EmergingThreats Main Web > RuleChanges (revision 4)

Last 50 Rule Changes

Results from Main web retrieved at 13:10 (GMT)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; content:"User-Agent|3a 20|XTC|0d ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN APT29 Implant8 MAL REFERER"; flow:established,to_server; content:"GET"; http_method; content:" bvm ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Malicious VBE Script (COVID-19 Phish 04-03-2020)"; flow:established,to_server; content:"POST"; http_method ...
alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M1"; flow:established,to_server ...
alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M2"; flow:established,to_server ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; content:"User-Agent|3a 20|XTC BOTNET ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FTCode Stealer CnC Activity"; flow:established,to_server; content:"POST"; http_method; content:"l=dj0 ...
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|XTC BOTNET|0d ...
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|XTC|0d 0a|"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FTCode Stealer Init Activity"; flow:established,to_server; content:"POST"; http_method; content:"guid ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Dridex Download URI Struct with no referer"; flow:established,to_server; content:"GET"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M2"; flow:established ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE EQO Variant CnC Activity"; flow:established,to_server; content:"POST"; http_method; content: ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M1"; flow:established ...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Suspected CHAOS CnC Inbound (getos)"; flow:established,to_client; dsize:9; content:"Z2V0b3M=|0a|"; metadata ...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Suspected CHAOS CnC Inbound (upload command)"; flow:established,to_client; dsize:9; content:"dXBsb2Fk ...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Suspected CHAOS CnC Inbound (keylogger start)"; flow:established,to_client; dsize:21; content:"a2V5bG9nZ2VyX3N0YXJ0 ...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Suspected CHAOS CnC Inbound (openurl)"; flow:established,to_client; dsize:13; content:"b3BlbnVybA==|0a ...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Suspected CHAOS CnC Inbound (download command)"; flow:established,to_client; dsize:13; content:"ZG93bmxvYWQ= ...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Suspected CHAOS CnC Inbound (persistence enable)"; flow:established,to_client; dsize:25; content:"cGVyc2lzdGVuY2VfZW5hYmxl ...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Suspected CHAOS CnC Inbound (screenshot command)"; flow:established,to_client; dsize:17; content:"c2NyZWVuc2hvdA== ...
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|Hello/"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious GET Request with Possible COVID-19 URI M2"; content:"GET"; http_method; content:"corona"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious GET Request with Possible COVID-19 URI M1"; content:"GET"; http_method; content:"covid"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious POST Request with Possible COVID-19 URI M2"; content:"POST"; http_method; content:"corona"; ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious POST Request with Possible COVID-19 URI M1"; content:"POST"; http_method; content:"covid"; nocase ...
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspected Stitch Variant Backdoor CnC"; flow:established,to_server; content:"|00 00 00 0f|stitch626hctits ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; content:"User-Agent|3a 20|Hello ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Canada Revenue Agency COVID-19 Assistance Eligability Phishing Landing 2020-04-01"; flow:established ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Canada Revenue Agency COVID-19 Assistance Eligability Phishing Landing 2020-04-01"; flow:established ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Canada Revenue Agency COVID-19 Assistance Eligability Phish 2020-04-01"; flow:established ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Linux/Agent.HX CnC Activity M1"; flow:established,to_server; flowbits:isset,ET.LinuxAgent.HX; flowbits ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Linux/Agent.HX CnC Activity (set)"; flow:established,to_server; flowbits:set,ET.LinuxAgent.HX; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Canada Revenue Agency COVID-19 Assistance Eligability (FR) Phish 2020-04-01"; flow ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET GAMES Growtopia Hack WrongGrow CnC Activity"; flow:established,to_client; content:"200"; http_stat_code; file ...
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Linux/Agent.HX CnC Activity M2"; flow:established,to_client; flowbits:isset,ET.LinuxAgent.HX; flowbits ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Mirai Variant User-Agent (Outbound)"; flow:established,to_server; content:"User-Agent|3a 20|NoIr x.86 ...
alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Covid19 Themed Email Spam Outbound M2"; flow:to_server,established; content:"coronavirus ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Willowcoin Cryptocurrency UA Observed"; flow:established,to_server; content:"User-Agent|3a 20|WillowCoin ...
alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Tofsee Unique Email Body Byte Sequence Observed"; flow:to_server,established; content:"|0d 0a 0d ...
alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Covid19 Themed Email Spam Outbound M5"; flow:to_server,established; content:"covid-19 ...
alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Covid19 Themed Email Spam Outbound M4"; flow:to_server,established; content:"corona ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Buer Loader Update Request"; flow:established,to_server; urilen:200; content:"GET"; http_method; content ...
alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Tofsee Malformed Spam Template String"; flow:to_server,established; content:"receive|20|further ...
alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Covid19 Themed Email Spam Outbound M3"; flow:to_server,established; content:"covid19 ...
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|NoIr x.86/"; http ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Observed DNS Query to Stitch C2 Domain"; content:"system0-update04driver-roots.dynamic-dns.net"; nocase; depth:44 ...
alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Tofsee Covid19 Spam Template 1 Active Outbound Email Spam"; flow:to_server,established; content ...
alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Covid19 Themed Email Spam Outbound M6"; flow:to_server,established; content:"sars-cov ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Observed DNS Query to Stitch C2 Domain"; dns_query; content:"sys-andriod20-designer.dynamic-dns.net"; nocase; depth ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Shadowcoin Cryptocurrency UA Observed"; flow:established,to_server; content:"User-Agent|3a 20|ShadowCoin ...
alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Telerik UI CVE-2019-18935 File Upload Attempt M2"; content:"GET"; http_method; content:"/Telerik ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful COVID-19 Related Phish M1"; flowbits:isset,ET.genericphish; content:"POST ...
alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Telerik UI CVE-2019-18935 File Upload Attempt M1"; flow:to_server,established; content:"POST"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; content:"User-Agent|3a 20|DVRBOT ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful COVID-19 Related Phish M2"; flowbits:isset,ET.genericphish; content:"POST ...
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|DVRBOT"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; content:"User-Agent|3a 20|iamdelta ...
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|iamdelta"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Lightspy Implant CnC"; flow:established,to_server; content:"|0d 0a 0d 0a|udid="; fast ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (Http connect)"; flow:established,to_server; content:"Http connect"; http ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed Glupteba CnC Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"myinfoart.xyz ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (xPCAP)"; flow:established,to_server; content:"xPCAP"; http_user_agent; depth ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (KtulhuBrowser)"; flow:established,to_server; content:"KtulhuBrowser"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (explorersvc)"; flow:established,to_server; content:"explorersvc"; http_user ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Cobalt Strike Malleable C2 (Magnitude EK)"; flow:established,to_server; urilen:235; content:"GET"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Cobalt Strike Malleable C2 (Meterpreter)"; flow:established,to_server; urilen:175; content:"/ucD"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY File Downloaded via ge.tt Filesharing Service"; content:"GET"; http_method; content:"/gett/"; http_uri ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Cobalt Strike Malleable C2 (OneDrive)"; flow:established,to_server; content:"GET"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Cobalt Strike Malleable C2 (Havex APT)"; flow:established,to_server; content:" "; http_cookie; offset ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY File Uploaded to ge.tt Filesharing Service"; flow:established,to_server; content:"POST"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Cobalt Strike Malleable C2 (Adobe RTMP)"; flow:established,to_server; content:"GET"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MegalodonHTTP/LuciferHTTP Client Action"; flow:established,to_server; content:"GET"; http_method; content ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Airbnb COVID-19 Phish 2020-03-26"; flow:established,to_client; flowbits:isset,ET.genericphish ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Colleagues Quarantined with COVID-19 Phish 2020-03-25"; flow:established,to_server ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Airbnb COVID-19 Phish 2020-03-25"; flow:established,to_server; flowbits:isset,ET.genericphish ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Milum CnC"; flow:established,to_server; content:"|0d 0a 0d 0a|md="; fast_pattern; content:"POST ...
alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) M2"; flow ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/n2019cov (COVID-19) Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; http_method ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed MSIL/n2019cov (COVID-19) Ransomware CnC Domain in TLS SNI"; flow:established,to_server; tls_sni ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Scam 2020-03-24"; flow:established,to_client; file_data; content:"Microsoft ...
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Linksys WRT54G Version 3.1 Command Injection Attempt"; flow:established,to_server; content:"POST"; http_method ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Common Unhidebody Function Observed in Phishing Landing"; flow:established,to_client; file_data ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful World Health Organization COVID-19 Phish 2020-03-23"; flow:established,to_server; ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls_cert_subject; content ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 8000:9000 (msg:"ET TROJAN Win32/RaaLoader CnC Activity"; flow:established,to_server; dsize:12; content:"|12 10 00 00 00 00 ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"change-password.ml"; nocase; isdataat:1,relative ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN CoreDDRAT Initial Checkin"; flow:established,to_server; content:"|41 57 2f 44 44 48 63 6b 2f|"; depth ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"0xf4a54cf56.tk"; nocase; isdataat:1,relative; ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"id451295.com"; nocase; isdataat:1,relative; metadata ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful NHS Webmail Phish 2020-03-23"; flow:established,to_server; content:"POST"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sekhmet Ransomware CnC Activity"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3b|MSIE ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN CoreDDRAT Screenshot Exfil"; flow:established,to_server; content:"|40 2f 44 44 48 63 6b 2f 2e|"; depth ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"0xf4a5.tk"; nocase; isdataat:1,relative; metadata ...
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN CoreDDRAT CnC Activity"; flow:established,to_client; dsize:18; content:"|69 6e 66 6f 2f 44 44 48 63 ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"id24556.tk"; nocase; isdataat:1,relative; metadata ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"546874.tk"; nocase; isdataat:1,relative; metadata ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN CoreDDRAT KeepAlive Message"; flow:established,to_server; content:"|74 69 6d 65 2f 44 44 48 63 6b 2f ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS UK GOV Identity Verification Phishing Landing"; flow:established,to_client; file_data; content ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"id6589.com"; nocase; isdataat:1,relative; metadata ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"yahoo-change-password.com"; nocase; isdataat:1 ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed Buer Loader CnC Domain (kkjjhhdff .site in TLS SNI)"; flow:established,to_server; tls_sni; content ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"0x4fc271.tk"; nocase; isdataat:1,relative; metadata ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful EDU Phish 2017-12-04"; flow:established,to_client; flowbits:isset,ET.eduphish; content ...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN MSIL/Modi RAT CnC Command Inbound (info)"; flow:established,from_server; dsize: Added 2020-03-24 02:58 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Mirai Variant User-Agent (Outbound)"; flow:established,to_server; content:"User-Agent|3a 20|APEP"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Spelevo VBS Payload Downloaded"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ConstructorWin32/Agent.V"; flow:to_server,established; content:"|0d 0a|Pragma|3a 20|no-catch|0d 0a|" ...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN MSIL/Modi RAT CnC Command Inbound (plugin)"; flow:established,from_server; content:"plugin|7c 7c|"; depth ...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN MSIL/Modi RAT CnC Command Inbound (aw)"; flow:established,from_server; dsize: Added 2020-03-24 02:58 ...
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|APEP"; http_header ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Patchwork.Backdoor CnC Check in M2"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN HAWKBALL CnC Activity"; flow:established,to_server; content:"GET"; http_method; content:"/?e="; depth ...
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Modi RAT CnC Checkin (DesktopPreview)"; flow:established,to_server; content:"DesktopPreview|7c 7c ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN HAWKBALL CnC Initial Request"; flow:established,to_server; content:"GET"; http_method; content:"/?t ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Patchwork.Backdoor Communicating with CnC"; flow:established,to_server; content:"POST"; http_method ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake World Health Organization COVID-19 Portal 2020-03-20"; flow:established,to_client; file ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Credit Card Information Phish 2019-08-02"; flow:established,to_server; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Microsoft Account Phish 2020-03-04"; flow:established,to_server; content:"POST"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-02-21"; flow:established,to_server; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-02-21"; flow:established,to_server; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (api .ipstack .com)"; flow:established,to_server; content:"GET"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-02-21"; flow:established,to_server; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-02-25"; flow:established,to_server; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Microsoft Office Phish 2020-02-26"; flow:established,to_server; content:"POST"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Credit Card Information Phish 2019-06-04"; flow:established,to_server; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Credit Card Information Phish 2019-11-04"; flow:established,to_server; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-02-21"; flow:established,to_server; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Facebook Phish 2019-04-12"; flow:established,to_server; content:"POST"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Mailbox Phish 2019-03-07"; flow:established,to_server; content:"POST"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Facebook Phish 2019-08-29"; flow:established,to_server; content:"POST"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-02-21"; flow:established,to_server; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Personalized Phish 2019-03-11"; flow:established,to_server; content:"POST ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Facebook Phish 2019-08-29"; flow:established,to_server; content:"POST"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Interac Phish 2019-05-15"; flow:established,to_server; content:"POST"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Facebook Phish 2019-04-26"; flow:established,to_server; content:"POST"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Microsoft Account Phish 2019-11-06"; flow:established,to_server; content:"POST"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful DHL Phish 2019-10-18"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Phish 2019-12-18"; flow:established,to_server; content:"POST"; http_method; ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Generic Personalized Phish 2019-02-13"; flow:from_server,established; content:"302 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-02-21"; flow:established,to_server; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Facebook Phish 2020-01-10"; flow:established,to_server; content:"POST"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Credit Card Information Phish 2020-01-27"; flow:established,to_server; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Microsoft Account Phish 2019-01-29"; flow:established,to_server; content:"POST"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Mailbox Update Phish 2016-02-17"; flow:to_server,established; content:"POST"; http ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful DHL Phish (Meta HTTP-Equiv Refresh) 2017-02-08"; flow:from_server,established; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful DHL Account Phish 2015-11-03"; flow:to_server,established; content:"POST"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic 000webhostapp.com Phish 2017-10-27"; flow:to_server,established; flowbits ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Facebook Mobile Phish 2017-08-15"; flow:to_server,established; content:"POST"; http ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful DHL Phish 2015-09-14"; flow:established,to_client; file_data; content:"DHL|20 7c 20 ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Generic Phish (302) 2016-12-16"; flow:from_server,established; flowbits:isset,ET.genericphish ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish Aug 31 2015"; flow:to_server,established; content:"POST"; http ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Office Phishing Landing 2016-12-18"; flow:to_client,established; content:"200"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Facebook Phish 2018-01-26"; flow:established,to_server; flowbits:isset,ET.genericphish ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Generic Phish Fake Loading Page 2017-08-03"; flow:from_server,established; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Personalized Phish 2018-09-27 M2"; flow:established,to_server; flowbits:isset ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Generic .EDU Phish Aug 17 2017"; flow:from_server,established; flowbits:isset,ET.genericphish ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful OX App Suite Phish 2017-10-12"; flow:to_server,established; content:"POST"; http_method ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Fedex/DHL Phish 2018-10-22"; flow:established,from_server; flowbits:isset,ET.Fedex ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls_cert_subject; content:"CN=static ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Terse POST to Wordpress Folder Probable Successful Phishing M2"; flow:to_server,established ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SEB Reporting Network Info"; flow:established,to_server; content:"POST"; http_method; content:".php" ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls_cert_subject; content:"CN=dysoool ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Adwind/jSocket SSL Cert (assylias.Inc)"; flow:established,from_server; content:"|0b|"; content ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls_cert_subject; content:"CN=clietns ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SEB Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php?logins="; http_uri ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls_cert_subject; content:"CN=get ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SEB Keep Alive"; flow:established,to_server; content:"POST"; http_method; content:".php?logins="; http ...
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Polaris Botnet User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|polaris|0d 0a|"; ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PTsecurity MZRevenge Ransomware Server Response"; flow:established,to_client; http_content_type; ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MZRevenge Ransomware CnC"; flow:established,to_server; content:"POST"; http_method; content:".php"; isdataat ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspected Malicious Telegram Communication (POST)"; flow:established,to_server; content:"|0d 0a|Accept ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Polaris Botnet User-Agent (Outbound)"; flow:established,to_server; content:"User-Agent|3a 20|polaris ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/SandCat CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Win32/SandCat CnC)"; flow:established,to_client; tls_cert_subject; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Unk.Joia CnC Activity"; flow:established,to_server; content:".php|20|HTTP/1.0|0d 0a|Host|3a 20 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Higaisa CnC Activity"; flow:established,to_server; content:"GET"; http_method; content:".php"; http_uri ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls_cert_subject; content ...
alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS .dyn-ip24 .de Domain"; dns_query; content:".dyn-ip24.de"; nocase; isdataat:1,relative; metadata ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MultiInstaller"; flow:established,to_server; content:"GET"; http_method; content:"?s1="; http_uri; ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TeamBot CnC Activity"; flow:established,to_server; content:"GET"; http_method; content:"?gate=hwid=" ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible ethereum traffic"; flow:established,to_server; content:"POST"; depth:4; content:"|22|id|22 3a ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SPEAR CnC Beacon 2"; flow:to_server,established; content:"GET"; http_method; content:"?wd="; http_uri ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN U3D7V0 Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/getc"; http_uri ...
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN HTTPTool User-Agent"; flow:established,to_server; content:"User-Agent|3a 20|HTTPTool/"; http ...
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX OceanLotus Checkin"; flow:established,to_server; content:"|41 61 54 03|"; offset:1; depth:4; fast ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SA Banker Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?role="; fast ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Backdoor.Randrew.A CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Curso Banker.BR Checkin"; flow:established,to_server; content:".asp?m="; http_uri; fast_pattern; pcre ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SPEAR CnC Beacon"; flow:to_server,established; content:"GET"; http_method; content:".asp?"; http_uri ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP Win32/ELEX Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/v"; depth ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible CVE-2020-8518 (Horde Groupware RCE)"; flow:established,to_server; content:"POST" ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Suspected Android Youzicheng Proxy Activity"; flow:established,to_server; urilen:17; content ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN MiniDuke CnC Beacon (string2 slide 2 2)"; flow:established,to_server; content:"A"; content:"z"; within ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application SELECT FROM SQL Injection Attempt"; flow ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Curso Banker Downloading Modules"; flow:to_server,established; content:"GET"; http_method; content:" ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Observed DNS Query to Vicious Panda CnC Domain"; dns_query; content:"wind.windmilldrops.com"; nocase; depth:22; ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application INSERT INTO SQL Injection Attempt"; flow ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ironhalo CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".php"; http_uri ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN MiniDuke CnC Beacon (string2 slide 3 1)"; flow:established,to_server; content:"AMzRmWj"; content:"d"; within ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress wp-admin/admin.php Module Configuration Security Bypass Attempt"; flow:established ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Observed DNS Query to Vicious Panda CnC Domain"; dns_query; content:"compdate.my03.com"; nocase; depth:17; isdataat ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Observed DNS Query to Vicious Panda CnC Domain"; dns_query; content:"jocoly.esvnpe.com"; nocase; depth:17; isdataat ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application UNTION SELECT SQL Injection Attempt"; flow ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SERVER SHOW CHARACTER SET SQL Injection Attempt in URI`; flow:established,to server; content:`SHOW` ...
alert dns $HOME NET any any any (msg:`ET TROJAN Observed DNS Query to Vicious Panda CnC Domain`; dns query; content:`bur.vueleslie.com`; nocase; depth:17; isdataat ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET POLICY QQ Browser WUP Request qbpcstatf.stat`; flow:established,to server; content:`POST`; http method; content ...
alert dns $HOME NET any any any (msg:`ET TROJAN Observed DNS Query to Vicious Panda CnC Domain`; dns query; content:`feb.kkooppt.com`; nocase; depth:15; isdataat ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SERVER LANDesk Command Injection Attempt`; flow:established,to server; content:`POST`; http method; ...
alert dns $HOME NET any any any (msg:`ET TROJAN Observed DNS Query to Vicious Panda CnC Domain`; dns query; content:`bmy.hqoohoa.com`; nocase; depth:15; isdataat ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SERVER Possible HP OpenView Network Node Manager ovalarm.exe CGI Buffer Overflow Attempt`; flow:established ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET POLICY QQ Browser WUP Request qbkpireportbakf.stat`; flow:established,to server; content:`POST`; http method ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SPECIFIC APPS Possible Achievo userid Variable DELETE FROM SQL Injection Attempt`; flow:established ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SPECIFIC APPS Possible Achievo userid Variable INSERT INTO SQL Injection Attempt`; flow:established ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET WEB SERVER Possible Cisco Adaptive Security Appliance Web VPN FTP or CIFS Authentication Form Phishing Attempt ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SPECIFIC APPS Possible Zenoss Network Monitoring Application INTO OUTFILE SQL Injection Attempt`; flow ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Suspected SandCat Related Communication (POST)`; flow:established,to server; content:`POST`; http method ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SPECIFIC APPS Joomla Component com banners banners.class.php Remote File inclusion Attempt`; flow:to ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SPECIFIC APPS Potential Wordpress local file disclosure vulnerability`; flow:established,to server; ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET MOBILE MALWARE Android Trojan Command and Control Communication`; flow:established,to server; content:`POST ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET EXPLOIT Zoho ManageEngine Desktop Central RCE Inbound (CVE 2020 10189)`; flow:established,to server; content ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET EXPLOIT Zyxel NAS RCE Attempt Inbound (CVE 2020 9054) M2`; flow:established,to server; content:`POST`; http ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET EXPLOIT Zyxel NAS RCE Attempt Inbound (CVE 2020 9054) M1`; flow:established,to server; content:`GET`; http method ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET MOBILE MALWARE Suspected SandCat Related CnC`; flow:established,to server; content:`POST`; http method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PXJ Ransomware CnC Activity"; flow:established,to_server; content:"GET"; http_method; content:"/do.php ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (ipify .org)"; flow:established,to_server; content:"/?format="; depth:9; http_uri ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SubmitToTDWTF.asmx DailyWTF Potential Source Code Leakage"; flow:established,to_server; content:"/SubmitWTF ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability"; flow:established,to_server; ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SiteloomCMS mailform_1 variable Cross Site Scripting Attempt"; flow:established,to_server ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Fusion mguser fotoalbum album_id Parameter DELETE FROM SQL Injection Attempt"; flow ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls_cert_subject; content ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls_cert_subject; content ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls_cert_subject; content ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls_cert_subject; content ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls_cert_subject; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Cridex Post to CnC"; flow:established,to_server; content:"POST"; http_method; content:"|0d 0a 0d 0a de ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MonetizeUs Outbound Activity Observed M1"; flow:established,to_server; content:"GET"; http_method; ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zabbix popup.php SELECT FROM SQL Injection Vulnerability"; flow:established,to_server ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MonetizeUs Outbound Activity Observed M2"; flow:established,to_server; content:"GET"; http_method; ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ViperSoftX CnC Activity M2"; flow:established,to_server; content:"x-header|3a 20|viperSoftx"; http_header ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS High Orbit Ion Cannon (HOIC) Attack Inbound Generic Detection Double Spaced UA"; flow:established,to_server ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible FakeAV Binary Download (Security)"; flow:established,to_client; content:"filename=|22|"; nocase ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ViperSoftX CnC Activity M1"; flow:established,to_server; content:"User-Agent|3a 20|viperSoftx"; http ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack JAR Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a|inline ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Generic 8Char.JAR Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a 20|inline ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS TDS Sutra cookie is set RULEZ"; flow:established,to_server; content:"sutraRULEZcookiessupport ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TDS Sutra cookie set RULEZ"; flow:established,from_server; content:"sutraRULEZcookiessupport ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Apache mod_proxy Reverse Proxy Exposure 2"; flow:established,to_server; content:"|3a|@"; http_uri; ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN MSIL/Firebird RAT CnC Checkin"; flow:established,to_server; dsize: ... Added 2020-03-12 00:25:49 UTC
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible ZOHO ManageEngine ADSelfService Captcha Bypass Attempt"; flow:established,to_server ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN libwww-perl GET to // with specific HTTP header ordering without libwww-perl User-Agent"; flow:established ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla component Simple File Lister sflDir Parameter directory traversal attempt"; flow ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter INSERT INTO SQL Injection Vulnerability"; flow:established ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iBrowser Plugin dir Parameter Cross Site Scripting Attempt 1"; flow:established,to_server ...
alert dns any any -> $HOME_NET any (msg:"ET TROJAN MalDoc Retrieving msiexec Commands via DNS TXT"; content:"|00 01 00 01 00 00 00 00|"; offset:4; depth:8; content ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Fake10086 checkin 1"; flow:established,to_server; content:"POST"; http_method ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eyeOS file Parameter Local File Inclusion Attempt"; flow:established,to_server; content ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls_cert_subject; content ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls_cert_subject; content ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls_cert_subject; content ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls_cert_subject; content ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MonetizUs/LNKR)"; flow:from_server,established; tls_cert_subject; content ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MonetizeUs Outbound Activity Observed M2"; flow:established,to_server; content:"GET"; http_method; ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MonetizUs/LNKR)"; flow:from_server,established; tls_cert_subject; content ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MonetizeUs Outbound Activity Observed M1"; flow:established,to_server; content:"GET"; http_method; ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS joomla com_edir controller parameter Local File Inclusion vulnerability"; flow:established ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible JBoss/JMX InvokerServlet RCE Using Marshalled Object"; flow:established,to_server ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Generic IOT Downloader Malware in GET (Inbound)"; flow:established,to_server; content:"GET"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Generic IOT Downloader Malware in GET (Outbound)"; flow:established,to_server; content:"GET"; http_method ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Observed JS/Skimmer (likely Magecart) CnC Domain in DNS Lookup"; dns_query; content:"imprintcenter.com"; nocase ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN BlackTech ELF/TSCookie CnC Observed in DNS Query"; dns_query; content:"cybermon.fortigatecloud.com"; nocase; depth ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Mattermost API Usage"; flow:established,to_server; content:"GET"; http_method; content:"/api/v4/teams ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed JS/Skimmer (likely Magecart) Domain (imprintcenter .com in TLS SNI)"; flow:established,to_server ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MalDoc 2020-03-09)"; flow:established,to_client; tls_cert_subject; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin"; flow:established,to_server; content:"GET"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SmokeLoader Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/LODEINFO CnC Checkin"; flow:established,to_server; urilen:1; content:"POST"; http_method; content ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible JBoss/JMX EJBInvokerServlet RCE Using Marshalled Object"; flow:established,to ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Inbound MonetizeUs/LNKR Struct"; flow:established,from_server; content:"200"; http_stat_code; file_data ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/COOKIEBAG Cookie APT1 Related"; flow:established,to_server; http_start; content:"|0a|Cookie|3a ...
alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Magento XMLRPC Exploit Attempt"; flow:established,to_server; content:"POST"; nocase; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Pakes2 EXE Download Request"; flow:established,to_server; urilen: ... Added 2020-03-09 21:02:07 UTC ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Alina Server Response Code"; flow: established,from_server; http_response_line; content:" 666 OK"; fast ...
alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type SYMBOL"; flow:established,to_server; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS GrandSoft PDF Payload Download"; flow:established,to_server; content:"GET"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlimKit Post Exploit Payload Download"; flow:to_server,established; urilen:17; content:"POST ...
alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type YAML"; flow:established,to_server; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN APT NGO wuaclt"; flow:to_server,established; content:"/pics/"; http_uri; content:".asp?id="; http_uri ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MoinMoin twikidraw Action Traversal File Upload"; flow:to_server,established; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Variant.Kazy.174106 Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?T ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Redyms.A Checkin"; flow:to_server,established; content:"POST"; http_method; content:".php"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Potential Internet Explorer Use After Free CVE-2013-3163 Exploit URI Struct 1"; flow:established,to ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kimsuky Related Host Data Exfil"; flow:established,to_server; content:" p1 "; http_raw_uri; content: ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Agent.myttae User-Agent"; flow:established,to_server; content:"User-Agent|3a 20|Gdog|0d ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Legion Loader Activity Observed (heil moloch)"; flow:established,to_server; content:"User-Agent|3a 20| ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Bisonal CnC Checkin"; flow:established,to_server; content:".txt"; http_uri; content:"User-Agent ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Banking Trojan HTTP Cookie"; flow:established,to_server; content:"tcpopunder"; http_cookie; fast_pattern ...
alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET TROJAN Common Upatre URI/Headers Struct"; flow:established,to_server; urilen: ... Added 2020-03-06 18:55:21 UTC ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dridex POST CnC Beacon 2"; flow:established,to_server; urilen:1; content:"POST"; http_method; pcre:" ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Snake rootkit usermode centric client request"; flow:to_server,established; content:"/1/6b 558694705129b01c0 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MWI Maldoc Stats Callout Oct 28"; flow:established,to_server; content:"/pict."; http_uri; fast_pattern ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Onion2Web Tor Proxy Cookie"; flow:established,to_server; content:"onion2web confirmed "; http_cookie ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Ursnif Checkin"; flow:established,to_server; content:"POST"; http_method; content:"|0d 0a|Content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible APT30 or Win32/Nuclear HTTP Framework POST"; flow:established,to_server; content:"POST"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible MSXMLHTTP Request (no .exe)"; flow:to_server,established; content:!".exe"; nocase; http_uri; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Nivdort Posting Data 2"; flow:established,to_server; content:"POST"; http_method; content:".php ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potentially Unwanted Application AirInstaller"; flow:to_server,established; urilen: 31; content:"GET ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Stobox Connectivity Check"; flow:established,to_server; content:"/windowsupdate/v6/thanks.aspx?ln=en ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PSEmpire Checkin via POST"; flow:to_server,established; urilen:14; content:"POST"; http_method; content ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Cohhoc RAT CnC Response"; flow:established,from_server; content:"Content-Length|3a 20|64|0d 0a|"; http ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dridex Post Checkin Activity 2"; flow:established,to_server; urilen:20<>100; content:!"Referer|3a|"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FOX-SRT Backdoor CryptoPHP Shell C2 POST"; flow:established,to_server; content:"POST"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Chroject.B Retrieving encoded payload"; flow:to_server,established; content:"GET"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Pegasus CnC Beacon"; flow:to_server,established; content:"POST"; http_method; ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kimsuky Realted Host Data Exfil"; flow:established,to_server; content:" p1 "; http_raw_uri; pcre:"/^ ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Magniber Ransomware CnC Domain in DNS Lookup"; dns_query; content:".boyput.site"; nocase; isdataat:1,relative; reference ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kazuar CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:!"Accept"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Red Leaves HTTP CnC Beacon (APT10 implant)"; flow:established,to_server; content:"POST"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Polaris Botnet User-Agent (Outbound)"; flow:established,to_server; content:"User-Agent|3a 20|polaris ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Magniber Ransomware Retrieving Instructions"; flow:established,to_client; content:"200"; http_stat_code ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Magniber Ransomware CnC Domain in DNS Lookup"; dns_query; content:".byteson.space"; nocase; isdataat:1,relative ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Turla Carbon Paper CnC Beacon (Fake User-Agent)"; flow:established,to_server; content:"GET" ...
alert http $HOME_NET any -> $EXTERNAL_NET 443,7080,8080 (msg:"ET TROJAN W32/Emotet CnC Beacon 1"; flow:established,to_server; urilen:1; content:"GET"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kimsuky Related Host Data Exfil"; flow:established,to_server; content:"GET"; http_method; content:"/wp ...
alert http $HOME_NET any -> $EXTERNAL_NET 443,7080,8080 (msg:"ET TROJAN W32/Emotet CnC Beacon 2"; flow:established,to_server; urilen:1; content:"GET"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET 7080,8080,443 (msg:"ET TROJAN W32.Geodo/Emotet Checkin"; flow:established,to_server; content:"GET"; http_method; urilen ...
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Polaris Botnet User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|polaris botnet"; ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Runsome Ransomware CnC Checkin"; flow:established,to_server; content:".php?name="; http_uri; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/OzazaLocker Ransomware CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Quant Loader Download Request"; flow:to_server,established; content:"GET"; http_method; content:"/index ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK EITest Sep 02 M2"; flow:established,to_server; urilen ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Apr 4"; flow:to_client,established; content:"200"; http_stat_code; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD IE Flash request to set non standard filename (some overlap with 2021752 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Pottieq.A Check in"; flow:established,to_server; content:"POST"; http_method; content:"pc="; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN IrcBot Downloading .old"; flow:established,to_server; http_start; content:".old|20|HTTP/1.1|0d 0a|Host ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Known Malicious Doc Downloading Payload Dec 06 2016"; flow:to_server,established; urilen: ... Added 2020 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FOX-SRT ShimRat check in (Yuok)"; flow:established,to_server; content:"POST"; http_method; content:" ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (dll generic custom headers)"; flow:established,to ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (userdir dotted quad)"; flow:established,to_server ...
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT NETGEAR WNR2000v5 hidden_lang_avi Stack Overflow (CVE-2016-10174)"; flow:to_server,established; content:"/lang ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (exe generic custom headers)"; flow:established,to ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Adware.Adposhel.A Checkin 4"; flow:established,to_server; content:"a="; depth:2; http_client_body ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FOX-SRT ShimRat check in (Data)"; flow:established,to_server; content:"POST"; http_method; content:" ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Pony DLL Download"; flow:established,to_server; content:"/pm"; http_uri; pcre:"/^\d ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Suspicious Proxifier DL (non browser observed in maldoc campaigns)"; flow:established,to_server ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Equation Group EGREGIOUSBLUNDER Fortigate Exploit Attempt"; flow:established,to_server; urilen:6; content ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FireEye Detection Evasion attempt Inbound"; flow:to_server,established; content:"%"; http_raw_uri ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Keitaro TDS Redirect"; flow:established,from_server; content:"302"; http_stat_code; ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WeBaCoo Web Backdoor Detected"; flow:to_server,established; content:"GET"; http_method; content: ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Andromeda Download"; flow:from_server,established; flowbits:isset,ET.andromeda; content:"200"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/Torte Downloading Binary"; flow:established,to_server; urilen:8; content:"/crond"; http_uri; fast ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Quant Loader Download Request"; flow:to_server,established; content:"GET"; http_method; content:".php ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hancitor/Tordal Document Request"; flow:established,to_server; content:"GET"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Bingo EK Payload Download"; flow:established,to_server; urilen:116; content:"/?"; depth:2; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Outdated Flash Version M2"; flow:established,to_server; content:"X-Requested-With|3a 20|ShockwaveFlash ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Maldoc Downloader Aug 18 2017"; flow:established,to_server; content:"/s.php?id="; http_uri; ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Locky VB/JS Loader Download Sep 08 2017"; flow:established,from_server; file_data; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RIG EK URI Struct Jun 13 2017"; flow:established,to_server; urilen: 90; content:"/?"; http_uri ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl"; flow:to_server,established; content ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Unknown CnC"; flow:to_server,established; content:"POST"; http_method; urilen:7; content:"tinba/"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LoadMoney Adware Activity"; flow:to_server,established; content:"POST"; http_method; content: ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Bitshifter Ransomware CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Possible BeEF HTTP Headers Inbound"; flow:established,from_server; content:"Content-Type|3a ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Lucifer Loader Requesting Payload"; flow:established,to_server; urilen:15; content:"/demonsgate.php" ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Nemucod JS Downloader June 12 2017"; flow:established,to_server; pcre:"/\/[A-Za-z0-9]{5,7}\? ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Jaff Ransomware Checkin M1"; flow:to_server,established; urilen:4; http_header_names; content:"|0d 0a ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Spelevo EK Post Compromise Data Dump"; flow:to_server,established; content:"POST"; http_method ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE Downloaded from Github"; flow:established,to_client; content:"200"; http_stat_code; http_header_names ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MageCart)"; flow:from_server,established; tls_cert_subject; content:"CN=sucuritester ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (easyhttp client)"; flow:established,to_server; content:"easyhttp client ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Baldr Stealer Checkin M2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MageCart)"; flow:from_server,established; tls_cert_subject; content:"CN=reportgns ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Router EK Landing Page Inbound 2019-05-24"; flow:established,from_server; content:"200 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (avast .com)"; flow:established,to_server; content:"GET"; http_method; content:"ip ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CROSSWALK CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/QUERY/"; http ...
alert http $EXTERNAL_NET any -> any any (msg:"ET INFO Generic IOT Downloader Malware in POST (Inbound)"; flow:established,to_server; content:"POST"; http_method; content ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed External IP Lookup SSL Cert"; flow:from_server,established; tls_cert_subject; content:".iplocation ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SharpExec EXE Lateral Movement Tool Downloaded"; flow:established,to_client; file_data; content:"MZ ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Generic IOT Downloader Malware in POST (Outbound)"; flow:established,to_server; content:"POST"; http_method ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls_cert_subject; content:"CN=into ...
alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DNN DNNPersonalization Cookie RCE Attempt (CVE-2017-9822)"; flow:established,to_server; content ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Plugin Pie Register SQL Injection"; flow:established,to_server; content:"/wp ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan Dropper.Delf Checkin"; flow:established,to_server; content:"/autoupdate/versaoatual.txt"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Nemucod JS Downloader Aug 01 2017"; flow:established,to_server; pcre:"/\/[A-Za-z0-9]{5,9}\? ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PTsecurity Tinba (Banking Trojan) Check in"; flow:established,to_server; content:"Mozilla/5.0 (compatible ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Locky CnC Checkin"; flow:to_server,established; urilen:14; content:"POST"; http_method; content:"/imageload ...
alert http any any -> $HOME_NET 5984 (msg:"ET EXPLOIT Apache CouchDB JSON Remote Privesc Attempt (CVE-2017-12635)"; flow:established,to_server,only_stream; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN YordanyanActiveAgent CnC Reporting"; flow:established,to_server; content:"GET"; http_method; content ...
alert http any any -> $HOME_NET 5984 (msg:"ET EXPLOIT Apache CouchDB JSON Remote Privesc Attempt (CVE-2017-12636)"; flow: established,to_server,only_stream; urilen ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible CVE-2013-2618 Attempt (PHP Weathermap Persistent XSS)"; flow:established,to_server ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE C2P.Qdc Ransomware CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN PTsecurity Win32/SocStealer.Socelars C2 Response"; flow:established,to_client; content:"200"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check (rl. ammyy. com)"; flow:to_server,established; urilen:1; content:"rl.ammyy.com"; http_host; ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Wordpress Redirect Possible Phishing Landing Jan 7 2016"; flow:to_client,established ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Google Chrome XSS (CVE-2017-5124)"; flow:from_server,established; content:"Content-Type|3a 20|multipart ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/OceanLotus.D Requesting Commands from CnC"; flow:established,to_server; content:"GET"; http_method ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET MOBILE MALWARE Trojan Banker.AndroidOS.RedAlert CnC Beacon`; flow:to server,established; content:`POST`; http ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Trickbot Payload Request`; flow:to server,established; content:`GET`; http method; pcre:`/^\/(?:kas ser ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Powershell commands sent when remote host claims to send an image `; flow:established,from server; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS RIG EK URI Struct Mar 13 2017 M2`; flow:established,to server; urilen: 90; content:`QMvXcJ`; ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SPECIFIC APPS GitList Argument Injection`; flow:established,to server; content:`query open files in ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Spora Ransomware Checkin`; flow:to server,established; content:`POST`; http method; content:` XDATABASE64ENCRYPTED ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Possible Pony Payload DL`; flow:established,to server; content:`/inst.exe`; http uri; fast pattern; isdataat ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Trojan.Kwampirs Outbound GET request`; flow:to server,established; urilen: 21; content:`GET`; http method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN APT28 Uploader Variant CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WSF/JS Downloader Jan 30 2017 M1"; flow:to_server,established; urilen: 65; content:"/counter/?"; fast ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017"; flow:established,to_server; urilen: 90; content:"oq "; http_uri ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Locky CnC Checkin Dec 5 M1"; flow:to_server,established; urilen:12; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO IE7UA No Cookie No Referer"; flow:to_server,established; content:"User-Agent|3a 20|Mozilla/4.0 (compatible ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FETCH CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".aspx?n "; http_uri ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed GoBotKR Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"higamebit.com"; depth ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed GoBotKR Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"helloking.site"; depth ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed GoBotKR Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"bitgamego.com"; depth ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed Magecart Domain (webscriptly .com in TLS SNI)"; flow:established,to_server; tls_sni; content ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed GoBotKR Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"jtbcsupport.site"; ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed GoBotKR Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"kingdomain.site"; depth ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Magecart CnC Domain in DNS Lookup"; dns_query; content:"webscriptly.com"; nocase; depth:15; isdataat:1,relative ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FOX-SRT Backdoor CryptoPHP Shell C2 POST (fsockopen)"; flow:established,to_server; content:"POST ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (SmokeLoader CnC)"; flow:from_server,established; tls_cert_subject; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OHT AnunakAPT HTTP Checkin 1"; flow:established,to_server; content:"GET"; http_method; urilen: 100 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Tinba Checkin"; flow:established,to_server; content:"POST"; http_method; content:"|0d 0a 0d 0a|"; content ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (SmokeLoader CnC)"; flow:from_server,established; tls_cert_subject; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Zbot POST Request to C2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http ...
#alert http $HOME_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT SolusVM WHMCS CURL Multi part Boundary Issue"; flow:established,to_server; content:"POST"; http_method ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET TROJAN China Chopper Command Struct"; flow:to_server,established; content:"POST"; nocase; http_method; content ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN BlackTech ELF/TSCookie CnC Observed in DNS Query"; dns_query; content:"app.dynamicrosoft.com"; nocase; isdataat ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (SmokeLoader CnC)"; flow:from_server,established; tls_cert_subject; content ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN BlackTech ELF/TSCookie CnC Observed in DNS Query"; dns_query; content:"home.mwbsys.org"; nocase; isdataat:1,relative ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls_cert_subject; content:"CN=rdmsom ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32/Dervec.gen Connectivity Check to Google"; flow:established,to_server; content:"HOST|3a ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1"; flow:established,to_server; content:"POST ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Onliner Receiving Commands from CnC"; flow:established,from_server; content:"200"; http_stat_code ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Elise CnC Beacon 3 M2"; flow:to_server,established; content:"GET"; http_method; content:".html ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (\xa4)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a 20 a4 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible APT28 Xtunnel Activity"; flow:established,to_server; content:"GET"; http_method; content:"Mozilla ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dridex Post Check in Activity"; flow:established,to_server; content:"POST"; http_method; content:"Mozilla ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MalDoc Retrieving Possible Ostap Payload"; flow:established,to_server; content:"GET"; http_method; content ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible Attempted Microsoft Exchange RCE (CVE-2020-0688)"; flow:established,to_server; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Qbot/Quakbot Downloader Requesting Secondary Download"; flow:established,to_server; content: ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Jaff Ransomware Checkin"; flow:to_server,established; content:"GET"; http_method; content:"fkksjobnn43 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RIG EK URI Struct Feb 26 2017"; flow:established,to_server; urilen: 90; content:"oq "; http_uri ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Bit.do Shortened Link Request to EXE"; flow:established,to_client; flowbits:isset,ET.bit.do.shortener; ...
alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Baraka Ransomware CnC activity email SMTP"; flow:established,to_server; content:"|0d 0a 0d 0a|info / ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Bit.do Shortened Link Request (set)"; flow:established,to_server; content:"GET"; http_method; content: ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WS/JS Downloader Mar 07 2017 M2"; flow:established,to_server; content:"/counter/?"; http_uri; fast_pattern ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ponmocup HTTP Request (generic) M5"; flow:established,to_server; content:" "; http_cookie; pcre:"/^[a ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible Psiphon Proxy Tool traffic"; flow:established,to_server; urilen:1; content:"POST"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Enigma Locker Checkin"; flow:to_server,established; urilen:8; content:"GET"; http_method; content:"/get ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ponmocup HTTP Request (generic) M3"; flow:established,to_server; content:" "; http_cookie; pcre:"/^[a ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JS/Nemucod requesting EXE payload 2016 02 06"; flow:established,to_server; content:".vbn"; http_uri; ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ponmocup HTTP Request (generic) M8"; flow:established,to_server; content:" "; http_cookie; pcre:"/^[a ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a Checkin"; flow:to_server,established; content:"POST"; http ...
alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Possible Darkleech C2"; flow:established,to_server; content:"/blog/?"; http_uri; depth:7; fast ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ponmocup HTTP Request (generic) M9"; flow:established,to_server; content:" "; http_cookie; pcre:"/^[a ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN abdullkarem Wordpress PHP Scanner"; flow:established,to_server; content:"GET"; http_method; content:".php ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ponmocup HTTP Request (generic) M2"; flow:established,to_server; content:" "; http_cookie; pcre:"/^[a ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ponmocup HTTP Request (generic) M4"; flow:established,to_server; content:" "; http_cookie; pcre:"/^[a ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ponmocup HTTP Request (generic) M7"; flow:established,to_server; content:" "; http_cookie; pcre:"/^[a ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ponmocup HTTP Request (generic) M1"; flow:established,to_server; content:" "; http_cookie; pcre:"/^[a ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sharik/Smoke CnC Beacon 3"; flow:established,to_server; urilen:1; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ponmocup HTTP Request (generic) M6"; flow:established,to_server; content:" "; http_cookie; pcre:"/^[a ...
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Unknown Router Remote DNS Change Attempt"; flow:established,to_server; urilen:10; content:"POST"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Moose CnC Request M2"; flow:to_server,established; urilen:1; content:"GET"; http_method; content:"PHPSESSID ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (VB OpenUrl)"; flow:to_server,established; content:"VB OpenUrl"; http_user ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ads2Srv Bundle Installer Offer Request"; flow:established,to_server; content:"GET"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE YoutubeDownloaderGuru.A Variant CnC Activity"; flow:established,to_server; content:"GET"; http_method ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed Ursnif Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"atooioplap.xyz"; depth ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/YTDDownloader.F Variant CnC Activity"; flow:established,to_server; content:"GET"; http_method ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed Ursnif Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"atooioplapatooioplap ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Dec 22 2014 Search"; flow:established,to_server; content:"/search ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS VBScript Driveby Related TDS MAR 31 2015"; flow:established,to_server; content:"/content/getvbslink ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Spartan EK Secondary Flash Exploit DL"; flow:established,from_server; content:"|43 6f 6e 74 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PTsecurity MSIL/Biskvit.A Check in"; flow:established,to_server; urilen:15; content:"POST"; http_method ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Jan 27 2015 M1"; flow:established,from_server; content:"Server|3a ...
#alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET CURRENT_EVENTS Sweet Orange EK Flash Exploit IE March 03 2015"; flow:established,to_server; urilen: 12; content ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil JS iframe Embedded In GIF"; flow:established,from_server; file_data; content:"GIF89a " ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN GoLang Discord Token Grabber Exfil"; flow:established,to_server; content:"GET"; http_method; content ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible IE MSMXL Detection of Local DLL (Likely Malicious)"; flow:established,from_server; ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Magnitude CVE-2015-3113 Jun 29 2015 M1"; flow:established,to_server; urilen:10; content:"/video ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible IE MSMXL Detection of Local SYS (Likely Malicious)"; flow:established,from_server; ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Probable malicious download from e-mail link /1.php"; flow:established,to_server; content:"GET ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Dec 22 2014 Video"; flow:established,to_server; content:"/video ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JS/Ostap Maldoc Check in"; flow:established,to_server; content:"GET"; http_method; content:".php?g " ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Legion Loader Activity Observed (heil satan)"; flow:established,to_server; content:"User-Agent|3a 20 ...
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoinMiner Malicious Authline Seen in JAR Backdoor"; flow:established,to_server; content:"{|22 ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Landing URI Struct March 6 2015"; flow:established,to_server; urilen: 40; content ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious Doc Downloading EXE"; flow:established,from_server; flowbits:isset,ET.MalDocEXEPrimer ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Enom Phish Mar 08 2016"; flow:to_server,established; content:"POST"; http_method ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Cushion Redirection URI Struct Mon Jan 05 2015"; flow:established,to_server; urilen:13; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY OnePlus phone data leakage"; flow:to_server,established; content:"POST"; http_method; content:"/cloud ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS KaiXin Secondary Landing Page"; flow:to_server,established; content:"/main.html"; http_uri; ...
#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 3"; flow:established,to_client; file_data; content ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Portal TDS Kit GET"; flow:established,to_server; content:"GET"; nocase; http_method ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Zuponcic Hostile Jar"; flow:established,to_server; content:"Host|3a 20|"; http_header; content ...
#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BHEK q.php iframe outbound"; flow:established,to_client; file_data; content:"/q.php"; fast ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct b64 3 (Observed in Archie EK)"; flow ...
#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 1"; flow:established,to_client; file_data; content ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Redirect Sept 18 2014"; flow:established,to_server; content:".php?ds "; http_uri ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP __applet_ssv_validated in Base64 2"; flow:established,to_client; file ...
#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET CURRENT_EVENTS Possible Inbound SNMP Router DoS (TTL 1)"; byte_jump:1,6; content:"|a3|"; within:1; content: ...
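A listing like the one above is easier to review in bulk than by eye: which ET categories the changes fall in, which rules ship disabled (leading `#`), which direction each rule watches relative to `$HOME_NET`, and which CVEs are referenced. The script below is an added example written for this page; it is not Emerging Threats code and not part of the ET rule set. It parses Suricata rule lines of the form shown on this page into a small record and aggregates them. The sample input is five rules copied from this listing with the rule syntax restored and the page's `...` truncation kept, so the parser has to cope with an option block that never closes; the `RuleRecord` fields, `classify_direction()` and `summarize()` are this example's own names, not anything from the ET tooling.

```python
"""Triage an Emerging Threats rule-change listing (added example, not ET code).

Parses (possibly truncated) Suricata rule lines into records and aggregates
them by ET category, enabled/disabled state, traffic direction and CVE.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Rule header: optional "#" (rule shipped disabled), action, protocol,
# source, source port, direction operator, destination, destination port,
# then the "(" that opens the option block. The option block itself may be
# cut off, so nothing after "(" is required.
HEADER_RE = re.compile(
    r"^(?P<disabled>#)?\s*(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\("
)
MSG_RE = re.compile(r'msg:\s*"(?P<msg>[^"]*)"')
FLOW_RE = re.compile(r"flow:\s*(?P<flow>[^;]*);")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}")

# Constructed sample: five truncated rules taken from this listing.
SAMPLE_RULES = [
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Locky CnC Checkin"; '
    'flow:to_server,established; urilen:14; content:"POST"; http_method; content:"/imageload ...',
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible Attempted '
    'Microsoft Exchange RCE (CVE-2020-0688)"; flow:established,to_server; content ...',
    'alert dns $HOME_NET any -> any any (msg:"ET TROJAN Magecart CnC Domain in DNS Lookup"; '
    'dns_query; content:"webscriptly.com"; nocase; depth:15; isdataat:1,relative ...',
    '#alert http $HOME_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT SolusVM WHMCS CURL Multi part '
    'Boundary Issue"; flow:established,to_server; content:"POST"; http_method ...',
    'alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert '
    '(SmokeLoader CnC)"; flow:from_server,established; tls_cert_subject; content ...',
]


@dataclass
class RuleRecord:
    disabled: bool      # leading "#": present in the set but not enabled
    proto: str          # http, tls, dns, smtp, tcp, udp, ...
    msg: str
    category: str       # second token of an "ET <CATEGORY> ..." message
    direction: str      # "outbound", "inbound" or "unknown" relative to $HOME_NET
    truncated: bool     # the listing cut the rule off with "..."
    cves: list = field(default_factory=list)


def classify_direction(src, dst, flow):
    """to_server from $HOME_NET is an internal client talking out; to_client or
    from_server towards $HOME_NET is a response coming in. Rules without a
    flow: keyword (e.g. dns) fall back to which header side is $HOME_NET."""
    if "to_server" in flow:
        return "outbound" if src == "$HOME_NET" else "inbound"
    if "to_client" in flow or "from_server" in flow:
        return "inbound" if dst == "$HOME_NET" else "outbound"
    if src == "$HOME_NET":
        return "outbound"
    if dst == "$HOME_NET":
        return "inbound"
    return "unknown"


def parse_rule(line):
    """Parse one (possibly truncated) Suricata rule line into a RuleRecord."""
    line = line.strip()
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not a Suricata rule header: {line[:60]!r}")
    msg_m = MSG_RE.search(line)
    msg = msg_m.group("msg").strip() if msg_m else ""
    tokens = msg.split(None, 2)
    category = tokens[1] if len(tokens) >= 2 and tokens[0] == "ET" else "UNKNOWN"
    flow_m = FLOW_RE.search(line)
    flow = flow_m.group("flow") if flow_m else ""
    return RuleRecord(
        disabled=m.group("disabled") is not None,
        proto=m.group("proto"),
        msg=msg,
        category=category,
        direction=classify_direction(m.group("src"), m.group("dst"), flow),
        truncated=line.endswith("..."),
        cves=sorted(set(CVE_RE.findall(line))),
    )


def summarize(lines):
    """Aggregate a listing into the counts a reviewer wants at a glance."""
    records = [parse_rule(ln) for ln in lines if ln.strip()]
    return {
        "total": len(records),
        "disabled": sum(r.disabled for r in records),
        "truncated": sum(r.truncated for r in records),
        "by_category": dict(Counter(r.category for r in records)),
        "by_direction": dict(Counter(r.direction for r in records)),
        "cves": sorted({c for r in records for c in r.cves}),
    }


if __name__ == "__main__":
    for rec in map(parse_rule, SAMPLE_RULES):
        state = "disabled" if rec.disabled else "enabled "
        print(f"{state} {rec.proto:4} {rec.direction:8} {rec.category:18} {rec.msg}")
    print(summarize(SAMPLE_RULES))
```

Point the same functions at a full rule file by reading it line by line; lines that are blank or comments other than disabled rules will raise from `parse_rule`, which is intentional so that a malformed line in a downloaded rule set is noticed rather than silently skipped.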
Number of topics: 500
Topic revision: r4 - 2014-01-10 - JinsuNa
 
Copyright © Emerging Threats