Last 50 Rule Changes

Results from Main web retrieved at 05:01 (GMT)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Self Signed SSL Cert Used in Conjunction with Neosploit"; flow:from_server,established; content ...
#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN IrcBot Downloading Files via FTP"; flow:established,to_server; content:"RETR scrypt13"; depth:13; content ...
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows WMIC COMPUTERSYSTEM get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Credit Card Information Phish 2019 11 04"; flow:established,to_server; content ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Multi Email Phishing Landing 2018 08 30"; flow:established,to_client; file_data; content ...
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows WMIC SERVER get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ProjectSauron Remsec CnC Beacon (hardcoded HTTP headers)"; flow:established,to_server; content:"|41 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible ReactorBot .bin Download"; flow:established,to_server; content:"GET"; http_method; content ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non exe extension M2"; flow:established,to_client; file ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible IE MSMXL Detection of Local DLL (Likely Malicious)"; flow:established,from_server; ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2"; flow:established,to_client; file ...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1"; flow:established,to_client; content ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil EXE download from WinHttpRequest non exe extension"; flow:established,to_client; ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible Magento Directory Traversal Attempt"; flow:established,to_server; content:"GET" ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Pony DLL Download"; flow:established,to_server; content:"/pm"; http_uri; pcre:"/^\d ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Malicious wininet UA Downloading EXE"; flow:established,from_server; flowbits:isset,ET ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download file with BITS via LNK file (Likely Malicious)"; flow:established,from_server; file ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Malicious JS.Nemucod to PS Dropping PE Nov 14 M2"; flow:to_server,established; content:"GET" ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible IE MSMXL Detection of Local SYS (Likely Malicious)"; flow:established,from_server; ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible malicious zipped executable"; flow:established,from_server; file_data; content:"PK ...
alert tcp $EXTERNAL_NET [445,139] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible SandWorm INF Download (SMB)"; flow:to_client,established; content:"Software|5c ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Common Bad Actor Indicators Used in Various Targeted 0 day Attacks"; flow:from_server,established ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPack Payload Download Oct 29"; flow:established,to_server; content:"/lofla1.php"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS rechnung zip file download"; flow:established,to_server; content:"GET"; http_method; content ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Fake Codec Download"; flow:established,to_server; content:"/Setup.exe?tid "; http_uri ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CryptoLocker TorComponent DL"; flow:from_server,established; flowbits:isset,FakeIEMinimal ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible FakeAV binary download (setup)"; content:"GET"; http_method; content:"index.php?key ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS ehow/livestrong Malicious Flash 10/11"; flow:established,to_server; urilen:13; content:".swf ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious Doc Downloading EXE"; flow:established,from_server; flowbits:isset,ET.MalDocEXEPrimer ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS ZeroLocker EXE Download"; flow:established,from_server; flowbits:isset,ET.http.binary; file ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Malicious Cookie Set By Flash Malvertising"; flow:established,to_server; content:"|0d 0a|Cookie ...
#alert tcp $EXTERNAL_NET [443,$HTTP_PORTS] -> $HOME_NET any (msg:"ET CURRENT_EVENTS TorExplorer Certificate Potentially Linked To W32/Cryptowall.Ransomware"; flow ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible SandWorm INF Download (UNICODE)"; flow:to_client,established; file_data; content:"S ...
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TecSystems (Possible Mask) Signed PE EXE Download"; flow:established,to_client; flowbits:isset ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Trojan Multi part Macro Download M1"; flow:established,from_server; file_data; content ...
#alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET 21 (msg:"ET CURRENT_EVENTS Fredcot campaign payload download"; flow:to_server,established; content:"PASS fredcot123|0d ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit 2013 3346"; flow:established,from_server; file_data; content:"5 0 R|0a|endobj|0a|5 0 obj ...
alert tcp $EXTERNAL_NET [445,139] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible SandWorm INF Download (SMB UNICODE)"; flow:to_client,established; content:"S|00 ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible SandWorm INF Download"; flow:to_client,established; file_data; content:"Software|5c ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious JAR olig"; flow:established,from_server; content:"|00 00|META-INF/PK|0a|"; fast_pattern ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious iframe"; flow:established,from_server; file_data; content:").) ? \r\n\s name \r\n ...
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Java Malicious Jar /eeltff.jar"; flow:to_server,established; content:"/eeltff ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS .HTM being served from WP 1 flash gallery Upload DIR (likely malicious)"; flow:established,to ...
#alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET CURRENT_EVENTS Possible Sakura Jar Download Oct 22 2013"; flow:to_server,established; content:!".jar"; http ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING Alureon Malicious IFRAME"; flow:established,to_client; file_data; content:"name ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible FortDisco POP3 Site list download"; flow:established,to_server; content:"GET"; http ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown java ara Bin Download"; flow:established,to_server; content:"java ara name "; http_uri ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (2)"; flow:established,from_server; tls_cert_subject; content ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING OpenX BrowserDetect.init Download"; flow:established,to_client; content:"OAID ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS MALVERTISING Flash URI /loading?vkn "; flow:established,to_server; content:"/loading?vkn ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excel with Embedded .emf object downloaded"; flow:established,to_client; file_data; content ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito Malicious PDF Requested /getfile.php"; flow:established,to_server; content:"/getfile ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious iframe"; flow:established,from_server; file_data; content:").) ? \r\n\s name \r\n ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2014-6332 Sep 01 2016 (HFS Actor) M2"; flow:established,from_server; content:"Server|3a 20 ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY EXE Embeded in Page Likely Evil M1"; flow:established,from_server; file_data; content ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Facebook password stealing inject Jan 04"; flow:from_server,established; file_data; content ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil JavaScript Injection Sep 29 2015"; flow:established,to_client; file_data; content:"|76 61 ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2014-6332 Sep 01 2016 (HFS Actor) M1"; flow:established,from_server; file_data; content: ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY EXE Embeded in Page Likely Evil M2"; flow:established,from_server; file_data; content ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2014-6332 DECS2"; flow:established,from_server; file_data; content:"102,117,110 ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY GENERIC CollectGarbage in Hex String No Seps"; flow:to_client,established; file_data ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible vBulletin object injection vulnerability Attempt"; flow:established,to_server; content ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2014-6332 Arrays with Offset Dec 23"; flow:established,from_server; file_data; content ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY GENERIC ShellExecute in URLENCODE"; flow:to_client,established; file_data; content:" ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY GENERIC ShellExecute in Hex No Seps"; flow:to_client,established; file_data; content ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing 07/22/13 3"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing 07/22/13 4"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS StyX Landing Jan 29 2014"; flow:from_server,established; file_data; content:" ^\s )\s ? \s ...
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EXE Accessing Kaspersky System Driver (Possible Mask)"; flow:established,to_client; flowbits ...
#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TSPY POCARDL.U Possible FTP Login"; flow:established,to_server; content:"USER user drupalzf"; reference ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS W32/Caphaw DriveBy Campaign Statistic.js"; flow:established,to_server; content:"/statistic.js ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscation Technique Used in CVE-2014-0322 Attacks"; flow:established,from_server; file_data ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS W32/Caphaw DriveBy Campaign Ping.html"; flow:established,to_server; content:"/ping.html?id ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlashPack Secondary Landing Oct 29"; flow:established,from_server; file_data; content:"Windows ...
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS DTLS 1.2 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 fe fd 00 00 ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Trojan Dropper purporting to be missing application page landing"; flow:established,from ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic URLENCODED CollectGarbage"; flow:established,from_server; file_data; content ...
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS DTLS Pre 1.0 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 01 00 00 ...
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS DTLS 1.0 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 fe ff 00 00 ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FaceBook IM Web Driven Facebook Trojan Download"; flow:established,to_server; content:"/dlimage4 ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin Flash Landing URI Struct March 05 2014"; flow:established,to_server; content:".php?b ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HanJuan Landing Dec 10 2014"; flow:established,from_server; file_data; content:"|27|.replace ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible FortDisco Wordpress Brute force Site list download 10 wp login.php"; flow:established ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Browlock Landing Page URI Struct"; flow:to_server,established; content:"/?flow id"; http_uri ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing 07/22/13 2"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Escaped Unicode Char in Location CVE-2012-4792 EIP % Hex Encode"; flow:established,from_server ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Injection var j 0"; flow:established,to_client; file_data; content:"00 3a 00 3a 00 3b path ...
#alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear landing with obfuscated plugindetect Apr 29 2013"; flow:established,from_server; file ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Escaped Unicode Char in Window Location CVE-2012-4792 EIP"; flow:established,from_server; file ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing 07/22/13"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS NeoSploit Version Enumerated null"; flow:established,to_server; urilen:85; content:"/null ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit/Other Landing Page 100HexChar value and applet"; flow:established,to_client; file ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO/NeoSploit possible second stage landing page"; flow:established,to_server; urilen: 25 ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Drupal Mass Injection Campaign Inbound"; flow:established,from_server; file_data; content:"if ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS NeoSploit Version Enumerated Java"; flow:established,to_server; urilen: 85; content:"/1 ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown s 1 Landing Page 10HexChar Title and applet"; flow:established,to_client; file_data ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2013-0422 Jar"; flow:established,from_server; flowbits:isset,ET.http.javaclient ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown s 1 Landing Page 100HexChar value and applet"; flow:established,to_client; file ...
#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Drupal Mass Injection Campaign Outbound"; flow:established,from_server; file_data; content ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website Landing Page Obfuscated String JavaScript DGA ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lilupophilupop Injected Script Being Served to Client"; flow:established,to_client; content ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Base64 Landing Page Received base64encode(GetOs()"; flow:established,to_client; content ...
#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS Requests upload.wikimedia.com. "; content:"|06|upload|09 ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS landing page with malicious Java applet"; flow:established,from_server; file_data; content: ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix landing page JAVASMB"; flow:established,to_client; file_data; content:"JAVASMB()"; classtype ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nikjju Mass Injection Compromised Site Served To Local Client"; flow:established,from_server ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Driveby Delivered Malicious PDF"; flow:established,from_server; file_data; content:"%PDF ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware Landing Page Received foxxysoftware"; flow:established,to_client; content ...
#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS Requests photobucket.com. "; content:"|0b|photobucket|03 ...
#alert http $HOME_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nikjju Mass Injection Internal WebServer Compromised"; flow:established,from_server; file_data; ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY PDF Containing Subform with JavaScript"; flow:established,to_client; file_data; content ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious 1px iframe related to Mass Wordpress Injections"; flow:established,from_server; content ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Lilupophilupop Injected Script Being Served from Local Server"; flow:established,from_server ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Modified Metasploit Jar"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware Landing Page Received applet and 0px"; flow:established,to_client; content ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS User Agent used in Injection Attempts"; flow:established,to_server; content:"User-Agent|3a ...
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malvertising drive by kit encountered Loading..."; flow:established,to_client; content ...
#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request to malicious info.php drive by landing"; flow:established,to_server; content ...
#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS Requests wordpress.com. "; content:"|09|wordpress|03|com ...
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Driveby bredolab hidden div served by nginx"; flow:established,to_client; content:" ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Injected Credit Card Fraud Malvertisement Script"; flow:established,to_client; content ...
#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS Requests img.youtube.com. "; content:"|03|img|07|youtube ...
#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Internal WebServer Compromised By Lizamoon Mass SQL Injection Attacks"; flow:established ...
#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS Requests blogger.com. "; content:"|07|blogger|03|com"; ...
#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS Requests flickr.com. "; content:"|05|flickr|03|com"; nocase ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site Landing Page"; flow:established,from_server; content:"MWL"; classtype ...
#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Neosploit Toolkit download"; flow:established,to_server; content:"GET"; nocase ...
#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS cssminibar.js Injected Script Served by Local WebServer"; flow:established,from_server; ...
#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS Requests picasa.com. "; content:"|06|picasa|03|com"; nocase ...
#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sidename.js Injected Script Served by Local WebServer"; flow:established,from_server; content ...
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Gimmiv Infection Ping Inbound"; icode:0; itype:8; dsize:20; content:"abcde12345fghij6789"; reference ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert Oct 24 2014"; flow:established,from_server; content:"|16|"; content ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Acunetix scan in progress acunetix variable in http uri"; flow:established,to_server; content:"|24|acunetix ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert www.eshaalfoundation.org"; flow:established,from_server; content:"|16 ...
#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS Possible Upatre DNS Query (jamco.com.pk)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10 ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HT SWF Exploit RIP"; flow:established,from_server; file_data; content:""; content:"getEnvInfo ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPack Flash Exploit Nov 20 2014"; flow:established,to_server; content:"/Main.swf"; http ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HT SWF Exploit RIP M2"; flow:established,from_server; file_data; content:""; content:"return ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert glynwedasia.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert mypreschool.sg"; flow:established,from_server; content:"|55 04 03|" ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT AsusWRT RT AC750GF Cross Site Request Forgery"; flow:from_server,established; file_data; content:"" ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT DSLink 260E Router DNS Changer Exploit Attempt"; flow:established,to_server; content:"/action?dns status ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert www.tradeledstore.co.uk"; flow:established,from_server; content:"|55 ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Acunetix scan in progress acunetix wvs security test in http uri"; flow:established,to_server; content ...
#alert http $HOME_NET any -> [216.157.99.0/24,72.51.32.0/20,76.74.152.0/21] any (msg:"ET CURRENT_EVENTS Possible HanJuan Flash Exploit"; flow:to_server,established ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert santa.my"; flow:established,from_server; content:"|55 04 03|"; content ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Elasticsearch CVE-2015-1427 Exploit Campaign SSL Certificate"; flow:established,from ...
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D Link DSL 2740R Remote DNS Change Attempt"; flow:established,to_server; content:"GET"; http_method; content: ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Upatre Common URI Struct Feb 12 2015"; flow:established,to_server; content:"GET"; http_method ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert vcomdesign.com"; flow:established,from_server; content:"|55 04 03|" ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert walletmix.com"; flow:established,from_server; content:"|55 04 03|"; ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert paydaypedro.co.uk"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert udderperfection.com"; flow:established,from_server; content:"|55 04 ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert plastics technology.com"; flow:established,from_server; content:"|55 ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert itiltrainingcertworkshop.com"; flow:established,from_server; content ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert chatso.com"; flow:established,from_server; content:"|55 04 03|"; content ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert slmp 550 105.slc.westdc.net"; flow:established,from_server; content ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert picklingtank.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert worldbuy.biz"; flow:established,from_server; content:"|55 04 03|"; content ...
#alert tls 66.147.244.132 any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert bluehost.com Aug 27 2014"; flow:established,from_server; content:" ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert deserve.org.uk"; flow:established,from_server; content:"|55 04 03|" ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert turnaliinsaat.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert efind.co.il"; flow:established,from_server; content:"|55 04 03|"; content ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert mdus pp wb12.webhostbox.net"; flow:established,from_server; content ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert bloodsoft.com"; flow:established,from_server; content:"|55 04 03|"; ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert uleideargan.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert technosysuk.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert tristacey.com"; flow:established,from_server; content:"|55 04 03|"; ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert trainthetrainerinternational.com"; flow:established,from_server; content ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert tridayacipta.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert ssshosting.net"; flow:established,from_server; content:"|55 04 03|" ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert nbc mail.com"; flow:established,from_server; content:"|55 04 03|"; content ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert hebergement solutions.com"; flow:established,from_server; content:" ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert dominionthe.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert erotikturk.com"; flow:established,from_server; content:"|55 04 03|" ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert pejlain.se"; flow:established,from_server; content:"|55 04 03|"; content ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert eastwoodvalley.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert abarsolutions.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert dineshuthayakumar.in"; flow:established,from_server; content:"|55 04 ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert sportofteniq.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert delanecanada.ca"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert adoraacc.com"; flow:established,from_server; content:"|55 04 03|"; content ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert lingayasuniversity.edu.in"; flow:established,from_server; content:" ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert mtnoutfitters.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert jojik international.com"; flow:established,from_server; content:"|55 ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert ns2.sicher.in"; flow:established,from_server; content:"|55 04 03|"; ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert ara photos.net"; flow:established,from_server; content:"|55 04 03|" ...
#alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MOBILE_MALWARE Android/Trogle.A Possible Exfiltration of SMS via SMTP"; flow:established,to_server; content ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert udderperfection.com"; flow:established,from_server; content:"|55 04 ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert developmentinn.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert cyclivate.com"; flow:established,from_server; content:"|55 04 03|"; ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert mentoringgroup.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert pouyasazan.org"; flow:established,from_server; content:"|55 04 03|" ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert ns7 777.777servers.com"; flow:established,from_server; content:"|55 ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert adodis.com"; flow:established,from_server; content:"|55 04 03|"; content ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert www.senorwooly.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert epr co.ch"; flow:established,from_server; content:"|55 04 03|"; content ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert freeb4u.com"; flow:established,from_server; content:"|55 04 03|"; content ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert tecktalk.com"; flow:established,from_server; content:"|55 04 03|"; content ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert tradeledstore.co.uk"; flow:established,from_server; content:"|55 04 ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert power2.mschosting.com"; flow:established,from_server; content:"|55 04 ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert businesswebstudios.com"; flow:established,from_server; content:"|55 ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert chinasemservice.com"; flow:established,from_server; content:"|55 04 ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert directory92.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert cactussports.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert deslematin.ca"; flow:established,from_server; content:"|55 04 03|"; ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert karinejoncas.com`; flow:established,from server; content:` 55 04 03 ...
#alert tls $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert server.abaphome.net`; flow:established,from server; content:` 55 04 ...
#alert tls $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert twitterbacklinks.com`; flow:established,from server; content:` 55 04 ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert July 14 2014`; flow:established,to client; content:` 55 04 03 `; content ...
#alert tls $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert 1stopmall.us`; flow:established,from server; content:` 55 04 03 `; content ...
#alert tls $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert thelabelnashville.com`; flow:established,from server; content:` 55 04 ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert new install.privatedns.com`; flow:established,from server; content: ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Linux DDoS bot Antiq IRC`; flow:established,to server; content:`PRIVMSG 20 #`; content:`status checking ...
#alert tls $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert host galaxy.com`; flow:established,from server; content:` 55 04 03 ...
#alert tcp $HOME NET any $EXTERNAL NET 25,587 (msg:`ET TROJAN KLPROXY Checkin via SMTP`; flow:to server,established; content:`Subject 3a `; content:`C H E G O ...
#alert tls $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert fxbingpanel.fareexchange.co.uk`; flow:established,from server; content ...
#alert tls $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert 66h.66hosting.net`; flow:established,from server; content:` 55 04 03 ...
#alert tls $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert disenart.info`; flow:established,from server; content:` 55 04 03 `; ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert faithmentoringandmore.com`; flow:established,to client; content:` 55 ...
#alert tls $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert michaelswinecellar.com`; flow:established,from server; content:` 55 ...
#alert tcp $HOME NET any $EXTERNAL NET 25,26,587,2525 (msg:`ET TROJAN Pain File Stealer sending wallet.dat via SMTP`; flow:to server,established; content:`Subject ...
#alert tls $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert migsparkle.com`; flow:established,from server; content:` 55 04 03 ` ...
#alert tls $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert yellowdevilgear.com`; flow:established,from server; content:` 55 04 ...
#alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:`ET TROJAN Dyreza RAT Checkin Response`; flow:established,to client; content:` a5 46 da 53 0a 00 68 00 65 ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert webhostingpad.com`; flow:established,from server; content:` 16 `; content ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert`; flow:established,to client; content:` 55 04 03 `; content:` 1e static ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert acesecureshop.com`; flow:established,to client; content:` 55 04 03 ...
#alert tcp $EXTERNAL NET any $SMTP SERVERS 25,587 (msg:`ET CURRENT EVENTS .gadget Email Attachment Possible Upatre`; flow:established,to server; content:`Content ...
#alert tcp $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Win32/Sharik C2 Incoming Crafted Request`; flow:established,from server; content:` 4d 00 02 02 00 `; ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET TROJAN Downloader.Win32.Tesch.A Bot Command (Proxy command)`; flow:established,from server; flowbits:isset,ET ...
#alert tcp $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Possible Zendran ELF IRCBot Server Banner`; dsize: 14; flow:established,from server; content:` 3a Hell ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET TROJAN Downloader.Win32.Tesch.A Server Command (Confirm C2 IP and port)`; flow:established,from server; flowbits ...
#alert tcp $HOME NET any $EXTERNAL NET 1433 (msg:`ET TROJAN AMB SQL Checkin`; flow:established,to server; content:`I 00 N 00 S 00 E 00 R 00 T`; content:`I 00 N ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Possible Backdoor.Unrecom Download`; flow:established,from server; flowbits:isset,ET.http.javaclient ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Metasploit Various Java Exploit Common Class name`; flow:established,from server; flowbits:isset ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Compromised site dfsdirect.ca`; flow:established,to client; content:` 55 ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET TROJAN Downloader.Win32.Tesch.A Server Command (Confirm C2 IP and port) 2`; flow:established,from server; flowbits ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Possible Zendran ELF IRCBot Joining Channel 2`; flow:established,to server; content:`PASS eYmUrmyAfG ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert 999servers.com`; flow:established,to client; content:` 55 04 03 `; content ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET TROJAN Downloader.Win32.Tesch.A Server Command (bot is ready to start receiving commands)`; flow:established ...
#alert ftp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN ftpchk3.php possible upload success`; flow:to client,established; content:` 0d 0a 150 `; content:`ftpchk3 ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET CURRENT EVENTS Upatre SSL Compromised site kionic`; flow:established,to client; content:` 55 04 03 `; content ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET CURRENT EVENTS Upatre SSL Compromised site trudeausociety`; flow:established,to client; content:` 12 trudeausociety ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET CURRENT EVENTS Upatre SSL Compromised site potpourriflowers`; flow:established,to client; content:` 55 04 03 ...
#alert tcp $HOME NET any $EXTERNAL NET 1024: (msg:`ET TROJAN W32/FakeFlash.Dropper Initial CnC Beacon`; flow:established,to server; dsize:8; content:`PutToken` ...
#alert tcp $HOME NET any $EXTERNAL NET 1024: (msg:`ET TROJAN RAT Keep Alive Server Response`; flow:established,from server; dsize:2; content:`/P`; depth:2; flowbits ...
#alert tcp $HOME NET any $EXTERNAL NET 37 (msg:`ET TROJAN RAT SMTP Data Exfiltration`; flow:established,to server; content:`X Mailer 3A SysMon v1.0.0`; reference ...
#alert tcp $EXTERNAL NET 1024: $HOME NET any (msg:`ET TROJAN W32/FakeFlash.Dropper GetInformation CnC Beacon Acknowledgement`; flow:established,to client; dsize ...
#alert tcp $HOME NET any $EXTERNAL NET 1024: (msg:`ET TROJAN W32/FakeFlash.Dropper PutInformation CnC Beacon`; flow:established,to server; dsize:18; content:`PutInformation ...
#alert udp $HOME NET any $EXTERNAL NET 53 (msg:`ET TROJAN Ebury SSH Rootkit data exfiltration`; content:` 12 0b 01 00 00 01 `; depth:6; pcre:`/^\x12\x0b\x01\x00 ...
#alert tcp $EXTERNAL NET 1024: $HOME NET any (msg:`ET TROJAN W32/FakeFlash.Dropper Initial CnC Beacon Acknowledgement`; flow:established,to client; dsize:12; content ...
#alert tcp $EXTERNAL NET any $HOME NET 443 (msg:`ET TROJAN RAT FTP File Download Command`; flow:established,to server; dsize: 0; content:`/CD 5C 5C 5C `; depth ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Backdoor.joggver backdoor initialization packet`; flow:established,to server; dsize:32; content:` 03 ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Compromised site iclasshd.net`; flow:established,to client; content:` 55 ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS DLL in jjencode`; flow:established,from server; file data; content:` 22 5c 5c 5c 5c 5c 5c 5c ...
#alert http any 80 any any (msg:`ET CURRENT EVENTS Win32.RBrute http response`; flow:to client,established; file data; content:`kenji oke 0d 0a `; depth:24; flowbits ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Compromised site sabzevarsez.com`; flow:established,to client; content:` ...
#alert tcp $HOME NET any $EXTERNAL NET 21 (msg:`ET TROJAN FTP File Upload BlackPOS Naming Scheme`; flow:established,to server; content:`STOR `; depth:5; content ...
#alert tcp $HOME NET any $EXTERNAL NET 2012:2014 (msg:`ET TROJAN Win32.Morix.B checkin`; flow:to server,established; content:` 00 00 42 42 43 42 43 `; offset:2 ...
#alert tcp any any any 445 (msg:`ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 7`; flow:to server,established; flowbits:isset,ET.kaptoxa; content ...
#alert tcp any any any 445 (msg:`ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 1`; flow:to server,established; flowbits:isset,ET.kaptoxa; content ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN WinSpy.pob Sending Data over SMTP`; flow:to server,established; content:`filename `; content:`PC Active ...
#alert tcp any any any 445 (msg:`ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 8`; flow:to server,established; flowbits:isset,ET.kaptoxa; content ...
#alert tcp any any any 445 (msg:`ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 3`; flow:to server,established; flowbits:isset,ET.kaptoxa; content ...
#alert tcp $HOME NET any $EXTERNAL NET 444 (msg:`ET TROJAN W32/FakeAlert.FT.gen.Eldorado Downloading DLL`; flow:to server,established; content:`SIZE libcurl 4.dll ...
#alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET CURRENT EVENTS Fredcot campaign php5 cgi initial exploit`; flow:to server,established; content:!`Accept ...
#alert tcp any any any 445 (msg:`ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 5`; flow:to server,established; flowbits:isset,ET.kaptoxa; content ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Hostile dsgweed.class JAR exploit`; flow:established,from server; flowbits:isset,ET.http.javaclient ...
#alert tcp any any any 445 (msg:`ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 2`; flow:to server,established; flowbits:isset,ET.kaptoxa; content ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN AALV checkin`; flow:to server,established; content:`CHEGOU NOIS`; fast pattern; content:` 20 7c 20 PLUGIN ...
#alert tcp any any any 445 (msg:`ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 10`; flow:to server,established; flowbits:isset,ET.kaptoxa; content ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN W32/FakeAlert.FT.gen.Eldorado Downloading VBS`; flow:to server,established; content:`SIZE explore.vbs ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Trojan Downloader Win32.Genome.AV server response`; flow:to client,established; file data; content: ...
#alert tcp any any any 445 (msg:`ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 9`; flow:to server,established; flowbits:isset,ET.kaptoxa; content ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET CURRENT EVENTS Upatre SSL Compromised site appsredeeem`; flow:established,to client; content:` 12 www.appsredeem ...
#alert tcp any any any 445 (msg:`ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 6`; flow:to server,established; flowbits:isset,ET.kaptoxa; content ...
#alert tcp any any any 445 (msg:`ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 4`; flow:to server,established; flowbits:isset,ET.kaptoxa; content ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Drive DDoS Tool smart command received key okokokjjk`; flow:established,from server; file data; content ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Drive DDoS Tool post2 command received key okokokjjk`; flow:established,from server; file data; content ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PoisonIvy.wwwst@Admin Keepalive to CnC`; flow:established,to server; content:` b4 7d 56 44 f3 23 e2 a2 ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Drive DDoS Tool post1 command received key okokokjjk`; flow:established,from server; file data; content ...
#alert tcp $HOME NET any $EXTERNAL NET 443 (msg:`ET TROJAN SSH Connection on 443 Mevade Banner`; flow:to server,established; content:`SSH 2.0 PuTTY Local 3a ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PoisonIvy.xiaoxiaohuli Keepalive to CnC`; flow:established,to server; content:` 4e c3 69 55 10 ad 3f ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PoisonIvy.gwx@123 Keepalive to CnC`; flow:established,to server; content:` 6c 6e d3 08 a6 26 34 c7 bf ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Drive DDoS Tool byte command received key okokokjjk`; flow:established,from server; file data; content ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Bladabindi/njrat CnC Command Response (Remote Cam)`; flow:to server,established; content:`USB Video Device ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Sakura Java Exploit Recieved Atomic`; flow:established,to client; file data; content:`PK ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PoisonIvy.XGstone Keepalive to CnC`; flow:established,to server; content:` ed d2 c6 f2 b9 ca 1e df 5c ...
#alert tcp $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Bladabindi/njrat CnC Command (Remote Cam)`; flow:from server,established; content:`CAM 7c 27 7c 27 7c ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN VBS.ayr CnC command response`; flow:established,from server; file data; content:`send 3c 7c 3e `; within ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PoisonIvy.smallfish Keepalive to CnC`; flow:established,to server; content:` 19 07 1b 24 3b 7a 9d e7 ...
#alert tcp $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Bladabindi/njrat CnC Command (Remote Desktop)`; flow:from server,established; content:`sc~ 7c 27 7c 27 ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Drive DDoS Tool get command received key okokokjjk`; flow:established,from server; file data; content ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Drive DDoS Tool long command received key okokokjjk`; flow:established,from server; file data; content ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Bladabindi/njrat CnC Command Response (File Manager)`; flow:to server,established; content:`rn 7c 27 ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Drive DDoS Tool byte command received key okokokjjk`; flow:established,from server; file data; content ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN AryaN IRC bot CnC1`; flow:established,to server; dsize: Added 2020 11 20 19:36:41 UTC alert ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PoisonIvy.keaidestone Keepalive to CnC`; flow:established,to server; content:` 82 ca 6f eb 66 ed 9e 86 ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PoisonIvy.happyyongzi Keepalive to CnC`; flow:established,to server; content:` ad 4a 6c bb a7 9c 30 3e ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN KeyBoy Backdoor File Download Response Header`; flow:to server,established; content:` ac 92 4b 04 ff ...
#alert http $HTTP SERVERS any $EXTERNAL NET any (msg:`ET CURRENT EVENTS c0896 Hacked Site Response Octal (Outbound)`; flow:established,to client; file data; content ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PoisonIvy.key@123 Keepalive to CnC`; flow:established,to server; content:` ef 80 7b ec 93 e6 92 06 17 ...
#alert http $HTTP SERVERS any $EXTERNAL NET any (msg:`ET CURRENT EVENTS c0896 Hacked Site Response (Outbound) 4`; flow:established,to client; file data; content ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN AryaN IRC bot CnC2`; flow:established,to server; dsize: Added 2020 11 20 19:36:41 UTC alert ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN AryaN IRC bot Botkill command`; flow:established,to server; content:`PRIVMSG `; depth:8; content:`Botkill ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PoisonIvy.th3bug Keepalive to CnC`; flow:established,to server; content:` 35 d1 50 14 94 b2 24 ac 9b ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN KeyBoy Backdoor File Upload Response Header`; flow:to server,established; content:` ac 92 4b 04 ff cf ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PoisonIvy.admin@388 Keepalive to CnC`; flow:established,to server; content:` b0 f6 8f d3 1c 2b 0e 50 ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN SpamBot CnC Server Configuration File Response`; flowbits:isset,et.stealrat.config; flow:established ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN AryaN IRC bot Download and Execute Scheduled file command`; flow:established,to server; content:`PRIVMSG ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN AryaN IRC bot Flood command`; flow:established,to server; content:`PRIVMSG `; depth:8; content:`Flood ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS DRIVEBY Rawin Java Exploit dubspace.jar`; flow:established,to server; content:`/dubspace ...
#alert http $HTTP SERVERS any $EXTERNAL NET any (msg:`ET CURRENT EVENTS c0896 Hacked Site Response (Outbound) 2`; flow:established,to client; file data; content ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PoisonIvy.suzuki Keepalive to CnC`; flow:established,to server; content:` d4 77 eb ff b6 94 cc d1 25 ...
#alert http $HOME NET any 209.139.208.0/23 any (msg:`ET CURRENT EVENTS Scalaxy Java Exploit 10/11/12`; flow:to server,established; content:`/m`; http uri; depth ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PoisonIvy.Es11 Keepalive to CnC`; flow:established,to server; content:` 89 e7 52 d4 68 64 a7 73 bd 7e ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET TROJAN Self Signed SSL Certificate (John Doe)`; flow:established,from server; content:` 16 03 `; content:` 0b ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET TROJAN STARSYPOUND Client Checkin`; flow:established,from server; content:` (SY)# `; depth:7; reference:md5 ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Base64 Java Exploit Requested /1Digit`; flow:established,to server; urilen:2; content:` ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Incognito Java Exploit Requested /gotit.php by Java Client`; flow:established,to server ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN KeyBoy Backdoor SysInfo Response header`; flow:to server,established; content:` ac 09 7b 09 4b 2a 92 ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Possible Metasploit Java Exploit`; flow:established,to client; file data; flowbits:isset,ET.http ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET TROJAN Self Signed SSL Certificate (Reaserch)`; flow:established,from server; content:` 16 03 `; content:` 0b ...
#alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:`ET CURRENT EVENTS Java Rhino Exploit Attempt evilcode.class`; flow:established,to client; content:`code ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Escaped Unicode Char in Location CVE 2012 4792 EIP (Exploit Specific replace)`; flow:established ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN ProxyBox ProxyBotCommand CHECK ME`; flow:established,to server; content:`CHECK ME 0D 0A Port 3a ...
#alert tcp $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN ProxyBox ProxyBotCommand FORCE AUTHENTICATION `; flow:established,to client; content:`FORCE AUTHENTICATION ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN KeyBoy Backdoor File Manager Response Header`; flow:to server,established; content:` ac 92 4b 04 ff 37 ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Generic PDF with NEW PDF EXPLOIT`; flow:established,to client; file data; content:`%PDF`; ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Unknown Java Exploit Requested 13 14Alpha.jar`; flow:established,to server; urilen:1619 ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Java Exploit Campaign SetAttribute Java Applet`; flow:established,to client; file data; content ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN RevProxy ClickFraud MIDUIDEND`; flow:established,to server; dsize:46; content:`MID`; depth:3; content ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PoisonIvy.Eu5 Keepalive to CnC`; flow:established,to server; content:` 13 cb df 56 6f f3 20 08 c2 f1 ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PoisonIvy.Eu2 Keepalive to CnC`; flow:established,to server; content:` 1c e9 a1 06 39 95 48 0d 64 1f ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Likely Generic Java Exploit Attempt Request for Java to decimal host`; flow:established,to server ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET TROJAN Sykipot SSL Certificate serial number detected`; flow:established,to client; content:` 16 `; content ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PoisonIvy.Eu4 Keepalive to CnC`; flow:established,to server; content:` ea a2 0d a1 b4 a9 a2 18 12 34 ...
#alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:`ET TROJAN ZeuS Clickfraud List Delivered To Client`; flow:established,from server; content:` 0d 0a 0d 0a ...
#alert tcp $HOME NET any $EXTERNAL NET 3306 (msg:`ET TROJAN Win32.Parite Checkin SQL Database`; flow:established,to server; content:`SHOW COLUMNS FROM webronaldogyn01 ...
#alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:`ET TROJAN W32/Mentory CnC Server Providing File Info Details`; flow:established,to client; content:` DBINFO ...
#alert tcp $HOME NET 1024: $EXTERNAL NET 1024: (msg:`ET TROJAN Backdoor.Win32.Fynloski.A Command Response`; flow:to server,established; content:`#botCommand%`; ...
#alert tcp $HOME NET $HTTP PORTS $EXTERNAL NET any (msg:`ET TROJAN Cythosia V2 DDoS WebPanel Hosted Locally`; flow:established,from server; content:` 3C title 3E ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PoisonIvy.Eu6 Keepalive to CnC`; flow:established,to server; content:` 29 a7 7b 28 9b c5 b8 b6 10 d7 ...
#alert tcp $HOME NET any $EXTERNAL NET 443 (msg:`ET TROJAN Possible German Governmental Backdoor/R2D2.A 2`; flow:from client,established; content:`C3PO r2d2 POE ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PoisonIvy.Eu3 Keepalive to CnC`; flow:established,to server; content:` 77 1b 13 19 a2 d1 8d a1 b5 05 ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PoisonIvy.Ehy Keepalive to CnC`; flow:established,to server; content:` 19 07 1b 24 3b 7a 9d e7 77 1e ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PoisonIvy.Emp Keepalive to CnC`; flow:established,to server; content:` 7a 05 61 17 27 f5 09 f9 05 a2 ...
#alert tcp $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN PoisonIvy.Eu5 Keepalive from CnC`; flow:established,from server; content:` 3a 62 26 fd 44 34 01 ed a1 ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Phoenix Java MIDI Exploit Received`; flow:established,to client; flowbits:isset,ET.http.javaclient ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Dadong Java Exploit Requested`; flow:established,to server; content:`/Gondad.jpg`; nocase; http ...
#alert tcp $HOME NET any $EXTERNAL NET 443 (msg:`ET TROJAN Possible German Governmental Backdoor/R2D2.A 1`; flow:from client,established; content:` 11 26 80 7c ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Crimepack Java exploit attempt(2)`; flow:from server,established; file data; content:`PK`; content ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Java Exploit Attempt applet via file URI param`; flow:established,from server; content:`applet ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Compressed Adobe Flash File Embedded in XLS FILE Caution Could be Exploit`; flow:established ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Java Exploit Attempt Request for .id from octal host`; flow:established,to server; content: ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Possible CVE 2011 2110 Flash Exploit Attempt Embedded in Web Page`; flow:established,to client ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Eleonore Exploit Pack exemple.com Request`; flow:established,to server; content:`/exemple.com ...
#alert ftp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN W32.Qakbot .cb File Extention FTP Upload`; flow:established,to server; content:`si `; content:`.cb`; ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET MOBILE MALWARE AdSms XML File From CnC Server`; flow:established,from server; content:``; content:``; content ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Phoenix Java MIDI Exploit Received By Vulnerable Client`; flow:established,to client; flowbits ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Java Exploit io.exe download served`; flow:established,from server; content:` 3b 20 filename ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Java Exploit Attempt Request for hostile binary`; flow:established,to server; content:` 20 ...
#alert ftp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN W32.Qakbot Seclog FTP Upload`; flow:established,to server; content:`seclog `; content:`.kcb`; within ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Phoenix Java Exploit Attempt Request for .class from octal host`; flow:established,to server ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Java Exploit Attempt applet via file URI setAttribute`; flow:established,from server; content ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Possible CVE 2011 2110 Flash Exploit Attempt`; flow:established,to server; content:`GET /`; ...
#alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:`ET TROJAN Night Dragon Server Auth to Bot`; flow:established,from server; dsize:29; content:` 00 00 password ...
#alert tcp $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:`ET TROJAN Night Dragon CMD Shell`; flow:established,to server; content:` 68 57 24 13 00 33 Microsoft`; ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Unknown Exploit Pack Binary Load Request`; flow:established,to server; content:`.php?sex `; ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET MOBILE MALWARE CruseWin XML Configuration File Sent From CnC Server`; flowbits:isset,ET.And.CruseWin; flow ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Adobe Flash SWF File Embedded in XLS FILE Caution Could be Exploit`; flow:established,from ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET MOBILE MALWARE Android.Plankton/Tonclank Control Server Responding With JAR Download URL`; flow:established ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET CHAT General MSN Chat Activity`; flow:established; content:`Content Type 3A `; http header; content:`application ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Driveby Bredolab client exploited by acrobat`; flow:established,to server; content:`?reader ...
#alert tcp $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN HackerDefender.HE Root Kit Control Connection Reply`; flow: established,from server; content:` d0 84 ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN HackerDefender.HE Root Kit Control Connection`; flow: established,to server; content:` d0 84 ec 77 cf ...
#alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:`ET TROJAN Night Dragon CnC Beacon Inbound`; flow:established,from server; dsize:16; content:` 01 50 00 ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN perlb0t/w0rmb0t Response 2`; flow:established,to server; flowbits:isset,is proto irc; content:` 3A 02 ...
#alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:`ET TROJAN Night Dragon CnC Traffic Inbound 2`; flow:established,from server; dsize:16; content:` 68 57 ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Knockbot Proxy Response From Controller`; flow:established,from server; content:` 0d 0a 0d 0a command ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Generic Banker Trojan Downloader Config to client`; flow:established,to client; content:` 0d 0a 0d 0a ...
#alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:`ET TROJAN Koobface BLACKLABEL`; flow:established,from server; content: `#BLACKLABEL 0d 0a EXIT`; reference ...
#alert http $HOME NET any $EXTERNAL NET $HTTP PORTS (msg:`ET CURRENT EVENTS Neosploit Exploit Pack Activity Observed`; flow:established,to server; content:`GET ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN JAR Download From Crimepack Exploit Kit`; flow:established,from server; flowbits:isset,ET.http.javaclient ...
#alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:`ET TROJAN Koobface C C availability check successful`; flowbits:isset,ET.koobfacecheck; flow:established ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET MALWARE Win32/DealPly Configuration File Inbound`; flow:established,from server; content:`200`; http stat code ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET WEB CLIENT Great Cannon DDoS JS M3`; flow:established,to client; content:`200`; http stat code; file data; content ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET WEB CLIENT Great Cannon DDoS JS M2`; flow:established,to client; content:`200`; http stat code; file data; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN FTCode Stealer CnC Activity`; flow:established,to server; content:`POST`; http method; content:`l dj0 ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Amadey CnC Check In`; flow:established,to server; content:`POST`; http method; content:`.php`; http uri ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN ELF/Mirai Variant UA Outbound (Ouija x.86)`; flow:established,to server; content:`User Agent 3a 20 Ouija ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Godlua Backdoor Downloading Encrypted Lua`; flow:established,to server; content:`GET`; http method; content ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET WEB CLIENT Great Cannon DDoS JS M1`; flow:established,to client; content:`200`; http stat code; file data; content ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET WEB CLIENT Great Cannon DDoS JS M4`; flow:established,to client; content:`200`; http stat code; file data; content ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`ssofiles.online`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`ssl login.online`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`securessl vpn.com`; nocase; isdataat:1,relative; ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`secure mail.global`; nocase; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`xmail auth.com`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`vpn ssl.com`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`secure ssl.online`; nocase; isdataat:1,relative; ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`sso ssl.com`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`webex ssl.com`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`ssl upgrade.online`; nocase; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`sso signon.com`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`vsecuremail.com`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`wu signon.com`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`ssl account.online`; nocase; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`xmail ssl.com`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`securemail ssl.com`; nocase; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`secure vpn.online`; nocase; isdataat:1,relative; ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`ssl secure.online`; nocase; isdataat:1,relative; ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`webex cloud.net`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`outlook auth.com`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`secureimailonline.com`; nocase; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`itunesrewardscode.com`; nocase; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`seccmail.online`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`seccmail online.com`; nocase; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`imail ssl.com`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`online microsoft update.com`; nocase; isdataat:1 ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`hrsurveyservice.com`; nocase; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`ifileupload.com`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`internal message.online`; nocase; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`mcafee scan.com`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`mcafeeonlinescanner.com`; nocase; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`seccmail corp.com`; nocase; isdataat:1,relative; ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`hrsurveypro.com`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`imail secure.com`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`seccmail ssl.com`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`searscorporategiftcard.com`; nocase; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`secmail us.com`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`imail auth.com`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`securemail data.com`; nocase; isdataat:1,relative ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET EXPLOIT MiCasaVerde VeraLite Remote Code Execution Inbound (CVE 2016 6255)`; flow:established,to server; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET USER AGENTS ESET Installer`; flow:established,to server; content:`ESET Installer`; http user agent; depth:14 ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`encrypted mail.global`; nocase; isdataat:1,relative ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET MALWARE LNKR Possible Response for LNKR js file`; flow:established,from server; content:`200`; http stat code ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET MALWARE LNKR CnC Activity M3`; flow:established,to server; content:`GET`; http method; content:`/metric/?mid ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`encryptedmail.online`; nocase; isdataat:1,relative ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET EXPLOIT Possible Linksys WRT100/110 RCE Attempt (CVE 2013 3568)`; flow:established,to server; content:`POST ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET WEB CLIENT Tech Support Scam Landing M1 2019 04 15`; flow:established,from server; content:`200`; http stat ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SPECIFIC APPS Jenkins RCE CVE 2019 1003000`; flow:established,to server; content:`POST`; http method ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET EXPLOIT Attempted Remote Command Injection Inbound (CVE 2018 7841)`; flow:established,to server; content ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`encrypted message.online`; nocase; isdataat:1,relative ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Win32/ProtonBot CnC Response`; flow:established,to client; content:`200`; http stat code; file data; ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SPECIFIC APPS Jenkins Chained Exploits CVE 2018 1000861 and CVE 2019 1003000 M1`; flow:established,to ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET EXPLOIT Belkin Wemo Enabled Crock Pot Unauthenticated Command Injection Outbound (CVE 2019 12780)`; flow:established ...
alert http $HTTP SERVERS any $EXTERNAL NET any (msg:`ET EXPLOIT Attempted Remote Command Injection Outbound (CVE 2018 7841)`; flow:established,to server; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET MALWARE LNKR CnC Activity M1`; flow:established,to server; content:`GET`; http method; content:`/optout/set ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET EXPLOIT MiCasaVerde VeraLite Remote Code Execution Outbound (CVE 2016 6255)`; flow:established,to server; ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET EXPLOIT Belkin Wemo Enabled Crock Pot Unauthenticated Command Injection Inbound (CVE 2019 12780)`; flow:established ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`encrypted mail.center`; nocase; isdataat:1,relative ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SPECIFIC APPS Apache CouchDB Remote Code Execution 1`; flow:established,to server; content:`/ users ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN eSentire Cobalt Strike Beacon`; flow:established,to server; content:`GET`; http method; content:` 43 ...
alert tls $EXTERNAL NET 1024: $HOME NET any (msg:`ET TROJAN PTsecurity Fake SSL Certificate Observed (Yahoo)`; tls cert issuer; content:`C US`; content:`ST Arizona ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Win32/DanijBot User Agent`; flow:established,to server; content:`Botnet by Danij`; http user agent; fast ...
alert http $HOME NET any $EXTERNAL NET 1024: (msg:`ET TROJAN Win32/Backdoor.Small.ao CnC Checkin`; flow:established,to server; content:`POST`; http method; urilen ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PTsecurity Kuriyama Loader Checkin`; flow: established, to server; content:`?hwid `; http uri; content ...
alert http $HOME NET any any any (msg:`ET TROJAN PT MALWARE Hacked Mikrotik C2 Request`; flow:established, to server; content:`GET`; http method; content:`/mikrotik ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Bank of America Phishing Landing`; flow:established,to client; content:`200`; http stat code ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Arkei Stealer Config Download Request`; flow:established,to server; content:`POST`; http method; content ...
alert tls $EXTERNAL NET 1024: $HOME NET any (msg:`ET TROJAN PTsecurity Fake SSL Certificate Observed (Google)`; tls cert issuer; content:`C US`; content:`ST Florida ...
alert http any any $HOME NET any (msg:`ET EXPLOIT NUUO OS Command Injection`; flow:to server,established; content:`/handle iscsi.php`; http uri; content:`act discover ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN InfoBot Sending LAN Details`; flow:established,to server; content:`POST`; http method; content:`.php ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Arkei Stealer IP Lookup`; flow:established,to server; content:`POST`; http method; content:`Arkei/` ...
alert tls $EXTERNAL NET 1024: $HOME NET any (msg:`ET TROJAN PTsecurity Fake SSL Certificate Observed (Oracle America)`; tls cert issuer; content:`C US`; content ...
alert http $EXTERNAL NET any $HOME NET 9080 (msg:`ET EXPLOIT Possible LG SuperSign EZ CMS 2.5 RCE (CVE 2018 17173)`; flow:established,to server; content:`GET`; ...
alert tls $EXTERNAL NET 1024: $HOME NET any (msg:`ET TROJAN PTsecurity Fake SSL Certificate Observed (Oracle canada)`; tls cert issuer; content:`C canada`; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN MICROPSIA Sending JPG Screenshot to CnC with .his Extension`; flow:established,to server; content:`POST ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET EXPLOIT Nagios XI Remote Code Execution 3`; flow:established,to server; content:`/index.php?cmd submitcommand ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Suspicious Accept in HTTP POST Possible Alphacrypt/TeslaCrypt`; flow:established,to server; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Win32/Backdoor.Agent.qweydh CnC Checkin M2`; flow:established,to server; content:`POST`; http method ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN LokiBot User Agent (Charon/Inferno)`; flow:established,to server; content:`(Charon 3b 20 Inferno)`; http ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Mokes CnC Keep Alive`; flow:established,to server; urilen:3; content:`GET`; http method; content:`/v1 ...
#alert http any any $HOME NET any (msg:`ET EXPLOIT Unknown Router Remote DNS Change Attempt`; flow:established,to server; urilen:10; content:`POST`; http method ...
alert dns $HOME NET any any any (msg:`ET INFO DNS Query for Suspicious .gdn Domain`; dns query; content:`.gdn`; nocase; isdataat:1,relative; classtype:bad unknown ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Evil Redirector from iframe Sep 29 2015`; flow:established,to server; content:`GET`; http method ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN MedusaHTTP CnC Checkin`; flow:established,to server; content:`POST`; http method; content:`.php`; http ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET INFO Suspicious HTML Decimal Obfuscated Title Possible Phishing Landing Apr 19 2017`; flow:from server,established ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Evil Redirector Sep 29 2015`; flow:established,to server; content:`GET`; http method; content ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE 2017 0199)`; flow:established,from server; flowbits:isset ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET MOBILE MALWARE Trojan Spy.AndroidOS.SmForw/SlemBunk/SLocker Checkin`; flow:to server,established; content:`POST ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Possible Malicious Macro DL EXE Feb 2016 (WinHTTPRequest)`; flow:established,to server; content:`GET ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Win32/Scarsi Variant CnC Activity`; flow:to server,established; content:`/WP`; http uri; content:`.php ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Evil Redirect Compromised WP Feb 01 2016`; flow:established,from server; file data; content: ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Upatre Firefox/Chrome Redirector Receiving Payload Jan 9 2015`; flow:established,from server ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Upatre Download Redirection Dec 18 2014`; flow:established,from server; file data; content: ...
alert http $HOME NET any $EXTERNAL NET 443 (msg:`ET TROJAN APT Lurker POST CnC Beacon`; flow:established,to server; content:`POST`; http method; content:`.php` ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Andromeda Checkin Dec 29 2014`; flow:established,to server; content:`POST`; nocase; http method; content ...
alert http $HOME NET any $EXTERNAL NET 80 (msg:`ET TROJAN BHQtr Dropper CnC Beacon 2`; flow:established,to server; content:`GET`; http method; content:`/do.asp ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Trojan.Bayrob Keepalive`; flow:established,to server; content:`GET`; http method; urilen:9; content: ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Sharik/Smoke CnC Beacon 3`; flow:established,to server; urilen:1; pcre:`/^ \x20 \x7e\r\n {0,20} ^\x20 ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Upatre Redirector IE Requesting Payload Jan 19 2015`; flow:established,to server; content:`GET ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Upatre Redirector Dec 16 2014`; flow:established,from server; file data; content:`PK 03 04 ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Upatre Redirector Jan 23 2015`; flow:established,to server; content:`GET`; http method; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Possible Malicious Redirect 8x8 script tag URI struct`; flow:established,to server; content: ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SPECIFIC APPS Wordpress Slideshow Gallery 1.4.6 Shell Upload`; flow:established,to server; content ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Upatre Redirector Dec 16 2014 set`; flow:established,to server; content:`GET`; http method; ...
#alert http $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:`ET CURRENT EVENTS Upatre IE Redirector Receiving Payload Jan 9 2015`; flow:established,from server; content ...
Number of topics: 500
Topic revision: r4 - 2014-01-10 - JinsuNa
 