13161; rev:5;) [8359] 3/2/2011 -- 14:38:59 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MISC Microsoft EMF metafile access detected"; flow:to_server,established; content:".emf"; fast_pattern; nocase; http_uri; flowbits:set,emf.request; flowbits:noalert; reference:cve,2008-1087; reference:url,www.microsoft.com/technet/security/bulletin/MS08-021.mspx; classtype:attempted-user; sid:13678; rev:11;) [8359] 3/2/2011 -- 14:39:00 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"P2P Skype client successful install"; flow:to_server,established; content:"/ui/"; http_uri; content:"/installed"; fast_pattern; nocase; http_uri; metadata:policy security-ips drop; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; classtype:policy-violation; sid:5692; rev:8;) [8359] 3/2/2011 -- 14:39:00 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Google Desktop initial install - installer request"; flow:to_server,established; content:"/installer?"; fast_pattern; nocase; http_uri; content:"action=install"; http_uri; content:"version="; http_uri; content:"id="; http_uri; content:"brand=GGLD"; http_uri; content:"hl="; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Google"; nocase; http_header; content:"Desktop"; nocase; http_header; pcre:"/User-Agent\x3A[^\n\r]+Google[^\n\r]+Desktop/smiH"; classtype:policy-violation; sid:7859; rev:6;) [8359] 3/2/2011 -- 14:39:00 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Google Desktop search query"; flow:to_server,established; content:"/complete/search?"; fast_pattern; nocase; http_uri; content:"q="; http_uri; content:"output=desktop"; http_uri; content:"sourceid=gd"; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Google"; nocase; http_header; content:"Desktop"; nocase; http_header; pcre:"/User-Agent\x3A[^\n\r]+Google[^\n\r]+Desktop/smiH"; classtype:policy-violation; sid:7860; rev:6;) [8359] 3/2/2011 -- 14:39:00 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Google Desktop initial install - firstuse request"; flow:to_server,established; content:"/firstuse?"; fast_pattern; nocase; http_uri; content:"version="; http_uri; content:"id="; http_uri; content:"brand=GGLD"; http_uri; content:"hl="; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Google"; nocase; http_header; content:"Desktop"; nocase; http_header; pcre:"/User-Agent\x3A[^\n\r]+Google[^\n\r]+Desktop/smiH"; classtype:policy-violation; sid:7858; rev:6;) [8359] 3/2/2011 -- 14:39:00 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Google Chat web client connection"; flow:established,to_server; content:"/talkgadget/popout"; fast_pattern; nocase; http_uri; classtype:policy-violation; sid:12303; rev:7;) [8359] 3/2/2011 -- 14:39:00 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Yahoo Messenger web client connection"; flow:established,to_server; content:"/BootStrapper.swf"; fast_pattern; nocase; http_uri; classtype:policy-violation; sid:12305; rev:8;) [8359] 3/2/2011 -- 14:39:00 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY AOL Instant Messenger web client connection"; flow:established,to_server; content:"HostCheck.aspx"; fast_pattern; nocase; http_uri; content:"aimexpress.aol.com"; http_uri; pcre:"/Cookie\x3A.*s_sq=aolsnssignin/si"; classtype:policy-violation; sid:12304; rev:6;) [8359] 3/2/2011 -- 14:39:00 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Microsoft Messenger web client connection"; flow:established,to_server; content:"mainui.aspx"; fast_pattern; nocase; http_uri; content:"webmessenger"; nocase; classtype:policy-violation; sid:12306; rev:7;) [8359] 3/2/2011 -- 14:39:00 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Crystal reports download request"; flow:to_server,established; content:".rpt"; fast_pattern; nocase; http_uri; flowbits:set, rpt.download; flowbits:noalert; classtype:policy-violation; sid:12455; rev:7;) [8359] 3/2/2011 -- 14:39:00 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Habbo chat client item information download"; flow:to_server,established; content:"/gamedata/external?id=external_"; fast_pattern; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.habbo.com; classtype:policy-violation; sid:13862; rev:5;) [8359] 3/2/2011 -- 14:39:00 - (detect-http-header.c:209) (DetectHttpHeaderSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_header cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY download of executable content - x-header"; flow:to_client,established; content:"application/x-msdos-program"; fast_pattern; nocase; http_header; pcre:"/^Content-Type\x3a[\x20\x09]+application\/x-msdos-program/smiH"; pcre:"/(\r?\n){2}MZ/sm"; reference:url,www.microsoft.com/smallbusiness/resources/technology/security/practice_safe_computing_and_thwart_online_thugs.mspx; classtype:policy-violation; sid:16313; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker shop at home select installation in progress"; flow:to_server,established; content:"GRInstallCL.asp"; fast_pattern; nocase; http_uri; content:"E="; nocase; http_uri; content:"MID="; nocase; http_uri; content:"Refer="; nocase; http_uri; content:"WGR="; nocase; http_uri; content:"Prev="; nocase; http_uri; content:"sGUID="; nocase; http_uri; metadata:policy security-ips drop; classtype:misc-activity; sid:5810; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker funbuddyicons runtime detection - request config"; flow:to_server,established; content:"/mySpeedbarCfg2.jsp?"; fast_pattern; nocase; http_uri; content:"s="; nocase; http_uri; content:"p=ZB"; nocase; http_uri; content:"v="; nocase; http_uri; content:"e="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.pchell.com/support/funbuddyicons.shtml; classtype:misc-activity; sid:5855; rev:7;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker adultlinks runtime detection - redirect"; flow:to_server,established; content:"/cgi-bin/lzRedirect.cgi"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"act="; nocase; http_uri; content:"type="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=431; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072505; classtype:misc-activity; sid:5745; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker shop at home select merchant redirect in progress"; flow:to_server,established; content:"/frameset3.asp"; fast_pattern; nocase; http_uri; content:"MID="; nocase; http_uri; content:"ruleID="; nocase; http_uri; content:"popupID="; nocase; http_uri; content:"doPopup="; nocase; http_uri; content:"version="; nocase; http_uri; content:"requested="; nocase; http_uri; content:"CustomerID="; nocase; http_uri; content:"owner="; nocase; http_uri; content:"refer="; nocase; http_uri; content:"LastPrefs="; http_uri; content:"GUID="; nocase; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:misc-activity; sid:5809; rev:7;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker adultlinks runtime detection - ads"; flow:to_server,established; content:"/exit/exit.html?act="; fast_pattern; nocase; http_uri; content:".ADbar|3A|X"; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=431; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072505; classtype:misc-activity; sid:5748; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker searchfast detection - get toolbar cfg"; flow:to_server,established; content:"/searchfast/"; nocase; http_uri; content:"/communicatortb"; fast_pattern; nocase; http_uri; content:".cfg"; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1694; classtype:misc-activity; sid:5965; rev:7;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker ezcybersearch runtime detection - add coolsites to ie favorites"; flow:to_server,established; content:"/ezsb"; nocase; http_uri; content:"/bar_pl/fav.fcgi?"; fast_pattern; nocase; http_uri; content:"aff_id="; nocase; http_uri; pcre:"/\x2Fezsb\d{4}\x2Fbar_pl\x2Ffav\.fcgi/Ui"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=476; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072520; classtype:misc-activity; sid:5756; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker isearch runtime detection - search in toolbar"; flow:to_server,established; content:"/?"; nocase; http_uri; content:"qry_str="; fast_pattern; nocase; http_uri; content:"src=tbi"; nocase; http_uri; content:"tid="; nocase; http_uri; content:"ref="; nocase; http_uri; pcre:"/tid\x3D\x7B([0-9A-z]+\x2D){4}[0-9A-z]+\x7D/smi"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=732; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082740; classtype:misc-activity; sid:5864; rev:7;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware download accelerator plus runtime detection - download files"; flow:to_server,established; content:"/cgi-bin/MirrorSearch.dll?"; fast_pattern; nocase; http_uri; content:"User-Agent|3A| DA"; nocase; http_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html; classtype:misc-activity; sid:5904; rev:9;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware adtools-communicator runtime detection - download self-update"; flow:to_server,established; content:"/clientcontent/StewieGriffin/selfupdate.asp?"; fast_pattern; nocase; http_uri; content:"i="; nocase; http_uri; content:"v="; nocase; http_uri; content:"FI="; nocase; http_uri; content:"User-Agent|3A| "; nocase; http_header; content:"AdTools"; nocase; http_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082798; classtype:successful-recon-limited; sid:5901; rev:11;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT keylogger pc actmon pro runtime detection - http"; flow:to_server,established; content:"/index_a.htm"; fast_pattern; nocase; http_uri; content:"User-Agent|3A| "; nocase; http_header; content:"ActMon"; nocase; http_header; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1989; classtype:successful-recon-limited; sid:5789; rev:9;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware push toolbar installtime detection - user information collect"; flow:to_server,established; content:"/stats/stats.cgi"; fast_pattern; nocase; http_uri; content:"userFile="; nocase; content:"Host|3A| "; nocase; content:"push.com"; distance:0; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1786; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079100; classtype:successful-recon-limited; sid:5984; rev:9;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker adultlinks runtime detection - log hits"; flow:to_server,established; content:"/cgi-bin/hits/log.cgi/"; fast_pattern; nocase; http_uri; content:".ADbar|3A|X"; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=431; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072505; classtype:misc-activity; sid:5747; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware broadcasturban tuner runtime detection - pass user info to server"; flow:to_server,established; content:"/newsurfer4/"; fast_pattern; nocase; http_uri; pcre:"/\x2Fnewsurfer4\x2F((register\.asp)|(survey\.asp\?nUserId=))/Ui"; metadata:policy security-ips drop; reference:url,www.sunbelt-software.com/research/threat_display.cfm?name=BroadcastURBAN%20tuner&threatid=6093; classtype:misc-activity; sid:5826; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware smartpops runtime detection"; flow:to_server,established; content:"/adserv/GetAd.pl"; fast_pattern; nocase; http_uri; content:"sid="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"lid="; nocase; http_uri; content:"rfs="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"uri="; nocase; http_uri; content:"sn="; nocase; http_uri; content:"cv="; nocase; http_uri; content:"mdm="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1910; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074758; classtype:misc-activity; sid:5911; rev:8;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker searchfast detection - search request"; flow:to_server,established; content:"/fstdirectory/searchResults.php?searchTerm="; fast_pattern; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1694; classtype:misc-activity; sid:5963; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker copernic meta toolbar runtime detection - ie autosearch & search assistant hijack"; flow:to_server,established; content:"/copern.light/redirs_all.htm?"; fast_pattern; nocase; http_uri; content:"pgtarg="; nocase; http_uri; content:"qcat="; nocase; http_uri; content:"qkw="; nocase; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.copernic.com/en/products/meta/; classtype:misc-activity; sid:5885; rev:7;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-header.c:209) (DetectHttpHeaderSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_header cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker funbuddyicons runtime detection - mysaconfg request"; flow:to_server,established; content:"/mysaconfg.jsp?"; nocase; http_uri; content:"User-Agent|3A| "; nocase; http_header; content:"MyWebSearchSearchAssistant"; fast_pattern; nocase; http_header; metadata:policy security-ips drop; reference:url,www.pchell.com/support/funbuddyicons.shtml; classtype:misc-activity; sid:5857; rev:9;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker copernic meta toolbar runtime detection - check toolbar & category info"; flow:to_server,established; content:"/software/meta/Update/VersionCheckInfo.ini?c="; fast_pattern; nocase; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.copernic.com/en/products/meta/; classtype:misc-activity; sid:5884; rev:7;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-header.c:209) (DetectHttpHeaderSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_header cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT trackware searchinweb detection - click result links"; flow:to_server,established; content:"/click.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"Referer|3A| http|3A|//www.searchinweb.com/search.php?said=bar&q="; fast_pattern; nocase; http_header; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1787; classtype:successful-recon-limited; sid:5967; rev:7;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker ezcybersearch runtime detection - check toolbar setting"; flow:to_server,established; content:"/ezsb"; nocase; http_uri; content:"/bar_pl/chk_bar.fcgi?"; fast_pattern; nocase; http_uri; content:"aff_id="; nocase; http_uri; content:"cid="; nocase; http_uri; pcre:"/\x2Fezsb\d{4}\x2Fbar_pl\x2Fchk_bar\.fcgi/Ui"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=476; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072520; classtype:misc-activity; sid:5757; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-header.c:209) (DetectHttpHeaderSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_header cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker daosearch runtime detection - search hijack"; flow:to_server,established; content:"o.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A| daosearch.com"; fast_pattern; nocase; http_header; metadata:policy security-ips drop; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.daosearch.html; classtype:misc-activity; sid:5860; rev:8;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware push toolbar runtime detection - toolbar information request"; flow:to_server,established; content:"/searchv2tb0200.php"; fast_pattern; nocase; http_uri; content:"barid="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1786; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079100; classtype:successful-recon-limited; sid:5985; rev:7;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-header.c:209) (DetectHttpHeaderSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_header cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT trackware searchinweb detection - collect information"; flow:to_server,established; content:"/r?X="; nocase; http_uri; content:"Referer|3A| http|3A|//www.searchinweb.com/search.php?said=bar&q="; fast_pattern; nocase; http_header; content:"Host|3A| c.goclick.com"; nocase; http_header; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1787; classtype:successful-recon-limited; sid:5969; rev:8;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker isearch runtime detection - search hijack 2"; flow:to_server,established; content:"/phrase.php?"; fast_pattern; nocase; http_uri; content:"text="; nocase; http_uri; content:"tid="; nocase; http_uri; content:"ref=%user_id"; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=732; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082740; classtype:misc-activity; sid:5863; rev:8;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Other-Technologies saria 1.0 runtime detection - send user information"; flow:to_server,established; content:"op="; nocase; http_uri; content:"vic="; nocase; http_uri; content:"ip="; nocase; http_uri; content:"port="; fast_pattern; nocase; http_uri; content:"pass="; nocase; http_uri; pcre:"/pass=(YAHOO|(XP\s+)?MSN|PALTALK)/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080923; classtype:misc-activity; sid:5883; rev:8;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker begin2search runtime detection - pass information"; flow:to_server,established; content:"/client/fcgi/stats-post2.fcgi"; fast_pattern; nocase; http_uri; content:"User-Agent|3A| WebConnLib"; nocase; http_header; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=924; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088175; classtype:misc-activity; sid:5768; rev:9;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware download accelerator plus runtime detection - update"; flow:to_server,established; content:"/cgi-bin/update.dll?"; fast_pattern; nocase; http_uri; content:"User-Agent|3A| dapupd"; nocase; http_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html; classtype:misc-activity; sid:5906; rev:9;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker ezcybersearch runtime detection - download fastclick pop-under code"; flow:to_server,established; content:"/ezsb"; nocase; http_uri; content:"/bar_pl/b.fcgi?"; fast_pattern; nocase; http_uri; content:"aff_id="; nocase; http_uri; content:"cid="; nocase; http_uri; pcre:"/\x2Fezsb\d{4}\x2Fbar_pl\x2Fb\.fcgi/Ui"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=476; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072520; classtype:misc-activity; sid:5758; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker ezcybersearch runtime detection - check update"; flow:to_server,established; content:"/ezsb"; nocase; http_uri; content:"/bar_pl/chk.fcgi"; fast_pattern; nocase; http_uri; pcre:"/\x2Fezsb\d{4}\x2Fbar_pl\x2Fchk\.fcgi/Ui"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=476; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072520; classtype:misc-activity; sid:5755; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker shopnav runtime detection - ie search assistant hijack"; flow:to_server,established; content:"/9899/search/results.php?"; fast_pattern; nocase; http_uri; content:"source="; nocase; http_uri; content:"pa="; nocase; http_uri; content:"keywords="; nocase; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=582; classtype:misc-activity; sid:5887; rev:7;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware exactsearch runtime detection - switch search engine 2"; flow:to_server,established; content:"/setup.asp?src=exact&query="; fast_pattern; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=475; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072519; classtype:misc-activity; sid:5752; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-header.c:209) (DetectHttpHeaderSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_header cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT trackware searchinweb detection - redirect"; flow:to_server,established; content:"/go.php?c="; nocase; http_uri; content:"Referer|3A| http|3A|//www.searchinweb.com/search.php?said=bar&q="; fast_pattern; nocase; http_header; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1787; classtype:successful-recon-limited; sid:5968; rev:7;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker surfsidekick runtime detection - hijack ie auto search"; flow:to_server,established; content:"/search.aspx?"; fast_pattern; nocase; http_uri; content:"q="; nocase; http_uri; content:"guid="; nocase; http_uri; content:"client=SSKD"; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1128; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090721; classtype:misc-activity; sid:5843; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware mydailyhoroscope runtime detection"; flow:to_server,established; content:"/mdh/adcr2.aspx"; fast_pattern; nocase; http_uri; content:"API="; nocase; http_uri; content:"UID="; nocase; http_uri; content:"TZ="; nocase; http_uri; content:"LC="; nocase; http_uri; content:"APL="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1184; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088207; classtype:misc-activity; sid:5798; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler bearshare runtime detection - ads popup"; flow:to_server,established; content:"/w/pop.cgi?"; http_uri; content:"sid="; nocase; http_uri; content:"u=http"; nocase; http_uri; content:"bearshare"; fast_pattern; nocase; http_uri; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060286; classtype:misc-activity; sid:5761; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker raxsearch detection - send search keywords to raxsearch"; flow:to_server,established; content:"/gettotal.m?"; fast_pattern; nocase; http_uri; content:"q="; nocase; http_uri; content:"a="; nocase; http_uri; content:"r=rxh"; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=2485; classtype:misc-activity; sid:5959; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware hithopper runtime detection - get xml setting"; flow:to_server,established; content:"/xml/hithopper.xml"; fast_pattern; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=746; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079079; classtype:misc-activity; sid:5785; rev:7;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker begin2search runtime detection - install spyware trafficsector"; flow:to_server,established; content:"/install.php?"; fast_pattern; nocase; http_uri; content:"afid=b2search"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"version="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=924; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088175; classtype:misc-activity; sid:5766; rev:7;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware active shopper runtime detection - redirect"; flow:to_server,established; content:"/active/redir_sidecheck.php?"; fast_pattern; nocase; http_uri; content:"search="; nocase; http_uri; content:"dom="; nocase; http_uri; content:"Host|3A| data2.activshopper.com"; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=2410; classtype:misc-activity; sid:5924; rev:7;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker daosearch runtime detection - information request"; flow:to_server,established; content:"/advers/zl/version.txt"; fast_pattern; nocase; http_uri; content:"Host|3A| daosearch.com"; nocase; metadata:policy security-ips drop; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.daosearch.html; classtype:misc-activity; sid:5859; rev:7;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware myway speedbar runtime detection - request config"; flow:to_server,established; content:"/mySpeedbarConfig.jsp?"; fast_pattern; nocase; http_uri; content:"User-Agent|3A| "; nocase; http_header; content:"MyWay"; nocase; http_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.adwarereport.com/mt/archives/000062.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405; classtype:successful-recon-limited; sid:5800; rev:10;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler bearshare runtime detection - p2p information request"; flow:to_server,established; content:"/gwcache/lynnx.asp?"; fast_pattern; nocase; http_uri; content:"client=BEAR"; nocase; http_uri; content:"version="; nocase; http_uri; content:"urlfile="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060286; classtype:misc-activity; sid:5762; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware hithopper runtime detection - redirect"; flow:to_server,established; content:"/redirectf.php3?"; fast_pattern; nocase; http_uri; content:"url="; nocase; http_uri; content:"id="; nocase; http_uri; content:"adid="; nocase; http_uri; content:"search_parsed="; nocase; http_uri; content:"rank="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=746; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079079; classtype:misc-activity; sid:5786; rev:7;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Dialer pluginaccess runtime detection - get pin"; flow:to_server,established; content:"/getpin.php?"; fast_pattern; nocase; http_uri; content:"did="; nocase; http_uri; content:"refid="; nocase; http_uri; content:"udata="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=579; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074883; classtype:misc-activity; sid:5791; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-header.c:209) (DetectHttpHeaderSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_header cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware e2give runtime detection - redirect affiliate site request 2"; flow:to_server,established; content:"/fs-bin/swat?"; nocase; http_uri; content:"lsnsig="; nocase; http_uri; content:"offerid="; nocase; http_uri; content:"Referer|3A| e2give.com"; fast_pattern; nocase; http_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1226; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075049; classtype:successful-recon-limited; sid:5909; rev:9;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware exactsearch runtime detection - topsearches"; flow:to_server,established; content:"/search.php?Keywords="; fast_pattern; nocase; http_uri; content:"partner=bar"; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=475; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072519; classtype:misc-activity; sid:5753; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware download accelerator plus runtime detection - games center request"; flow:to_server,established; content:"/GamesTab_realarcade.asp"; fast_pattern; nocase; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,reviews.cnet.com/Download_Accelerator_Plus_5_3/4505-3513_7-20035409.html; classtype:misc-activity; sid:5905; rev:7;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware broadcasturban tuner runtime detection - get gateway"; flow:to_server,established; content:"/newsurfer4/getgateway.asp?"; fast_pattern; nocase; http_uri; content:"userid="; nocase; http_uri; content:"call="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.sunbelt-software.com/research/threat_display.cfm?name=BroadcastURBAN%20tuner&threatid=6093; classtype:misc-activity; sid:5827; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker surfsidekick runtime detection - update request"; flow:to_server,established; content:"/rinfo.htm?"; fast_pattern; nocase; http_uri; content:"host="; nocase; http_uri; content:"action="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"bundle="; nocase; http_uri; content:"client="; nocase; http_uri; content:"guid="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1128; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090721; classtype:misc-activity; sid:5845; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Dialer pluginaccess runtime detection - redirect"; flow:to_server,established; content:"/dlrdir.html?"; fast_pattern; nocase; http_uri; content:"DiallerIP="; nocase; http_uri; content:"dialled="; nocase; http_uri; content:"site="; nocase; http_uri; content:"did="; nocase; http_uri; content:"country="; nocase; http_uri; content:"refid="; nocase; http_uri; content:"udata="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=579; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074883; classtype:misc-activity; sid:5793; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler conscorr runtime detection"; flow:to_server,established; content:"/a/Corr.sen?StubName=conscorr"; fast_pattern; nocase; http_uri; content:"User-Agent|3A| Stubby"; nocase; http_header; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1034; classtype:misc-activity; sid:5834; rev:8;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Dialer pluginaccess runtime detection - active proxy"; flow:to_server,established; content:"/activeproxy.php?"; fast_pattern; nocase; http_uri; content:"did="; nocase; http_uri; content:"pin="; nocase; http_uri; content:"refid="; nocase; http_uri; content:"udata="; nocase; http_uri; content:"resdir="; nocase; http_uri; content:"selectbox="; nocase; http_uri; content:"lmi="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=579; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074883; classtype:misc-activity; sid:5792; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker shopnav runtime detection - ie auto search hijack"; flow:to_server,established; content:"/searchcat.jsp?p="; fast_pattern; nocase; http_uri; content:"appid="; nocase; http_uri; content:"id="; nocase; http_uri; content:"url="; nocase; http_uri; content:"type="; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.spywareguide.com/product_show.php?id=582; classtype:misc-activity; sid:5888; rev:8;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker ezcybersearch runtime detection - ie auto search hijack"; flow:to_server,established; content:"/ezsb"; nocase; http_uri; content:"/bar_pl/shdoclc.fcgi?"; fast_pattern; nocase; http_uri; pcre:"/\x2Fezsb\d{4}\x2Fbar_pl\x2Fshdoclc\.fcgi/Ui"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=476; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072520; classtype:misc-activity; sid:5754; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker adultlinks runtime detection - load url"; flow:to_server,established; content:"/logurl/loadURL/"; fast_pattern; nocase; http_uri; content:".ADbar|3A|X"; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=431; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072505; classtype:misc-activity; sid:5746; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware exactsearch runtime detection - switch search engine 1"; flow:to_server,established; content:"/d/search/p/exactad/?Keywords="; fast_pattern; nocase; http_uri; content:"Partners=exactad"; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=475; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072519; classtype:misc-activity; sid:5751; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler spyblocs.eblocs detection - register request"; flow:to_server,established; content:"/cart11.html?affl="; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.eblocs.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Eeblocs\x2Ecom/smiH"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088571; classtype:misc-activity; sid:6375; rev:7;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware aornum/iwon copilot runtime detection - ads"; flow:to_server,established; content:"/ad_string.js?"; fast_pattern; nocase; http_uri; content:"tagad"; nocase; http_uri; content:"site=iwon"; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=461; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072491; classtype:misc-activity; sid:6218; rev:8;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware excite search bar runtime detection - search"; flow:to_server,established; content:"/tr.js"; nocase; http_uri; content:"a="; nocase; http_uri; content:"r="; nocase; http_uri; content:"site=excite"; fast_pattern; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.scanspyware.net/info/ExciteSearchBar.htm; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078495; classtype:misc-activity; sid:6345; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker coolwebsearch.cameup runtime detection"; flow:to_server,established; content:"svc="; nocase; http_uri; content:"lang="; nocase; http_uri; content:"type="; nocase; http_uri; content:"mode="; nocase; http_uri; content:"art="; nocase; http_uri; content:"acct="; nocase; http_uri; content:"url="; nocase; http_uri; content:"category="; fast_pattern; nocase; http_uri; content:"view="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=599; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; classtype:misc-activity; sid:6242; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker dotcomtoolbar runtime detection - search in toolbar"; flow:to_server,established; content:"/search.asp?"; nocase; http_uri; content:"group=searchbar-web"; fast_pattern; nocase; http_uri; content:"keyword="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=628; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076986; classtype:misc-activity; sid:6381; rev:7;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker gigatech superbar runtime detection - self update - get update"; flow:to_server,established; content:"/superbar/seupdate.php"; fast_pattern; nocase; http_uri; content:"action=getUpdate"; nocase; content:"fileName="; nocase; content:"guid="; nocase; content:"camp="; nocase; content:"build="; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=500; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075466; classtype:misc-activity; sid:6267; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware excite search bar runtime detection - config"; flow:to_server,established; content:"/speedbar/speedbarcfg.jsp"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Excite"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*Excite/smiH"; metadata:policy security-ips drop; reference:url,www.scanspyware.net/info/ExciteSearchBar.htm; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078495; classtype:misc-activity; sid:6344; rev:7;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker internet optimizer runtime detection - error page hijack"; flow:to_server,established; content:"/?"; nocase; http_uri; content:"js="; nocase; http_uri; content:"e=ERR404"; fast_pattern; nocase; http_uri; content:"u=http"; nocase; http_uri; content:"cls="; nocase; http_uri; content:"rid="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=869; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453093995; classtype:misc-activity; sid:6388; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker gigatech superbar runtime detection - track event"; flow:to_server,established; content:"/superbar/event.php"; fast_pattern; nocase; http_uri; content:"event="; nocase; content:"gmt="; nocase; content:"guid="; nocase; content:"camp="; nocase; content:"build="; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=500; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075466; classtype:misc-activity; sid:6269; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker internet optimizer runtime detection - autosearch hijack"; flow:to_server,established; content:"/query/"; fast_pattern; nocase; http_uri; content:"lt="; nocase; http_uri; content:"q="; nocase; http_uri; content:"cls="; nocase; http_uri; content:"rid="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=869; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453093995; classtype:misc-activity; sid:6387; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker adblock update detection"; flow:to_server,established; content:"/abho/chkupdate.abs"; fast_pattern; nocase; http_uri; content:"cv="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"adblock.linkz.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*adblock\x2Elinkz\x2Ecom/smiH"; metadata:policy security-ips drop; reference:url,adblock.linkz.com/Home.php; reference:url,www.spywareguide.com/product_show.php?id=48; classtype:misc-activity; sid:6351; rev:7;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware twaintec runtime detection"; flow:to_server,established; content:"/twain/servlet/Twain"; fast_pattern; nocase; http_uri; content:"adcontext="; nocase; http_uri; content:"contextpeak="; nocase; http_uri; content:"contextcount="; nocase; http_uri; content:"countrycodein="; nocase; http_uri; content:"cookie1="; nocase; http_uri; content:"cookie2="; nocase; http_uri; content:"InstID="; nocase; http_uri; content:"status="; nocase; http_uri; content:"smode="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=650; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078844; classtype:misc-activity; sid:6201; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware ezula toptext runtime detection - redirect"; flow:to_server,established; content:"/IntermixWO/redirect/redirect.asp?"; fast_pattern; nocase; http_uri; content:"DS_ID="; nocase; http_uri; content:"PubName="; nocase; http_uri; content:"UV_ID="; nocase; http_uri; content:"country="; nocase; http_uri; content:"region="; nocase; http_uri; content:"city="; nocase; http_uri; content:"zip="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=9; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072551; classtype:misc-activity; sid:6249; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker gigatech superbar runtime detection - self update - movie"; flow:to_server,established; content:"/superbar/movie.php"; fast_pattern; nocase; http_uri; content:"requests="; nocase; content:"guid="; nocase; content:"camp="; nocase; content:"build="; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=500; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075466; classtype:misc-activity; sid:6264; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler eacceleration downloadreceiver runtime detection - stop-sign ads"; flow:to_server,established; content:"/dlp_def/"; nocase; http_uri; content:"imod="; nocase; http_uri; content:"prod=scanner"; fast_pattern; nocase; http_uri; content:"lng="; nocase; http_uri; content:"geo="; nocase; http_uri; content:"ftid="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"ui="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=398; classtype:misc-activity; sid:6367; rev:7;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Snoopware zenosearch runtime detection"; flow:to_server,established; content:"/engine"; fast_pattern; nocase; http_uri; content:"site="; nocase; http_uri; content:"page="; nocase; http_uri; content:"space="; nocase; http_uri; content:"size="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"domain="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=ADW%5FZENO%2EA; classtype:successful-recon-limited; sid:6348; rev:7;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware 180Search assistant runtime detection - tracked event URL"; flow:to_server,established; content:"/trackedevent.aspx?"; fast_pattern; nocase; http_uri; content:"eid="; nocase; http_uri; content:"mt="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"basename="; nocase; http_uri; content:"time="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=507; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090677; classtype:misc-activity; sid:6183; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware esyndicate runtime detection - ads popup"; flow:to_server,established; content:"/content/"; fast_pattern; nocase; http_uri; flowbits:set,eSyndicate.ads; flowbits:noalert; metadata:policy security-ips drop; classtype:misc-activity; sid:6390; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker coolwebsearch startpage runtime detection"; flow:to_server,established; content:"/2gt.php"; nocase; http_uri; content:"cp="; nocase; http_uri; content:"dn=daosearch.com"; fast_pattern; nocase; http_uri; content:"ckey="; nocase; http_uri; content:"ip="; nocase; http_uri; content:"iphsh="; nocase; http_uri; content:"tm="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=599; classtype:misc-activity; sid:6245; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker adbars runtime detection - homepage hijack"; flow:to_server,established; content:"/r/banner_iw_codigo_gtc.php"; fast_pattern; nocase; http_uri; content:"idrotador="; nocase; http_uri; content:"tamano="; nocase; http_uri; content:"iw_alternativo="; nocase; http_uri; content:"www.adbars.com"; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1331; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079049; classtype:misc-activity; sid:6378; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware stationripper ad display detection"; flow:to_server,established; content:"/minimall"; nocase; http_uri; content:"w="; nocase; http_uri; content:"h="; nocase; http_uri; content:"client="; nocase; http_uri; content:"noctxt="; nocase; http_uri; content:"sid="; nocase; http_uri; content:"url=http|3A|/www.stationripper.com/Portal/ad.htm"; fast_pattern; nocase; http_uri; content:"query="; nocase; http_uri; metadata:policy security-ips drop; reference:url,stationripper.com; classtype:misc-activity; sid:6347; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware lop runtime detection - pop up ads"; flow:to_server,established; content:"/prod/C2mediapops/pop3.asp?"; fast_pattern; nocase; http_uri; content:"mt="; nocase; http_uri; content:"popid="; nocase; http_uri; content:"User-Agent|3A| TPSystem"; nocase; http_header; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076024; classtype:misc-activity; sid:6240; rev:8;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker gigatech superbar runtime detection - self update - check update"; flow:to_server,established; content:"/superbar/seupdate.php"; fast_pattern; nocase; http_uri; content:"action=checkUpdate"; nocase; content:"guid="; nocase; content:"camp="; nocase; content:"build="; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=500; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075466; classtype:misc-activity; sid:6266; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware searchsquire runtime detection - search forward"; flow:to_server,established; content:"/search.php?"; nocase; http_uri; content:"domain="; nocase; http_uri; content:"term="; nocase; http_uri; content:"partner=searchsquire"; fast_pattern; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=584; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094363; classtype:misc-activity; sid:6259; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler wsearch runtime detection - auto update"; flow:to_server,established; content:"/simplesearch/update.asp"; fast_pattern; nocase; http_uri; content:"type="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"ProxyDown"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*ProxyDown/smiH"; metadata:policy security-ips drop; reference:url,www.zhongsou.com; classtype:misc-activity; sid:6354; rev:7;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware stationripper update detection"; flow:to_server,established; content:"/version/stationripper-getver"; fast_pattern; nocase; http_uri; metadata:policy security-ips drop; reference:url,stationripper.com; classtype:misc-activity; sid:6346; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker sidefind runtime detection - cookie"; flow:to_server,established; content:"/javascripts/common.js"; fast_pattern; nocase; http_uri; content:"Cookie|3A| "; nocase; http_header; content:"origin=sidefind"; nocase; http_header; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1147; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088285; classtype:misc-activity; sid:6280; rev:9;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler farmmext installtime/update request"; flow:to_server,established; content:"/a/Aid.sen?StubName=farmmext"; fast_pattern; nocase; http_uri; content:"User-Agent|3A| Stubby"; nocase; http_header; metadata:policy security-ips drop; reference:url,www.spyany.com/files/farmmext_exe.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090784; classtype:misc-activity; sid:6202; rev:8;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker gigatech superbar runtime detection - collect information"; flow:to_server,established; content:"/adi/fandango.dart/theaterselectionpage|3B|"; fast_pattern; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=500; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075466; classtype:misc-activity; sid:6263; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware ezula toptext runtime detection - popup"; flow:to_server,established; content:"/TopText/pop-popup.html"; fast_pattern; nocase; http_uri; content:"Host|3A| www.ezula.com"; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=9; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072551; classtype:misc-activity; sid:6248; rev:7;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker 7fasst runtime detection - search"; flow:to_server,established; content:"/searchweb.aspx?"; fast_pattern; nocase; http_uri; content:"userid="; nocase; http_uri; content:"affiliateid="; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"theurl="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=419; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072502; classtype:misc-activity; sid:6214; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware ISTBar runtime detection - bar"; flow:to_server,established; content:"/ist/bars/istbar"; fast_pattern; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=572; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075516; classtype:misc-activity; sid:6188; rev:8;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware aornum/iwon copilot runtime detection - config"; flow:to_server,established; content:"/copilot/copilotcfg.jsp?"; fast_pattern; nocase; http_uri; content:"User-Agent|3A| "; nocase; http_header; content:"iWon"; nocase; http_header; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=461; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072491; classtype:misc-activity; sid:6216; rev:9;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker adblock auto search redirect detection"; flow:to_server,established; content:"/abho/autosrch.abs"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"adblock.linkz.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*adblock\x2Elinkz\x2Ecom/smiH"; metadata:policy security-ips drop; reference:url,adblock.linkz.com/Home.php; reference:url,www.spywareguide.com/product_show.php?id=48; classtype:misc-activity; sid:6352; rev:7;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker websearch runtime detection - sitereview"; flow:to_server,established; content:"/sitereview.asmx/GetReview"; fast_pattern; nocase; http_uri; content:"URL="; nocase; http_uri; content:"SITE="; nocase; http_uri; content:"TUID="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=769; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074933; classtype:misc-activity; sid:6283; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware flashtrack media/spoton runtime detection - pop up ads"; flow:to_server,established; content:"/js/jsnew2.php?"; fast_pattern; nocase; http_uri; content:"grp="; nocase; http_uri; content:"guid="; nocase; http_uri; content:"ft_id="; nocase; http_uri; content:"c="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"k="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=477; classtype:misc-activity; sid:6371; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker gigatech superbar runtime detection - self update - download exe"; flow:to_server,established; content:"/SUPERBARINSTALL_2.2.1.EXE"; fast_pattern; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=500; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075466; classtype:misc-activity; sid:6268; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-header.c:209) (DetectHttpHeaderSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_header cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker girafa toolbar - toolbar update"; flow:to_server,established; content:"/srv/c"; nocase; http_uri; content:"i="; nocase; http_uri; content:"t="; nocase; http_uri; content:"v="; nocase; http_uri; content:"s="; nocase; http_uri; content:"rnd="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"GirafaClient"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*GirafaClient/smiH"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1135; classtype:misc-activity; sid:6376; rev:5;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware ezula toptext runtime detection - help redirect"; flow:to_server,established; content:"/IntermixWO/Redirect/HelpRedirect.asp?"; fast_pattern; nocase; http_uri; content:"var="; nocase; http_uri; content:"Host|3A| www.ezula.com"; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=9; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072551; classtype:misc-activity; sid:6247; rev:7;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler farmmext runtime detection - track activity"; flow:to_server,established; content:"/imp/servlet/ImpServe?"; fast_pattern; nocase; http_uri; content:"urlContext="; nocase; http_uri; content:"domainContext="; nocase; http_uri; content:"distID="; nocase; http_uri; content:"MM_RECO.EXE"; nocase; http_uri; content:"country="; nocase; http_uri; content:"transponderID="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spyany.com/files/farmmext_exe.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090784; classtype:misc-activity; sid:6204; rev:7;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware overpro runtime detection"; flow:to_server,established; content:"/cmapp/zx-popup.php?"; fast_pattern; nocase; http_uri; content:"uid="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"m="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"url=http"; nocase; http_uri; content:"Host|3A| newads1.com"; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=757; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090731; classtype:misc-activity; sid:6260; rev:8;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware ISTBar runtime detection - scripts"; flow:to_server,established; content:"/ist/scripts/"; fast_pattern; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=572; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075516; classtype:misc-activity; sid:6187; rev:8;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware esyndicate runtime detection - ads popup"; flow:to_server,established; flowbits:isset,eSyndicate.ads; content:"/ad/zadframe.esyn"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"aw="; nocase; http_uri; content:"ah="; nocase; http_uri; content:"dt="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1759; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; classtype:misc-activity; sid:6391; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker websearch runtime detection - webstat"; flow:to_server,established; content:"/WebStat.asmx/GetXML2"; fast_pattern; nocase; http_uri; content:"sDate="; nocase; http_uri; content:"sModule="; nocase; http_uri; content:"sCID="; nocase; http_uri; content:"sIP="; nocase; http_uri; content:"sURL="; nocase; http_uri; content:"sReferrer="; nocase; http_uri; content:"sBT="; nocase; http_uri; content:"sAgent="; nocase; http_uri; content:"sName="; nocase; http_uri; content:"sAction="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=769; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074933; classtype:misc-activity; sid:6284; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker gigatech superbar runtime detection - self update - engine"; flow:to_server,established; content:"/superbar/engine.php"; fast_pattern; nocase; http_uri; content:"requests="; nocase; content:"engine="; nocase; content:"guid="; nocase; content:"camp="; nocase; content:"build="; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=500; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075466; classtype:misc-activity; sid:6265; rev:6;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker 7fasst runtime detection - track"; flow:to_server,established; content:"/data/track.aspx?"; fast_pattern; nocase; http_uri; content:"version="; nocase; http_uri; content:"userid="; nocase; http_uri; content:"affiliateid="; nocase; http_uri; content:"theurl="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=419; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072502; classtype:misc-activity; sid:6215; rev:7;) [8359] 3/2/2011 -- 14:39:01 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker adblock ie search assistant redirect detection"; flow:to_server,established; content:"/iesearch.php"; fast_pattern; nocase; http_uri; content:"term="; nocase; http_uri; content:"Submit=Search"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"linkz.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*linkz\x2Ecom/smiH"; metadata:policy security-ips drop; reference:url,adblock.linkz.com/Home.php; reference:url,www.spywareguide.com/product_show.php?id=48; classtype:misc-activity; sid:6353; rev:7;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker troj_spywad.x runtime detection"; flow:to_server,established; content:"/trial.php"; fast_pattern; nocase; http_uri; content:"rest="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"a="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"httphost"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*httphost/smiH"; metadata:policy security-ips drop; reference:url,www.sophos.com/virusinfo/analyses/trojspywadi.html; classtype:misc-activity; sid:6495; rev:7;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler Backdoor-BAC.gen.e runtime detection - notification"; flow:to_server,established; content:"/bsrv.php"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"socksport="; fast_pattern; nocase; http_uri; content:"httpport="; nocase; http_uri; metadata:policy security-ips drop; reference:url,vil.mcafeesecurity.com/vil/content/v_138750.htm; classtype:misc-activity; sid:6492; rev:7;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Other-Technologies alfacleaner runtime detection - update"; flow:to_server,established; content:"/updates/update.php"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.alfacleaner.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Ealfacleaner\x2Ecom/smiH"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=2733; classtype:misc-activity; sid:7123; rev:7;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Other-Technologies spam maxy runtime detection"; flow:to_server,established; content:"/cgi-bin5/repeaterm2.fcgi"; fast_pattern; nocase; http_uri; content:"n="; nocase; http_uri; content:"lastid="; nocase; http_uri; content:"r="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"adfsgecoiwnf"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*adfsgecoiwnf/smiH"; metadata:policy security-ips drop; reference:url,secunia.com/virus_information/22999/spam-maxy/; reference:url,vil.mcafeesecurity.com/vil/content/v_136735.htm; classtype:misc-activity; sid:7145; rev:8;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hacker-Tool sars notifier runtime detection - cgi notification"; flow:to_server,established; content:"/?action=log"; fast_pattern; nocase; http_uri; content:"port="; nocase; http_uri; content:"rpass="; nocase; http_uri; content:"connection="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078294; classtype:misc-activity; sid:7148; rev:7;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker cnsmin 3721 runtime detection - hijacking"; flow:to_server,established; content:"/cns.dll"; nocase; http_uri; content:"coagent="; nocase; http_uri; content:"3721cnsmin"; fast_pattern; nocase; http_uri; metadata:policy security-ips drop; reference:url,doxdesk.com/parasite/CnsMin.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072511; classtype:misc-activity; sid:7153; rev:7;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler generic downloader.g runtime detection - spyware injection"; flow:to_server,established; content:"/newsys/options.xml"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"i-femdom.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*i\-femdom\x2Ecom/smiH"; metadata:policy security-ips drop; reference:url,vil.mcafeesecurity.com/vil/content/v_128719.htm; classtype:misc-activity; sid:7051; rev:7;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker dsrch runtime detection - side search redirect"; flow:to_server,established; content:"/sidesearch/sidesearch.html"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"websearch.drsnsrch.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*websearch\x2Edrsnsrch\x2Ecom/smiH"; metadata:policy security-ips drop; reference:url,www.sunbelt-software.com/research/threat_display.cfm?name=DSrch&threatid=41080; classtype:misc-activity; sid:7137; rev:7;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hacker-Tool sars notifier runtime detection - icq notification"; flow:to_server,established; content:"/whitepages/page_me/1,,,00.html?"; fast_pattern; nocase; http_uri; content:"to="; nocase; http_uri; content:"from="; nocase; http_uri; content:"fromemail="; nocase; http_uri; content:"body="; nocase; http_uri; pcre:"/body\=\x7BIP\x3A[^\x7B\r\n]*\x7D\x7BOS\x3A[^\x7B\r\n]*\x7D\x7BSysuptime\x3A[^\x7B\r\n]*\x7D\x7BTrojan\x3A[^\x7B\r\n]*\x7D\x7BPort\x3A[^\x7B\r\n]*\x7D\x7BPassword\x3A[^\x7B\r\n]*\x7D\x7BUser\x3A/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078294; classtype:misc-activity; sid:7147; rev:6;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker cnsmin 3721 runtime detection - installation"; flow:to_server,established; content:"/download/CnsMinM.ini"; fast_pattern; nocase; http_uri; content:"t="; nocase; http_uri; metadata:policy security-ips drop; reference:url,doxdesk.com/parasite/CnsMin.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072511; classtype:misc-activity; sid:7152; rev:6;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker shop at home select - merchant redirect in progress"; flow:to_server,established; content:"/frameset.asp?"; fast_pattern; nocase; http_uri; content:"MID="; nocase; http_uri; content:"ruleID="; nocase; http_uri; content:"popupID="; nocase; http_uri; content:"doPopup="; nocase; http_uri; content:"version="; nocase; http_uri; content:"requested="; nocase; http_uri; content:"CustomerID="; nocase; http_uri; content:"owner="; nocase; http_uri; content:"refer="; nocase; http_uri; content:"LastPrefs="; http_uri; content:"GUID="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=45307 [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker wowok mp3 bar runtime detection - tracking"; flow:to_server,established; content:"t.php"; nocase; http_uri; content:"sc_project="; fast_pattern; nocase; http_uri; content:"resolution="; nocase; http_uri; content:"camefrom="; nocase; http_uri; content:"camefrom="; nocase; http_uri; content:"u="; nocase; http_uri; content:"java="; nocase; http_uri; content:"security="; nocase; http_uri; content:"sc_random="; nocase; http_uri; pcre:"/u=[^\r\n]*www.wowokay.com/Ui"; metadata:policy security-ips drop; reference:url,www.zdnet.com.au/downloads/0,39024478,39111669s,00.htm; classtype:misc-activity; sid:7127; rev:6;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hacker-Tool sars notifier runtime detection - php notification"; flow:to_server,established; content:"/?action=post"; fast_pattern; nocase; http_uri; content:"log="; http_uri; pcre:"/log\=\x7BIP\x3A[^\x7B\r\n]*\x7D\x7BOS\x3A[^\x7B\r\n]*\x7D\x7BSysuptime\x3A[^\x7B\r\n]*\x7D\x7BTrojan\x3A[^\x7B\r\n]*\x7D\x7BPort\x3A[^\x7B\r\n]*\x7D\x7BPassword\x3A[^\x7B\r\n]*\x7D\x7BUser\x3A/smi"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078294; classtype:misc-activity; sid:7149; rev:6;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler mediaseek.pl client runtime detection - trickler"; flow:to_server,established; content:"/gs_trickler"; fast_pattern; nocase; http_uri; content:"TRICKLER"; nocase; pcre:"/^TRICKLER\d+=[^\r\n]*MediaSeek*/smi"; metadata:policy security-ips drop; reference:url,www.remove-spyware-now.net/MediaSeek-pl-Client.html; classtype:misc-activity; sid:7530; rev:6;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware purityscan runtime detection - opt out of interstitial advertising"; flow:to_server,established; content:"/ps/ps_uninstaller.exe"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.purityscan.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Epurityscan\x2Ecom/smiH"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=618; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073488; classtype:successful-recon-limited; sid:7561; rev:7;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware earthlink toolbar runtime detection - ie autosearch hijack"; flow:to_server,established; content:"/sw/ietb/3/0/rd103.html?"; fast_pattern; nocase; http_uri; content:"d=error_earthlink"; nocase; http_uri; content:"q="; nocase; http_uri; metadata:policy security-ips drop; reference:url,castlecops.com/startuplist-1068.html; classtype:successful-recon-limited; sid:7520; rev:6;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-header.c:209) (DetectHttpHeaderSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_header cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hacker-Tool unify runtime detection - cgi notification"; flow:to_server,established; content:"action="; nocase; http_uri; content:"User-Agent|3A| http protocol"; fast_pattern; nocase; http_header; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074224; classtype:misc-activity; sid:7540; rev:7;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware earthlink toolbar runtime detection - track activity"; flow:to_server,established; content:"/track?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"earthlink"; fast_pattern; nocase; http_uri; metadata:policy security-ips drop; reference:url,castlecops.com/startuplist-1068.html; classtype:successful-recon-limited; sid:7519; rev:7;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker starware toolbar runtime detection - update"; flow:to_server,established; content:"/dp/simpleupdate?x="; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"as.starware.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*as\x2Estarware\x2Ecom/smiH"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=2009; classtype:misc-activity; sid:7580; rev:7;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker clearsearch variant runtime detection - popup"; flow:to_server,established; content:"/popup/popup.php?"; fast_pattern; nocase; http_uri; content:"cat="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"sc="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"clearsearch.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*clearsearch\x2Ecom/smiH"; metadata:policy security-ips drop; reference:url,www.2-spyware.com/remove-clearsearch.html; reference:url,www.doxdesk.com/parasite/ClearSearch.html; classtype:misc-activity; sid:7536; rev:7;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware hxdl runtime detection - hxlogonly user-agent"; flow:to_server,established; content:"ClientID="; nocase; http_uri; content:"ServerTableID="; fast_pattern; nocase; http_uri; content:"ClientData="; nocase; http_uri; content:"AuxData="; nocase; http_uri; content:"ReleaseID="; nocase; http_uri; content:"ClientStats="; nocase; http_uri; content:"StoreID="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"HXLogOnly"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]+HXLogOnly/smiH"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=516; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075079; classtype:misc-activity; sid:7553 [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker adshooter.searchforit runtime detection - redirector"; flow:to_server,established; content:"/redirector.html"; fast_pattern; nocase; http_uri; content:"image_id="; nocase; http_uri; content:"advertiser_id="; nocase; http_uri; content:"keyword_id="; nocase; http_uri; content:"bid="; nocase; http_uri; content:"url="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=860; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079051; classtype:misc-activity; sid:7566; rev:6;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker adshooter.searchforit runtime detection - search engine"; flow:to_server,established; content:"/searchbar/engine.php"; fast_pattern; nocase; http_uri; content:"cver="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.searchexpert.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Esearchexpert\x2Ecom/smiH"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=860; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079051; classtype:misc-activity; sid:7565; rev:7;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker 2020search runtime detection"; flow:to_server,established; content:"/9894/search/search.html"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"pop.popuptoast.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*pop\x2Epopuptoast\x2Ecom/smiH"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=640; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076971; classtype:misc-activity; sid:7543; rev:7;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker swbar runtime detection"; flow:to_server,established; content:"/toolbar/swbartb0110.cfg"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.searchwords.com"; nocase; http_header; pcre:"/^Host\x3A\s+www\x2Esearchwords\x2Ecom/smiH"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077852; classtype:misc-activity; sid:7590; rev:7;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware earthlink toolbar runtime detection - search toolbar request 1"; flow:to_server,established; content:"/sw/toolbar/4/2/rd601.html?"; nocase; http_uri; content:"area=earthlink-ws-altsearchbox"; fast_pattern; nocase; http_uri; content:"q="; nocase; http_uri; metadata:policy security-ips drop; reference:url,castlecops.com/startuplist-1068.html; classtype:successful-recon-limited; sid:7521; rev:6;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker startnow runtime detection"; flow:to_server,established; content:"/ieb/res/topres.xsl"; fast_pattern; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1356; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083036; classtype:misc-activity; sid:7564; rev:7;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker starware toolbar runtime detection - reference"; flow:to_server,established; content:"/dp/reference?x="; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"as.starware.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*as\x2Estarware\x2Ecom/smiH"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=2009; classtype:misc-activity; sid:7578; rev:7;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker blazefind runtime detection - search bar"; flow:to_server,established; content:"/search_results.php"; fast_pattern; nocase; http_uri; content:"account_id="; nocase; http_uri; content:"search_string="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.blazefind.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]+www\x2Eblazefind\x2Ecom/smiH"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=724; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079063; classtype:misc-activity; sid:7556; rev:8;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler whenu.weathercast runtime detection - check"; flow:to_server,established; content:"/WthrPrefs"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"whenu.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*whenu\x2Ecom/smiH"; metadata:policy security-ips drop; reference:url,research.sunbelt-software.com/threat_display.cfm?name=WhenU.WeatherCast&threatid=14106; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074634; classtype:misc-activity; sid:7826; rev:7;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-header.c:209) (DetectHttpHeaderSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_header cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker navexcel helper runtime detection - search"; flow:to_server,established; content:"/search?"; nocase; http_uri; content:"p="; nocase; http_uri; content:"lang="; nocase; http_uri; content:"ts="; nocase; http_uri; content:"Host|3A| www.trustedsearch.com"; fast_pattern; nocase; http_header; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=607; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074928; classtype:misc-activity; sid:7833; rev:7;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware whenu.savenow runtime detection"; flow:to_server,established; content:"/heartbeat?"; nocase; http_uri; content:"program=savenow"; fast_pattern; nocase; http_uri; content:"partner="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=18; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075520; classtype:misc-activity; sid:7825; rev:7;) [8359] 3/2/2011 -- 14:39:02 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker avenuemedia.dyfuca runtime detection - search engine hijack"; flow:to_server,established; content:"/searchresult/"; fast_pattern; nocase; http_uri; content:"lt="; nocase; http_uri; content:"q="; nocase; http_uri; content:"cls="; nocase; http_uri; content:"rid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.yoogee.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Eyoogee\x2Ecom/smiH"; metadata:policy security-ips drop; reference:url,www.itsecurity.com/security.htm?s=9473&sid=875854b6006d07f08dae34f1b78a4600; classtype:misc-activity; sid:7843; rev:7;) [8359] 3/2/2011 -- 14:39:03 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler maxsearch runtime detection - advertisement"; flow:to_server,established; content:"/pan/adlogbundle.php"; fast_pattern; nocase; http_uri; content:"bannerid="; nocase; http_uri; content:"zoneid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.adoptim.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Eadoptim\x2Ecom/smiH"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=2248; classtype:misc-activity; sid:7852; rev:7;) [8359] 3/2/2011 -- 14:39:03 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler maxsearch runtime detection - ack"; flow:to_server,established; content:"/director/ack.php"; fast_pattern; nocase; http_uri; content:"uid="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"version="; nocase; http_uri; content:"actionname="; nocase; http_uri; content:"action="; nocase; http_uri; content:"success="; nocase; http_uri; content:"debug="; nocase; http_uri; content:"nocache="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.maxifiles.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Emaxifiles\x2Ecom/smiH"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=2248; classtype:misc-activity; sid:7851; rev:7;) [8359] 3/2/2011 -- 14:39:03 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware whenu runtime detection - datachunksgz"; flow:to_server,established; content:"/DataChunksGZ"; fast_pattern; nocase; http_uri; content:"update="; nocase; http_uri; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=18; reference:url,www.spywareguide.com/product_show.php?id=2485; reference:url,www.spywareguide.com/product_show.php?id=871; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075520; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076030; classtype:misc-activity; sid:7823; rev:6;) [8359] 3/2/2011 -- 14:39:03 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler maxsearch runtime detection - retrieve command"; flow:to_server,established; content:"/director/wtd.php"; fast_pattern; nocase; http_uri; content:"uid="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"version="; nocase; http_uri; content:"nocache="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.maxifiles.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Emaxifiles\x2Ecom/smiH"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=2248; classtype:misc-activity; sid:7850; rev:7;) [8359] 3/2/2011 -- 14:39:03 - (detect-http-header.c:209) (DetectHttpHeaderSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_header cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware downloadplus runtime detection"; flow:to_server,established; content:"guid="; nocase; http_uri; content:"affid="; nocase; http_uri; content:"update="; nocase; http_uri; content:"brand="; nocase; http_uri; content:"User-Agent|3A| Message Center"; fast_pattern; nocase; http_header; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=532; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076008; classtype:misc-activity; sid:7831; rev:5;) [8359] 3/2/2011 -- 14:39:03 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hacker-Tool nettracker runtime detection - report browsing"; flow:to_server,established; content:"/NetTracker/"; fast_pattern; nocase; http_uri; flowbits:set,NetTrack_Spy_ReportBrowsing; flowbits:noalert; metadata:policy security-ips drop; classtype:misc-activity; sid:7834; rev:6;) [8359] 3/2/2011 -- 14:39:03 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware desktopmedia runtime detection - surf monitoring"; flow:to_server,established; content:"/script/judge/judge.html"; fast_pattern; nocase; http_uri; content:"mid="; nocase; http_uri; content:"type="; nocase; http_uri; content:"uid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"cojud.dmcast.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*cojud\x2Edmcast\x2Ecom/smiH"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098156; classtype:misc-activity; sid:8354; rev:8;) [8359] 3/2/2011 -- 14:39:03 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware desktopmedia runtime detection - auto update"; flow:to_server,established; content:"/script/update.asp"; fast_pattern; nocase; http_uri; content:"version="; nocase; http_uri; content:"ownerversion="; nocase; http_uri; content:"uid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"dcww.dmcast.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*dcww\x2Edmcast\x2Ecom/smiH"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098156; classtype:misc-activity; sid:8353; rev:8;) [8359] 3/2/2011 -- 14:39:03 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware duduaccelerator runtime detection - send userinfo"; flow:to_server,established; content:"/ddd2/report_userinfo.asp"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"ddduser.dudu.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*ddduser\x2Edudu\x2Ecom/smiH"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=2550; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097969; classtype:successful-recon-limited; sid:8461; rev:7;) [8359] 3/2/2011 -- 14:39:03 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware duduaccelerator runtime detection - trace info downloaded"; flow:to_server,established; content:"/rep/dlinfo.html"; fast_pattern; nocase; http_uri; content:"url="; nocase; http_uri; content:"page="; nocase; http_uri; content:"product="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"dddrep.dudu.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*dddrep\x2Edudu\x2Ecom/smiH"; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=2550; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097969; classtype:successful-recon-limited; sid:8462; rev:7;) [8359] 3/2/2011 -- 14:39:03 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware u88 runtime detection"; flow:established,to_server; content:"friendlink="; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.u88.cn"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Eu88\x2Ecn/smiH"; metadata:policy security-ips drop; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Adware.U88&threatid=46383; classtype:misc-activity; sid:9831; rev:7;) [8359] 3/2/2011 -- 14:39:03 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker sogou runtime detection - keyword hijack"; flow:established,to_server; content:"/express/sq.jsp"; fast_pattern; nocase; http_uri; content:"query="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.sogou.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Esogou\x2Ecom/smiH"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098380; classtype:misc-activity; sid:9645; rev:7;) [8359] 3/2/2011 -- 14:39:03 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware purityscan runtime detection - self update"; flow:to_server,established; content:"/query.php"; fast_pattern; nocase; http_uri; content:"v="; nocase; content:"b="; distance:0; nocase; content:"vt="; distance:0; nocase; content:"c="; distance:0; nocase; content:"os="; distance:0; nocase; content:"lang="; distance:0; nocase; content:"pl="; distance:0; nocase; content:"z="; distance:0; nocase; metadata:policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=618; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073488; classtype:successful-recon-limited; sid:7560; rev:7;) [8359] 3/2/2011 -- 14:39:03 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker bazookabar runtime detection"; flow:to_server,established; content:"/updates/checkversion.php"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.myarmory.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Emyarmory\x2Ecom/smiH"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073886; classtype:misc-activity; sid:10437; rev:7;) [8359] 3/2/2011 -- 14:39:03 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware admedia runtime detection"; flow:to_server,established; content:"/hzyt/client/procpost.aspx"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.ccnnlc.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Eccnnlc\x2Ecom/smiH"; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098012; classtype:successful-recon-limited; sid:10435; rev:7;) [8359] 3/2/2011 -- 14:39:03 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler iowa webdownloader - icq notification"; flow:to_server,established; content:"/wwp/msg/1,,,00.html"; fast_pattern; nocase; http_uri; content:"Uin="; nocase; http_uri; content:"Name="; nocase; http_uri; content:"iowA"; nocase; http_uri; content:"WebDloader"; nocase; http_uri; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59689; classtype:misc-activity; sid:11310; rev:6;) [8359] 3/2/2011 -- 14:39:03 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker ez-greets toolbar runtime detection"; flow:to_server,established; content:"/toolbar/ezg_serverside.xml"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.ez-greets.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Eez-greets\x2Ecom/smiH"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EZ-Greets%20Toolbar&threatid=47475; classtype:misc-activity; sid:12050; rev:6;) [8359] 3/2/2011 -- 14:39:03 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware pprich runtime detection - version check"; flow:to_server,established; content:"/NewVerInfo.txt"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"down.pprich.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*down\x2Epprich\x2Ecom/smiH"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453100047; classtype:misc-activity; sid:12120; rev:6;) [8359] 3/2/2011 -- 14:39:03 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker lookquick runtime detection - hijack ie"; flow:to_server,established; content:"/search.php?keywords="; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.lookquick.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Elookquick\x2Ecom/smiH"; reference:url,www.spywareguide.com/product_show.php?id=1810; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079050; classtype:misc-activity; sid:12123; rev:6;) [8359] 3/2/2011 -- 14:39:03 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker lookquick runtime detection - monitor and collect user info"; flow:to_server,established; content:"/r.look?plq="; fast_pattern; nocase; http_uri; reference:url,www.spywareguide.com/product_show.php?id=1810; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079050; classtype:misc-activity; sid:12124; rev:5;) [8359] 3/2/2011 -- 14:39:03 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware lookster toolbar runtime detection - ads"; flow:to_server,established; content:"/pagead/ads?"; nocase; http_uri; content:"client="; nocase; http_uri; content:"dt="; nocase; http_uri; content:"lmt="; nocase; http_uri; content:"format="; nocase; http_uri; content:"output="; nocase; http_uri; content:"correlator="; nocase; http_uri; content:"url=http"; nocase; http_uri; content:"www.lookster.net"; fast_pattern; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453105797; classtype:successful-recon-limited; sid:12127; rev:5;) [8359] 3/2/2011 -- 14:39:03 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware lookster toolbar runtime detection - collect user information"; flow:to_server,established; content:"/toolbar/googlerank/get_googlerank.php"; fast_pattern; nocase; http_uri; content:"URL="; nocase; http_uri; content:"act="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Toolbar"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*Toolbar/smiH"; threshold:type limit, track by_src, count 1, seconds 600; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453105797; classtype:successful-recon-limited; sid:12126; rev:6;) [8359] 3/2/2011 -- 14:39:03 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker cnnic update runtime detection"; flow:to_server,established; content:"/cn.dll?"; fast_pattern; nocase; http_uri; content:"pid="; nocase; http_uri; content:"met="; nocase; http_uri; content:"charset="; nocase; http_uri; content:"name="; nocase; http_uri; reference:url,www.econsultant.com/spyware-database/c/cnnic-update.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097703; classtype:misc-activity; sid:12140; rev:5;) [8359] 3/2/2011 -- 14:39:03 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hacker-Tool hippynotify 2.0 runtime detection"; flow:to_server,established; content:"/wwp/msg/1,,,00.html?"; fast_pattern; nocase; http_uri; content:"Uin="; nocase; http_uri; content:"Name="; nocase; http_uri; content:"Send=yes"; nocase; http_uri; pcre:"/Uin=\d+\x26Name=.*?IP-.*?USER-.*?TROJAN-.*?PORT-.*?PASSWORD-.*?OS-.*?WEBCAM-/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078296; classtype:misc-activity; sid:12230; rev:6;) [8359] 3/2/2011 -- 14:39:03 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware errorsafe runtime detection"; flow:to_server,established; content:"/pages/scanner/order.php"; fast_pattern; nocase; http_uri; content:"v="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"lid="; nocase; http_uri; content:"affid="; nocase; http_uri; content:"nid="; nocase; http_uri; content:"err="; nocase; http_uri; reference:url,www.spywareremove.com/removeErrorSafe.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-012017-0346-99; classtype:misc-activity; sid:12232; rev:5;) [8359] 3/2/2011 -- 14:39:03 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware snap ultrasearch/desktop toolbar runtime detection - search"; flow:to_server,established; content:"/search.php"; nocase; http_uri; content:"source=ultrasearch136"; fast_pattern; nocase; http_uri; content:"campaign=snap"; nocase; http_uri; reference:url,www.spynomore.com/toolbar-snap-ultrasearch.htm; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094831; classtype:successful-recon-limited; sid:12227; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware zango2007 toolbar runtime detection"; flow:established,to_server; content:"/smartoffers/SmartOffers.aspx"; fast_pattern; nocase; http_uri; content:"HBHintSVC="; nocase; http_uri; content:"SG="; nocase; http_uri; content:"COUNTRY="; nocase; http_uri; content:"Version="; nocase; http_uri; content:"partner=zango"; nocase; http_uri; reference:url,www.spywareguide.com/spydet_2298_zango_toolbar.html; classtype:misc-activity; sid:12225; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker scn toolbar runtime detection - ebrss request"; flow:to_server,established; content:"/ebrss.aspx?"; nocase; http_uri; content:"eb_ct_id="; nocase; http_uri; content:"eb_rss_index="; fast_pattern; nocase; http_uri; content:"eb_preview="; nocase; http_uri; content:"eb_color="; nocase; http_uri; content:"eb_forecolor="; nocase; http_uri; content:"eb_speed="; nocase; http_uri; content:"eb_random="; nocase; http_uri; reference:url,www.spywareguide.com/spydet_1830_scn_toolbar.html; classtype:misc-activity; sid:12287; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker morpheus toolbar runtime detection - hijack/search"; flow:to_server,established; content:"/jsp/AJmain.jsp?"; fast_pattern; nocase; http_uri; content:"st="; nocase; http_uri; content:"ptnrs="; nocase; http_uri; content:"PG="; nocase; http_uri; content:"SEC="; nocase; http_uri; content:"searchfor="; nocase; http_uri; pcre:"/st=(kwd|dns)/Ui"; reference:url,www.sophos.com/security/analyses/morpheustoolbar.html; classtype:misc-activity; sid:12292; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker newdotnet quick! search runtime detection"; flow:to_server,established; content:"/apps/eps/eps.cgi?"; fast_pattern; nocase; http_uri; content:"cid="; nocase; http_uri; content:"dp_lp="; nocase; http_uri; content:"dp_p4pid="; nocase; http_uri; content:"dp_format="; nocase; http_uri; content:"s="; nocase; http_uri; content:"nnreq="; nocase; http_uri; content:"prt="; nocase; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-102018-0405-99; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090680; classtype:misc-activity; sid:12290; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker morpheus toolbar runtime detection - get cfg info"; flow:to_server,established; content:"/ms162cfg.jsp?"; fast_pattern; nocase; http_uri; pcre:"/\x2fms162cfg\x2ejsp\x3f([sverlcfan]\x3d[^\x26\s]*\x26){8}/iU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.sophos.com/security/analyses/morpheustoolbar.html; classtype:misc-activity; sid:12293; rev:6;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker 3search runtime detection - update"; flow:to_server,established; content:"/toolbar/cab/version.txt"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Toolbar"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*Toolbar/smiH"; reference:url,www.downloadfile.org; reference:url,www.softwarerevenue.org; classtype:misc-activity; sid:12296; rev:6;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware vmn toolbar runtime detection"; flow:to_server,established; content:"/data?"; nocase; http_uri; content:"cli="; nocase; http_uri; content:"ver=visicom-vmntoolbar"; fast_pattern; nocase; http_uri; content:"uid="; nocase; http_uri; content:"url="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.download.com/3000-12777_4-10693292.html; classtype:successful-recon-limited; sid:12291; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Infostealer.Monstres runtime detection"; flow:to_server,established; content:"grabv2.php"; fast_pattern; nocase; http_uri; reference:url,www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-081617-4608-99; classtype:misc-activity; sid:12361; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker proventactics 3.5 runtime detection - get cfg information"; flow:to_server,established; content:"/toolbaradmin/simt32.shq"; fast_pattern; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=ProvenTactics&threatid=10038; reference:url,www.spywareguide.com/spydet_1826_proventactics.html; classtype:misc-activity; sid:12364; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker imesh mediabar runtime detection - hijack ie side search"; flow:to_server,established; content:"/sidebar.html?"; fast_pattern; nocase; http_uri; content:"src=ssb"; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=imesh&threatid=6994; reference:url,www.spywaredata.com/spyware/malware/mediabar.dll.php; classtype:misc-activity; sid:12368; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker imesh mediabar runtime detection - collect user information"; flow:to_server,established; content:"__utm.gif?"; nocase; http_uri; content:"utmwv="; nocase; http_uri; content:"utmn="; nocase; http_uri; content:"utmcs="; nocase; http_uri; content:"utmsr="; nocase; http_uri; content:"utmhn=search.imesh.com"; fast_pattern; nocase; http_uri; content:"utmp="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=imesh&threatid=6994; reference:url,www.spywaredata.com/spyware/malware/mediabar.dll.php; classtype:misc-activity; sid:12369; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker soso toolbar runtime detection - hijack ie auto searches / soso toolbar searches requests"; flow:to_server,established; content:"/q?"; http_uri; content:"w="; nocase; http_uri; content:"sc="; nocase; http_uri; content:"cin="; fast_pattern; nocase; http_uri; content:"cid="; nocase; http_uri; pcre:"/cid=tb\x2e(addr|sb)/Ui"; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.spywareguide.com/spydet_3333_soso_toolbar.html; reference:url,www.xblock.com/product_show.php?id=3333; classtype:misc-activity; sid:12487; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware instant buzz runtime detection - ads for members"; flow:to_server,established; content:"/members.php?"; fast_pattern; nocase; http_uri; content:"username="; nocase; http_uri; content:"auth="; nocase; http_uri; content:"page="; nocase; http_uri; pcre:"/page=(messages|community)/Ui"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=InstantBuzz&threatid=30791; reference:url,www.spywareguide.com/spydet_3102_instant_buzz.html; reference:url,www.spywareremove.com/removeInstantBuzz.html; classtype:misc-activity; sid:12484; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware drive cleaner 1.0.111 runtime detection"; flow:to_server,established; content:"/site_drivecleaner/ad_keyin/link_keyin/aff_keyin"; fast_pattern; nocase; http_uri; content:"Host|3A| stats.drivecleaner.com"; nocase; reference:url,www.spywareguide.com/product_show.php?id=3150; classtype:misc-activity; sid:12620; rev:7;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker onestepsearch 1.0.118 runtime detection - upgrade"; flow:to_server,established; content:"/?vn"; nocase; http_uri; content:"partner=onestep"; nocase; http_uri; content:"ptag="; nocase; http_uri; content:"initial_install="; fast_pattern; nocase; http_uri; reference:url,www.spywareguide.com/product_show.php?id=3762; classtype:misc-activity; sid:12624; rev:6;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker rabio 4.2 runtime detection - hijack browser"; flow:to_server,established; content:"/10023rel/landing.php"; fast_pattern; nocase; http_uri; content:"Rabio|3A|"; nocase; content:"search-enhancer"; distance:0; nocase; pcre:"/^Rabio\x3a[^\r\n]*search\x2Denhancer/smi"; reference:url,www.spywareguide.com/spydet_3770_rabio.html; classtype:misc-activity; sid:12654; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker rabio 4.2 runtime detection - download updates"; flow:to_server,established; content:"/search-enhancer/updates/se.info"; fast_pattern; nocase; http_uri; reference:url,www.spywareguide.com/spydet_3770_rabio.html; classtype:misc-activity; sid:12655; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware coopen 3.6.1 runtime detection - automatic upgrade"; flow:to_server,established; content:"/ForceUpgrade.aspx"; fast_pattern; nocase; http_uri; content:"mac="; nocase; http_uri; content:"hdid="; nocase; http_uri; reference:url,www.spywareguide.com/spydet_3326_coopen.html; classtype:misc-activity; sid:12696; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Conspy Update Checking Detected"; flow:established,to_server; content:"quicken_update.php"; fast_pattern; nocase; http_uri; content:"Host|3A| conspy.com"; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-021210-1340-99&tabid=2se; classtype:misc-activity; sid:12676; rev:6;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware searchmiracle elitebar runtime detection - collect information"; flow:to_server,established; content:"/scripts/security/visit.asp?"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"qs="; nocase; http_uri; content:"User-Agent|3A| iebar"; nocase; http_header; reference:url,www.spywareguide.com/product_show.php?id=1124; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094053; classtype:successful-recon-limited; sid:12673; rev:7;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware coopen 3.6.1 runtime detection - initial connection"; flow:to_server,established; content:"/61/param.aspx"; fast_pattern; nocase; http_uri; content:"groupID="; nocase; http_uri; content:"spaceIDs="; nocase; http_uri; content:"mac="; nocase; http_uri; reference:url,www.spywareguide.com/spydet_3326_coopen.html; classtype:misc-activity; sid:12695; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware searchmiracle elitebar runtime detection - track activity"; flow:to_server,established; content:"/scripts/security/timer.asp?"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"seconds="; nocase; http_uri; content:"type="; nocase; http_uri; content:"User-Agent|3A| iebar"; nocase; http_header; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.spywareguide.com/product_show.php?id=1124; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094053; classtype:successful-recon-limited; sid:12674; rev:7;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware ISTBar runtime detection - softwares"; flow:to_server,established; content:"/ist/softwares/"; fast_pattern; nocase; http_uri; reference:url,www.spywareguide.com/product_show.php?id=572; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075516; classtype:misc-activity; sid:12677; rev:6;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware pestbot runtime detection - update"; flow:to_server,established; content:"/SpyBase/version.txt"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"AlertSpy"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*AlertSpy/smiH"; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.spywareguide.com/spydet_3581_pestbot.html; reference:url,www.spywarewarrior.com/rogue_anti-spyware.htm; classtype:misc-activity; sid:12720; rev:6;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware winzix 2.2.0 runtime detection"; flow:to_server,established; content:"/stats/stats.php"; fast_pattern; nocase; http_uri; content:"AppName=WinZix"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"WakeSpace"; nocase; http_header; pcre:"/^User\x2DAgent\x3a[^\r\n]*WakeSpace/smiH"; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453118801; classtype:successful-recon-limited; sid:12723; rev:7;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker sexyvideoscreensaver runtime detection"; flow:to_server,established; content:"/?adv=usernames&p=1"; fast_pattern; nocase; http_uri; content:"Host|3A| icoonet.com"; nocase; reference:url,www.siteadvisor.com/sites/brothersoft.com/downloads/8226422/; reference:url,www.spywareguide.com/spydet_2535_sexyvideoscreensaver.html; classtype:misc-activity; sid:12722; rev:6;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker gralicwrap runtime detection - search frauddb process"; flow:to_server,established; content:"/SearchFraudDBProcess.php?vbfraudURL="; fast_pattern; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=GralicWrap&threatid=40183; reference:url,www.spywareguide.com/spydet_2594_gralicwrap.html; classtype:misc-activity; sid:12794; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware partypoker runtime detection"; flow:to_server,established; content:"/utility/client/images/ProductVersion.txt"; fast_pattern; nocase; http_uri; content:"Host|3A| www.partycasino.com"; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=PartyPoker&threatid=44086; classtype:successful-recon-limited; sid:12790; rev:6;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker gralicwrap runtime detection - display frauddb information"; flow:to_server,established; content:"/DisplayFraudDBInformation.php?id="; fast_pattern; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=GralicWrap&threatid=40183; reference:url,www.spywareguide.com/spydet_2594_gralicwrap.html; classtype:misc-activity; sid:12795; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware gophoria toolbar runtime detection"; flow:to_server,established; content:"/application/app_counter/?gopver="; fast_pattern; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; reference:url,spywaresignatures.com/details.php?spyware=gophoria; reference:url,www.360zd.com/spyware/518.html; reference:url,www.spywareguide.com/spydet_3093_gophoria_toolbar.html; classtype:misc-activity; sid:12791; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware netguarder web cleaner runtime detection"; flow:to_server,established; content:"/update/webcleaner/en/updatelist.ini"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"NetGuarder WebCleaner"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*NetGuarder\s+WebCleaner/smiH"; reference:url,www.ca.com/ca/fr/securityadvisor/pest/pest.aspx?id=453075057; reference:url,www.spywareguide.com/spydet_1824_netguarder_web_cleaner.html; classtype:misc-activity; sid:13284; rev:7;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware jily ie toolbar runtime detection"; flow:to_server,established; content:"/123bar/search.php?"; fast_pattern; nocase; http_uri; content:"sengine="; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"Host|3A| soft.jily.net"; nocase; threshold:type limit, track by_src, count 1, seconds 300; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=123Bar&threatid=89993; reference:url,www.www.spywareguide.com/product_show.php?id=2425; classtype:misc-activity; sid:13282; rev:6;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker phazebar runtime detection"; flow:to_server,established; content:"/__utm.gif?"; nocase; http_uri; content:"utmwv="; nocase; http_uri; content:"utmn="; nocase; http_uri; content:"utmhn=www.crawl.ws"; fast_pattern; nocase; http_uri; content:"utmr="; nocase; http_uri; content:"utmp="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.spywareguide.com/spydet_2531_phazebar.html; reference:url,www.spywareremove.com/removePhaZeBar.html; reference:url,www.uninstall-spyware.com/uninstallPhaZeBar.html; classtype:misc-activity; sid:13285; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware netword agent runtime detection"; flow:to_server,established; content:"/q/qry.phtml?"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"cx="; nocase; http_uri; content:"cxv="; nocase; http_uri; content:"qs="; nocase; http_uri; content:"get="; nocase; http_uri; reference:url,www.spywareguide.com/spydet_2332_Netword_agent.html; reference:url,www.symantec.com/fr/fr/security_response/writeup.jsp?docid=2006-042614-1031-99; classtype:misc-activity; sid:13277; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker dreambar runtime detection"; flow:to_server,established; content:"/setting/geturl_kword.html"; fast_pattern; nocase; http_uri; content:"uCode="; nocase; http_uri; content:"Host|3A| oper.dreambar.co.kr"; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Dreambar&threatid=97491; classtype:misc-activity; sid:13283; rev:6;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware adult p2p 1.5 runtime detection"; flow:to_server,established; content:"/cgi-bin/nodes.cgi"; fast_pattern; nocase; http_uri; content:"app=Porn2Peer"; nocase; http_uri; content:"version="; nocase; http_uri; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453122013; classtype:misc-activity; sid:13238; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware 3wplayer 1.7 runtime detection"; flow:to_server,established; content:"/stats/stats.php"; fast_pattern; nocase; http_uri; content:"AppName=3wPlayer"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"WakeSpace"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*WakeSpace/smiH"; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453120279; reference:url,www.spywareremove.com/remove3wPlayer.html; classtype:misc-activity; sid:13286; rev:6;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware yourprivacyguard runtime detection - presale request"; flow:to_server,established; content:"/privacy/presale.php?"; fast_pattern; nocase; http_uri; content:"v="; nocase; http_uri; content:"lp="; nocase; http_uri; content:"addt="; nocase; http_uri; content:"air="; nocase; http_uri; content:"lir="; nocase; http_uri; content:"afr="; nocase; http_uri; content:"rem="; nocase; http_uri; reference:url,removers.volyn.net/2007/11/02/yourprivacyguard-removal-tool-remove-yourprivacyguard-pop-ups/; reference:url,www.spywaredetector.net/spyware_encyclopedia/Adware.Yourprivacyguard.htm; classtype:misc-activity; sid:13344; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker baidu toolbar runtime detection - discloses information"; flow:to_server,established; content:"/bdinfo.txt?"; fast_pattern; nocase; http_uri; content:"userip="; nocase; http_uri; content:"url="; nocase; http_uri; content:"navigate="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"bar-get"; nocase; http_header; pcre:"/^User\x2DAgent\x3A[^\r\n]*bar\x2Dget/smiH"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?threatid=44261; reference:url,www.spywareguide.com/product_show.php?id=1250; classtype:misc-activity; sid:13482; rev:6;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker hbtbar runtime detection - search traffic 1"; flow:to_server,established; content:"/jump.asp?"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"url="; nocase; http_uri; content:"t2t21"; nocase; http_uri; content:"guid="; nocase; http_uri; content:"siteid="; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=HDTBar&threatid=15102; reference:url,www.spywareremove.com/removeHDTBar.html; classtype:misc-activity; sid:13498; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker sofa toolbar runtime detection - records search information"; flow:to_server,established; content:"/cm?"; nocase; http_uri; content:"u="; nocase; http_uri; content:"010.eqiso.com"; fast_pattern; nocase; http_uri; content:"i="; nocase; http_uri; content:"w="; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Chinese%20Softomate%20Toolbar&threatid=117814; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.Softomate.ag; classtype:misc-activity; sid:13486; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker deepdo toolbar runtime detection - redirects search engine"; flow:to_server,established; content:"/baidu?"; nocase; http_uri; content:"word="; nocase; http_uri; content:"tn=deepbar"; fast_pattern; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Deepdo%20Toolbar&threatid=129378; reference:url,www.spywareguide.com/product_show.php?id=3367; classtype:misc-activity; sid:13492; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker ez-tracks toolbar runtime detection - initial traffic 2"; flow:to_server,established; content:"/ezt/toolbar/"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Toolbar"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*Toolbar/smiH"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EZ-Tracks%20Toolbar&threatid=41189; reference:url,www.spywareremove.com/removeEZTracks.html; classtype:misc-activity; sid:13496; rev:6;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker hbtbar runtime detection - search traffic 2"; flow:to_server,established; content:"/baidu?"; nocase; http_uri; content:"tn=t2t21"; fast_pattern; nocase; http_uri; content:"word="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 100; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=HDTBar&threatid=15102; reference:url,www.spywareremove.com/removeHDTBar.html; classtype:misc-activity; sid:13499; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker people pal toolbar runtime detection - traffic for searching"; flow:to_server,established; content:"/search?"; nocase; http_uri; content:"area="; nocase; http_uri; content:"cgid="; nocase; http_uri; content:"category="; fast_pattern; nocase; http_uri; content:"peoplepal"; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 200; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=PeoplePal%20Toolbar&threatid=48411; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.PeoplePal; classtype:misc-activity; sid:13489; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker ez-tracks toolbar runtime detection - initial traffic 1"; flow:to_server,established; content:"/toolbar/ezt_serverside.xml"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Toolbar"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*Toolbar/smiH"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EZ-Tracks%20Toolbar&threatid=41189; reference:url,www.spywareremove.com/removeEZTracks.html; classtype:misc-activity; sid:13495; rev:6;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker baidu toolbar runtime detection - updates automatically"; flow:to_server,established; content:"/update/barcab/"; fast_pattern; nocase; http_uri; content:"tn="; nocase; http_uri; content:"baiducb"; nocase; http_uri; content:"id="; nocase; http_uri; content:"version="; nocase; http_uri; pcre:"/update/barcab/.*?tn=.*id=.*version=/smi"; flowbits:set,BaiduToolbar_detection; flowbits:noalert; classtype:misc-activity; sid:13483; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker hbtbar runtime detection - log information"; flow:to_server,established; content:"/log.htm?"; nocase; http_uri; content:"website_id="; fast_pattern; nocase; http_uri; content:"unique="; nocase; http_uri; content:"all_unique="; nocase; http_uri; content:"dpi="; nocase; http_uri; content:"location="; nocase; http_uri; content:"t2t21"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=HDTBar&threatid=15102; reference:url,www.spywareremove.com/removeHDTBar.html; classtype:misc-activity; sid:13500; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker sofa toolbar runtime detection - hijacks search engine"; flow:to_server,established; content:"/search.htm?"; fast_pattern; nocase; http_uri; content:"st="; nocase; http_uri; content:"dir="; nocase; http_uri; content:"wd="; nocase; http_uri; content:"wid="; nocase; http_uri; content:"sofa"; nocase; http_uri; content:"version="; nocase; http_uri; content:"soft"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Chinese%20Softomate%20Toolbar&threatid=117814; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.Softomate.ag; classtype:misc-activity; sid:13485; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker deepdo toolbar runtime detection - automatic update"; flow:to_server,established; content:"/download/toolbar.ini"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"DeepdoUpdate"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*DeepdoUpdate/smiH"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Deepdo%20Toolbar&threatid=129378; reference:url,www.spywareguide.com/product_show.php?id=3367; classtype:misc-activity; sid:13493; rev:6;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker ez-tracks toolbar runtime detection - tracking traffic"; flow:to_server,established; content:"/TBTracking/TrackLinkClicks.cfm?"; fast_pattern; nocase; http_uri; content:"linkID="; nocase; http_uri; content:"ToolBarID="; nocase; http_uri; content:"TBSearch="; nocase; http_uri; content:"Host|3A| ez-tracks.com"; nocase; threshold:type limit, track by_src, count 1, seconds 100; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EZ-Tracks%20Toolbar&threatid=41189; reference:url,www.spywareremove.com/removeEZTracks.html; classtype:misc-activity; sid:13497; rev:6;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker baidu toolbar runtime detection - hijacks search engine"; flow:to_server,established; content:"/baidu?"; fast_pattern; nocase; http_uri; content:"tn="; nocase; http_uri; content:"baiducb"; nocase; http_uri; content:"word="; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?threatid=44261; reference:url,www.spywareguide.com/product_show.php?id=1250; classtype:misc-activity; sid:13481; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker kompass toolbar runtime detection - search traffic"; flow:to_server,established; content:"/kinl/static/index_kitoolbar.php?"; fast_pattern; nocase; http_uri; content:"_Choix="; nocase; http_uri; content:"_Lang="; nocase; http_uri; content:"_Zone="; nocase; http_uri; content:"Kprov=Toolbar"; nocase; http_uri; content:"_Keyword="; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Kompass&threatid=70475; reference:url,spywaresignatures.com/details/kompasstoolbar.pdf; classtype:misc-activity; sid:13560; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker kword interkey runtime detection - log user info"; flow:to_server,established; content:"/dwi_log/catch?"; fast_pattern; nocase; http_uri; content:"C="; nocase; http_uri; content:"V="; nocase; http_uri; content:"E="; nocase; http_uri; content:"R="; nocase; http_uri; content:"www.kword.co.kr"; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 50; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Kword.InterKey&threatid=46477; reference:url,www.noadware.net/research/index2.php?item_id=2656&item_name=Kword.InterKey; classtype:misc-activity; sid:13558; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker kword interkey runtime detection - search traffic 1"; flow:to_server,established; content:"/kwordenter.asp?"; fast_pattern; nocase; http_uri; content:"q="; nocase; http_uri; content:"uid="; nocase; http_uri; content:"ver=KW"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"vb"; nocase; http_header; content:"wininet"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*vb\s+wininet/smiH"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Kword.InterKey&threatid=46477; reference:url,www.noadware.net/research/index2.php?item_id=2656&item_name=Kword.InterKey; classtype:misc-activity; sid:13556; rev:6;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware system doctor runtime detection - update status"; flow:to_server,established; content:"/stats.php?"; nocase; http_uri; content:"site_id=systemdoctor"; fast_pattern; nocase; http_uri; content:"lp="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"lid="; nocase; http_uri; content:"ref="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"USDR"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n].*USDR\d+/smiH"; reference:url,www.2-spyware.com/remove-systemdoctor.html; reference:url,www.spywareguide.com/spydet_3049_systemdoctor_2006.html; classtype:misc-activity; sid:13564; rev:6;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware system doctor runtime detection - presale request"; flow:to_server,established; content:"/download/2006/order.php?"; fast_pattern; nocase; http_uri; content:"v="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"lid="; nocase; http_uri; content:"Host|3A| systemdoctor.com"; nocase; reference:url,www.2-spyware.com/remove-systemdoctor.html; reference:url,www.spywareguide.com/spydet_3049_systemdoctor_2006.html; classtype:misc-activity; sid:13563; rev:6;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker mxs toolbar runtime detection"; flow:to_server,established; content:"/toolbar/search.php?"; fast_pattern; nocase; http_uri; content:"key="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.mxs.co.kr"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Emxs\x2Eco\x2Ekr/smiH"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=MXS.Toolbar&threatid=97487; classtype:misc-activity; sid:13645; rev:6;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware virus heat runtime detection - initial database connection"; flow:to_server,established; content:"/db/dbver.dat"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"VirusHeat"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*VirusHeat/smiH"; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453124583; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=VirusHeat&threatid=203189; classtype:misc-activity; sid:13638; rev:6;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker locmag toolbar runtime detection - hijacks address bar"; flow:to_server,established; content:"/multi_search/"; fast_pattern; nocase; http_uri; content:"q="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.locmag.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Elocmag\x2Ecom/smiH"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Locmag%20Toolbar&threatid=48497; reference:url,www.360zd.com/spyware/433.html; classtype:misc-activity; sid:13640; rev:6;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware cashfiesta adbar runtime detection - updates traffic"; flow:to_server,established; content:"/partners/alex.php?"; fast_pattern; nocase; http_uri; content:"t="; nocase; http_uri; content:"dm="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.cashfiesta.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Ecashfiesta\x2Ecom/smiH"; threshold:type limit, track by_src, count 1, seconds 300; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=CashFiesta%20AdBar&threatid=42051; classtype:misc-activity; sid:13653; rev:6;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware spyware stop runtime detection - auto updates"; flow:to_server,established; content:"/update/info"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"SpywareStop"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*SpywareStop/smiH"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=SpywareStop&threatid=205898; reference:url,www.prevx.com/filenames/1299278770072512825-0/SPYWARESTOP.MSI.html; classtype:misc-activity; sid:13650; rev:6;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker mysearch bar 2.0.2.28 runtime detection"; flow:to_server,established; content:"/jsp/"; nocase; http_uri; content:"?st=bar"; nocase; http_uri; content:"searchfor="; fast_pattern; nocase; http_uri; pcre:"/jsp\/(GG(main|img|dirs?)|A(jmain|wns|wimg|wvid|waud)|Lsmain)\x2Ejsp\?st=bar&searchfor=/Ui"; threshold:type limit, track by_src, count 1, seconds 300; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=My%20Search%20Bar&threatid=14832; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.My+Search+Bar; classtype:misc-activity; sid:13648; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware winxdefender runtime detection - auto update"; flow:to_server,established; content:"/checkupdate.php"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"WinXDefender.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*WinXDefender\x2Ecom/smiH"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinXDefender&threatid=155747; reference:url,www.411-spyware.com/remove-winxdefender; classtype:misc-activity; sid:13766; rev:6;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker music of faith toolbar runtime detection - hijacks search engine traffic #2"; flow:to_server,established; content:"/dosearch/search.html?"; fast_pattern; nocase; http_uri; content:"EngineID=musicoffaith"; nocase; http_uri; content:"LinkID="; nocase; http_uri; content:"refer=mof_toolbar"; nocase; http_uri; content:"keywords="; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Music%20of%20Faith&threatid=47479; reference:url,www.spywareterminator.com/item/3836/MusicOfFaith.html; classtype:misc-activity; sid:13772; rev:5;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware proofile toolbar runtime detection"; flow:to_server,established; content:"/xml_toolbar.php"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Toolbar"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:"www.proofile.com"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*Toolbar/smiH"; pcre:"/^Host\x3a[^\r\n]*www\x2Eproofile\x2Ecom/smiH"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Proofile%20Toolbar&threatid=127931; classtype:successful-recon-limited; sid:13779; rev:6;) [8359] 3/2/2011 -- 14:39:04 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker ezreward runtime detection"; flow:to_server,established; content:"/keyword/keyword_list.php"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"EzReward"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*EzReward/smiH"; reference:url,research.sunbeltsoftware.com/threatdisplay.aspx?name=ezReward&threatid=144116; reference:url,www.sophos.com/security/analyses/adware-and-puas/ezreward.html; classtype:misc-activity; sid:13782; rev:6;) [8359] 3/2/2011 -- 14:39:05 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker searchnine toolbar runtime detection - hijacks address bar"; flow:to_server,established; content:"/response.php?"; fast_pattern; nocase; http_uri; content:"search="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"searchnine.cn"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*searchnine\x2Ecn/smiH"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=SearchNine&threatid=117435; reference:url,spywarefiles.prevx.com/spywarefiles.asp?FXC=DJFC24641892; classtype:misc-activity; sid:13769; rev:6;) [8359] 3/2/2011 -- 14:39:05 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware syscleaner runtime detection - get update"; flow:to_server,established; content:"/get_lic.php?"; fast_pattern; nocase; http_uri; content:"action="; nocase; http_uri; content:"id="; nocase; http_uri; content:"uid="; nocase; http_uri; content:"context="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"SysCleaner"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*SysCleaner/smiH"; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453123831; reference:url,spywaredetector.net/spyware_encyclopedia/Fake%20Anti%20Spyware.SysCleaner.htm; classtype:successful-recon-limited; sid:13777; rev:6;) [8359] 3/2/2011 -- 14:39:05 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker searchnine toolbar runtime detection - redirects search function"; flow:to_server,established; content:"/s?"; nocase; http_uri; content:"tn=searchnine_dg"; fast_pattern; nocase; http_uri; content:"wd="; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=SearchNine&threatid=117435; reference:url,spywarefiles.prevx.com/spywarefiles.asp?FXC=DJFC24641892; classtype:misc-activity; sid:13770; rev:5;) [8359] 3/2/2011 -- 14:39:05 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker find.fm toolbar runtime detection - hijacks address bar"; flow:to_server,established; content:"/search.php?"; fast_pattern; nocase; http_uri; content:"aid="; nocase; http_uri; content:"sid="; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.find.fm"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Efind\x2Efm/smiH"; reference:url,www.spywareguide.com/product_show.php?id=2360; reference:url,www.spywaresignatures.com/details.php?spyware=find.fmtoolbar; classtype:misc-activity; sid:13781; rev:6;) [8359] 3/2/2011 -- 14:39:05 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker music of faith toolbar runtime detection - hijacks search engine traffic #1"; flow:to_server,established; content:"/search.html?"; fast_pattern; nocase; http_uri; content:"catch="; nocase; http_uri; content:"keywords="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"musicoffaith"; nocase; http_header; pcre:"/^Host\x3a[^\r\n].*musicoffaith/smiH"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Music%20of%20Faith&threatid=47479; reference:url,www.spywareterminator.com/item/3836/MusicOfFaith.html; classtype:misc-activity; sid:13771; rev:6;) [8359] 3/2/2011 -- 14:39:05 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler zwinky runtime detection"; flow:to_server,established; content:"/registration/logins.jhtml?"; fast_pattern; nocase; http_uri; content:"caller=desktop"; nocase; http_uri; content:"action=check"; nocase; http_uri; content:"username="; nocase; http_uri; content:"dt="; nocase; http_uri; reference:url,www.castlecops.com/p970801-Zwinky_MyWebSearch_Installer.html; reference:url,www.emsisoft.net/fr/malware/?Adware.Win32.Zwinky_Test; classtype:misc-activity; sid:13848; rev:5;) [8359] 3/2/2011 -- 14:39:05 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware phoenician casino runtime detection"; flow:to_server,established; content:"/viperML/phoenician/phoenician.cab"; fast_pattern; nocase; http_uri; reference:url,spywaredetector.net/spyware_encyclopedia/Adware.Phoenician%20.htm; reference:url,www.spywareguide.com/spydet_3441_phoenician_casino.html; classtype:misc-activity; sid:13847; rev:5;) [8359] 3/2/2011 -- 14:39:05 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker alot toolbar runtime detection - weather request"; flow:to_server,established; content:"/widgets/weather/tb"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"widget.alot.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*widget\x2ealot\x2ecom/smiH"; reference:url,www.pchell.com/support/alot.shtml; reference:url,www.spywareremove.com/removeALOTToolbar.html; classtype:misc-activity; sid:13853; rev:6;) [8359] 3/2/2011 -- 14:39:05 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker bitroll 5.0 runtime detection"; flow:to_server,established; content:"/banner.php?"; nocase; http_uri; content:"skin=Flexi.skf"; fast_pattern; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.411-spyware.com/remove-bitroll; reference:url,www.spywareremove.com/removeBitroll.html; classtype:misc-activity; sid:13852; rev:5;) [8359] 3/2/2011 -- 14:39:05 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker alot toolbar runtime detection - auto update"; flow:to_server,established; content:"/update/update_configs/update_config_11077_0.xml?"; fast_pattern; nocase; http_uri; content:"src_id="; nocase; http_uri; content:"camp_id="; nocase; http_uri; content:"tb_version="; nocase; http_uri; content:"pr=tbar"; nocase; http_uri; content:"client_id="; nocase; http_uri; content:"install_time="; nocase; http_uri; reference:url,www.pchell.com/support/alot.shtml; reference:url,www.spywareremove.com/removeALOTToolbar.html; classtype:misc-activity; sid:13854; rev:5;) [8359] 3/2/2011 -- 14:39:05 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware coopen 5.0.0.87 runtime detection - init conn"; flow:to_server,established; content:"/87/param.aspx?"; fast_pattern; nocase; http_uri; content:"groupID="; nocase; http_uri; content:"spaceIDs="; nocase; http_uri; content:"mac="; nocase; http_uri; content:"ver=5.0.0.87"; nocase; http_uri; reference:url,www.spywareguide.com/spydet_3326_coopen.html; reference:url,www.spywaresignatures.com/details.php?spyware=coopen; classtype:misc-activity; sid:13870; rev:5;) [8359] 3/2/2011 -- 14:39:05 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler fushion 1.2.4.17 runtime detection - notice"; flow:to_server,established; content:"/sobar/notice/notice_baiducb.txt?"; fast_pattern; nocase; http_uri; content:"tn=funshion"; nocase; http_uri; content:"ss="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"bar-get"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*bar\x2dget/smiH"; reference:url,www.siteadvisor.pl/sites/funshion.com/downloads/11570528/; classtype:misc-activity; sid:13872; rev:6;) [8359] 3/2/2011 -- 14:39:05 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware antispywaremaster runtime detection - start fake scanning"; flow:to_server,established; content:"/?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"gai="; nocase; http_uri; content:"gli="; nocase; http_uri; content:"pc_id="; nocase; http_uri; content:"abbr=UASM"; fast_pattern; nocase; http_uri; content:"err="; nocase; http_uri; reference:url,www.spywareremove.com/removeAntiSpywareMaster.html; reference:url,www.xp-vista.com/spyware-removal/antispywaremaster-antispyware-master-removal-instructions; classtype:misc-activity; sid:13868; rev:5;) [8359] 3/2/2011 -- 14:39:05 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware antispywaremaster runtime detection - sale/register request"; flow:to_server,established; content:"/data/sale.php?"; fast_pattern; nocase; http_uri; content:"pc_id="; nocase; http_uri; content:"abbr=UASM"; nocase; http_uri; content:"nid=UASM"; nocase; http_uri; reference:url,www.spywareremove.com/removeAntiSpywareMaster.html; reference:url,www.xp-vista.com/spyware-removal/antispywaremaster-antispyware-master-removal-instructions; classtype:misc-activity; sid:13869; rev:5;) [8359] 3/2/2011 -- 14:39:05 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware coopen 5.0.0.87 runtime detection - ads"; flow:to_server,established; content:"/Adpic/"; fast_pattern; nocase; http_uri; content:".jpg"; nocase; http_uri; pcre:"/\x2fAdpic\x2f\d+\x2f\d+ad\x28\d+\x2c\d+\x2c\d+\x2c\d+\x29\x2ejpg/Ui"; reference:url,www.spywareguide.com/spydet_3326_coopen.html; reference:url,www.spywaresignatures.com/details.php?spyware=coopen; classtype:misc-activity; sid:13871; rev:5;) [8359] 3/2/2011 -- 14:39:05 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler fushion 1.2.4.17 runtime detection - underground traffic"; flow:to_server,established; content:"/account_logout"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"xikee.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*xikee\x2ecom/smiH"; reference:url,www.siteadvisor.pl/sites/funshion.com/downloads/11570528/; classtype:misc-activity; sid:13873; rev:6;) [8359] 3/2/2011 -- 14:39:05 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware malware destructor 4.5 runtime detection - auto update"; flow:to_server,established; content:"/application/appver.php"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"MalwareDestructor"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*MalwareDestructor/smiH"; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453116773; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2007-090713-4427-99; classtype:misc-activity; sid:13875; rev:6;) [8359] 3/2/2011 -- 14:39:05 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler pc privacy cleaner runtime detection - order/register request"; flow:to_server,established; content:"/2009/order/index.html?"; fast_pattern; nocase; http_uri; content:"pc_id="; nocase; http_uri; content:"abbr=UPCPC"; nocase; http_uri; content:"nid=UPCPC"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"UPCPC"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*UPCPC/smiH"; reference:url,malware-remover.com/pcprivacycleaner-removal-tool-pc-privacy-cleaner/; reference:url,www.xp-vista.com/spyware-removal/pcprivacycleaner-pc-privacy-cleaner-removal-instructions; classtype:misc-activity; sid:13930; rev:6;) [8359] 3/2/2011 -- 14:39:05 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker adware.win32.ejik.ec variant runtime detection"; flow:to_server,established; content:"/ver.txt"; fast_pattern; nocase; http_uri; flowbits:set,AdWare_Ejik.ec_Detection; flowbits:noalert; classtype:misc-activity; sid:13938; rev:5;) [8359] 3/2/2011 -- 14:39:05 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler dropper agent.rqg runtime detection"; flow:to_server,established; content:"/cc.txt"; fast_pattern; nocase; http_uri; flowbits:set,Dropper_Agent.rqg_Detection; flowbits:noalert; classtype:trojan-activity; sid:13943; rev:5;) [8359] 3/2/2011 -- 14:39:05 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker adware.win32.ejik.ec variant runtime detection - call home"; flow:to_server,established; content:"/topnew/passdomain.txt"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.web228.cn"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2eweb228\x2ecn/smiH"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Ejik.ec&threatid=281451; reference:url,www.emsisoft.fr/fr/malware/?Adware.Win32.Ejik.ec; classtype:misc-activity; sid:13937; rev:6;) [8359] 3/2/2011 -- 14:39:05 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker cashon runtime detection - hijack ie searches"; flow:to_server,established; content:"/search/search.php?"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.cashon.co.kr"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2ecashon\x2eco\x2ekr/smiH"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=CashOn&threatid=53428; reference:url,vil.nai.com/vil/content/v_142287.htm; classtype:misc-activity; sid:14063; rev:6;) [8359] 3/2/2011 -- 14:39:05 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware winspywareprotect runtime detection - download malicous code"; flow:to_server,established; content:"/mxlivemedia/multi/73.exe"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Installer"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*Installer/smiH"; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453132073; reference:url,www.spywareremove.com/removeWinSpywareProtect.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-042206-4253-99&tabid=1; classtype:misc-activity; sid:14078; rev:6;) [8359] 3/2/2011 -- 14:39:05 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler antimalware guard runtime detection - order/register request"; flow:to_server,established; content:"/2009/order/index.html?"; fast_pattern; nocase; http_uri; content:"pc_id="; nocase; http_uri; content:"abbr=3P_UAMG"; nocase; http_uri; content:"aa="; nocase; http_uri; content:"al="; nocase; http_uri; content:"af="; nocase; http_uri; content:"an="; nocase; http_uri; content:"addt="; nocase; http_uri; content:"nid=3P_UAMG"; nocase; http_uri; reference:url,www.spyware-techie.com/how-to-remove-anti-malware-guard/; reference:url,www.xp-vista.com/spyware-removal/antimalwareguard-antimalware-guard-removal-instructions; classtype:misc-activity; sid:14061; rev:5;) [8359] 3/2/2011 -- 14:39:05 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware AdwareALERT runtime detection - auto update"; flow:to_server,established; content:"/update/info"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"AdwareAlert"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*AdwareAlert/smiH"; reference:url,www.2-spyware.com/remove-adwarealert.html; reference:url,www.411-spyware.com/remove-adwarealert; classtype:misc-activity; sid:14054; rev:6;) [8359] 3/2/2011 -- 14:39:05 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware winspywareprotect runtime detection - connection to malicious server"; flow:to_server,established; content:"/confuci.php?"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"xiphoman.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*xiphoman\x2Ecom/smiH"; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453132073; reference:url,www.spywareremove.com/removeWinSpywareProtect.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-042206-4253-99&tabid=1; classtype:misc-activity; sid:14080; rev:6;) [8359] 3/2/2011 -- 14:39:05 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker cashon runtime detection - auto update"; flow:to_server,established; content:"/app/cashonband/bin/CashOnUpdate.exe"; fast_pattern; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=CashOn&threatid=53428; reference:url,vil.nai.com/vil/content/v_142287.htm; classtype:misc-activity; sid:14064; rev:5;) [8359] 3/2/2011 -- 14:39:05 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler antimalware guard runtime detection - auto update"; flow:to_server,established; content:"/?"; nocase; http_uri; content:"proto="; nocase; http_uri; content:"ac="; nocase; http_uri; content:"abbr=3P_UAMG"; fast_pattern; nocase; http_uri; content:"v="; nocase; http_uri; content:"rc=3P_UAMG"; nocase; http_uri; reference:url,www.spyware-techie.com/how-to-remove-anti-malware-guard/; reference:url,www.xp-vista.com/spyware-removal/antimalwareguard-antimalware-guard-removal-instructions; classtype:misc-activity; sid:14062; rev:5;) [8359] 3/2/2011 -- 14:39:05 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker cpush 2 runtime detection - auto update"; flow:to_server,established; content:"/cpush/version.txt?"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"CPUSH_UPDATER"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*CPUSH\x5fUPDATER/smiH"; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453101269; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2007-031215-0744-99; classtype:misc-activity; sid:14060; rev:6;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker rediff toolbar runtime detection - hijack ie auto search"; flow:to_server,established; content:"/dirsrch/default.asp?"; fast_pattern; nocase; http_uri; content:"MT="; nocase; http_uri; content:"mode=toolbar"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"search.rediff.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*search\x2erediff\x2ecom/smiH"; threshold:type limit, track by_src, count 1, seconds 300; reference:url,secwatch.org/exploits/2007/03/Rediff.Toolbar_DoS.html.info; reference:url,www.fbmsoftware.com/spyware-net/application/Rediff_Toolbar/; classtype:misc-activity; sid:14055; rev:6;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware fftoolbar toolbar runtime detection - display advertisement news"; flow:to_server,established; content:"/downloads/toolbar/ticker.xml"; fast_pattern; nocase; http_uri; content:"Host|3A| www.fast-finder.com"; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.symantec.com/avcenter/venc/data/adware.fftoolbar.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097640; classtype:successful-recon-limited; sid:5922; rev:9;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware zango toolbar runtime detection"; flow:to_server,established; content:"/smartoffers/so.aspx"; fast_pattern; nocase; http_uri; content:"svc="; nocase; http_uri; content:"opener=rm_zango"; nocase; http_uri; content:"kw="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"resultsmaster.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*resultsmaster\x2Ecom/smiH"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=2298; classtype:misc-activity; sid:8073; rev:8;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker seeqtoolbar runtime detection - autosearch hijack or search in toolbar"; flow:to_server,established; content:"/results.jsp"; nocase; http_uri; content:"portal_id="; nocase; http_uri; content:"domain=seeq.com"; fast_pattern; nocase; http_uri; content:"tag=toolbar"; nocase; http_uri; content:"keyword="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=1026; classtype:misc-activity; sid:5981; rev:8;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware purityscan runtime detection - start up"; flow:to_server,established; content:"/cs/pop4/"; fast_pattern; nocase; http_uri; content:".html"; nocase; http_uri; pcre:"/\x2Fcs\x2Fpop4\x2F((frame_ver2)|(UI2))\x2Ehtml/Ui"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=618; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073488; classtype:successful-recon-limited; sid:7557; rev:7;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware seekmo runtime detection - reporting keyword"; flow:to_server,established; content:"/showme.aspx?keyword="; fast_pattern; nocase; http_uri; content:"Host|3A| tv.seekmo.com"; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=2368; classtype:misc-activity; sid:6192; rev:8;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware hotblox toolbar runtime detection - toolbar find function"; flow:to_server,established; content:"/custom?"; nocase; http_uri; content:"sourceid=toolbar.hotblox.com"; fast_pattern; nocase; http_uri; content:"client="; nocase; http_uri; content:"forid="; nocase; http_uri; content:"ie="; nocase; http_uri; content:"cof="; nocase; http_uri; content:"hl="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,sparkles.nu/spy/proceed-34.html; classtype:successful-recon-limited; sid:7527; rev:7;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"SPYWARE-PUT Adware trustyfiles v3.1.0.1 runtime detection - url retrieval"; flow:to_server,established; content:"/."; nocase; http_uri; content:"urlfile="; nocase; http_uri; content:"client=TFLS"; fast_pattern; nocase; http_uri; content:"version="; nocase; http_uri; content:"get="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.softpicks.net/software/TrustyFiles-Personal-File-Sharing-13308.htm; classtype:misc-activity; sid:7191; rev:7;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker cws.cameup runtime detection - search"; flow:to_server,established; content:"/searchtb.php?q="; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"fast-look.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*fast-look\x2Ecom/smiH"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079081; classtype:misc-activity; sid:6481; rev:8;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler VX2/DLmax/BestOffers/Aurora runtime detection"; flow:to_server,established; content:"/a/Drk.syn"; nocase; http_uri; content:"adcontext="; nocase; http_uri; content:"countrycodein="; fast_pattern; nocase; http_uri; content:"lastAdTime="; nocase; http_uri; content:"lastAdCode="; nocase; http_uri; content:"cookie1="; nocase; http_uri; content:"cookie2="; nocase; http_uri; content:"cookie3="; nocase; http_uri; content:"cookie4="; nocase; http_uri; content:"InstID="; nocase; http_uri; content:"status="; nocase; http_uri; content:"smode="; nocase; http_uri; content:"bho="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.g [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware iggsey toolbar detection - simpleticker.htm request"; flow:to_server,established; content:"/Browser/CT48638/1_Simpleticker.htm"; fast_pattern; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=2463; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094796; classtype:successful-recon-limited; sid:5949; rev:7;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware altnet runtime detection - status report"; flow:to_server,established; content:"/backoffice.net/stats/Add.aspx"; fast_pattern; nocase; http_uri; content:"ST="; nocase; http_uri; content:"PN=Altnet"; nocase; http_uri; content:"AN=Altnet"; nocase; http_uri; content:"LN="; nocase; http_uri; content:"DN="; nocase; http_uri; content:"GR="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.altnet.com"; nocase; http_header; pcre:"/^HOST\x3A[^\r\n]*www\x2Ealtnet\x2Ecom/smiH"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=1369; reference:url,www.spywareremove.com/removeAltnet.html; cl [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler album galaxy runtime detection - p2p gnutella"; flow:to_server,established; content:"/P2P/gnutella/cache/gerry.asp"; fast_pattern; nocase; http_uri; content:"urlfile="; nocase; http_uri; content:"client=GALA"; nocase; http_uri; content:"version="; nocase; http_uri; content:"get="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,codegravity.com/index.php/spyware; classtype:misc-activity; sid:7573; rev:7;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler spyblocs eblocs detection - stbarpat.dat"; flow:to_server,established; content:"/products/stbar/stbarpat.dat"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"download.eblocs.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*download\x2Eeblocs\x2Ecom/smiH"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088571; classtype:misc-activity; sid:6373; rev:8;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker clearsearch variant runtime detection - pass information"; flow:to_server,established; content:"/fast-cgi/bsc?"; nocase; http_uri; content:"mandant=clear"; nocase; http_uri; content:"synd=clear"; nocase; http_uri; content:"device="; nocase; http_uri; content:"portalLanguage="; fast_pattern; nocase; http_uri; content:"userLanguage="; nocase; http_uri; content:"context="; nocase; http_uri; content:"ip="; nocase; http_uri; content:"q="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.2-spyware.com/remove-clearsearch.html; reference:url,www.doxdesk.com/parasite/ClearSearch.html; classtype:misc-activity; sid:7535; rev:7; [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler edonkey2000 runtime detection - get ads page"; flow:to_server,established; content:"/scripts/adscript4.php"; fast_pattern; nocase; http_uri; content:"country="; nocase; http_uri; content:"dummy="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"sda.edonkey.com"; nocase; http_header; content:"User-Agent|3A|"; nocase; http_header; content:"ed2k"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*sda\x2Eedonkey\x2Ecom.*User-Agent\x3A[^\r\n]*ed2k/smiH"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy security-ips alert; reference:url,www.fbmsoftware.com/spyware-net/Process/edonkey2000_exe/705/; classtype:misc-activity; sid:7511; rev:8;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-header.c:209) (DetectHttpHeaderSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_header cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware arrow search runtime detection"; flow:to_server,established; content:"User-Agent|3A| Arrow Search"; fast_pattern; nocase; http_header; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.rt-software.co.uk/arrow_search/index.html; classtype:successful-recon-limited; sid:7537; rev:5;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-header.c:209) (DetectHttpHeaderSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_header cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware hotbar runtime detection - hostie user-agent"; flow:to_server,established; content:"User-Agent|3A| "; nocase; http_header; content:"hostie"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*?hostie/Hsmi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=481; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075474; classtype:misc-activity; sid:6251; rev:7;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware hotblox toolbar runtime detection - barad.asp request"; flow:to_server,established; content:"/searchapp/barad.asp?"; fast_pattern; nocase; http_uri; content:"searchkey="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"toolbar.hotblox.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*toolbar\x2Ehotblox\x2Ecom/smiH"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,sparkles.nu/spy/proceed-34.html; classtype:successful-recon-limited; sid:7525; rev:8;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker bazookabar runtime detection"; flow:to_server,established; content:"/updates/checkversion.php"; fast_pattern; nocase; http_uri; content:"id="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.myarmory.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Emyarmory\x2Ecom/smiH"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073886; classtype:misc-activity; sid:10438; rev:8;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"SPYWARE-PUT Adware trustyfiles v3.1.0.1 runtime detection - startup access"; flow:to_server,established; content:"/index-tfc.php"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"trustyfiles"; nocase; http_header; content:"com"; nocase; http_header; pcre:"/^Host|3A|[^\r\n]*trustyfiles\x2Ecom/smiH"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.softpicks.net/software/TrustyFiles-Personal-File-Sharing-13308.htm; classtype:misc-activity; sid:7193; rev:8;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-header.c:209) (DetectHttpHeaderSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_header cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware targetsaver runtime detection"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"TSA/"; fast_pattern; nocase; http_header; content:"Ts2/"; nocase; http_header; content:"OS/"; nocase; http_header; content:"IE/"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*?TSA\x2F[^\r\n]*?Ts2\x2F[^\r\n]*?OS\x2F[^\r\n]*?IE\x2F[^\r\n]*?CD\x2F[^\r\n]*?UID\x2F[^\r\n]*?AID\x2F/HsmiH"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=1914; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090707; classtype:misc-activity; sid:6343; rev:6;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware purityscan runtime detection - track user activity and status"; flow:to_server,established; content:"/count.cgi?clickspring"; nocase; http_uri; content:"www.clickspring.net/cs/pop4/frame_ver2.html"; fast_pattern; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=618; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073488; classtype:successful-recon-limited; sid:7559; rev:7;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Snoopware halflife jacker runtime detection"; flow:to_server,established; content:"from=HL-Jacker"; nocase; http_uri; content:"body=key"; nocase; http_uri; content:"fromemail=Jacked"; fast_pattern; nocase; http_uri; content:"to="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.megasecurity.org/trojans/h/halflifejacker/Halflifejacker1.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077199; classtype:successful-recon-limited; sid:7529; rev:7;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware cashbar runtime detection - pop-up ad 2"; flow:to_server,established; content:"/asp/offers.asp?url=http|3A|/cashsurfers.metareward.com"; fast_pattern; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=1340; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076621; classtype:misc-activity; sid:5930; rev:10;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker moneybar runtime detection - cgispy counter"; flow:to_server,established; content:"/counter3.cgi?"; fast_pattern; nocase; http_uri; content:"p=moneytreck"; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.aladdin.com/home/csrt/grayware-list2.asp?GraywareNo=277; classtype:misc-activity; sid:7524; rev:7;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker couponbar runtime detection - get updates to toolbar buttons"; flow:to_server,established; content:"/CouponBar/CBXmlFiles/"; fast_pattern; nocase; http_uri; content:".bmp"; nocase; http_uri; content:"User-Agent|3A| Toolbar"; nocase; http_header; threshold:type limit, track by_src, count 1, seconds 900; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079137; classtype:misc-activity; sid:5867; rev:9;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware deluxecommunications runtime detection - collect info"; flow:to_server,established; content:"/requestimpression.aspx"; fast_pattern; nocase; http_uri; content:"ver="; nocase; http_uri; content:"guid="; nocase; http_uri; content:"host="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"media.dxcdirect.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*media\x2Edxcdirect\x2Ecom/smiH"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453099974; classtype:successful-recon-limited; sid:8542; rev:8;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler nictech.bm2 runtime detection"; flow:to_server,established; content:"/cgi-bin/PopupV"; fast_pattern; nocase; http_uri; content:"type="; nocase; http_uri; content:"mSkip="; nocase; http_uri; content:"rnd="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy security-ips alert; reference:url,"research.sunbelt-software.com/threat_display.cfm?name=NicTech.BM2&threatid=15195"; classtype:misc-activity; sid:5836; rev:9;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT adware surfaccuracy runtime detection"; flow:to_server,established; content:"/sacc/popup.php"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"SAcc"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*SAcc/smiH"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy security-ips alert; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfaccuracy.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094263; classtype:misc-activity; sid:6363; rev:8;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler album galaxy runtime detection - startup data"; flow:to_server,established; content:"/data/startup.txt"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"DigExt"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*DigExt/smiH"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,codegravity.com/index.php/spyware; classtype:misc-activity; sid:7572; rev:8;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware adpowerzone runtime detection"; flow:to_server,established; content:"/advertpro/servlet/view/dynamic/html/campaign"; fast_pattern; nocase; http_uri; content:"cid="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"media.top-banners.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*media\x2Etop-banners\x2Ecom/smiH"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=1299; classtype:misc-activity; sid:6496; rev:8;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware hotblox toolbar runtime detection - stat counter"; flow:to_server,established; content:"/t.php?"; nocase; http_uri; content:"sc_project="; nocase; http_uri; content:"resolution="; nocase; http_uri; content:"camefrom="; nocase; http_uri; content:"u="; nocase; http_uri; content:"toolbar.hotblox.com/searchapp/barad.asp"; fast_pattern; nocase; http_uri; content:"t=barad"; nocase; http_uri; content:"java="; nocase; http_uri; content:"security="; nocase; http_uri; content:"sc_random="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,sparkles.nu/spy/proceed-34.html; classtype:successful-recon-limited; sid:7526; rev:7;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler minibug runtime detection - retrieve weather information"; flow:to_server,established; content:"/WxDataISAPI/WxDataISAPI.cgi"; fast_pattern; nocase; http_uri; content:"Magic="; nocase; http_uri; content:"RegNum="; nocase; http_uri; content:"ZipCode="; nocase; http_uri; content:"StationID="; nocase; http_uri; content:"Units="; nocase; http_uri; content:"Version="; nocase; http_uri; content:"Fore="; nocase; http_uri; content:"t="; nocase; http_uri; content:"lv="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.weatherbug.html; reference:url,www.spywareguide.com/produ [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware myway speedbar runtime detection - switch engines"; flow:to_server,established; content:"PG=SPEEDBAR"; fast_pattern; nocase; http_uri; pcre:"/\.(jsp)|(html)\?[^\r\n]*PG=SPEEDBAR/Ui"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; reference:url,www.adwarereport.com/mt/archives/000062.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405; classtype:successful-recon-limited; sid:5805; rev:8;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware fftoolbar toolbar runtime detection - send user url request"; flow:to_server,established; content:"/downloads/toolbar/related.asp"; fast_pattern; nocase; http_uri; content:"cli="; nocase; http_uri; content:"dat="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"uid="; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A| www.fast-finder.com"; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.symantec.com/avcenter/venc/data/adware.fftoolbar.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097640; classtype:successful-recon-limited; sid:5921; rev:9;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware powerstrip runtime detection"; flow:to_server,established; content:"/Subscriptions/NewsFeed.asp?"; fast_pattern; nocase; http_uri; content:"selection="; nocase; http_uri; content:"distribution="; nocase; http_uri; content:"User-Agent|3A| POWRSTRP"; nocase; http_header; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=522; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074932; classtype:misc-activity; sid:5983; rev:9;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"SPYWARE-PUT Adware trustyfiles v3.1.0.1 runtime detection - sponsor selection"; flow:to_server,established; content:"/rd/feed/XMLFeed.jsp"; fast_pattern; nocase; http_uri; content:"trackID="; nocase; http_uri; content:"pID="; nocase; http_uri; content:"cat="; nocase; http_uri; content:"nl="; nocase; http_uri; content:"page="; nocase; http_uri; content:"ip="; nocase; http_uri; content:"excID="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.softpicks.net/software/TrustyFiles-Personal-File-Sharing-13308.htm; classtype:misc-activity; sid:7192; rev:7;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware whenu runtime detection - search request 2"; flow:to_server,established; content:"/searchb?"; nocase; http_uri; content:"datatype="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"partner="; nocase; http_uri; content:"app=desktop"; fast_pattern; nocase; http_uri; content:"ui="; nocase; http_uri; content:"srchtrig="; nocase; http_uri; content:"pat="; nocase; http_uri; content:"cc="; nocase; http_uri; content:"rgn="; nocase; http_uri; content:"type="; nocase; http_uri; content:"sid="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=18; reference:url,www.spywareguide.com/ [8359] 3/2/2011 -- 14:39:06 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware earthlink toolbar runtime detection - search toolbar request 2"; flow:to_server,established; content:"/search?"; nocase; http_uri; content:"area=earthlink-ws-altsearchbox"; fast_pattern; nocase; http_uri; content:"q="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,castlecops.com/startuplist-1068.html; classtype:successful-recon-limited; sid:7522; rev:7;) [8359] 3/2/2011 -- 14:39:06 - (detect-http-header.c:209) (DetectHttpHeaderSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_header cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware hotbar runtime detection - hotbar user-agent"; flow:to_server,established; content:"User-Agent|3A| "; nocase; http_header; content:"hotbar"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*?hotbar/Hsmi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=481; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075474; classtype:misc-activity; sid:6250; rev:8;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware imnames runtime detection"; flow:to_server,established; content:"/bho/ibho.php"; fast_pattern; nocase; http_uri; content:"add="; nocase; http_uri; content:"hdid="; nocase; http_uri; content:"os="; nocase; http_uri; content:"ie="; nocase; http_uri; content:"lang="; nocase; http_uri; content:"modid="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453100875; classtype:misc-activity; sid:9644; rev:7;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker linkspider search bar runtime detection - ads"; flow:to_server,established; content:"/pagead/ads?"; nocase; http_uri; content:"www.linkspider.co.uk/cgi-bin/cgsearch/cgsearch.cgi"; fast_pattern; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,linkspider.co.uk; classtype:misc-activity; sid:7570; rev:8;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-header.c:209) (DetectHttpHeaderSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_header cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker freecruise toolbar runtime detection"; flow:to_server,established; content:"User-Agent|3A| FCTB1"; fast_pattern; nocase; http_header; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; classtype:misc-activity; sid:7050; rev:5;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware adclicker-ej runtime detection"; flow:to_server,established; content:"/SetIE/SetIE.txt"; fast_pattern; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,vil.nai.com/vil/content/v_139523.htm; classtype:misc-activity; sid:10164; rev:7;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware supreme toolbar runtime detection - get cfg"; flow:to_server,established; content:"/desktop/"; nocase; http_uri; content:"/toolbar/supremetb"; fast_pattern; nocase; http_uri; content:".cfg"; nocase; http_uri; pcre:"/\x2Fdesktop\x2F\d+\x2Ftoolbar\x2Fsupremetb\d+\.cfg/Ui"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097530; classtype:successful-recon-limited; sid:5939; rev:8;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker coolwebsearch.aboutblank variant runtime detection"; flow:to_server,established; content:"/open_console_out.php"; fast_pattern; nocase; http_uri; content:"n="; nocase; http_uri; content:"pin="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=599; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; classtype:misc-activity; sid:5794; rev:7;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker getmirar runtime detection - track activity"; flow:to_server,established; content:"/v70click.cgi?"; fast_pattern; nocase; http_uri; content:"u="; nocase; http_uri; content:"adurl="; nocase; http_uri; content:"adtitle="; nocase; http_uri; content:"adbody="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077933; classtype:misc-activity; sid:5993; rev:7;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware broadcasturban tuner runtime detection - connect to station"; flow:to_server,established; content:"/newsurfer4/"; fast_pattern; nocase; http_uri; content:"brand="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"speed="; nocase; http_uri; content:"title="; nocase; http_uri; content:"artist="; nocase; http_uri; content:"show="; nocase; http_uri; content:"call="; nocase; http_uri; content:"archive="; nocase; http_uri; pcre:"/\x2Fnewsurfer4\x2F[a-zA-Z0-9_-]*\.asp\?brand=/Ui"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.sunbelt-software.com/research/threat_display.cfm?name=BroadcastURBAN%20tuner&threatid=6093; classtype:mi [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware myway speedbar / mywebsearch toolbar runtime detection - collect information"; flow:to_server,established; content:"/images/nocache/tr/gca/m.gif?"; fast_pattern; nocase; http_uri; content:"rand="; nocase; http_uri; content:"a="; nocase; http_uri; content:"u="; nocase; http_uri; content:"r="; nocase; http_uri; content:"w="; nocase; http_uri; content:"myway.com"; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; reference:url,www.adwarereport.com/mt/archives/000062.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405; classtype:successful-recon-limited; sid [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware broadcasturban tuner runtime detection - start tuner"; flow:to_server,established; content:"/newsurfer4/mainplocal.htm?"; fast_pattern; nocase; http_uri; content:"brand="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"call="; nocase; http_uri; content:"speed="; nocase; http_uri; content:"unlock="; nocase; http_uri; content:"archive="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.sunbelt-software.com/research/threat_display.cfm?name=BroadcastURBAN%20tuner&threatid=6093; classtype:misc-activity; sid:5825; rev:7;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware digink.com runtime detection"; flow:to_server,established; content:"/mbop/index.php3"; fast_pattern; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Microsoft"; nocase; http_header; content:"URL"; nocase; http_header; content:"Control"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:"www.digink.com"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*Microsoft\s+URL\s+Control\s+-/smiH"; pcre:"/^Host\x3A\s+www\x2Edigink\x2Ecom/smiH"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.nuker.com/container/details/snackman.php; reference:url,www.techsupportforum.com/archive/index.php/t-46308.ht [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler spyblocs eblocs detection - get spyblpat.dat/spyblini.ini"; flow:to_server,established; content:"/products/spyblocs/"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"download.eblocs.com"; nocase; http_header; pcre:"/\x2Fproducts\x2Fspyblocs\x2F(spyblpat\d*\x2Edat\x2E\d+)|(spyblini\x2Eini)/UiH"; pcre:"/^Host\x3A[^\r\n]*download\x2Eeblocs\x2Ecom/smiH"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088571; classtype:misc-activity; sid:6374; rev:8;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker locatorstoolbar runtime detection - sidebar search"; flow:to_server,established; content:"/search.php?"; nocase; http_uri; content:"sidebar=method"; fast_pattern; nocase; http_uri; content:"que="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=1821; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076978; classtype:misc-activity; sid:5916; rev:7;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker shopnav runtime detection - self-update request 1"; flow:to_server,established; content:"/9899/srng/reg.php?"; fast_pattern; nocase; http_uri; content:"IpAddr="; nocase; http_uri; content:"OS="; nocase; http_uri; content:"RegistryChanged="; nocase; http_uri; content:"RegistryUpdate="; nocase; http_uri; content:"Basedir="; nocase; http_uri; content:"SrngInstalled="; nocase; http_uri; content:"SrngVer="; nocase; http_uri; content:"PCID="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=582; classtype:misc-activity; sid:5890; rev:7;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware purityscan runtime detection - installation notify"; flow:to_server,established; content:"/install/notify.php?"; fast_pattern; nocase; http_uri; content:"pid="; nocase; http_uri; content:"module="; nocase; http_uri; content:"v="; nocase; http_uri; content:"b="; nocase; http_uri; content:"result="; nocase; http_uri; content:"message="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=618; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073488; classtype:successful-recon-limited; sid:7558; rev:7;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware cashbar runtime detection - stats track"; flow:to_server,established; content:"/cgi-bin/connect.cgi?"; nocase; http_uri; content:"usr="; nocase; http_uri; content:"url="; nocase; http_uri; content:"title=CashSurfers"; fast_pattern; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=1340; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076621; classtype:misc-activity; sid:5932; rev:10;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker yok supersearch runtime detection - target website display"; flow:to_server,established; content:"/related_bottom_v2.php"; fast_pattern; nocase; http_uri; content:"key="; nocase; http_uri; content:"No="; http_uri; content:"Host|3A|"; nocase; content:"related.yok.com"; distance:0; nocase; pcre:"/^Host\x3a[^\r\n]*related\x2Eyok\x2Ecom/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Yok.SuperSearch&threatid=44407; classtype:misc-activity; sid:8359; rev:9;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware eqiso runtime detection"; flow:to_server,established; content:"/cm"; http_uri; content:"toolbar.eqiso.com"; fast_pattern; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Eqiso&threatid=88999; classtype:misc-activity; sid:10180; rev:8;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker girafa toolbar - browser hijack"; flow:to_server,established; content:"/srv/i?i="; fast_pattern; nocase; http_uri; content:"r=http"; nocase; http_uri; content:"m=srch"; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=1135; classtype:misc-activity; sid:6377; rev:7;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker locatorstoolbar runtime detection - configuration download"; flow:to_server,established; content:"/download/toolbar/locatorstoolbar"; fast_pattern; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=1821; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076978; classtype:misc-activity; sid:5914; rev:8;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler spyblocs eblocs detection - get wsliveup.dat"; flow:to_server,established; content:"/wsliveup/advisor/wsliveup.dat"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"spybl.cyberdefender.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*spybl\x2Ecyberdefender\x2Ecom/smiH"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088571; classtype:misc-activity; sid:6372; rev:8;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware download accelerator plus runtime detection - get ads"; flow:to_server,established; content:"/cgi-bin/ads9.dll?"; fast_pattern; nocase; http_uri; content:"HTML="; nocase; http_uri; content:"DAUI="; nocase; http_uri; content:"INC="; nocase; http_uri; content:"DL="; nocase; http_uri; content:"CX="; nocase; http_uri; content:"CY="; nocase; http_uri; content:"IIA="; nocase; http_uri; content:"IIG="; nocase; http_uri; content:"IIP="; nocase; http_uri; content:"III="; nocase; http_uri; content:"V="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert; reference:url,reviews.cnet.com/Downloa [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware comedy planet runtime detection - ads"; flow:to_server,established; content:"/advertisement/advertisement.php?"; fast_pattern; nocase; http_uri; content:"systemTray="; nocase; http_uri; content:"joke_category="; nocase; http_uri; content:"joke_id="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,labs.paretologic.com/spyware.aspx?remove=Comedy-Planet; classtype:misc-activity; sid:7594; rev:7;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware ares flash downloader 2.04 runtime detection"; flow:to_server,established; content:"/lordofsearchD_468X60.html"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"aresflashdownloader.com"; nocase; http_header; pcre:"/^Host|3A|[^\r\n]*aresflashdownloader\x2Ecom/smiH"; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy security-ips alert; reference:url,www.download2you.com/details_page.asp?titleID=12388; classtype:misc-activity; sid:7142; rev:8;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler clipgenie runtime detection"; flow:to_server,established; content:"/cgi-bin/omnidirect.cgi"; fast_pattern; nocase; http_uri; content:"SID="; nocase; http_uri; content:"PID="; nocase; http_uri; content:"LID="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"PARMR="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=474; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073486; classtype:misc-activity; sid:5829; rev:7;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-header.c:209) (DetectHttpHeaderSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_header cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker clearsearch variant runtime detection - ie hijacking"; flow:to_server,established; content:"/ie/?"; nocase; http_uri; content:"guid="; nocase; http_uri; content:"addr="; nocase; http_uri; content:"User-Agent|3A| IEXPLORE.EXE"; fast_pattern; nocase; http_header; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.2-spyware.com/remove-clearsearch.html; reference:url,www.doxdesk.com/parasite/ClearSearch.html; classtype:misc-activity; sid:7534; rev:6;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler farmmext runtime detection - drk.syn request"; flow:to_server,established; content:"/a/Drk.syn?"; fast_pattern; nocase; http_uri; content:"bho="; nocase; http_uri; content:"DistID="; nocase; http_uri; content:"MM_RECO.EXE"; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 1200; metadata:policy security-ips alert; reference:url,www.spyany.com/files/farmmext_exe.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090784; classtype:misc-activity; sid:6203; rev:8;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-header.c:209) (DetectHttpHeaderSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_header cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler pcast runtime detection - update checking"; flow:to_server,established; content:"User-Agent|3A| Pcast Live"; fast_pattern; nocase; http_header; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098354; classtype:misc-activity; sid:7582; rev:5;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler minibug runtime detection - ads"; flow:to_server,established; content:"/RealMedia/ads/adstream_sx.cgi/www.wbug.com/"; fast_pattern; nocase; http_uri; content:"A1="; nocase; http_uri; content:"A2="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.weatherbug.html; reference:url,www.spywareguide.com/product_show.php?id=2178; classtype:misc-activity; sid:5842; rev:7;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker linkspider search bar runtime detection - toolbar search"; flow:to_server,established; content:"/cgi-bin/cgsearch/cgsearch.cgi?"; fast_pattern; nocase; http_uri; content:"vid="; nocase; http_uri; content:"category="; nocase; http_uri; content:"lout="; nocase; http_uri; content:"sel="; nocase; http_uri; content:"refer="; nocase; http_uri; content:"query="; nocase; http_uri; content:"match="; nocase; http_uri; content:"where="; nocase; http_uri; content:"sd="; nocase; http_uri; content:"pp="; nocase; http_uri; content:"to="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,linkspider.co.uk; classtype:misc-activity; sid:757 [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware winsysba-a runtime detection - track surfing activity"; flow:to_server,established; content:"/url_sp2.asp"; fast_pattern; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"url="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"vb"; nocase; http_header; content:"wininet"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*vb\s+wininet/smiH"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,secunia.com/virus_information/26844/winsysba-a/; classtype:successful-recon-limited; sid:7856; rev:8;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware uplink runtime detection"; flow:to_server,established; content:"/Response2.aspx"; fast_pattern; nocase; http_uri; content:"mac="; nocase; http_uri; content:"myadid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"uplink.co.kr"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*uplink\x2Eco\x2Ekr/smiH"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2007-031317-1701-99&tabid=1; classtype:successful-recon-limited; sid:11312; rev:8;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware weirdontheweb runtime detection - monitor user web activity"; flow:to_server,established; content:"/request/req.cgi?"; fast_pattern; nocase; http_uri; content:"gu=TN-internal"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"lid="; nocase; http_uri; content:"sp="; nocase; http_uri; content:"v="; nocase; http_uri; content:"sn="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"AID="; nocase; http_uri; content:"FT="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094260; classtype:misc-activity; sid:5946; rev:7;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware squaretrade side bar runtime detection - collect user information"; flow:to_server,established; content:"/content/logUserAction.do"; fast_pattern; nocase; http_uri; content:"uuid="; nocase; http_uri; content:"type="; nocase; http_uri; content:"stsb_SitelistVersion="; nocase; http_uri; content:"stsb_Os="; nocase; http_uri; content:"stsb_Browser"; nocase; http_uri; content:"stsb_Version"; nocase; http_uri; content:"stsb_Download"; nocase; http_uri; content:"stsb_InstallVersion"; nocase; http_uri; content:"usageEnabled"; nocase; http_uri; content:"phishingEnabled"; nocase; http_uri; content:"shoppingEnabled"; nocase; http_uri; content:"User-Agent|3A| SQTR_VERIFY"; nocase; http_header; threshold:typ [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware searchnugget toolbar runtime detection - check updates"; flow:to_server,established; content:"/toolbar/sbartb0300.cfg"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"acez"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*acez/smiH"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.symantec.com/avcenter/venc/data/adware.searchnugget.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094349; classtype:misc-activity; sid:6487; rev:8;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker seeqtoolbar runtime detection - email login page"; flow:to_server,established; content:"/lander.jsp"; nocase; http_uri; content:"referrer="; nocase; http_uri; content:"domain=seeqmail.com"; fast_pattern; nocase; http_uri; content:"cm_mmc="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=1026; classtype:misc-activity; sid:5982; rev:8;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker locatorstoolbar runtime detection - autosearch hijack"; flow:to_server,established; content:"/download/toolbar/dnserror.php?"; fast_pattern; nocase; http_uri; content:"type=dns"; nocase; http_uri; content:"id="; nocase; http_uri; content:"url="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=1821; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076978; classtype:misc-activity; sid:5915; rev:7;) [8359] 3/2/2011 -- 14:39:07 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware henbang runtime detection"; flow:to_server,established; content:"/hap/adserver.aspx"; fast_pattern; nocase; http_uri; content:"version="; nocase; http_uri; content:"mac="; nocase; http_uri; content:"distributorid="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"AD"; nocase; http_header; content:"Request"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:"wwws.henbang.net"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*AD[^\r\n]*Request/smiH"; pcre:"/^Host\x3a[^\r\n]*wwws\x2Ehenbang\x2Enet/smiH"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?i [8359] 3/2/2011 -- 14:39:08 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware iggsey toolbar detection - search request"; flow:to_server,established; content:"/search.php?keywords="; fast_pattern; nocase; http_uri; content:"Host|3A| www.iggsey.com"; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=2463; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094796; classtype:successful-recon-limited; sid:5951; rev:8;) [8359] 3/2/2011 -- 14:39:08 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware whenu runtime detection - search request 1"; flow:to_server,established; content:"/SearchBar?"; fast_pattern; nocase; http_uri; content:"templ="; nocase; http_uri; content:"num="; nocase; http_uri; content:"app=desktop"; nocase; http_uri; content:"uiv="; nocase; http_uri; content:"kw="; nocase; http_uri; content:"ctr="; nocase; http_uri; content:"cc="; nocase; http_uri; content:"rgn="; nocase; http_uri; content:"sgp="; nocase; http_uri; content:"stp="; nocase; http_uri; content:"cnt="; nocase; http_uri; content:"sid="; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 600; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=18; reference:u [8359] 3/2/2011 -- 14:39:08 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware newweb runtime detection"; flow:to_server,established; content:"/cliententry/"; fast_pattern; nocase; http_uri; content:"X-TITLE|3A|"; nocase; http_header; content:"X-KEYWORD|3A|"; nocase; http_header; content:"X-ADLIST|3A|"; nocase; http_header; content:"X-COMMAND|3A|"; nocase; http_header; content:"X-CLIENTID|3A|"; nocase; http_header; content:"X-TARGETURL|3A|"; nocase; http_header; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097957; classtype:misc-activity; sid:10182; rev:8;) [8359] 3/2/2011 -- 14:39:08 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware bonzibuddy runtime detection"; flow:to_server,established; content:"/bonzibuddy/"; fast_pattern; nocase; http_uri; content:".nbd"; nocase; http_uri; pcre:"/\x2Fbonzibuddy\x2F(updates|products|daily)\x2Enbd/Ui"; threshold:type both, track by_src, count 1, seconds 1800; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=512; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59256; classtype:misc-activity; sid:6219; rev:7;) [8359] 3/2/2011 -- 14:39:08 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware lordofsearch runtime detection"; flow:to_server,established; content:"/home/lordofsearch"; fast_pattern; nocase; http_uri; pcre:"/\x5Chome\/lordofsearch[^\r\n]*\x2Ehtml/smi"; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_list_category.php?category_id=12; classtype:misc-activity; sid:7569; rev:8;) [8359] 3/2/2011 -- 14:39:08 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware active shopper runtime detection - collect information"; flow:to_server,established; content:"/HG?"; nocase; http_uri; content:"hc="; nocase; http_uri; content:"vcon=ActiveShopper"; fast_pattern; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=2410; classtype:misc-activity; sid:5926; rev:7;) [8359] 3/2/2011 -- 14:39:08 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Martuz HTTP GET request attempt"; flow:to_server,established; content:"/martuz.cn"; fast_pattern; nocase; http_uri; pcre:"/\x2Fmartuz\x2Ecn\x2Fvid\x2F\x3Fid\x3D\d+/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.us-cert.gov/current/archive/2009/06/01/archive.html; classtype:trojan-activity; sid:15567; rev:5;) [8359] 3/2/2011 -- 14:39:08 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Gumblar HTTP GET request attempt"; flow:to_server,established; content:"/gumblar.cn"; fast_pattern; nocase; http_uri; pcre:"/\x2Fgumblar\x2Ecn\x2Frss\x2F\x3Fid\x3D\d+/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.us-cert.gov/current/archive/2009/06/01/archive.html; classtype:trojan-activity; sid:15566; rev:5;) [8359] 3/2/2011 -- 14:39:08 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware winreanimator runtime detection - daily update"; flow:to_server,established; content:"/WinReanimator/daily.cvd"; fast_pattern; nocase; http_uri; reference:url,www.411-spyware.com/effacer-winreanimator; reference:url,www.windowsvistaplace.com/winreanimator-removal-instructions-winreanimator/spyware-removal; classtype:misc-activity; sid:16119; rev:5;) [8359] 3/2/2011 -- 14:39:08 - (detect-http-header.c:209) (DetectHttpHeaderSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_header cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker xp antispyware 2009 runtime detection - pre-sale webpage"; flow:to_server,established; content:"/buy.html?"; nocase; http_uri; content:"wmid="; nocase; http_uri; content:"skey="; nocase; http_uri; content:"Host|3A| www.xpas2009.com"; fast_pattern; nocase; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=XPAntiSpyware%202009&threatid=429593; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453141780; classtype:misc-activity; sid:16136; rev:5;) [8359] 3/2/2011 -- 14:39:08 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trackware 6sq toolbar runtime detection"; flow:to_server,established; content:"/data.aspx?"; nocase; http_uri; content:"pn=sixsigmaToolbar"; fast_pattern; nocase; http_uri; content:"ver="; nocase; http_uri; content:"url="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Asynchronous"; nocase; http_header; content:"WinInet"; nocase; http_header; content:"CLASS"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*Asynchronous\s+WinInet\s+CLASS/smiH"; reference:url,ca.com/fi/securityadvisor/pest/pest.aspx?id=453130697; reference:url,www.spycheck.es/genera.php?processfile=6sqtoolbar.dll&dir=otros&pag=165; classtype:successful-recon-limited; sid:16120; rev:6;) [8359] 3/2/2011 -- 14:39:08 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hacker-Tool 0desa msn pass stealer 8.5 runtime detection"; flow:to_server,established; content:"sendmail.php?"; nocase; http_uri; content:"mail="; nocase; http_uri; content:"subject="; nocase; http_uri; content:"Odesa mpsteal form"; fast_pattern; nocase; http_uri; classtype:misc-activity; sid:16138; rev:5;) [8359] 3/2/2011 -- 14:39:08 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trickler virusremover 2008 runtime detection"; flow:to_server,established; content:"/2009/order/index.html?"; fast_pattern; nocase; http_uri; content:"addt="; nocase; http_uri; content:"pc_id="; nocase; http_uri; content:"abbr=3P_UVRM"; nocase; http_uri; content:"nid=3P_UVRM"; nocase; http_uri; reference:url,ca.com/fr/securityadvisor/pest/pest.aspx?id=453137574; reference:url,www.spywareremove.com/removeVirusRemover2008.html; classtype:misc-activity; sid:16126; rev:5;) [8359] 3/2/2011 -- 14:39:08 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker cramtoolbar runtime detection - hijack"; flow:to_server,established; content:"/style/style1_21.css"; fast_pattern; nocase; http_uri; content:"Referer|3A|"; nocase; http_header; content:"www.fuck-portal.com"; nocase; http_header; pcre:"/^Referer\x3a[^\r\n]*www\x2efuck\x2dportal\x2ecom/smiH"; reference:url,www.spywareguide.com/product_show.php?id=2474; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-091817-2335-99&tabid=1; classtype:misc-activity; sid:16114; rev:6;) [8359] 3/2/2011 -- 14:39:08 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Hijacker cramtoolbar runtime detection - search"; flow:to_server,established; content:"/n4.g?"; nocase; http_uri; content:"login=craxam"; fast_pattern; nocase; http_uri; content:"url="; nocase; http_uri; content:"pv="; nocase; http_uri; content:"jv="; nocase; http_uri; content:"j="; nocase; http_uri; content:"srw="; nocase; http_uri; content:"srb="; nocase; http_uri; reference:url,www.spywareguide.com/product_show.php?id=2474; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-091817-2335-99&tabid=1; classtype:misc-activity; sid:16115; rev:5;) [8359] 3/2/2011 -- 14:39:08 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT downloader trojan.nsis.agent.s runtime detection"; flow:to_server,established; content:"/keyword/urlRedirect.cfm?"; fast_pattern; nocase; http_uri; content:"v="; nocase; http_uri; content:"a=SEARCHFST"; nocase; http_uri; content:"k="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.metadirect.net"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2emetadirect\x2enet/smiH"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Downloader.NSIS.Agent.s&threatid=51530; reference:url,www.pctools.com/mrc/infections/id/Adware.Metadirect_hijacker/; classtype:misc-activity; sid:16124; rev:6;) [8359] 3/2/2011 -- 14:39:08 - (detect-http-header.c:209) (DetectHttpHeaderSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_header cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Tear Application downloader attempt to contact server"; flow:to_server,established; content:"|0A|User-Agent|3A| Tear Application"; fast_pattern; nocase; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.threatexpert.com/report.aspx?md5=48f1270338bc233839ffefa7e5eefde7; classtype:trojan-activity; sid:16497; rev:4;) [8359] 3/2/2011 -- 14:39:08 - (detect-http-header.c:209) (DetectHttpHeaderSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_header cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Trojan hacktool attempt to contact server"; flow:to_server,established; content:"/update"; nocase; http_uri; content:"Mozilla/4.75"; fast_pattern; nocase; http_header; pcre:"/\x2Fupdate\w\x2Ephp\x3Fp\x3D\d+.*User\x2DAgent\x3A\s+Mozilla\x2F4\x2E75\s\x5Ben\x5D\s\x28X11\x3B\sU\x3B\sLinux\s2\x2E2\x2E16\x2D3\si686\x29/smiH"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.threatexpert.com/report.aspx?md5=f602982724b3562b80f435f0d87c6a5f; classtype:trojan-activity; sid:16496; rev:7;) [8359] 3/2/2011 -- 14:39:08 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT PC Antispyware 2010 FakeAV download/update attempt"; flow:to_server,established; content:"/files"; nocase; http_uri; content:"|29|.|28|t|29|"; fast_pattern; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop; reference:url,www.threatexpert.com/report.aspx?md5=37fa737aab25dd0d90cd0821538fae15; classtype:trojan-activity; sid:16498; rev:5;) [8359] 3/2/2011 -- 14:39:08 - (detect-http-header.c:209) (DetectHttpHeaderSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_header cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Malware contact to server attempt"; flow:to_server,established; content:"malware"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*malware/miH"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/analisis/c55e2acfed1996ddbd17ddd4cba57530dd34c207be9f9b327fa3fdbb10cdaa7c-1270750352; classtype:trojan-activity; sid:16551; rev:5;) [8359] 3/2/2011 -- 14:39:08 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Spyeye bot contact to C&C server attempt"; flow:to_server,established; content:"|2E|php|3F|guid|3D|"; nocase; http_uri; content:"ccrc|3D|"; fast_pattern; nocase; http_uri; content:"ver|3D|"; nocase; http_uri; content:"stat|3D|"; nocase; http_uri; content:"cpu|3D|"; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.threatexpert.com/report.aspx?md5=84714c100d2dfc88629531f6456b8276; classtype:trojan-activity; sid:16669; rev:1;) [8359] 3/2/2011 -- 14:39:08 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Rogue AV download/update atttempt"; flow:to_server,established; content:"|2F 3F|b|3D|1s1"; fast_pattern; nocase; http_uri; content:"Mozilla"; nocase; http_header; pcre:"/^User\x2DAgent\x3A\s*Mozilla\x0d?$/smiH"; metadata:policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/analisis/2063df10f553afa6b1257e576fbf88cf98093ec1ae15c079e947994a96fbfadd-1274312088; classtype:trojan-activity; sid:16695; rev:1;) [8359] 3/2/2011 -- 14:39:09 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI NPH-maillist access"; flow:to_server,established; content:"/nph-maillist.pl"; fast_pattern; nocase; http_uri; metadata:service http; reference:bugtraq,2563; reference:cve,2001-0400; reference:nessus,10164; classtype:attempted-recon; sid:1451; rev:13;) [8359] 3/2/2011 -- 14:39:09 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI db4web_c directory traversal attempt"; flow:to_server,established; content:"/db4web_c"; fast_pattern; nocase; http_uri; pcre:"/db4web_c(\.exe)?\/.*(\.\.[\\|\/]|[a-z]\:)/smiU"; metadata:service http; reference:bugtraq,5723; reference:cve,2002-1483; reference:nessus,11182; classtype:web-application-attack; sid:3674; rev:6;) [8359] 3/2/2011 -- 14:39:09 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Nucleus CMS action.php itemid SQL injection"; flow:to_server,established; content:"action.php"; fast_pattern; nocase; http_uri; content:"itemid="; nocase; pcre:"/itemid=\d*[^\d\&\;\r\n]/i"; metadata:service http; reference:bugtraq,10798; reference:cve,2004-2056; reference:nessus,14194; classtype:web-application-activity; sid:3690; rev:7;) [8359] 3/2/2011 -- 14:39:09 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI awstats.pl configdir command execution attempt"; flow:to_server,established; content:"/awstats.pl?"; fast_pattern; nocase; http_uri; content:"configdir="; nocase; http_uri; pcre:"/awstats.pl?[^\r\n]*configdir=\x7C/Ui"; metadata:service http; reference:bugtraq,12298; reference:cve,2005-0116; reference:nessus,16189; classtype:attempted-user; sid:3813; rev:7;) [8359] 3/2/2011 -- 14:39:09 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI 4DWebstar ShellExample.cgi information disclosure"; flow:to_server,established; content:"/ShellExample.cgi"; fast_pattern; nocase; http_uri; pcre:"/ShellExample.cgi\?[^\n\r\&]*\x2a/Ui"; metadata:service http; reference:bugtraq,10721; reference:url,www.atstake.com/research/advisories/2004/a071304-1.txt; classtype:attempted-recon; sid:4128; rev:7;) [8359] 3/2/2011 -- 14:39:09 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 7777 (msg:"WEB-CGI WhatsUpGold instancename overflow attempt"; flow:to_server,established; content:"/_maincfgret.cgi"; fast_pattern; nocase; http_uri; pcre:"/instancename=[^&\x3b\r\n]{513}/smi"; metadata:service http; reference:bugtraq,11043; reference:cve,2004-0798; classtype:web-application-attack; sid:12056; rev:6;) [8359] 3/2/2011 -- 14:39:09 - (detect-http-header.c:209) (DetectHttpHeaderSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_header cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RTF file download"; flow:established,to_client; content:"Content-Type|3A|"; nocase; http_header; content:"text/rtf"; fast_pattern; nocase; http_header; flowbits:set,http.rtf; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:protocol-command-decode; sid:13801; rev:6;) [8359] 3/2/2011 -- 14:39:09 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-CLIENT Palo Alto Networks Firewall editUser.esp XSS attempt"; flow:established, to_server; content:"/esp/editUser.esp"; fast_pattern; nocase; http_uri; content:"role="; nocase; http_uri; pcre:"/[\x3f\x26]role=[^\x26]*?[^\x26a-z0-9\x5b\x5d\x2d]/Usmi"; metadata:policy security-ips drop, service http; reference:cve,2010-0475; reference:url,osvdb.org/show/osvdb/64717; classtype:web-application-attack; sid:16689; rev:1;) [8359] 3/2/2011 -- 14:39:10 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd32.exe access"; flow:to_server,established; content:"cmd32.exe"; fast_pattern; nocase; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:1661; rev:11;) [8359] 3/2/2011 -- 14:39:10 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; fast_pattern; nocase; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:1002; rev:14;) [8359] 3/2/2011 -- 14:39:10 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS multiple extension code execution attempt"; flow:established,to_server; content:".asp|3B|."; fast_pattern; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2009-4444; classtype:web-application-attack; sid:16356; rev:7;) [8359] 3/2/2011 -- 14:39:10 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS web agent chunked encoding overflow attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/WebID/IISWebAgentIF.dll"; fast_pattern; nocase; http_uri; content:"Transfer-Encoding|3A| chunked"; nocase; http_header; content:"|0D 0A 0D 0A|"; byte_test:4,>,16,0,relative,string,hex; metadata:service http; reference:bugtraq,13524; reference:cve,2005-1471; classtype:web-application-attack; sid:17705; rev:1;) [8359] 3/2/2011 -- 14:39:10 - (detect-http-method.c:182) (DetectHttpMethodSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_method cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Sun Java System Web Server 7.0 WebDAV format string exploit attempt - LOCK method"; flow:to_server,established; content:"LOCK"; fast_pattern; nocase; http_method; content:"encoding"; pcre:"/\<\?xml[^\>]+encoding\s*\=\s*(\'|\")[^\'\"\>\%]*\%/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,37910; reference:cve,2010-0388; classtype:attempted-user; sid:16427; rev:1;) [8359] 3/2/2011 -- 14:39:10 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. 
Signature ==> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC HP OpenView CGI parameter buffer overflow attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"|2F|OvCgi|2F|"; fast_pattern; http_uri; content:"Content|2D|Length|3A|"; byte_test:4,>,500,1,relative,hex,string; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-1552; reference:cve,2010-1553; reference:cve,2010-1554; reference:cve,2010-1555; classtype:attempted-user; sid:16674; rev:1;) [8359] 3/2/2011 -- 14:39:10 - (detect-http-uri.c:115) (DetectHttpUriSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_uri cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature ==> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Tandberg VCS local file disclosure attempt"; flow:to_server,established; content:"helppage.php"; fast_pattern; nocase; http_uri; content:"page="; nocase; http_uri; content:".."; http_uri; metadata:policy security-ips drop, service http; reference:cve,2009-4511; reference:url,secunia.com/advisories/39275/; classtype:web-application-attack; sid:16678; rev:1;) [8359] 3/2/2011 -- 14:39:10 - (detect.c:386) (SigLoadSignatures) -- 52 rule files processed. 3734 rules succesfully loaded, 314 rules failed [8359] 3/2/2011 -- 14:39:10 - (detect-engine-sigorder.c:827) (SCSigOrderSignatures) -- ordering signatures in memory SCSigOrderSignatures: Total Signatures to be processed by thesigordering module: 3742 [8359] 3/2/2011 -- 14:39:13 - (detect-engine-sigorder.c:868) (SCSigOrderSignatures) -- total signatures reordered by the sigordering module: 3742 [8359] 3/2/2011 -- 14:39:13 - (detect.c:1433) (SigAddressPrepareStage1) -- 3742 signatures processed. 
0 are IP-only rules, 3215 are inspecting packet payload, 717 inspect application layer [8359] 3/2/2011 -- 14:39:13 - (detect.c:1435) (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: adding signatures to signature source addresses... done [8359] 3/2/2011 -- 14:39:13 - (detect.c:1920) (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address lists... [8359] 3/2/2011 -- 14:39:13 - (detect.c:1989) (SigAddressPrepareStage2) -- 3742 total signatures: [8359] 3/2/2011 -- 14:39:13 - (detect.c:2010) (SigAddressPrepareStage2) -- TCP Source address blocks: any: 2, ipv4: 2, ipv6: 2. [8359] 3/2/2011 -- 14:39:13 - (detect.c:2030) (SigAddressPrepareStage2) -- UDP Source address blocks: any: 2, ipv4: 2, ipv6: 2. [8359] 3/2/2011 -- 14:39:13 - (detect.c:2050) (SigAddressPrepareStage2) -- ICMP Source address blocks: any: 2, ipv4: 2, ipv6: 2. [8359] 3/2/2011 -- 14:39:13 - (detect.c:2054) (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address list... done [8359] 3/2/2011 -- 14:39:13 - (detect.c:2612) (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... [8359] 3/2/2011 -- 14:39:15 - (detect.c:2695) (SigAddressPrepareStage3) -- MPM memory 37626798 (dynamic 37614366, ctxs 12432, avg per ctx 85487) [8359] 3/2/2011 -- 14:39:15 - (detect.c:2697) (SigAddressPrepareStage3) -- max sig id 3742, array size 468 [8359] 3/2/2011 -- 14:39:15 - (detect.c:2698) (SigAddressPrepareStage3) -- signature group heads: unique 620, copies 2424. [8359] 3/2/2011 -- 14:39:15 - (detect.c:2700) (SigAddressPrepareStage3) -- MPM instances: 440 unique, copies 184 (none 0). [8359] 3/2/2011 -- 14:39:15 - (detect.c:2702) (SigAddressPrepareStage3) -- MPM (URI) instances: 4 unique, copies 616 (none 0). 
[8359] 3/2/2011 -- 14:39:15 - (detect.c:2703) (SigAddressPrepareStage3) -- MPM max patcnt 1381, avg 426 [8359] 3/2/2011 -- 14:39:15 - (detect.c:2705) (SigAddressPrepareStage3) -- MPM (URI) max patcnt 646, avg 996 (3986/4) [8359] 3/2/2011 -- 14:39:15 - (detect.c:2706) (SigAddressPrepareStage3) -- port maxgroups: 39, avg 17, tot 946 [8359] 3/2/2011 -- 14:39:15 - (detect.c:2707) (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... done [8359] 3/2/2011 -- 14:39:15 - (util-threshold-config.c:136) (SCThresholdConfInitContext) -- Global thresholding options defined [8359] 3/2/2011 -- 14:39:15 - (alert-fastlog.c:331) (AlertFastLogInitCtx) -- Fast log output initialized, filename: fast.log [8359] 3/2/2011 -- 14:39:15 - (alert-unified2-alert.c:673) (Unified2AlertInitCtx) -- Unified2-alert initialized: filename unified2.alert, limit 32 MB [8359] 3/2/2011 -- 14:39:15 - (runmodes.c:97) (RunModeInitializeOutputs) -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - No output module named alert-prelude, ignoring [8359] 3/2/2011 -- 14:39:15 - (stream-tcp.c:364) (StreamTcpInitConfig) -- stream "max_sessions": 262144 [8359] 3/2/2011 -- 14:39:15 - (stream-tcp.c:376) (StreamTcpInitConfig) -- stream "prealloc_sessions": 32768 [8359] 3/2/2011 -- 14:39:15 - (stream-tcp.c:385) (StreamTcpInitConfig) -- stream "memcap": 67108864 [8359] 3/2/2011 -- 14:39:15 - (stream-tcp.c:392) (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled [8359] 3/2/2011 -- 14:39:15 - (stream-tcp.c:400) (StreamTcpInitConfig) -- stream "async_oneside": disabled [8398] 3/2/2011 -- 14:39:15 - (source-pcap.c:267) (ReceivePcapThreadInit) -- using interface eth0 [8359] 3/2/2011 -- 14:39:15 - (tm-threads.c:1429) (TmThreadWaitOnThreadInit) -- all 6 packet processing threads, 3 management threads initialized, engine started. 
[8359] 3/2/2011 -- 14:40:45 - (suricata.c:1108) (main) -- signal received [8359] 3/2/2011 -- 14:40:45 - (suricata.c:1111) (main) -- EngineStop received [8398] 3/2/2011 -- 14:40:45 - (source-pcap.c:429) (ReceivePcapThreadExitStats) -- (ReceivePcap) Packets 897, bytes 69580 [8398] 3/2/2011 -- 14:40:45 - (source-pcap.c:437) (ReceivePcapThreadExitStats) -- (ReceivePcap) Pcap Total:897 Recv:897 Drop:0 (0.0%). [8359] 3/2/2011 -- 14:40:45 - (suricata.c:1131) (main) -- all packets processed by threads, stopping engine [8359] 3/2/2011 -- 14:40:45 - (suricata.c:1138) (main) -- time elapsed 90s [8400] 3/2/2011 -- 14:40:45 - (stream-tcp.c:2679) (StreamTcpExitPrintStats) -- (Stream1) Packets 0 [8401] 3/2/2011 -- 14:40:45 - (detect.c:176) (DetectExitPrintStats) -- (Detect1) (1byte) Pkts 896, Searched 0 (0.0). [8401] 3/2/2011 -- 14:40:45 - (detect.c:179) (DetectExitPrintStats) -- (Detect1) (2byte) Pkts 896, Searched 35 (3.9). [8401] 3/2/2011 -- 14:40:45 - (detect.c:182) (DetectExitPrintStats) -- (Detect1) (3byte) Pkts 896, Searched 0 (0.0). [8401] 3/2/2011 -- 14:40:45 - (detect.c:185) (DetectExitPrintStats) -- (Detect1) (4byte) Pkts 896, Searched 67 (7.5). [8401] 3/2/2011 -- 14:40:45 - (detect.c:188) (DetectExitPrintStats) -- (Detect1) (+byte) Pkts 896, Searched 36 (4.0). [8401] 3/2/2011 -- 14:40:45 - (detect.c:192) (DetectExitPrintStats) -- (Detect1) URI (1byte) Uri's 0, Searched 0 (-nan). [8401] 3/2/2011 -- 14:40:45 - (detect.c:195) (DetectExitPrintStats) -- (Detect1) URI (2byte) Uri's 0, Searched 0 (-nan). [8401] 3/2/2011 -- 14:40:45 - (detect.c:198) (DetectExitPrintStats) -- (Detect1) URI (3byte) Uri's 0, Searched 0 (-nan). [8401] 3/2/2011 -- 14:40:45 - (detect.c:201) (DetectExitPrintStats) -- (Detect1) URI (4byte) Uri's 0, Searched 0 (-nan). [8401] 3/2/2011 -- 14:40:45 - (detect.c:204) (DetectExitPrintStats) -- (Detect1) URI (+byte) Uri's 0, Searched 0 (-nan). 
[8403] 3/2/2011 -- 14:40:45 - (alert-fastlog.c:301) (AlertFastLogExitPrintStats) -- (Outputs) Alerts 0 [8403] 3/2/2011 -- 14:40:45 - (alert-unified2-alert.c:603) (Unified2AlertThreadDeinit) -- Alert unified2 module wrote 0 alerts [8403] 3/2/2011 -- 14:40:45 - (log-httplog.c:396) (LogHttpLogExitPrintStats) -- (Outputs) HTTP requests 0 [8404] 3/2/2011 -- 14:40:45 - (flow.c:1107) (FlowManagerThread) -- 31 new flows, 0 established flows were timed out, 0 flows in closed state [8359] 3/2/2011 -- 14:40:45 - (stream-tcp.c:448) (StreamTcpFreeConfig) -- Max memuse of stream engine 15021952 (in use 0) [8359] 3/2/2011 -- 14:40:45 - (detect.c:2719) (SigAddressCleanupStage1) -- cleaning up signature grouping structure... [8359] 3/2/2011 -- 14:40:46 - (detect.c:2734) (SigAddressCleanupStage1) -- cleaning up signature grouping structure... done