# # $Id: bleeding-all.rules $ # Bleeding Snort rules. # # SID's are 2000000+ to avoid conflicts # # Only basic testing has been done. At this point all we guarantee is that they won't crash a recent snort release. # # More information available at www.bleedingsnort.com # # Please submit any custom rules or ideas to bleeding@bleedingsnort.com or the snort-sigs mailing list # #This is the MASTER list, this includes ALL rules # #************************************************************* # # Copyright (c) 2006, Bleedingsnort.com # All rights reserved. # # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
# CURRENT EVENTS: short-lived rules written against a specific, ongoing incident.
# Each one carries its author's note on when it should be re-evaluated or removed.
#
# Added 2006-02-21 after pondering about the current OS/X issue
# Server-to-client MIME header check on any port. Each "within:100" is relative to the
# content match just before it, so the three headers must appear close together.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT Mac OS/X MIME Header x-unix-mode Tag"; flow:from_server,established; content:"Content-Transfer-Encoding"; nocase; content:"Content-Type"; nocase; within:100; content:"x-unix-mode"; nocase; within:100; classtype:string-detect; reference:url,isc.sans.org/diary.php?storyid=1138; sid:2002813; rev:2;)
#by jnorcross
#This will false-positive on some traffic, but should be minimal. This should be removed in a month or so. Reevaluate on 1/1/07
# NOTE(review): the pcre carries no host or path anchoring, so it fires on any normalized
# URI containing "/w.php" after an earlier "/" -- expect hits on unrelated sites.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT EVENTS Bagle.Gen HTTP Get Traffic - Possible Infected Host"; flow: established,to_server; pcre:"//.*/w\.php/Ui"; classtype: trojan-activity; sid:2002692; rev:2;)
#By David Glosser. This is an experiment. There are a large number of phishing scams
# using this login url. We want to see if this is a useful thing to alert on.
# NOTE(review): "/LoginMember.do" is a generic login path and is probably also served by the
# legitimate site being imitated; treat hits as leads to check, not as confirmed phishing.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT Possible Phishing URL Retrieved"; flow:established,to_server; uricontent:"/LoginMember.do"; nocase; classtype:misc-activity; reference:url,www.millersmiles.co.uk/report/1838; sid:2002747; rev:1;)
# The rules below were written in response to an ISC Diary that listed known
# evil, poisoning name servers.
# Added by Frank Knobbe
# DNS-poisoning incident rules (ISC Diary, 2005-03-30/31). The destination lists are
# hard-coded IPs taken from that diary; such lists age quickly and should be re-verified
# before being relied on. The first two rules have no flow option and are stateless.
alert udp $HOME_NET any -> [216.127.88.131,218.38.13.108] 53 (msg: "BLEEDING-EDGE DNS lookup attempt to hostile, poisoning DNS server - ISC Diary"; reference:url,isc.sans.org/diary.php?date=2005-03-30; reference:url,isc.sans.org/diary.php?date=2005-03-31; classtype: misc-attack; sid: 2001834; rev:5; )
alert tcp $HOME_NET any -> [209.123.63.168,64.21.61.5,205.162.201.11,217.16.26.148] any (msg: "BLEEDING-EDGE Sites trying to infect PCs with malware - ISC Diary"; reference:url,isc.sans.org/diary.php?date=2005-03-30; classtype: misc-attack; sid: 2001835; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Web page trying to infect PCs with malware - ISC Diary"; flow: established,to_server; uricontent:"/g7/anticheatsys.php?id=36381"; nocase; reference:url,isc.sans.org/diary.php?date=2005-03-30; classtype: misc-attack; sid: 2001836; rev:8; )
# Submitted by Stephane Nasdrovisky
# Each hex content below is the 4-byte network-order form of the IP named in the msg
# (|da 26 0d 6c| = 218.38.13.108, and so on). There is no offset/depth and no DNS
# parsing, so the bytes may match anywhere in a port-53 answer payload, not only inside
# an A record; an occasional coincidental hit on other answer data is possible.
alert udp any 53 -> any any (msg: "BLEEDING-EDGE Suspicious DNS server answer\: 218.38.13.108"; content:"|da 26 0d 6c|"; classtype: bad-unknown; sid: 2001837; rev:3; )
alert udp any 53 -> any any (msg: "BLEEDING-EDGE Suspicious DNS server answer\: 217.16.26.148"; content:"|d9 10 1a 94|"; classtype: bad-unknown; sid: 2001838; rev:2; )
alert udp any 53 -> any any (msg: "BLEEDING-EDGE Suspicious DNS server answer\: 205.162.201.11"; content:"|cd a2 c9 0b|"; classtype: bad-unknown; sid: 2001839; rev:2; )
# Wire-encoded (length-prefixed label) form of "besthost.co.kr", terminated by the root label.
alert udp any 53 -> any any (msg: "BLEEDING-EDGE Suspicious DNS server answer\: besthost.co.kr"; content:"|08 62 65 73 74 68 6f 73 74 02 63 6f 02 6b 72 00|"; classtype: bad-unknown; sid: 2001840; rev:2; )
#Matt Jonkman, related to dns poisoning
# Query-name matches use DNS label encoding: |05|7sir7|03|com is the wire form of 7sir7.com.
alert udp $HOME_NET any -> any 53 (msg: "BLEEDING-EDGE Possible DNS Lookup for DNS Poisoning Domain 7sir7.com"; content:"|05|7sir7|03|com"; nocase; reference:url,isc.sans.org/diary.php?date=2005-04-07; classtype: misc-activity; sid: 2001842; rev:5; )
# (sid 2001843 begins here and continues on the next line)
alert udp $HOME_NET any -> any 53 (msg: "BLEEDING-EDGE 
# (remainder of sid 2001843, which begins on the preceding line)
Possible DNS Lookup for DNS Poisoning Domain 123xxl.com"; content:"|06|123xxl|03|com"; nocase; reference:url,isc.sans.org/diary.php?date=2005-04-07; classtype: misc-activity; sid: 2001843; rev:5; )
alert udp $HOME_NET any -> any 53 (msg: "BLEEDING-EDGE Possible DNS Lookup for DNS Poisoning Domain abx4.com"; content:"|04|abx4|03|com"; nocase; reference:url,isc.sans.org/diary.php?date=2005-04-07; classtype: misc-activity; sid: 2001844; rev:5; )
#from dajackman re incidents.org entry
# Single hard-coded resolver address from the diary entry. Both rules are rate-limited to
# one alert per source host per 60 seconds. The tcp variant keys on the SYN (flags: S,12),
# i.e. it fires on the connection attempt rather than on any DNS payload.
alert tcp $HOME_NET any -> 193.227.227.218 53 (msg:"BLEEDING-EDGE CURRENT EVENTS Malware Altered Host - DNS to Malicious DNS Server (tcp)"; flags: S,12; threshold:type limit, track by_src, count 1, seconds 60; reference:url,isc.sans.org/diary.php?storyid=819; classtype:misc-activity; sid:2002670; rev:2;)
alert udp $HOME_NET any -> 193.227.227.218 53 (msg:"BLEEDING-EDGE CURRENT EVENTS Malware Altered Host - DNS to Malicious DNS Server (udp)"; threshold:type limit, track by_src, count 1, seconds 60; reference:url,isc.sans.org/diary.php?storyid=819; classtype:misc-activity; sid:2002672; rev:2;)
# Added by Frank Knobbe in preparation for Sober activity
# Disabled (commented out): lookups of the Sober control sites, kept so they can be
# re-enabled if that activity resumes. sids 2002712-2002716; the last one of this group
# is split across this line and the next.
#alert udp $HOME_NET any -> any 53 (msg: "BLEEDING-EDGE DNS Lookup for sites serving Sober control activity - people.freenet.de"; content:"|06|people|07|freenet|02|de"; nocase; reference:url,www.f-secure.com/weblog/archives/archive-122005.html#00000729; reference:url,www.lurhq.com/soberdates.html; classtype: misc-activity; sid:2002712; rev:1; )
#alert udp $HOME_NET any -> any 53 (msg: "BLEEDING-EDGE DNS Lookup for sites serving Sober control activity - scifi.pages.at"; content:"|05|scifi|05|pages|02|at"; nocase; reference:url,www.f-secure.com/weblog/archives/archive-122005.html#00000729; reference:url,www.lurhq.com/soberdates.html; classtype: misc-activity; sid:2002713; rev:1; )
#alert udp $HOME_NET any -> any 53 (msg: "BLEEDING-EDGE DNS Lookup for sites serving Sober control activity - home.pages.at"; content:"|04|home|05|pages|02|at"; nocase; 
# (tail of the disabled sid 2002714 rule that begins on the preceding line; kept disabled)
#reference:url,www.f-secure.com/weblog/archives/archive-122005.html#00000729; reference:url,www.lurhq.com/soberdates.html; classtype: misc-activity; sid:2002714; rev:1; )
#alert udp $HOME_NET any -> any 53 (msg: "BLEEDING-EDGE DNS Lookup for sites serving Sober control activity - free.pages.at"; content:"|04|free|05|pages|02|at"; nocase; reference:url,www.f-secure.com/weblog/archives/archive-122005.html#00000729; reference:url,www.lurhq.com/soberdates.html; classtype: misc-activity; sid:2002715; rev:1; )
#alert udp $HOME_NET any -> any 53 (msg: "BLEEDING-EDGE DNS Lookup for sites serving Sober control activity - home.arcor.de"; content:"|04|home|05|arcor|02|de"; nocase; reference:url,www.f-secure.com/weblog/archives/archive-122005.html#00000729; reference:url,www.lurhq.com/soberdates.html; classtype: misc-activity; sid:2002716; rev:1; )
#by Blake Hartstein
# IE window() code-execution attempt (CVE-2005-1790), inbound from web servers. The literal
# content "window" narrows the traffic before the pcre looks for an on* event handler
# attribute that calls window() inside a tag.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer Window() Possible Code Execution"; flow:established,from_server; content:"window"; nocase; pcre:"/<[a-z][^>]+on[^>]+[^a-z_]window\s*\(\s*\)/i"; reference:url,secunia.com/advisories/15546; reference:url,www.computerterrorism.com/research/ie/ct21-11-2005; reference:cve,2005-1790; classtype:attempted-user; sid:2002682; rev:5; )
#by Tom at Doctorunix.com
#This should be looked at for removal about 1/1/06, this will be evaded soon surely
# Unlike most rules in this file this one watches inbound requests to $HTTP_SERVERS; it is a
# plain URI-substring match on "/fbi.gif?&cmd" and has no reference, so document the source
# if it is kept past the date above.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT shellbot code injection attempt"; flow: established,from_client; uricontent:"/fbi.gif?&cmd"; nocase; classtype: web-application-attack; sid:2002701; rev:1;)
#matt Jonkman from ISC diary entry of 9/21/05
# (sid 2002378 begins here and ends on the next line)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT Hostile Javascript s_ta_ts.js Requested"; flow:established,to_server; uricontent:"/s_ta_ts.js"; nocase; reference:url,isc.sans.org/diary.php?date=2005-09-21; classtype:suspicious-filename-detect; sid:2002378; 
# (end of sid 2002378, which begins on the preceding line)
rev:2;)
# From forum post by merphie. We should remove this around 8/25 or so assuming the threat has passed
# NOTE(review): destination is "any $HTTP_PORTS" rather than $EXTERNAL_NET like the rest of the
# file, so this also fires on requests to internal web servers. "depth:50" limits the
# uricontent search to the first 50 bytes of the normalized URI.
alert tcp $HOME_NET any -> any $HTTP_PORTS ( msg: "BLEEDING-EDGE Current Events OSA4.GIF Detected Possible Trojan.Tooso Infection"; flow:to_server,established; uricontent:"/osa4.gif"; nocase; depth:50; classtype:trojan-activity; sid:2002189; rev: 6;)
#
# MALWARE / SPYWARE section. Almost all rules below are outbound HTTP (to_server) matches
# on a URI fragment or a Host: header that identifies a known adware/spyware family.
#
#Submitted by Jason Haar
# Update-engine check-in: "GET" must be at the very start of the payload (depth: 3), the Host
# header within 300 bytes of it, and the 180solutions host name within 40 bytes of "Host:".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Update Engine"; flow: to_server,established; content:"GET"; depth: 3; content:"Host|3a|"; within: 300; content:"ping.180solutions.com"; within: 40; reference:url,www.safer-networking.org/index.php?page=threats&detail=212; classtype: trojan-activity; sid: 2000930; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware (tracked event reported)"; flow: to_server,established; uricontent:"/TrackedEvent.aspx?"; nocase; uricontent:"eid="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2001397; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware (action url reported)"; flow: to_server,established; uricontent:"/actionurls/ActionUrl"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2001399; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware Reporting"; flow: to_server,established; uricontent:"/showme.aspx?keyword="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2001400; rev:5; )
#Matt Jonkman
# (sid 2002001 begins here and ends on the next line)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware Keywords Download"; flow: to_server,established; uricontent:"keywords/kyf"; nocase; 
# (end of sid 2002001, which begins on the preceding line)
content:"partner_id="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2002001; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware Install"; flow: to_server,established; uricontent:"/downloads/installers/"; nocase; content:"simpleinternet/180sainstaller.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2002003; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware Defs Download"; flow: to_server,established; uricontent:"/geodefs/gdf"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2002048; rev:3; )
# NOTE(review): "/config.aspx?did=" is a fairly generic URI fragment with no host check;
# expect the occasional hit on unrelated ASP.NET sites.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware config Download"; flow: to_server,established; uricontent:"/config.aspx?did="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2002099; rev:2; )
#By M Shirk from Listening Post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware versionconfig POST"; flow:to_server,established; uricontent:"/versionconfig.aspx?"; uricontent:"&ver="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2002354; rev:1; )
#Submitted by Joel Esler
# The hex contents decode to "Host: www.2020search.com" and "IpAddr" (no nocase, so the
# match is case-sensitive). This rule's closing parenthesis is on the next line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Spyware 2020"; flow: to_server,established; content:"|48 6F 73 74 3A 20 77 77 77 2E 32 30 32 30 73 65 61 72 63 68 2E 63 6F 6D|"; content:"|49 70 41 64 64 72|"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.2020search.html; sid: 2000327; rev:7; 
# (closing parenthesis of sid 2000327, which begins on the preceding line)
)
#
#Submitted by Jason Haar
# Registration POST: "POST" at payload start, the reg.php request line within 50 bytes, then
# the Host header ("|0d0a|Host|3a|" is CRLF + "Host:") followed by the domain within 40 bytes.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 2020search Update Engine"; flow: to_server,established; content:"POST"; depth: 4; content:"srng/reg.php HTTP"; within: 50; content:"|0d0a|Host|3a|"; content:"2020search.com"; within: 40; content:"IpAddr="; nocase; within: 100; reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2004-03-04; classtype: trojan-activity; sid: 2000934; rev:5; )
#Submitted by Chris Norton
# Hex contents decode to "goidr.cab" and "Host: www.webnetinfo.net".
# NOTE(review): the flow is from_server, but "Host:" is a request header sent by the client,
# so a server-to-client payload is unlikely to contain it and this rule may never fire as
# written; confirm the intended direction against a capture.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE MALWARE 2nd-thought (W32.Daqa.C) Download"; flow: from_server,established; content:"|67 6f 69 64 72 2e 63 61 62|"; nocase; content:"|48 6f 73 74 3a 20 77 77 77 2e 77 65 62 6e 65 74 69 6e 66 6f 2e 6e 65 74|"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.secondthought.html; sid: 2001447; rev:5; )
#Submitted by cooljay
# Source port 20 with to_server looks like an active-mode FTP data channel, where the remote
# side connects to a listener on $HOME_NET -- confirm, since it reads oddly at first glance.
# The content is UTF-16LE "\Carmen" followed by "suc", searched only at offset 160..186.
# On a hit the source host is tagged for one further packet (tag: host,1,packets,src).
alert tcp $EXTERNAL_NET 20 -> $HOME_NET any (msg: "BLEEDING-EDGE MALWARE Abox Download"; flow: established,to_server; content:"|5c 00 43 00 61 00 72 00 6d 00 65 00 6e 00 00 00 16 00 00 00 73 00 75 00 63|"; nocase; offset: 160; depth: 26; tag: host,1,packets,src; flowbits: set,tagged; classtype: trojan-activity; sid: 2001440; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Abox Install Report"; flow: to_server,established; uricontent:"&time="; nocase; uricontent:"/new_install?id="; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.adultbox.html; sid: 2001441; rev:9; )
#By Mark Tombaugh
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ABX Toolbar ActiveX Install"; flow: to_server,established; uricontent:"/abx_search_webinstall/abx_search.cab"; nocase; reference:url,isc.sans.org/diary.php?date=2005-03-04; classtype: trojan-activity; sid: 2001761; rev:3; )
#Matt Jonkman
# (sid 2002740 begins here and continues on the next line)
alert tcp $HOME_NET any -> $EXTERNAL_NET 
# (remainder of sid 2002740, which begins on the preceding line)
$HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE adservs.com Spyware"; flow: to_server,established; uricontent:"/binaries/relevance.dat"; content:"adservs"; nocase; classtype: policy-violation; sid: 2002740; rev:1; )
#by Matt Jonkman from Listening Post Data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware AdultfriendFinder.com Spyware Iframe Download"; flow:to_server,established; uricontent:"/promo/affiframe.jsp?Pid="; nocase; classtype:trojan-activity; sid:2002353; rev:1;)
#Submitted by Matt Jonkman
# Advertising.com agent rules. Note that these are URI-only matches with no Host check and are
# classed policy-violation; the Reporting Data rule below was disabled for hitting normal ads.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Advertising.com Agent"; flow: to_server,established; uricontent:"/pops=1/site="; nocase; uricontent:"/bnum="; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; sid: 2001226; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Advertising.com Data Post (villains)"; flow: to_server,established; uricontent:"/Games/villains.aspx"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; sid: 2001228; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Advertising.com Data Post (cakedeal)"; flow: to_server,established; uricontent:"/Games/cakedeal.aspx"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; sid: 2001230; rev:6; )
#From Listening Post data
#Hits on normal ads, not reporting data
# Disabled (commented out) for the reason above; sid 2002304.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Advertising.com Reporting Data"; flow: to_server,established; pcre:"/\/site=\d+\/mnum=\d+\/bins=\d+\/rich=\d+\/logs=\d+\/betr=/Ui"; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; sid: 2002304; rev:1; )
#By Matt Jonkman
# (sid 2001730 begins here and continues on the next line)
alert tcp $HOME_NET any -> 
# (remainder of sid 2001730, which begins on the preceding line)
$EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE A-d-w-a-r-e.com Activity (popup)"; flow: established,to_server; uricontent:"/cgi-bin/PopupV2?ID={"; nocase; reference:url,www.a-d-w-a-r-e.com; classtype: trojan-activity; sid: 2001730; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE A-d-w-a-r-e.com Activity (cmd)"; flow: established,to_server; uricontent:"/app/VT00/ucmd.php?V="; nocase; reference:url,www.a-d-w-a-r-e.com; classtype: trojan-activity; sid: 2001735; rev:5; )
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Adwave Agent Access"; flow: to_server,established; uricontent:"/search_404.aspx?aff="; nocase; classtype: policy-violation; reference:url,www.intermute.com/spyware/HuntBar.html; sid: 2001318; rev:5; )
#Submitted by Chris Norton
# NOTE(review): two unordered uricontent fragments ("/WTools" and ".cab") with no host check;
# any URI containing both strings in any order will match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Wintools Download/Configure"; flow: to_server,established; uricontent:"/WTools"; nocase; uricontent:".cab"; nocase; classtype: trojan-activity; reference:url,www.intermute.com/spyware/HuntBar.html; sid: 2001450; rev:9; )
#By Matt Jonkman
# ak-networks.com family. "Host\:" is the literal header name ("\:" escapes the colon in a
# Snort content string).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ak-networks.com Access, Likely Spyware"; flow: to_server,established; content:"Host\: app.desktop.ak-networks.com"; nocase; classtype: trojan-activity; sid: 2001528; rev:6; )
# NOTE(review): the msg says "Casalemedia" but the content matches ".ak-networks.com"; one of
# the two looks like a copy/paste leftover -- the msg should probably name ak-networks.com.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Casalemedia Access, Likely Spyware"; flow: to_server,established; content:"Host\:"; nocase; content:".ak-networks.com"; nocase; within: 30; classtype: trojan-activity; sid: 2001529; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ak-networks.com Spyware Code Download"; flow: to_server,established; uricontent:"/SyncAkSoft.da_"; nocase; classtype: trojan-activity; sid: 2001530; rev:6; )
# (sid 2001737 begins here and continues on the next line)
alert tcp $HOME_NET any -> $EXTERNAL_NET 
# (remainder of sid 2001737, which begins on the preceding line)
$HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ak-networks.com Spyware Code Install"; flow: to_server,established; uricontent:"/akcore.dl_"; nocase; classtype: trojan-activity; sid: 2001737; rev:4; )
#by Matt Jonkman from listening post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Alexa Spyware Reporting URL"; flow:established,to_server; uricontent:"/image_server.cgi?size=small&url=http\://"; nocase; classtype:trojan-activity; sid:2002349; rev:1;)
#Modified and added to by Matt Jonkman (Original author missing)
# Altnet PeerPoints Manager (classed policy-violation rather than trojan-activity).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Altnet PeerPoints Manager Start"; flow: to_server,established; uricontent:"/pm/start.asp"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; sid: 2000906; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Altnet PeerPoints Manager Data Submission"; flow: to_server,established; uricontent:"/backoffice.net/stats/Add.aspx"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; sid: 2000598; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Altnet PeerPoints Manager Settings Download"; flow: to_server,established; uricontent:"/pointsmanager/settings.cab?"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; sid: 2000907; rev:7; )
#Submitted by Matt Jonkman
# As yet unidentified agent, but here's how it came in
# NOTE(review): "/bpc/" plus a ".zip" anywhere in the payload is a broad signature with no host
# check, so expect false positives. The msg spells the host "Ipsrime" while both references
# say "isprime"; the msg looks like a typo.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Amex.Ipsrime.com Unknown Malware Download"; flow: to_server,established; uricontent:"/bpc/"; content:".zip"; reference:url,amex.isprime.com; reference:url,www.isprime.com; classtype: trojan-activity; sid: 2000904; rev:5; )
#Submitted by Matt Jonkman
# (sid 2000903 begins here and continues on the next line)
alert tcp $HOME_NET 
# (remainder of sid 2000903, which begins on the preceding line)
any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Avres Agent Receiving Instructions"; flow: to_server,established; uricontent:"/ie/updatenew/"; content:"CONFIG"; nocase; reference:url,www.avres.net; reference:url,ar.avres.net/ie/updatenew/; classtype: trojan-activity; sid: 2000903; rev:4; )
#Submitted by Jonathan Miner
# Note the URI fragment is spelled "bargin_buddy" (sic) -- that is the path the agent uses,
# not a typo to correct.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Bargain Buddy"; flow: to_server,established; uricontent:"/download/bargin_buddy"; nocase; reference:url,www.doxdesk.com/parasite/BargainBuddy.html; classtype: trojan-activity; sid: 2000574; rev:7; )
#By John Stewart
# NOTE(review): this uses a raw "content" match for a URI path where every neighbouring rule
# uses "uricontent"; raw content does not see the normalized URI, so encoded variants of the
# path would slip past. Consider switching to uricontent for consistency.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Begin2Search.com Spyware"; flow: to_server,established; content:"/cgi-bin/fav_del.fcgi?id"; nocase; reference:url,sarc.com/avcenter/venc/data/adware.begin2search.html; classtype: policy-violation; sid: 2001885; rev:4;)
#Submitted by Jonathan Miner
# BetterInternet ("Binet") family.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Binet (download complete)"; flow: to_server,established; uricontent:"/download/cabs/"; nocase; uricontent:"download_complete.htm"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; sid: 2000366; rev:10; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Binet (set_pix)"; flow: to_server,established; uricontent:"/download/cabs/set_pix.php"; nocase; content:"abetterinternet.com"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; sid: 2000367; rev:7; )
# (sid 2000371 begins here and ends on the next line)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Binet (randreco.exe)"; flow: to_server,established; uricontent:"/download/cabs/RANDRECO/randreco.exe"; nocase; content:"abetterinternet.com"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; sid: 2000371; 
# (end of sid 2000371, which begins on the preceding line)
rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Binet Ad Retrieval"; flow: to_server,established; uricontent:"/bba/flashimages/"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; sid: 2000593; rev:5; )
#Submitted by Matt Jonkman
# Twain-Tech family (download, ad retrieval, reporting).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Twaintec Download Attempt"; flow: to_server,established; uricontent:"/downloads/cabs/TWTDLL/twaintec.cab"; nocase; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; classtype: trojan-activity; sid: 2001198; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Twaintec Ad Retrieval"; flow: to_server,established; uricontent:"/twain/servlet/Twain?adcontext="; nocase; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; classtype: trojan-activity; sid: 2001199; rev:4; )
# NOTE(review): "/downloads/record_download.asp" is a generic-looking path with no host check;
# verify it does not hit ordinary download sites before relying on it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Twaintec Reporting Data"; flow: to_server,established; uricontent:"/downloads/record_download.asp"; nocase; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; classtype: trojan-activity; sid: 2001216; rev:4; )
# BetterInternet install reporting: ThinstallPre (upload) and ThinstallPost (install report).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE BInet Information Upload"; flow: to_server,established; uricontent:"/bi/servlet/ThinstallPre"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; sid: 2001339; rev:5; )
#Data from Allison Macfarland
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE BInet Information Install Report"; flow: to_server,established; uricontent:"/bi/servlet/ThinstallPost"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; sid: 2001576; rev:4; )
#Submitted by Matt Jonkman
# Disabling this rule, it needs work.
# It's hitting on legit ad referrals
# Disabled (commented out): sid 2001398, see the note above.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Bfast.com Spyware"; flow: to_server,established; uricontent:"/bfast/serve?bfmid"; nocase; classtype: policy-violation; sid: 2001398; rev:5; )
#Matt Jonkman from Spyware listening post data
#disabling for now, seems only to be hitting on ad pulls, not a spyware infection
# Disabled (commented out): sid 2002198.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Bidclix.com Spyware"; flow:to_server,established; pcre:"/\/code\/\d+\/\?cb=\d+/Ui"; classtype: trojan-activity; sid:2002198; rev:1;)
#Submitted by Allison MacFarlan
# No nocase on this uricontent, unlike most URI matches in the file; the match is case-sensitive.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Bonziportal Traffic"; flow: to_server,established; uricontent:"/bonziportal/bin/"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59256; classtype: trojan-activity; sid: 2001345; rev:5; )
#Submitted by Matt Jonkman
# NOTE(review): "/perl/ads.pl" alone, with no host check, is a generic path; the Updating rule
# below pairs its path with a host string and is the safer pattern.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Browseraid.com Agent Reporting Data"; flow: to_server,established; uricontent:"/perl/ads.pl"; nocase; reference:url,www.browseraid.com; classtype: trojan-activity; sid: 2001266; rev:10; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Browseraid.com Agent Updating"; flow: to_server,established; uricontent:"/perl/uptodate.pl"; nocase; content:"uptodate.browseraid.com"; nocase; reference:url,www.browseraid.com; classtype: trojan-activity; sid: 2001304; rev:5; )
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE BTGrab.com Spyware Downloading Ads"; flow: to_server,established; uricontent:"/a/Drk.syn?adcontext="; nocase; reference:url,www.btgrab.com; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090726; classtype: trojan-activity; sid: 2001999; rev:4; )
#By Matt Jonkman
# (sid 2001501 begins here and continues on the next line)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Clickspring.net 
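# (remainder of sid 2001501, which begins on the preceding line)
# NOTE(review): the msg names Clickspring.net, but the content is the bullseye-network.com Host
# header and the reference is the BargainBuddy write-up; the msg looks like a copy/paste
# leftover and should probably say "Bullseye Network". Left as-is pending confirmation.
Spyware Reporting"; flow: to_server,established; content:"Host\: www.bullseye-network.com"; nocase; classtype: trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.bargainbuddy.html; sid: 2001501; rev:4; )
#Submitted by Chris Norton
# Bundleware / InternetFuel family.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Bundleware Spyware Download"; flow: to_server,established; uricontent:"/app/InternetFuel/AppWrap.exe"; nocase; classtype: policy-violation; sid: 2001451; rev:4; )
# Matches the ms-its:/mhtml: Referer that the bundled CHM help file produces ("\:" and "\/"
# are Snort escapes for literal ":" and "/" inside the content string).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Bundleware Spyware CHM Download"; flow: to_server,established; content:"Referer\: ms-its\:mhtml\:file\://C\:counter.mht!http\://"; nocase; content:"/counter/HELP3.CHM\:\:/help.htm"; nocase; classtype: trojan-activity; sid: 2001452; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Bundleware Spyware cab Download"; flow: to_server,established; uricontent:"/counter/counter_v3.cab"; nocase; classtype: trojan-activity; sid: 2001458; rev:3; )
#By Matt Jonkman
# FIX: this rule previously had "within:10", but ".c4tdownload.com" is 16 bytes, so the second
# content could never fit inside the 10-byte window after "Host:" and the rule could not fire.
# Widened to within:40, matching the Host-header window used by sids 2000930/2000934, and
# bumped rev.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE C4tdownload.com Access, Likely Spyware"; flow: to_server,established; content:"Host\:"; nocase; content:".c4tdownload.com"; within:40; nocase; classtype: trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.clickdloader.b.html; sid: 2001531; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE C4tdownload.com Spyware Activity"; flow: to_server,established; uricontent:"/js.php?event_type=onload&recurrence="; nocase; classtype: trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.clickdloader.b.html; sid: 2002088; rev:3;)
#By Matt Jonkman
# No nocase on this uricontent; the match is case-sensitive. The rule continues on the next line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Spywaremover Activity"; flow: to_server,established; uricontent:"/download/cabs/THNALL1L/thnall1l.exe"; classtype: trojan-activity; 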
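# (end of sid 2001521, which begins on the preceding line)
reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453087903; sid: 2001521; rev:8; )
#By Matt Jonkman from Spyware listening post data
# FIX: both Casalemedia pcres previously used "[d+]", which is a character class matching a
# literal "d" or "+", so "s=12345&u=http" never matched. Changed to "\d+" (one or more digits),
# the form the other pcres in this file use (e.g. sid 2002198), and bumped rev.
# NOTE(review): neither rule carries a reference; add one if the source is still available.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Casalemedia Spyware Reporting URL Visited1"; flow: to_server,established; pcre:"/\/s\?s=\d+&u=http/Ui"; classtype: trojan-activity; sid:2002195; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Casalemedia Spyware Reporting URL Visited2"; flow: to_server,established; pcre:"/\/sd\?s=\d+&f=\d/Ui"; classtype: trojan-activity; sid:2002196; rev:2; )
#Submitted by Matt Jonkman
# Casino on Net (888) client traffic: install, logging, keepalive and data download.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Casino on Net Install"; flow: to_server,established; uricontent:"/newdownload/newsetup/"; nocase; content:"casinone"; nocase; reference:url,www.888casino.net; classtype: trojan-activity; sid: 2001041; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Casino on Net Reporting Data"; flow: to_server,established; uricontent:"/logs.asp?MSGID=100"; nocase; reference:url,www.888casino.net; classtype: trojan-activity; sid: 2001031; rev:5; )
# NOTE(review): "/Ping/Ping.txt" with no host check is generic enough to hit unrelated sites.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Casino on Net Ping Hit"; flow: to_server,established; uricontent:"/Ping/Ping.txt"; nocase; reference:url,www.888casino.net; classtype: trojan-activity; sid: 2001032; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Casino on Net Data Download"; flow: to_server,established; uricontent:"/sdl/casinov"; nocase; reference:url,www.888casino.net; classtype: trojan-activity; sid: 2001033; rev:5; )
#By Matt Jonkman
# (sid 2001494 begins here and continues on the next line)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Clickspring.net Spyware Reporting Successful Install"; flow: to_server,established; uricontent:"/notify.php?pid=remupd&module=install&v="; nocase; 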
# (end of sid 2001494, which begins on the preceding line)
content:"&result=1&message=Success"; nocase; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082745; sid: 2001494; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Clickspring.net Spyware Reporting"; flow: to_server,established; uricontent:"/notify.php?pid=ctxad&module=NDrvExe&v="; nocase; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082745; sid: 2001500; rev:4; )
#Submitted by Jason Haar, modified
# Comet Systems family (classed policy-violation).
# NOTE(review): this Host content has no nocase while the Reporting rule (sid 2001658) does;
# header names are case-insensitive on the wire, so consider adding nocase for consistency.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Comet Systems Spyware Traffic"; flow: to_server,established; uricontent:"/cc/"; content:"Host\: update.cc.cometsystems.com"; classtype: policy-violation; sid: 2000931; rev:5; )
#Submitted by Jonathan Miner
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware CometSystems Spyware"; flow: to_server,established; uricontent:"/comet/request"; nocase; classtype: policy-violation; sid: 2001050; rev:5; )
#Matt Jonkman
# NOTE(review): this URI is a prefix of the one in the Context Report rule (sid 2002352,
# "/context/1/up_context_1.xml?v="), so a request matching that rule also fires this one;
# decide whether both alerts are wanted.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Comet Systems Spyware Traffic (context.xml)"; flow: to_server,established; uricontent:"/context/1/up_context_1.xml"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083029; sid: 2001655; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Comet Systems Spyware Reporting"; flow: to_server,established; content:"Host\: log.cc.cometsystems.com"; nocase; classtype: policy-violation; sid: 2001658; rev:3; )
#from Listening Post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Comet Systems Spyware Update Download"; flow: to_server,established; uricontent:"/cc/5/masterconfig/"; nocase; uricontent:"/update.xml?v="; nocase; classtype: policy-violation; sid: 2002351; rev:1;)
# (sid 2002352 begins here and continues on the next line)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg: "BLEEDING-EDGE Malware Comet Systems Spyware Context Report"; flow: to_server,established; uricontent:"/context/1/up_context_1.xml?v="; nocase; classtype: policy-violation; sid: 2002352; rev:1;) #Submitted by Chris Norton alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ContextPanel Reporting"; flow: to_server,established; uricontent:"/cplog/?logtype="; nocase; content:"contextpanel.com"; nocase; classtype: policy-violation; sid: 2001456; rev:3; ) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Context Plus Spyware Install"; flow: established,to_server; uricontent:"/AproposClientInstaller.exe"; nocase; classtype: trojan-activity; sid: 2001704; rev:4; ) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Coolsearch Spyware Install"; flow: to_server,established; content:"coolsearch.biz/united.htm"; nocase; classtype: trojan-activity; sid: 2001479; rev:5; ) #from Lance James and Secure Science www.securescience.net -- Thanks Lance! 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Corpsespyware.net Blind Data Upload"; flow:to_server,established; uricontent:"/images/data.php?"; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002774; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Corpsespyware.net BlackListed Malicious Domain - google.vc"; flow:to_server,established; content:"Host\:"; nocase; content:"google.vc"; nocase; within:10; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002765; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Corpsespyware.net BlackList - pcpeek"; flow:to_server,established; content:"Host\:"; nocase; content:"pcpeek-webcam-sex.com"; nocase; within:10; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002766; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Corpsespyware.net Distribution - bos.biz"; flow:to_server,established; content:"Host\:"; nocase; content:"businessopportunityseeker.biz"; nocase; within:10; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002767; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Corpsespyware.net Distribution - fesexy"; flow:to_server,established; content:"Host\:"; nocase; content:"fesexy.net"; nocase; within:10; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002768; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Corpsespyware.net Distribution - studiolacase"; flow:to_server,established; content:"Host\:"; nocase; content:"studiolacase.com"; nocase; within:10; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002769; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE 
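MALWARE Corpsespyware.net - msits.exe access"; flow:to_server,established; uricontent:"/msits.exe"; nocase; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002770; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Corpsespyware.net - msys.exe access"; flow:to_server,established; uricontent:"/msys.exe"; nocase; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002771; rev:1;)
# PG 02 binary in transit, both directions. The byte pattern is an "MZ" DOS
# header followed, 10 bytes after the end of the MZ match (distance:10), by
# "PE\0\0" plus the bytes 46 53 47 21, i.e. the ASCII string "FSG!".
# NOTE(review): a fixed 10-byte gap between "MZ" and "PE" only fits one specific
# stub layout (a normal PE locates the header via e_lfanew), so this is a
# sample-specific signature rather than a generic packed-PE detector - confirm.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Corpsespyware.net - PG 02 Outbound"; flow:to_server,established; content:"|4D 5A|"; content:"|50 45 00 00 4C 01 02 00 46 53 47 21|"; distance:10; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002772; rev:1;)
# msg corrected from the misspelling "Corpsepsyware.net" so alerts for this
# family correlate on one name; rev bumped.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE MALWARE Corpsespyware.net - PG 02 Inbound"; flow:from_server,established; content:"|4D 5A|"; content:"|50 45 00 00 4C 01 02 00 46 53 47 21|"; distance:10; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002773; rev:3;)
#Submitted by Chris Norton
# Couponage adware: download, configuration and keyword reporting requests,
# each anchored on the couponage.com string in the request.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Couponage Download"; flow: to_server,established; uricontent:".dl_"; nocase; content:"couponage.com"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; sid: 2001453; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Couponage Configure"; flow: to_server,established; content:".da_"; nocase; content:"couponage.com"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; sid: 2001454; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Couponage Reporting"; flow: to_server,established; content:"/?keyword="; nocase; content:"couponage.com"; nocase; classtype: 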
policy-violation; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; sid: 2001455; rev:4; ) #From Vernon Stark #alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Malware Windows executable sent when remote host claims to send an image"; flow: established; content:"Content-Type\: image"; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode"; classtype: trojan-activity; sid: 2001683; rev:5; ) alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Malware Windows executable sent when remote host claims to send image, Win32"; flow: established; content:"Content-Type\: image"; content:"MZ"; isdataat: 76,relative; content:"This program must be run under Win32"; classtype: trojan-activity; sid: 2001684; rev:5; ) alert tcp any !20 -> $HOME_NET !25 (msg: "BLEEDING-EDGE Malware Possible Windows executable sent when remote host claims to send an image"; flow: established; content:"Content-Type\: image"; content:"MZ"; within: 12; classtype: trojan-activity; sid: 2001685; rev:3; ) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware CrazyWinnings.com Activity"; flow: established,to_server; uricontent:"/scripts/protect.php?promo=promo"; nocase; classtype: trojan-activity; sid: 2001733; rev:3; ) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE CWS qck.cc Spyware Installer (in.php)"; flow:established,to_server; uricontent:"/x/in.php?wm="; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; sid:2002089; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE CWS qck.cc Spyware Installer (web.php)"; flow:established,to_server; uricontent:"/x/tbd_web.php?wm="; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; sid:2002095; rev:3;) #Submitted by Matt Jonkman alert tcp $HOME_NET any 
-> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Default-homepage-network.com Access"; flow: to_server,established; content:"wsh.RegWrite"; nocase; content:"default-homepage-network.com/start.cgi?"; nocase; reference:url,default-homepage-network.com/start.cgi?new-hkcu; classtype: trojan-activity; sid: 2001222; rev:6; ) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware DelFin Project Spyware (payload)"; flow: established,to_server; uricontent:"/in/payload/payload.nfo?"; nocase; classtype: trojan-activity; sid:2002816; rev:1; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware DelFin Project Spyware (setup)"; flow: established,to_server; uricontent:"/in/defaults/setup.nfo?"; nocase; classtype: trojan-activity; sid:2002817; rev:1; ) #submitted by John Stewart alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE DesktopTraffic Toolbar Spyware"; flow: to_server,established; uricontent:"cgi-bin/ezl_kws.fcgi?cat"; nocase; reference:url,research.spysweeper.com/threat_library/threat_details.php?threat=desktoptraffic.net_hijack; classtype:trojan-activity; sid: 2001884; rev:4;) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Ebates Install"; flow: to_server,established; uricontent:"/ebates.exe"; reference:url,www.pestpatrol.com/PestInfo/e/ebates_moneymaker.asp; classtype: policy-violation; sid: 2001038; rev:5; ) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ESyndicate Spyware Install (esyndicateinst.exe)"; flow: to_server,established; uricontent:"/files/eSyndicateInst.exe"; nocase; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; sid: 2002009; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ESyndicate Spyware Install (sepinst.exe)"; flow: 
to_server,established; uricontent:"/files/SEPInst.exe"; nocase; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; sid: 2002010; rev:4; ) #Submitted by Jason Haar #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware EUniverse-thunderdownloads Update Engine"; flow: to_server,established; content:"POST"; depth: 4; content:"mgmt.svr HTTP"; within: 50; content:"|0d0a|Host|3a|update.thunderdownloads.com"; nocase; within: 300; reference:url,www.pestpatrol.com/pestinfo/e/euniverse.asp; classtype: policy-violation; sid: 2000935; rev:4; ) #By Matt Jonkman, From spyware listening post data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE EZSearch Spyware Reporting Search Strings"; flow:established,to_server; uricontent:"/partner/rt.php?q="; nocase; classtype:trojan-activity; sid:2002317; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE EZSearch Spyware Reporting Search Category"; flow:established,to_server; uricontent:"/partner/rt.php?cat="; nocase; classtype:trojan-activity; sid:2002318; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE EZSearch Spyware Reporting 2"; flow:established,to_server; uricontent:"/partner/bom.php?e="; nocase; classtype:trojan-activity; sid:2002319; rev:1;) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware F1Organizer Install Attempt"; flow: to_server,established; uricontent:"/f1/objects/"; nocase; classtype: trojan-activity; sid: 2000585; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware F1Organizer Reporting"; flow: to_server,established; uricontent:"/f1/audit/"; nocase; classtype: trojan-activity; sid: 2000582; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware F1Organizer Config Download"; flow: to_server,established; 
uricontent:"/F1/Cmd4F1"; nocase; classtype: trojan-activity; sid: 2001221; rev:4; ) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Featured-Results.com Agent Reporting Data"; flow: to_server,established; uricontent:"action=any"; nocase; uricontent:"country="; nocase; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/.*perl\/fr\.pl/i"; reference:url,www.featured-results.com; classtype: trojan-activity; sid: 2001293; rev:7; ) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware FlashPoint Agent Retrieving New Code"; flow: to_server,established; uricontent:"/ftxmon.php?"; reference:url,www.flashpoint.bm; classtype: trojan-activity; sid: 2000905; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware FlashTrack Agent Retrieving New App Code"; flow: to_server,established; uricontent:"/apps/r.exe"; reference:url,www.flashpoint.bm; classtype: trojan-activity; sid: 2000936; rev:5; ) #matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Flingstone Spyware Install (cxtpls)"; flow: established,to_server; uricontent:"/softwares/cxtpls_loader_ff.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html; sid: 2001710; rev:6; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Flingstone Spyware Install (sportsinteraction)"; flow: established,to_server; uricontent:"/softwares/SportsInteraction.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html; sid: 2001705; rev:6; ) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Freeze.com Spyware/Adware (Install)"; flow: to_server,established; uricontent:"/checkhttp.htm"; nocase; content:"User-Agent\: Wise"; 
nocase; content:"freeze.com"; nocase; classtype: policy-violation; sid: 2002840; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Freeze.com Spyware/Adware (Install Registration)"; flow: to_server,established; uricontent:"/ping/?shortname="; nocase; content:"User-Agent\: Wise"; nocase; content:"freeze.com"; nocase; classtype: policy-violation; sid: 2002841; rev:1;) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products Install"; flow: to_server,established; uricontent:"/install_ie.jsp?product="; reference:url,www.funwebproducts.com; classtype: policy-violation; sid: 2000599; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products SmileyCentral"; flow: to_server,established; uricontent:"/images/smileycentral/"; nocase; content:"FunWebProducts"; nocase; reference:url,www.funwebproducts.com; classtype: policy-violation; sid: 2001013; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products Agent Traffic"; flow: to_server,established; content:"FunWebProducts\;"; nocase; threshold: type limit, track by_src, count 2, seconds 360; reference:url,www.funwebproducts.com; classtype: policy-violation; sid: 2001034; rev:14; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products MyWay Agent Traffic"; flow: to_server,established; content:"FunWebProducts-MyWay\;"; nocase; threshold: type limit, track by_src, count 10, seconds 60; reference:url,www.funwebproducts.com; classtype: policy-violation; sid: 2001043; rev:8; ) #From Listening Post data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products Smileychooser Spyware"; flow: to_server,established; uricontent:"/SmileyChooser.html?"; nocase; uricontent:"v="; nocase; reference:url,www.funwebproducts.com; classtype: policy-violation; 
sid: 2002305; rev:4; ) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products Smileychooser Spyware"; flow: to_server,established; uricontent:"/SmileyChooser.html?"; nocase; uricontent:"v="; nocase; reference:url,www.funwebproducts.com; classtype:policy-violation; sid:2002310; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products Cursorchooser Spyware"; flow: to_server,established; uricontent:"/CursorChooser.html?"; nocase; reference:url,www.funwebproducts.com; classtype: policy-violation; sid: 2002306; rev:2; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products Stampchooser Spyware"; flow: to_server,established; uricontent:"/StampChooser.html?"; nocase; uricontent: "v="; nocase; reference:url,www.funwebproducts.com; classtype: policy-violation; sid: 2002307; rev:3; ) #by Shirkdog alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products StationaryChooser Spyware"; flow: to_server,established; uricontent:"/StationeryChooser.html?"; nocase; uricontent: "v="; nocase; reference:url,www.funwebproducts.com; classtype: policy-violation; sid: 2002858; rev:1; ) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Gator Cookie"; flow: to_server,established; content:"webpdpcookie"; content:".gator.com"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; sid: 2000025; rev:7; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Gator Checkin"; flow: to_server,established; uricontent:"/gbsf/"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; sid: 2000595; rev:6; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Gator New Code Download"; flow: to_server,established; 
uricontent:"/gatorcme/"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; sid: 2000597; rev:5; ) #Matt Jonkman Rule (depth added by bobkberg) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Gator/Claria Data Submission"; flow: to_server,established; content:"gs_trickler"; nocase; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/gs_trickler/i"; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; sid: 2000596; rev:9; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Gator/Clarian Agent"; flow: to_server,established; uricontent:"/gbsf/gd/ne/new.net.gtrg2ze"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; sid: 2001306; rev:5; ) #These are for common names of malcode files as seen in common places. #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Likely Trojan/Spyware Installer Requested (1)"; flow: established,to_server; pcre:"/(cartao|mensagem|voxcards|humortadela|ouca|cartaovirtual|uol3171|embratel|yahoo|viewforhumor|humormenssagem|terra)\.scr/Ui"; classtype: trojan-activity; sid: 2001850; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Likely Trojan/Spyware Installer Requested (2)"; flow: established,to_server; pcre:"/(discador|ocartao|msgav|extrato|correcao|extrato_tim|visualizar|cartas&cartoes|embratel|cartao|MSN_INSTALL|VirtualCards|atualizacaonorton|serasar|CobrancaEmbratel|ExtratoTim|FlashFotos|Vacina-Norton|CartaoIloves|Cobranca|fotos_ineditas|boletocobranca|saudades|wwwuolcartoescombr|cartaoanimado)\.exe/Ui"; classtype: trojan-activity; sid: 2002093; rev:2; ) #Submitted by Joseph Gama alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE IE homepage hijacking"; flow: from_server,established; content:"wsh.RegWrite"; nocase; 
content:"HKLM\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Main\\\\Start Page"; nocase; reference:url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm; classtype: misc-attack; sid: 2000514; rev:5; ) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE shell browser vulnerability W9x/XP"; flow: from_server,established; content:"shell\:windows"; nocase; reference:url,www.packetfocus.com/shell_exploit.htm; classtype: misc-attack; sid: 2000519; rev:6; ) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE shell browser vulnerability NT/2K"; flow: from_server,established; content:"shell\:winnt"; nocase; reference:url,www.packetfocus.com/shell_exploit.htm; classtype: misc-attack; sid: 2000520; rev:6; ) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware GlobalPhon.com Dialer"; flow: to_server,established; content:"Host\: www.globalphon.com"; classtype: trojan-activity; sid: 2001656; rev:2; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware GlobalPhon.com Dialer Download"; flow: to_server,established; uricontent:"/dialer/internazionale_ver"; nocase; uricontent:".CAB"; nocase; classtype: trojan-activity; sid: 2001657; rev:2; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware GlobalPhon.com Dialer (no_pop)"; flow: to_server,established; uricontent:"/no_pop.asp?"; nocase; uricontent: "id="; nocase; content:"globalphon.com"; nocase; classtype: trojan-activity; sid: 2001659; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware GlobalPhon.com Dialer (add_ocx)"; flow: to_server,established; uricontent:"/add_ocx.asp?"; nocase; uricontent: "id="; nocase; content:"globalphon.com"; nocase; classtype: trojan-activity; sid: 2001660; rev:4; ) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware GrandstreetInteractive.com Install"; 
flow: to_server,established; uricontent:"/tdtb.exe"; nocase; classtype: trojan-activity; sid: 2002012; rev:2; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware GrandstreetInteractive.com Update"; flow: to_server,established; uricontent:"/wupdsnff.exe"; nocase; classtype: trojan-activity; sid: 2002013; rev:2; ) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Install (1)"; flow: to_server,established; uricontent:"/install/startInstallprocess.asp?"; nocase; uricontent: "Defau"; reference:url,www.hotbar.com; classtype: trojan-activity; sid: 2000920; rev:7; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Install (2)"; flow: to_server,established; uricontent:"/install/process/upsale/hotbar"; reference:url,www.hotbar.com; classtype: trojan-activity; sid: 2000921; rev:6; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Install (3)"; flow: to_server,established; uricontent:"/installs/hotbar/programs/"; reference:url,www.hotbar.com; classtype: trojan-activity; sid: 2000922; rev:6; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Agent Reporting Information"; flow: to_server,established; content:"POST"; nocase; uricontent:"/reports/hotbar/"; reference:url,www.hotbar.com; classtype: trojan-activity; sid: 2000923; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Agent Upgrading"; flow: to_server,established; uricontent:"/updates/hotbar/"; nocase; reference:url,www.hotbar.com; classtype: trojan-activity; sid: 2000924; rev:6; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Agent Activity"; flow: to_server,established; uricontent:"/dynamic/hotbar/"; nocase; reference:url,www.hotbar.com; threshold: type limit, count 1, track by_src, seconds 360; classtype: 
trojan-activity; sid: 2000929; rev:6; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Agent Partner Checkin"; flow: to_server,established; uricontent:"/partners/"; nocase; uricontent:"partners.xip"; nocase; reference:url,www.hotbar.com; classtype: trojan-activity; sid: 2000925; rev:5; ) #from Shirkdog alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Agent Subscription POST"; flow: to_server,established; uricontent:"/hotbar/"; nocase; uricontent:"Subscription.dll?"; nocase; reference:url,www.hotbar.com; classtype: trojan-activity; sid: 2002820; rev:1;) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ICQ-Update.biz Reporting Install"; flow: to_server,established; uricontent:"log.php?"; nocase; uricontent: "IP="; nocase; uricontent:"Port1="; nocase; classtype: trojan-activity; sid: 2001490; rev:6; ) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE IEHelp.net Spyware Installer"; flow:established,to_server; uricontent:"/counter/help.chm"; nocase; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html; sid:2002090; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE IEHelp.net Spyware checkin"; flow:established,to_server; uricontent:"/l/gpr.php?"; nocase; uricontent: "ID1="; nocase; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html; sid:2002096; rev:4;) # Following are requests from adware served by iframebiz.biz alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE iframebiz - adv***.php"; flow:established,to_server; content:"GET"; depth:3; nocase; uricontent:"/adv"; nocase; pcre:"/adv\d+\.php/Ui"; classtype:trojan-activity; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; sid:2002707; 
rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE iframebiz - sploit.anr"; flow:established,to_server; content:"GET"; depth:3; nocase; uricontent:"/sploit.anr"; nocase; classtype:trojan-activity; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; sid:2002708; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE iframebiz - loaderadv***.jar"; flow:established,to_server; content:"GET"; depth:3; nocase; uricontent:"/loaderadv"; nocase; pcre:"/loaderadv\d+\.jar/Ui"; classtype:trojan-activity; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; sid:2002709; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE iframebiz - loadadv***.exe"; flow:established,to_server; content:"GET"; depth:3; nocase; uricontent:"/loadadv"; nocase; pcre:"/loadadv\d+\.exe/Ui"; classtype:trojan-activity; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; sid:2002710; rev:3;) # Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Incredisearch.com Spyware Ping"; flow: established,to_server; uricontent:"/ping.asp"; nocase; content:"incredisearch.com"; depth:300; nocase; classtype: trojan-activity; sid: 2001793; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Incredisearch.com Spyware Activity"; flow: established,to_server; content:"Host\: www.incredisearch.com"; depth:300; nocase; classtype: trojan-activity; sid: 2001794; rev:4; ) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Internet Fuel.com Install"; flow: to_server,established; uricontent:"/cgi-bin/omnidirect.cgi?&debug_log="; nocase; classtype: trojan-activity; sid: 2002015; rev:2; ) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Internet 
Optomizer Reporting Data"; flow: to_server,established; uricontent:"/io/downloads/"; nocase; content:"/wsi8/optimize"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; sid: 2001308; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Internet Optimizer Spyware Agent Upload"; flow: to_server,established; uricontent:"/conf/xml/"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; sid: 2001336; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Internet Optimizer Spyware Install"; flow: to_server,established; uricontent:"/internet-optimizer/"; nocase; uricontent:"/optimize"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; sid: 2001396; rev:4; ) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Reporting"; flow: to_server,established; uricontent:"/ist/scripts/log_downloads.php"; nocase; reference:url,www.isearchtech.com; classtype: trojan-activity; sid: 2000927; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Activity (1)"; flow: to_server,established; uricontent:"/ist/bars/"; nocase; reference:url,www.isearchtech.com; classtype: trojan-activity; sid: 2000928; rev:6; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Activity (2)"; flow: to_server,established; uricontent:"/ist/softwares/"; nocase; reference:url,www.isearchtech.com; classtype: trojan-activity; sid: 2001395; rev:6; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Data Submission"; flow: to_server,established; 
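uricontent:"/ist/scripts/istsvc_ads_data.php?"; nocase; uricontent: "version="; nocase; reference:url,www.isearchtech.com; classtype: trojan-activity; sid: 2001697; rev:4; )
#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware jmnad1.com Spyware Install (1)"; flow: to_server,established; uricontent:"/install.qg?"; nocase; uricontent: "ID="; nocase; classtype: trojan-activity; sid: 2002019; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware jmnad1.com Spyware Install (2)"; flow: to_server,established; uricontent:"/download/mw_4s_stub.exe"; nocase; classtype: trojan-activity; sid: 2002016; rev:6; )
#Submitted by Matt Jonkman
# JoltID / PeerEnabler P2P agent (bundled with Kazaa-era adware). Note the keep-alive rule
# fires on a single-byte "K" payload to port 3531, so it depends entirely on the port.
alert udp $HOME_NET 3531 -> $EXTERNAL_NET 3531 (msg: "BLEEDING-EDGE Malware JoltID Agent Probing or Announcing UDP"; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; sid: 2000900; rev:5; )
#alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg: "BLEEDING-EDGE Malware JoltID Agent Communicating TCP"; flow: to_server,established; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; sid: 2000901; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg: "BLEEDING-EDGE Malware JoltID Agent Keep-Alive"; flow: to_server,established; dsize: 1; content:"|4b|"; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; sid: 2001015; rev:6; )
# Destination is deliberately "any any": this catches the agent tunnelling through an HTTP proxy.
alert tcp $HOME_NET any -> any any (msg: "BLEEDING-EDGE Malware JoltID Agent P2P via Proxy Server"; flow: to_server,established; content:"POST http\://"; nocase; content:"\:3531/.pkt"; nocase; within: 20; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; sid: 2001679; rev:8; )
alert tcp $HOME_NET any <> $EXTERNAL_NET 3531 (msg: "BLEEDING-EDGE Malware JoltID Agent Requesting File"; flow: established,to_server; content:"GIVE "; content:"User-Agent\:"; nocase; content:"PeerEnabler"; within:120; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; sid: 2001654; rev:7;)
#Submitted by Jason Haar
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Keenvalue Update Engine"; flow: to_server,established; content:"|0d0a|Host|3a|secure.keenvalue.com"; content:"|0d0a|Extension|3a|Remote-Passphrase"; within: 300; reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2003-11-24; classtype: trojan-activity; sid: 2000932; rev:3; )
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware LocalNRD Spyware Checkin"; flow: to_server,established; uricontent:"/a/Drk.syn?"; nocase; uricontent: "adcontext"; nocase; reference:url,www.localnrd.com; classtype: trojan-activity; sid: 2001340; rev:7; )
#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Look2me Spyware Activity (1)"; flow: to_server,established; content:"Referer\: Look2Me"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.look2me.html; sid: 2001499; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Look2me Spyware Activity (2)"; flow: to_server,established; uricontent:"/cgi-bin/BW.exe"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.look2me.html; sid: 2001502; rev:6; )
#submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Configuration Access"; flow: to_server,established; uricontent:"/oss/remoteconfig.asp"; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2000902; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Access"; flow: to_server,established; uricontent:"proxyhttp|0b|marketscore|03|com"; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001359; rev:5; )
# rev:4 - reference system was misspelled "rl" (unknown reference system), corrected to "url".
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware SSL Access"; flow: to_server,established; content:"www.marketscore.com"; content:"InstantSSL1"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001563; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Proxied Traffic"; flow: to_server,established; content:"X-OSSProxy\: OSSProxy"; content:"X-OSSProxy-Person-ID\: "; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001564; rev:3; )
#Info from sgtocanada
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Proxied Traffic (mitmproxy agent)"; flow: to_server,established; content:"Proxy-agent\: ManInTheMiddle-Proxy"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001586; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Upgrading"; flow: to_server,established; uricontent:"/oss/upgrchk_2a.asp"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001587; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Activity (1)"; flow: to_server,established; uricontent:"/oss/dittorules.asp"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001588; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Activity (2)"; flow: to_server,established; uricontent:"/oss/routerrules2.asp"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001589; rev:4; )
#Sigs by Matt Jonkman from the excellent analysis by Tom Liston at http://isc.sans.org/diary.php?date=2004-11-04
# rev:6 - header was $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any while the options use
# flow:to_server plus uricontent (a client request); that combination never matches. Flipped
# to the client->server form used by every sibling rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Mastermind Related Reporting"; flow: to_server,established; uricontent:"/bundle.php?"; nocase; uricontent: "aff="; nocase; classtype: trojan-activity; sid: 2001409; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 8081 (msg: "BLEEDING-EDGE Malware Mastermind Related Reporting 8081"; flow: to_server,established; content:"/a?l=PeAyF1sgrZYw&i="; nocase; classtype: trojan-activity; sid: 2001410; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Mastermind Related Downloading mm20.ocx"; flow: to_server,established; uricontent:"/soft/mm20.ocx"; nocase; classtype: trojan-activity; sid: 2001411; rev:4; )
# rev:6 - "within: 5" was attached to the first content match, where it has no preceding
# match to anchor to. Now requires ".exe" somewhere after "/soft/loads/" (distance:0).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Mastermind Related Downloading Daily Executable"; flow: to_server,established; content:"/soft/loads/"; nocase; content:".exe"; nocase; distance: 0; classtype: trojan-activity; sid: 2001412; rev:6; )
# rev:6 - msg typo "Medis-Motor" corrected to match sibling 2001414.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Media-Motor Related Downloading ast_4_mm.exe"; flow: to_server,established; uricontent:"/dist/ast_4_mm.exe"; nocase; classtype: trojan-activity; sid: 2001413; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Media-Motor Related Downloading MediaMotor25.exe"; flow: to_server,established; uricontent:"/soft/MediaMotor25.exe"; nocase; classtype: trojan-activity; sid: 2001414; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware E2give Related Downloading IeBHOs.dll"; flow: to_server,established; uricontent:"/downloads/IeBHOs.dll"; nocase; classtype: trojan-activity; sid: 2001415; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware E2give Related Reporting Install"; flow: to_server,established; uricontent:"/count/count.php?&mm"; nocase; classtype: trojan-activity; sid: 2001416; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware E2give Related Receiving Config"; flow: to_server,established; uricontent:"/config/?"; nocase; uricontent: "v=5"; nocase; uricontent: "n=mm2"; nocase; uricontent: "i="; nocase; classtype: trojan-activity; sid: 2001417; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware E2give Related Downloading Code"; flow: to_server,established; uricontent:"/soft/unstall.exe"; nocase; classtype: trojan-activity; sid: 2001418; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Avres.net Downloading cpr_mm2.exe"; flow: to_server,established; uricontent:"/tt/cpr_mm2.exe"; nocase; classtype: trojan-activity; sid: 2001419; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Avres.net Downloading ab1.exe"; flow: to_server,established; uricontent:"/tt/ab1.exe"; nocase; classtype: trojan-activity; sid: 2001420; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Avres.net Downloading tvm_bundle.exe"; flow: to_server,established; uricontent:"/tt/tvm_bundle.exe"; nocase; classtype: trojan-activity; sid: 2001421; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Avres.net Reporting Data"; flow: to_server,established; uricontent:"/log3.php?"; nocase; uricontent:"c={"; nocase; uricontent:"what="; nocase; uricontent:"avatar="; nocase; classtype: trojan-activity; sid: 2001422; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware E2give Related Reporting"; flow: to_server,established; uricontent:"/count/count.php?&mm2cpr"; nocase; classtype: trojan-activity; sid: 2001423; rev:4; )
#By Matt Jonkman
# NOTE(review): the Host match below has no space after the colon ("Host\:config..."); a
# normal client sends "Host: config.medialoads.com". Confirm against a capture before relying
# on these three rules - if the agent does send a space they will never fire.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Medialoads.com Spyware Config"; flow: to_server,established; uricontent:"/dw/cgi/download.cgi?"; nocase; uricontent:"sn="; nocase; uricontent:"pid="; nocase; content:"Host\:config.medialoads.com"; nocase; classtype: trojan-activity; sid: 2001503; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Medialoads.com Spyware Reporting (download.cgi)"; flow: to_server,established; uricontent:"/dw/cgi/download.cgi?"; nocase; uricontent:"sn="; nocase; content:"Host\:config.medialoads.com"; nocase; classtype: trojan-activity; sid: 2001508; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Medialoads.com Spyware Reporting (register.cgi)"; flow: to_server,established; uricontent:"/dw/cgi/register.cgi?"; nocase; uricontent:"v="; nocase; content:"Host\:config.medialoads.com"; nocase; classtype: trojan-activity; sid: 2001509; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Medialoads.com Spyware Identifying Country of Origin"; flow: to_server,established; uricontent:"/dw/cgi/country.cgi"; nocase; content:"User-Agent\:"; nocase; content:"NSISDL"; within:120; nocase; classtype: trojan-activity; sid: 2001507; rev:7;)
#Mark Tombaugh
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Media Pass ActiveX Install"; flow: to_server,established; uricontent:"/MediaPassK.exe"; nocase; reference:url,www.benedelman.org/news/010205-1.html; reference:url,static.windupdates.com/Release/v19/Info.txt; classtype: policy-violation; sid: 2001783; rev:3; )
#Submitted by Chris Norton
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MediaTickets Download"; flow: to_server,established; uricontent:"MediaTicketsInstaller.cab"; content:"Host\: www.mt-download.com"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html; sid: 2001448; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MediaTickets Spyware Install"; flow: to_server,established; uricontent:"/mtrslib2.js"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html; sid: 2001481; rev:4;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Metarewards Spyware Activity"; flow: to_server,established; content:"Host\: www.metareward.com"; nocase; classtype: policy-violation; sid: 2001666; rev:2; )
#From listening post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Metarewards Disclaimer Access"; flow: to_server,established; uricontent:"/www.metareward.com/mailimg/disclaimer/"; nocase; classtype: policy-violation; sid: 2002309; rev:2; )
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Microgaming.com Spyware Installation (dlhelper)"; flow: established,to_server; uricontent:"/dlhelper.cab"; nocase; classtype: trojan-activity; sid: 2001641; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Microgaming.com Spyware Installation (2)"; flow: established,to_server; uricontent:"/DownloadHNew.asp?"; nocase; uricontent:"btag="; nocase; classtype: trojan-activity; sid: 2001643; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Microgaming.com Spyware Reporting Installation"; flow: established,to_server; uricontent:"/dlhelper/downloadlogger2.asp?"; nocase; uricontent:"time="; nocase; classtype: trojan-activity; sid: 2001644; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Microgaming.com Spyware Casino App Install"; flow: established,to_server; uricontent:"/viper/thunderluck/00"; nocase; classtype: trojan-activity; sid: 2001645; rev:3; )
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Mindset Interactive Install (1)"; flow: to_server,established; uricontent:"/mindset5/data"; nocase; reference:url,www.mindsetinteractive.com; classtype: trojan-activity; sid: 2000583; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Mindset Interactive Install (2)"; flow: to_server,established; uricontent:"/mindset/data"; nocase; reference:url,www.mindsetinteractive.com; classtype: trojan-activity; sid: 2000584; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Mindset Interactive Ad Retrieval"; flow: to_server,established; uricontent:"/mindset5"; nocase; reference:url,www.mindsetinteractive.com; classtype: trojan-activity; sid: 2000594; rev:4; )
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE MSUpdater.net Spyware Checkin"; flow:established,to_server; uricontent:"/popsetarray.php?&country="; nocase; classtype:trojan-activity; sid:2002094; rev:2;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware My Search Bar Install"; flow: to_server,established; uricontent:"/mysetp.exe"; nocase; reference:url,www.2-spyware.com/parasite-my-search-bar.html; classtype:trojan-activity; sid: 2001040; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware My Search Spyware Config Download"; flow: to_server,established; uricontent:"/ms101cfg.jsp?"; nocase; classtype:trojan-activity; sid:2002839; rev:1; )
#Matt Jonkman 2/22/05
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware My-Stats.com Spyware Checkin"; flow: established,to_server; uricontent:"/ad-partner/SelectConfirm.php?"; nocase; uricontent:"dummy="; nocase; classtype: misc-activity; sid: 2001747; rev:5;)
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MyWebSearch Toolbar Receiving Configuration"; flow: to_server,established; uricontent:"/speedbar/mySpeedbarCfg"; nocase; classtype: policy-violation; sid: 2000600; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MyWebSearch Toolbar Traffic (host)"; flow: to_server,established; pcre:"/Host\:[^\n]*[\.\s]myway.com/i"; classtype: policy-violation; threshold:type limit, track by_src, count 2, seconds 360; sid: 2001663; rev:5; )
# NOTE(review): " MyWay" is matched anywhere in the request, not just in User-Agent as the
# msg suggests - expect false positives on any page text containing that word.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MyWebSearch Toolbar Traffic (Agent)"; flow: to_server,established; content:" MyWay"; nocase; classtype: policy-violation; sid: 2001662; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MyWebSearch Toolbar Traffic (bin download)"; flow: to_server,established; uricontent:"/images/mywebsearchbar/"; nocase; uricontent:".bin"; nocase; classtype: policy-violation; sid: 2002819; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MyWebSearch Toolbar Traffic (general download)"; flow: to_server,established; uricontent:"/mywebsearchbar/"; nocase; classtype: policy-violation; sid: 2002818; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MyWebSearch Toolbar Traffic (bar config download)"; flow: to_server,established; uricontent:"/barcfg.jsp?"; nocase; content:"MyWebSearchWB"; nocase; classtype: policy-violation; sid: 2002836; rev:1;)
#Submitted by Matt Jonkman
# rev:5 / rev:7 - both msgs named the wrong product ("Oenji.com", "Spyspotter.com"); the
# matches are for OemjiInstall and .oemji.com, so the msgs now say Oemji.com.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Oemji.com Install"; flow: to_server,established; uricontent:"/Bundled/OemjiInstall"; nocase; classtype: trojan-activity; sid: 2001538; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Oemji.com Access, Likely Spyware"; flow: to_server,established; content:"Host\:"; nocase; depth: 400; content:".oemji.com"; within: 25; distance: 1; classtype: trojan-activity; sid: 2001539; rev:7; )
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware OfferOptimizer.com Spyware"; flow: to_server,established; uricontent:"/ctx/keyword_context.php?"; nocase; uricontent:"urlContext=http"; nocase; reference:url,www.offeroptimizer.com; classtype: policy-violation; sid: 2001341; rev:7; )
#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware OutBlaze.com Spyware Activity"; flow: to_server,established; uricontent:"/scripts/adpopper/webservice.main"; nocase; classtype: trojan-activity; sid: 2002044; rev:2; )
#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Outerinfo.com Spyware Install"; flow: to_server,established; uricontent:"/ctxad-"; nocase; content:"outerinfo.com"; nocase; classtype: trojan-activity; sid: 2001495; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Outerinfo.com Spyware Advertising Campaign Download"; flow: to_server,established; uricontent:"/campaigns"; nocase; content:"outerinfo.com"; nocase; classtype: trojan-activity; sid: 2001496; rev:3; )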
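alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Outerinfo.com Spyware Activity"; flow: to_server,established; content:"Host\: campaigns.outerinfo.com"; nocase; classtype: trojan-activity; sid: 2001497; rev:3; )
#Submitted by Chris Norton
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Overpro Spyware Bundle Install"; flow: to_server,established; content:"Host\: download.overpro.com"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/WildApp\.cab/i"; reference:url,www.wildarcade.com; classtype: trojan-activity; sid: 2001444; rev:7; )
#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Overpro Spyware Games"; flow: to_server,established; uricontent:"/blocks/blasterblocks"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html; sid: 2001459; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Overpro Spyware Install Report"; flow: to_server,established; uricontent:"/processInstall.aspx"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html; sid: 2002017; rev:4; )
#Matt Jonkman from Spyware Listening Post Data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Pacimedia Spyware 1"; flow:to_server,established; uricontent:"/mcp/mcp.cgi"; classtype:trojan-activity; sid:2002083; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Pacimedia Spyware 2"; flow: to_server,established; uricontent:"/xml/check.php?"; nocase; uricontent:"u="; nocase; classtype: policy-violation; sid: 2002194; rev:3; )
#Submitted by Chris Norton
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware PeopleOnPage Install"; flow: to_server,established; uricontent:"/install/pop"; nocase; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; classtype: policy-violation; sid: 2001445; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware PeopleOnPage Ping"; flow: to_server,established; content:"Host\: srv.peopleonpage.com"; nocase; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/s\/l\/firstping/i"; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; classtype: policy-violation; sid: 2001446; rev:6; )
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Popuptraffic.com Bot Reporting"; flow: to_server,established; uricontent:"/scripts/click.php?"; nocase; uricontent:"hid="; reference:url,popuptraffic.com; classtype: policy-violation; sid: 2000577; rev:6; )
#By Joel Esler
#alert tcp $HOME_NET any -> 216.151.85.195 $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Unknown Suspicious PrintMe Suspected Spyware"; flow: established; content:"PrintMe"; classtype: bad-unknown; sid: 2001665; rev:3; )
# Submitted by John Stewart, 2/23/2005
# NOTE(review): destination is "any" rather than $EXTERNAL_NET here; unclear whether that is
# intentional (internal proxy) or an oversight - confirm before tuning.
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Pynix.dll BHO Activity"; flow: established,to_server; uricontent:"ABETTERINTERNET.EXE"; nocase; uricontent:"bho=PYNIX.DLL"; nocase; reference:url,www.pynix.com; classtype: trojan-activity; sid: 2001748; rev:3; )
#Updated by Jonathan Miner
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware rcprograms"; flow: to_server,established; content:"update.rcprograms.com"; nocase; reference:url,sarc.com/avcenter/venc/data/adware.rcprograms.html; classtype: trojan-activity; sid: 2000024; rev:5; )
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Rdxrp.com Traffic"; flow: to_server,established; uricontent:"/rdxr020304.dat"; nocase; classtype: trojan-activity; sid: 2001311; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Rdxrp.com Traffic (Generic)"; flow: to_server,established; uricontent:"/rdxr"; nocase; uricontent:".dat"; nocase; classtype: trojan-activity; sid: 2001312; rev:3; )
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Regnow.com Access"; flow: to_server,established; uricontent:"/softsell/visitor.cgi?"; nocase; uricontent:"affiliate="; nocase; reference:url,www.regnow.com; classtype: trojan-activity; sid: 2001223; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Regnow.com Gamehouse.com Access"; flow: to_server,established; uricontent:"/affiliates/template.jsp?"; nocase; uricontent:"AID="; nocase; reference:url,www.gamehouse.com; classtype: trojan-activity; sid: 2001224; rev:5; )
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Salongas Infection"; flow: to_server,established; uricontent:"/sp.htm?id="; classtype: trojan-activity; sid: 2000601; rev:3; )
#By Matt Jonkman from Listening Post Data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchfeed.com Spyware 1"; flow: to_server,established; uricontent:"/rd/Clk.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; sid: 2002296; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchfeed.com Spyware 2"; flow: to_server,established; uricontent:"/rd/feed/TextFeed.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; sid: 2002297; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchfeed.com Spyware 3"; flow: to_server,established; uricontent:"/rd/feed/XMLFeed.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; sid: 2002298; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchfeed.com Spyware 4"; flow: to_server,established; uricontent:"/rd/feed/JavaScriptFeed.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; sid: 2002299; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchfeed.com Spyware 5"; flow: to_server,established; uricontent:"/rd/feed/JavaScriptFeedSE.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; sid: 2002300; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchfeed.com Spyware 6"; flow: to_server,established; uricontent:"/rd/SearchResults.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; sid: 2002301; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchfeed.com Spyware 7"; flow: to_server,established; uricontent:"/rd/jsp/BidRank/index.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; sid: 2002302; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchfeed.com Spyware 8"; flow: to_server,established; uricontent:"/SFToolBar.html"; reference:url,www.searchfeed.com; classtype: trojan-activity; sid: 2002303; rev:2; )
#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmeup Spyware Install (toolbar)"; flow: to_server,established; uricontent:"/dkprogs/toolbar.txt"; nocase; classtype: trojan-activity; sid: 2001473; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmeup Spyware Install (prog)"; flow: to_server,established; uricontent:"/dkprogs/dktibs.php"; nocase; classtype: trojan-activity; sid: 2001474; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmeup Spyware Receiving Commands"; flow: to_server,established; uricontent:"/xpsystem/commands.ini"; nocase; classtype: trojan-activity; sid: 2001475; rev:4; )
# The three affiliate rules match an absolute "http://host" URI, i.e. a proxy-form request.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install (pizdato)"; flow: to_server,established; uricontent:"http\://pizdato.biz"; nocase; classtype: trojan-activity; sid: 2001476; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install (coolsearch)"; flow: to_server,established; uricontent:"http\://www.coolsearch.biz"; nocase; classtype: trojan-activity; sid: 2001477; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install (newiframe)"; flow: to_server,established; uricontent:"http\://newiframe.biz"; nocase; classtype: trojan-activity; sid: 2001478; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmeup Spyware Install (systime)"; flow: to_server,established; uricontent:"/dkprogs/systime.txt"; nocase; classtype: trojan-activity; sid: 2001480; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmeup Spyware Install (mstask)"; flow: to_server,established; uricontent:"/dkprogs/mstasks3.txt"; nocase; classtype: trojan-activity; sid: 2001483; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmeup Spyware Install (d.exe)"; flow: to_server,established; uricontent:"/x30/d.exe"; nocase; classtype: trojan-activity; sid: 2001484; rev:5; )
#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmiracle.com Spyware Install (v3cab)"; flow: to_server,established; uricontent:"/cab/v3cab.cab"; reference:url,www.searchmiracle.com; classtype: trojan-activity; sid: 2001540; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmiracle.com Access, Likely Spyware"; flow: to_server,established; content:"Host\:"; nocase; depth: 400; content:".searchmiracle.com"; nocase; within: 35; distance: 1; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.elitebar.html; sid: 2001532; rev:8; )
# The hex below is the ASCII string " (C) 2001, 2003 Radim Picha" in the served binary. It is a
# copyright/packer string, not anything specific to searchmiracle, so any download carrying
# that string will alert - treat hits as a lead, not a conviction.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Malware Searchmiracle.com Spyware Installer silent.exe Download"; flow: from_server,established; content:"|20 28 43 29 20 32 30 30 31 2c 20 32 30 30 33 20 52 61 64 69 6d 20 50 69 63 68 61|"; reference:url,www.searchmiracle.com/silent.exe; classtype: trojan-activity; sid: 2001533; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmiracle.com Spyware Install (silent_install)"; flow: to_server,established; uricontent:"/silent_install.exe"; nocase; reference:url,www.searchmiracle.com; classtype: trojan-activity; sid: 2001534; rev:9; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmiracle.com Spyware Install (protector.exe)"; flow: to_server,established; uricontent:"/protector.exe"; content:"Host\: install.searchmiracle.com"; nocase; reference:url,www.searchmiracle.com; classtype: trojan-activity; sid: 2001535; rev:8; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmiracle.com Spyware Install (install)"; flow: to_server,established; uricontent:"/sideb.exe"; content:"Host\: install.searchmiracle.com"; nocase; reference:url,www.searchmiracle.com; classtype: trojan-activity; sid: 2001744; rev:8; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmiracle.com Spyware Install -- silent.exe"; flow: to_server,established; uricontent:"/silent.exe"; nocase; reference:url,www.searchmiracle.com; classtype: trojan-activity; sid: 2002091; rev:2; )
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Search Relevancy Spyware"; flow: established,to_server; uricontent:"/SearchRelevancy/SearchRelevancy.dll"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.relevancy.html; sid: 2001696; rev:6; )
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Search Scout Related Spyware (content)"; flow: established,to_server; content:"Host\: content.searchscout.com"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.searchscout.html; sid: 2001650; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Search Scout Related Spyware (results)"; flow: established,to_server; content:"Host\: results.searchscout.com"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.searchscout.html; sid: 2001653; rev:4; )
#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Sexmaniack Install Tracking"; flow: to_server,established; uricontent:"/counted.php?ref="; nocase; content:"Host\: counter.sexmaniack.com"; nocase; classtype: trojan-activity; sid: 2001460; rev:5; )
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Shop At Home Select.com Install Attempt"; flow: to_server,established; uricontent:"/mindset/bunsetup.cab"; nocase; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; classtype: policy-violation; sid: 2000580; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Malware Shop At Home Select.com Install Download"; flow: from_server,established; content:"|ab 3b d4 97 d4 a7 b4 1d da 6e 6d 0f f4 aa 4f|"; content:"|46 b3 3b 8b 38 cc 2c 2a a4 c3 07 67 67 df 65 41|"; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; classtype: policy-violation; sid: 2000581; rev:6; )
# rev:7 - the URI had been HTML-entity-mangled to "heartbeat¶m=" ("&para" -> the pilcrow
# sign); restored the literal query string "heartbeat&param=".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Shop at Home Select Spyware Heartbeat"; flow: established,to_server; uricontent:"/s.dll?MfcISAPICommand=heartbeat&param="; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; sid: 2001708; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Shop at Home Select Spyware Config Download (agentprefs)"; flow: established,to_server; uricontent:"/agentprefs"; nocase; content:".sah"; nocase; within: 5; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; sid: 2001709; rev:8; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Shop at Home Select Spyware Install"; flow: established,to_server; uricontent:"/arcadecash/setup"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; sid: 2002037; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Shop at Home Select Spyware Config Download"; flow: established,to_server; uricontent:"/agent"; nocase; uricontent:"/validate"; nocase; content:".sah"; nocase; within: 5; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; sid: 2002043; rev:3; )
#matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Shopnav Spyware Install"; flow: to_server,established; uricontent:"/toolbarv3.cgi?UID="; nocase; uricontent:"&version="; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.shopnav.html; sid: 2002000; rev:3; )
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SideStep Bar Install"; flow: to_server,established; uricontent:"/servlet6/servlet/sbinstservlet"; nocase; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; sid: 2001016; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SideStep Bar Reporting Data"; flow: to_server,established; uricontent:"/servlet6/servlet/sblogservlet"; nocase; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; sid: 2001017; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SideStep Bar Activity"; flow: to_server,established; uricontent:"/servlet6/jsp/mvc"; nocase; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; sid: 2001018; rev:5; )
# rev:8 - the pcre was "/Host\:/sstart\d+.sidestep.com/i": the unescaped "/" after "Host\:"
# terminates the pattern early and leaves junk where the flags go, so the rule failed to parse.
# "\s*" replaces the stray "/s" and the dots in the hostname are now escaped.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SideStep Bar Autoupdate"; flow: to_server,established; uricontent:"/autoupd/rel"; nocase; pcre:"/Host\:\s*sstart\d+\.sidestep\.com/i"; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; sid: 2001019; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SideStep Bar Update Reporting"; flow: to_server,established; uricontent:"/wutrack.bin?PUID="; nocase; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; sid: 2001020; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SideStep Bar Reporting Data (sbstart)"; flow: to_server,established; uricontent:"/servlet6/servlet/SbStartservlet"; nocase; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; sid: 2002821; rev:2; )
#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Smartpops.com Spyware Install rh.exe"; flow: to_server,established; uricontent:"/install/RH/rh.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; sid: 2001505; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Smartpops.com Spyware Install"; flow: to_server,established; uricontent:"/install/SE/sed.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; sid: 2001516; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Smartpops.com Spyware Update"; flow: to_server,established; uricontent:"/data/spv15.dat?v="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; sid: 2001513; rev:5; )
#By Michael Ligh
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Sony DRM Reporting 1"; flow: to_server,established; uricontent:"/toc/Connect?type=redirect"; nocase; uricontent:"&uId="; nocase; classtype:trojan-activity; reference:url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html; sid:2002675; rev:3;)
# rev:3 - pcre lacked its opening "/" delimiter, which Snort rejects; added it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Sony DRM Reporting 2"; flow: to_server,established; content:"sonymusic.com"; nocase; pcre:"/User-Agent\:[^\n]+SecureNet[^\n]+Xtra/i"; classtype:trojan-activity; reference:url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html; sid:2002674; rev:3;)
#by Blake Hartstein
# Server->client: a page that instantiates the CodeSupport.ocx control by CLSID (the Sony
# rootkit uninstaller's ActiveX, remotely scriptable - see the FrSIRT advisory).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Malware Sony DRM Related -- CodeSupport ActiveX Attempt"; flow:from_server,established; content:"CLSID"; nocase; content:"4EA7C4C5-C5C0-4F5C-A008-8293505F71CC"; nocase; distance:0; reference:url,www.frsirt.com/english/advisories/2005/2454; reference:url,www.hack.fi/~muzzy/sony-drm/; classtype:web-application-attack; sid:2002679; rev:3;)
alert tcp 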
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Malware Sony DRM -- Uninstaller CLSID"; flow:from_server,established; content:"CLSID"; nocase; pcre:"/1F1EB85B-0FE9-401D-BC53-10803CF880A7|7965A6FD-B383-4658-A8E0-C78DCF2D0E63|9A60A782-282B-4D69-9B2A-0945D588A125|80E8743E-8AC5-46F1-96A0-59FA30740C51/Ri"; reference:url,www.freedom-to-tinker.com/?p=931; reference:url,www.frsirt.com/english/advisories/2005/2493; reference:url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx; classtype:web-application-attack; sid:2002680; rev:3;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg: "BLEEDING-EDGE Malware Likely Spambot Web-based Control Traffic"; flow: to_server,established; content:"User-Agent\: Godzilla"; nocase; classtype: trojan-activity; sid: 2001711; rev:3; ) # Submitted by William Salusky # # The following rule has proven useful in detecting unidentified spammer nodes. # You should tweak the rule header according to your network architecture. # Thresholding is optional, but without it in my network this sig would # overwhelm my sensors. alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE Spambot Proxy Control Channel"; flow: established; content:"|04010019|"; offset: 0; depth: 4; classtype: trojan-activity; sid: 2001814; rev:4; ) # The following rule assists in the identification of spam when SMTP 220 # responses are seen egressing your network from unusual src ports. # You may want to consider tagging a number of following packets. 
#alert tcp $HOME_NET !21:587 -> any any (msg: "BLEEDING-EDGE Spambot Suspicious 220 Banner on Local Port"; flow: established; content:"220 "; offset: 0; depth: 4; tag: session, 20, packets; classtype: non-standard-protocol; sid: 2001815; rev:4; ) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Speedera Agent"; flow: to_server,established; uricontent:"/io/downloads"; nocase; classtype: trojan-activity; sid: 2001320; rev:3; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Speedera Agent (Specific)"; flow: to_server,established; uricontent:"/io/downloads/3/wsem302.dl"; nocase; classtype: trojan-activity; sid: 2001321; rev:3; ) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Spyaxe Spyware DB Update"; flow: to_server,established; uricontent:"/updates/database/dbver.php"; nocase; content:"spywareaxe"; nocase; classtype: trojan-activity; sid: 2002804; rev:1; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Spyaxe Spyware DB Version Check"; flow: to_server,established; uricontent:"/updates/database/dbver.dat"; nocase; content:"spywareaxe"; nocase; classtype: trojan-activity; sid: 2002805; rev:1; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Spyaxe Spyware Checkin"; flow: to_server,established; uricontent:"/download.php?sid="; nocase; content:"spyaxe"; nocase; classtype: trojan-activity; sid: 2002806; rev:1; ) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Spygalaxy.ws Activity"; flow: to_server,established; uricontent:"/install.php?id="; nocase; content:"Host\: spygalaxy.ws"; nocase; classtype: trojan-activity; sid: 2001489; rev:4; ) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Spyspotter.com Install"; flow: to_server,established; 
uricontent:"/SpySpotterInstall.cab"; nocase; classtype: trojan-activity; sid: 2001536; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Spyspotter.com Access"; flow: to_server,established; pcre:"/Host\:[^\n]+spyspotter.com/i"; classtype: trojan-activity; sid: 2001537; rev:8; ) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SpywareLabs VirtualBouncer Seeking Instructions"; flow: to_server,established; content:"instructions"; nocase; pcre:"/instructions\/\d{2}\.xml/mi"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.virtualbouncer.html; sid: 2000587; rev:7; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SpywareLabs Application Install"; flow: to_server,established; uricontent:"/DistID/BaseInstalls/V"; nocase; content:"User-Agent\:"; nocase; content:"Wise"; within:120; nocase; classtype: trojan-activity; sid: 2001522; rev:6;) #by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Spyware Stormer Reporting Data"; flow: established,to_server; uricontent:"/showme.aspx?keyword="; nocase; content:"ecomdata1="; nocase; reference:url,www.spywarestormer.com; classtype: trojan-activity; sid: 2001570; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Spyware Stormer/Error Guard Activity"; flow: established,to_server; uricontent:"/sell.cgi?errorguard/1/errorguard"; nocase; reference:url,www.spywarestormer.com; classtype: trojan-activity; sid: 2001571; rev:5; ) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Statblaster Receiving New configuration (update)"; flow: to_server,established; uricontent:"/updatestats/update"; nocase; uricontent:".xml"; nocase; classtype: policy-violation; 
reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; sid: 2001225; rev:6; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Statblaster Receiving New configuration (allfiles)"; flow: to_server,established; uricontent:"/updatestats/all_files"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; sid: 2001523; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Statblaster Code Download"; flow: to_server,established; uricontent:"/updatestats/"; nocase; uricontent:".exe"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; sid: 2001524; rev:4; ) #Submitted by Chris Norton alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Statblaster.MemoryWatcher Download"; flow: to_server,established; uricontent:"/memorywatcher.exe"; reference:url,www.memorywatcher.com/eula.aspx; classtype: trojan-activity; sid: 2001442; rev:7; ) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SurfAssistant.com Spyware Install"; flow: to_server,established; uricontent:"/distribution/questmod-1.dll"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sa.html; sid: 2001510; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SurfAssistant.com Spyware Reporting"; flow: to_server,established; uricontent:"/sa/?a="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sa.html; sid: 2001514; rev:6;) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SurfSidekick Activity"; flow: established,to_server; uricontent:"/Bundling/SskUpdater"; nocase; classtype: trojan-activity; 
reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; sid: 2001731; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SurfSidekick Download"; flow: established,to_server; uricontent:"/requestimpression.aspx?ver="; nocase; content:"host="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; sid: 2001992; rev:3; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SurfSidekick Dictionary Download"; flow: established,to_server; uricontent:"/Dictionaries"; nocase; content:".dll"; nocase; within: 10; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; sid: 2001993; rev:3; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SurfSidekick Activity (ipixel)"; flow: established,to_server; uricontent:"/ipixel.htm?cid="; nocase; content:"&pck_id="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; sid: 2001994; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SurfSidekick Activity (rinfo)"; flow: established,to_server; uricontent:"/rinfo.htm?"; nocase; uricontent:"host="; nocase; uricontent:"action="; nocase; uricontent:"client=SSK"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; sid: 2002738; rev:1; ) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE TargetNetworks.net Spyware Reporting (req)"; flow: to_server,established; uricontent:"/request/req.cgi?gu="; nocase; uricontent:"&sid="; nocase; uricontent:"&kw="; nocase; reference:url,www.targetnetworks.com; classtype: trojan-activity; sid: 2001997; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: 
"BLEEDING-EDGE MALWARE TargetNetworks.net Spyware Reporting (tn)"; flow: to_server,established; uricontent:"/data/tn.dat?v="; nocase; uricontent:"&sid="; nocase; reference:url,www.targetnetworks.com; classtype: trojan-activity; sid: 2002046; rev:4; ) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware thebestsoft4u.com Spyware Install (1)"; flow: to_server,established; uricontent:"/pa/glx.exe"; nocase; classtype: trojan-activity; sid: 2001482; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware thebestsoft4u.com Spyware Install (2)"; flow: to_server,established; uricontent:"/pa/proxyrnd.exe"; nocase; classtype: trojan-activity; sid: 2001485; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware thebestsoft4u.com Spyware Install (3)"; flow: to_server,established; uricontent:"/pr.exe"; nocase; classtype: trojan-activity; sid: 2001486; rev:4; ) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Tibsystems Spyware Download"; flow: to_server,established; uricontent:"/d4.fcgi?v="; nocase; classtype: trojan-activity; sid: 2001488; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Tibsystems Spyware Install (1)"; flow: to_server,established; uricontent:"/fcgi-bin/iza2.fcgi?m="; nocase; classtype: trojan-activity; sid: 2001729; rev:3; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Tibsystems Spyware Install (2)"; flow: to_server,established; uricontent:"/tb/loader2.ocx"; nocase; classtype: trojan-activity; sid: 2001734; rev:3; ) #By Matt Jonkman from Spyware listening post data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Tickle.com Spyware"; flow: to_server,established; uricontent:"/forward?sid="; classtype: trojan-activity; reference:url,www.spywareremove.com/removeTickle.html; 
sid:2002197; rev:1; ) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ToolbarPartner Spyware Install"; flow: established,to_server; uricontent:"/popengine/POP.CHM"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; sid: 2001886; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ToolbarPartner Spyware Activity (1)"; flow: established,to_server; uricontent:"/adverts/zergio/"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; sid: 2001887; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ToolbarPartner Spyware Activity (2)"; flow: established,to_server; content:"Host\: toolbarpartner.com"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; sid: 2001888; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ToolbarPartner Spyware Jeemp Trojan Download"; flow: established,to_server; uricontent:"/proxyrnd.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; sid: 2001889; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ToolbarPartner Spyware Agent Download (1)"; flow: established,to_server; uricontent:"/ldr.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; sid: 2001890; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ToolbarPartner Spyware Agent Download (2)"; flow: established,to_server; uricontent:"/toolbar.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; sid: 2001892; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ToolbarPartner Spyware Agent Reporting Install"; flow: established,to_server; uricontent:"/installed.php?wm=Zergio"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; sid: 2001893; rev:4; ) alert tcp $HOME_NET any 
-> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ToolbarPartner Spyware Agent Partner Install"; flow: established,to_server; uricontent:"/inst.php?id="; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; sid: 2001894; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ToolbarPartner Spyware Spambot Retrieving Target Emails"; flow: established,to_server; uricontent:"/mailz.php?id="; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; sid: 2001895; rev:4; ) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Spywaremover Activity"; flow: to_server,established; uricontent:"/spywareremovers.php?"; content:"Host\: topantispyware.com"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topantispyware.html; sid: 2001520; rev:5; ) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Topconverting Spyware Install"; flow: to_server,established; uricontent:"/activex/weirdontheweb_topc.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2002004; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Topconverting Spyware Reporting"; flow: to_server,established; uricontent:"/trigger.php?partner="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2002040; rev:3; ) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware TopMoxie Reporting Data to External Host"; flow: to_server,established; content:"/downloads/record_download.asp"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/downloads\/record_download\.asp/i"; reference:url,www.topmoxie.com; classtype: trojan-activity; sid: 2000588; rev:7; ) 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware TopMoxie Retrieving Data (downloads)"; flow: to_server,established; uricontent:"/external/builds/downloads2/"; nocase; reference:url,www.topmoxie.com; classtype: trojan-activity; sid: 2000589; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware TopMoxie Retrieving Data (common)"; flow: to_server,established; uricontent:"/external/builds/common/"; nocase; reference:url,www.topmoxie.com; classtype: trojan-activity; sid: 2000590; rev:5; ) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Toprebates.com Install (1)"; flow: established,to_server; uricontent:"/acti.asp?cl=1&gd=1&clpid="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; sid: 2001646; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Toprebates.com Install (2)"; flow: established,to_server; uricontent:"/builds/"; nocase; uricontent:"AutoTrack_Install.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; sid: 2001647; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Toprebates.com User Confirming Membership"; flow: established,to_server; uricontent:"/cgi/account.plx?pid="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; sid: 2001648; rev:3; ) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Ezula"; flow: to_server,established; uricontent:"/MindSet5/install/ezinstall.exe"; nocase; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; classtype: trojan-activity; sid: 2001334; rev:4; ) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: 
"BLEEDING-EDGE Malware Ezula Installer Download"; flow: from_server,established; content:"|65 5a 75 6c 61 20 49 6e 73 74 61 6c 6c 61 74 69 6f 6e 00 49|"; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; classtype: trojan-activity; sid: 2001335; rev:5; ) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Trafficsector.com Spyware Install"; flow: to_server,established; uricontent:"/install.php?"; nocase; uricontent:"afid="; nocase; uricontent:"&user_id="; content:"trafficsector"; nocase; classtype: policy-violation; sid: 2002736; rev:1; ) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Traffic Syndicate Add/Remove"; flow: to_server,established; uricontent:"/Support/AddRemove.aspx?id="; nocase; classtype: policy-violation; sid: 2001313; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Traffic Syndicate Agent Updating (1)"; flow: to_server,established; uricontent:"/TbLinkConfig.asmx"; nocase; threshold: type limit, track by_src, count 1, seconds 360; classtype: policy-violation; sid: 2001315; rev:6; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Traffic Syndicate Agent Updating (2)"; flow: to_server,established; uricontent:"/TbInstConfig.asmx"; nocase; threshold: type limit, track by_src, count 1, seconds 360; classtype: policy-violation; sid: 2001316; rev:6; ) #by Matt Jonkman, data from the Spyware Listening Post alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Transponder Spyware Activity"; flow:established,to_server; uricontent:"/sendROIcookie.cfm?refer="; nocase; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/Transponder.html; sid:2002320; rev:1;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE UCMore Spyware Reporting"; flow: 
to_server,established; uricontent:"/iis2ucms.asp"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; classtype: trojan-activity; sid: 2001995; rev:3; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE UCMore Spyware Downloading Ads"; flow: to_server,established; uricontent:"/iis2ucms_getsponsorlinks.asp"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; classtype: trojan-activity; sid: 2001998; rev:3; ) # Added by Frank Knobbe on 2006-03-12 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Suspicious POST to ROBOTS.TXT"; flow:established,to_server; content:"POST"; depth:4; nocase; uricontent:"/robots.txt"; nocase; pcre:"/Cookie\:\ +x=[0-9]*\;\ +y=[0-9]+/i"; classtype:unknown; sid:2002856; rev:1;) # These are user agent strings from the user agents project: # http://www.bleedingsnort.com/article.php?story=20050303190103553 # These will hit on traffic generated by spyware agents and installers # # The user agent sigs from all types of spyware are consolidated here # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE User-Agent String"; flow:established,to_server; flowbits:isnotset,http.UserAgent; flowbits:noalert; flowbits:set,http.UserAgent; content:"User-Agent\:"; nocase; classtype:string-detect; sid: 2002311; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE EXE as User Agent -- Potential Spyware"; flow: established,to_server; flowbits:isset,http.UserAgent; content:"User-Agent\:"; nocase; content:".exe"; within:20; nocase; classtype: trojan-activity; sid: 2002153; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 404Search Spyware User Agent"; flow:established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+404search/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001852; 
rev:13;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Easy Search Bar Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+ESB\(/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001853; rev:11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE EZULA Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+ezula/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001854; rev:11; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (1)"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+FunWebProducts/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; threshold: type limit, count 1, seconds 360, track by_src; sid: 2001855; rev:13;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Hotbar Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Hotbar/i"; threshold: type limit, count 1, seconds 360, track by_src; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001858; rev:13;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Cool Web Search Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+iefeatsl/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001859; rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Kontiki Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; 
pcre:"/User-Agent\:[^\n]+Kontiki/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001860; rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Micro-Gaming Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+MGS-Internal-Web-Manager/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001861; rev:11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Surf Assistant Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; content:"User-Agent\: ML"; nocase; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001862; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (2)"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+MyTotalSearch/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001863; rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (3)"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+MyWay/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001864; rev:13;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE MyWebSearch Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+MyWebSearch/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001865; rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Smartpops/Mediaload Spyware User 
Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+NSISDL/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001866; rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Search Engine 2000 Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+searchengine2000\.com/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001867; rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE SureSeeker Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+sureseeker\.com/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001868; rev:13;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Sidesearch Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Sidesearch/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001869; rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Surfplayer Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+SurferPlugin/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001870; rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Target Saver Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+TSA/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001871; rev:11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: 
"BLEEDING-EDGE MALWARE Visicom Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Visicom Toolbar/i"; threshold: type limit, count 1, seconds 360, track by_src; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001872; rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Altnet PeerPoints Manager Traffic"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Peer Points Manager/i"; classtype: policy-violation; sid: 2001640; rev:10;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Browseraid.com Agent"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Browser Adv/i"; reference:url,www.browseraid.com; classtype: trojan-activity; sid: 2001295; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Context Plus Spyware Activity (1)"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Apropos/i"; classtype: trojan-activity; sid: 2001703; rev:11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Context Plus Spyware Activity (2)"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Envolo/i"; classtype: trojan-activity; sid: 2001706; rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Enhance My Search Spyware Activity"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+HelperH/i"; classtype: trojan-activity; sid: 2001746; rev:11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Gator Agent Traffic"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Gator/i"; classtype: policy-violation; sid: 2000026; rev:10;) alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg: "BLEEDING-EDGE Malware Internet Optimizer Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+IOKernel/i"; classtype: trojan-activity; sid: 2001498; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Activity (MyApp)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+MyApp/i"; reference:url,www.isearchtech.com; classtype: trojan-activity; sid: 2001492; rev:13;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Activity (IST)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+IST/"; reference:url,www.isearchtech.com; classtype: trojan-activity; sid: 2001493; rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg: "BLEEDING-EDGE Malware JoltID Agent New Code Download"; flow: established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+PeerEnabler/i"; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; sid: 2001652; rev:13;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware User Configuration and Setup Access"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+OSSProxy/i"; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001562; rev:10;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Medialoads.com Spyware Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"medialoads.com"; nocase; pcre:"/User-Agent\:[^\n]+NSISDL/i"; classtype: trojan-activity; sid: 2001504; rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Shop at Home Select Spyware Activity (Bundle)"; 
flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Bundle/i"; classtype: policy-violation; sid: 2001702; rev:14;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Shop at Home Select Spyware Activity (SAH)"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+SAH Agent/i"; classtype: policy-violation; sid: 2001707; rev:13;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Tibsystems Spyware Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+TIBS/i"; classtype: trojan-activity; sid: 2001487; rev:11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Top Converting Agent Activity"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Topconvertingagent/i"; classtype: trojan-activity; sid: 2001732; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Ezula Related Calling Home"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+mez/i"; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; classtype: trojan-activity; sid: 2000586; rev:10;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware UCMore Spyware Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+UCmore/i"; classtype: trojan-activity; sid: 2001736; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware UCMore Spyware Activity User Agent String"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"User-Agent\: EI"; classtype: trojan-activity; sid: 2001996; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Wild Tangent Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; 
pcre:"/User-Agent\:[^\n]+Wildtangent Kernel/i"; classtype: trojan-activity; sid: 2001639; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware YourSiteBar Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+istsvc/i"; reference:url,www.ysbweb.com; classtype: trojan-activity; sid: 2001699; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ToolbarPartner User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"User-Agent\: agent"; nocase; classtype: trojan-activity; sid: 2001891; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Better Internet Spyware User Agent Activity (thnall)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+THNALL[^\n]+\.EXE/i"; classtype: trojan-activity; sid: 2002002; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Overpro Spyware User Agent Activity (merong)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+MERONG/i"; classtype: trojan-activity; sid: 2002020; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Better Internet Spyware User Agent Activity (poller)"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"User-Agent\: Poller"; nocase; classtype: trojan-activity; sid: 2002005; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Better Internet Spyware User Agent Activity (aurareco)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+aurareco\.exe/i"; classtype: trojan-activity; sid: 2002039; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Wildmedia Spyware User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"User-Agent\: 
update "; nocase; content:!"Antivirus"; within: 9; classtype: trojan-activity; sid: 2002007; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware PeopleonPage Spyware User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+OCSLab AutoUpdater/i"; classtype: trojan-activity; sid: 2002011; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Grandstreet Interactive Spyware User Agent Activity (1)"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"User-Agent\: IEP"; nocase; classtype: trojan-activity; sid: 2002021; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Grandstreet Interactive Spyware User Agent Activity (2)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+wupdsnff\.exe/i"; classtype: trojan-activity; sid: 2002014; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Better Internet Spyware User Agent Activity (thin)"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"User-Agent\: thin"; nocase; classtype: trojan-activity; sid: 2002035; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Shopathomeselect.com Spyware User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+WebDownloader/i"; classtype: trojan-activity; sid: 2002038; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware XupiterToolbar Spyware User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+XupiterToolbar/i"; classtype: trojan-activity; reference:url,castlecops.com/tk781-Xupitertoolbar_dll_t_dll.html; sid: 2002071; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware General Spyware User Agent Activity"; 
flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+thnall1ac\.exe/i"; classtype: trojan-activity; sid: 2002073; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Win32.Stubby Spyware User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Stubby/i"; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088437; sid: 2002074; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware New.net Spyware User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+New\.net/i"; classtype: trojan-activity; reference:url,www.newdotnet.com; reference:url,www.pcsympathy.com/printout74.html; sid: 2002076; rev:5;) #disabling, it hits on normal traffic from Windows Media Player, and others. Needs more research #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware IEBar Spyware User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+iebar/i"; threshold: type limit, track by_src, count 1, seconds 360; classtype: trojan-activity; reference:url,castlecops.com/tk1463-IEBAR_DLL.html; sid: 2002077; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SideStep Spyware User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+SideStep/i"; classtype: trojan-activity; sid: 2002078; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE MyWaySearch Products Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+MyWay/i"; classtype: trojan-activity; sid: 2002079; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE MySearch Products Spyware User Agent"; flow: 
established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+MySearch/i"; classtype: trojan-activity; sid: 2002080; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware IEHelp.net Spyware User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+firestarter/i"; classtype: trojan-activity; sid: 2002097; rev:4;) #New from Chris Taylor and the User agents project alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Alexa Search Toolbar"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Alexa Toolbar/i"; reference:url,www.spywareguide.com/product_show.php?id=418; classtype:trojan-activity; sid:2002166; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE CoolWebSearch Spyware (Feat)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Feat Ext/i"; reference:url,www.spywareguide.com/product_show.php?id=599; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075759; reference:url,www.doxdesk.com/parasite/CoolWebSearch.html; classtype:trojan-activity; sid:2002160; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE CoolWebSearch Spyware (feat2)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Feat2/i"; reference:url,www.spywareguide.com/product_show.php?id=599; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075759; reference:url,www.doxdesk.com/parasite/CoolWebSearch.html; classtype:trojan-activity; sid:2002161; rev:5;) #Disabling, Hits on regular windows update type traffic to sa.windows.com #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE CoolWebSearch Spyware (SCAgent)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+SCAgent/i"; 
reference:url,www.spywareguide.com/product_show.php?id=599; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075759; reference:url,www.doxdesk.com/parasite/CoolWebSearch.html; classtype:trojan-activity; sid:2002162; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Ezula Update Engine"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"User-Agent\: 3a"; nocase; reference:url,www.spywareguide.com/product_show.php?id=9; classtype:trojan-activity; sid:2002163; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Hotbar Spyware"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+host(ie|oe|oi|ol)/i"; reference:url,www.doxdesk.com/parasite/Hotbar.html; reference:url,www.pchell.com/support/hotbar.shtml; classtype:trojan-activity; sid:2002164; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE IESearch Spyware"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Windows SR 2\.0/i"; reference:url,www.spywareguide.com/product_show.php?id=982; classtype:trojan-activity; sid:2002165; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE iWon Spyware"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+iWonSearchAssistant/i"; reference:url,www.spywareguide.com/product_show.php?id=461; classtype:trojan-activity; sid:2002169; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Possible Spyware -- Wise User Agent"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Wise/i"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Svcmm Parasite"; flow: to_server,established; 
flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+svcmm32\.exe/i"; reference:url,castlecops.com/startuplist-5862.html; reference:url,doxdesk.com/parasite/SvcMM.html; classtype:trojan-activity; sid:2002168; rev:5;) #by bgallia alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Adwave/MarketScore User Agent"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+WTA_/i"; reference:url,www.adwave.com/our_mission.aspx; reference:url,www.marketscore.com; classtype:trojan-activity; sid:2002394; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Miva User Agent"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+TPSystem/i"; reference:url,www.miva.com; reference:url,www.findwhat.com; classtype:trojan-activity; sid:2002395; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Miva User Agent 2"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Travel Update/i"; reference:url,www.miva.com; classtype:trojan-activity; sid:2002396; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Precision Targeting User Agent"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+XC_/i"; reference:url,www.precisiontargeting.com; classtype:trojan-activity; sid:2002397; rev:1;) #Extra content check for snort <2.4.3 doesn't support pure not rules alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE DelFin Project User Agent"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"User-Agent\:"; nocase; content:!"iTunes/"; pcre:"/User-Agent\:[^\n]+Dpi/i"; reference:url,www.delfinproject.com; classtype:trojan-activity; sid:2002398; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE DelFin Project User Agent 2"; flow: 
to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+PromulGate/i"; reference:url,www.delfinproject.com; classtype:trojan-activity; sid:2002399; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE TopInstalls User Agent"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"Microsoft Internet Explorer"; nocase; pcre:"/User-Agent\:[^\n]+Microsoft Internet Explorer/i"; content:!"microsoft.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; sid:2002400; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Web Search User Agent 2"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+ST3PS/i"; reference:url,www.websearch.com; classtype:trojan-activity; sid:2002401; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Web Search User Agent 3"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+UtilMind HTTPGet/i"; threshold: type limit, count 1, track by_src, seconds 360; reference:url,www.websearch.com; classtype:trojan-activity; sid:2002402; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Context Plus User Agent 2"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+PTS/i"; reference:url,www.contextplus.net; classtype:trojan-activity; sid:2002403; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Movies etc User Agent"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+IOInstall/i"; reference:url,www.movies-etc.com; classtype:trojan-activity; sid:2002404; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Internet Optimizer User Agent 2"; flow: to_server,established; 
flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+ROGUE/i"; reference:url,www.internet-optimizer.com; classtype:trojan-activity; sid:2002405; rev:1;) #Bob Grabowsky alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE surfaccuracy Spyware User Agent"; flow:to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+SAcc/"; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfaccuracy.html; classtype:trojan-activity; sid:2002047; rev:1;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE iDownloadAgent Spyware User Agent"; flow:to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+iDownloadAgent/"; classtype:trojan-activity; sid:2002739; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Spyaxe Spyware User Agent"; flow:to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+spyaxe/"; classtype:trojan-activity; sid:2002807; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Spyaxe Spyware User Agent 2"; flow:to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+spywareaxe/"; classtype:trojan-activity; sid:2002808; rev:1;) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Virtumonde Spyware siae3123.exe GET"; flow: to_server,established; content:"siae3123.exe"; nocase; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; classtype: trojan-activity; sid: 2000306; rev:12; ) alert tcp $HOME_NET any -> $EXTERNAL_NET 8081 (msg: "BLEEDING-EDGE Malware Virtumonde Spyware siae3123.exe GET (8081)"; flow: to_server,established; content:"siae3123.exe"; nocase; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; classtype: trojan-activity; sid: 2000307; rev:10; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: 
"BLEEDING-EDGE Malware Virtumonde Spyware Information Post"; flow: to_server,established; content:"POST "; nocase; content:"e_g_StatisticsUploadDelay"; nocase; content:"g_AffiliateID"; nocase; content:"virtumonde.com"; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; classtype: trojan-activity; sid: 2000308; rev:9; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Virtumonde Spyware Code Download mmdom.exe"; flow: to_server,established; uricontent:"/mmdom.exe"; nocase; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; classtype: trojan-activity; sid: 2001525; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Virtumonde Spyware Code Download bkinst.exe"; flow: to_server,established; uricontent:"/bkinst.exe"; nocase; content:"virtumonde.com"; reference:url,www.lurhq.com/iframeads.html; classtype: trojan-activity; sid: 2001526; rev:8; ) #by Matt Jonkman from Listening Post Data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE VPP Technologies Spyware"; flow:established,to_server; uricontent:"/DittoIA.jsh?pid="; nocase; classtype:trojan-activity; sid:2002348; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE VPP Technologies Spyware Reporting URL"; flow:established,to_server; uricontent:"/js.vppimage?key="; nocase; classtype:trojan-activity; sid:2002350; rev:1;) # Weatherbug - Dale Handy, PE alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Weatherbug"; flow: to_server,established; uricontent:"WxAlertIsapi"; nocase; threshold: type limit, track by_src, count 1, seconds 3600; classtype: misc-activity; sid: 2001235; rev:9; ) #Submitted by Joel Esler alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Weatherbug Capture"; flow: to_server,established; content:"GET"; nocase; content:"Host\:"; nocase; within: 500; 
content:"weatherbug.com"; nocase; within: 100; threshold: type limit, track by_src, count 1, seconds 3600; classtype: misc-activity; sid: 2001267; rev:12; ) #by M Shirk alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Weatherbug Wxbug Capture"; flow: to_server,established; content:"GET"; nocase; content:"Host\:"; nocase; within: 500; content:"wxbug.com"; nocase; within: 100; threshold: type limit, track by_src, count 1, seconds 3600; classtype: misc-activity; sid: 2002364; rev:2;) #Submitted by Matt Jonkman, Tweaks by Bob Grabowsky alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Malware Webhancer Data Upload"; flow: from_server,established; content:"WebHancer Authority Server"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; sid: 2001317; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Webhancer Data Post"; flow: to_server,established; content:"POST http\://prime.webhancer.com"; nocase; content:"AgentTag\:"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; sid: 2001677; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Webhancer Agent Activity"; flow: to_server,established; content:"Host\:"; nocase; content:"webhancer.com"; within:30; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; sid: 2001678; rev:5; ) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Websearch.com Spyware"; flow: to_server,established; uricontent:"/sitereview.asmx/GetReview"; nocase; classtype: trojan-activity; reference:mcafee,131461; sid: 2001325; rev:6; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Websearch.com Outbound Dialer 
Retrieval"; flow: to_server,established; uricontent:"/1/rdgUS10.exe"; nocase; classtype: trojan-activity; reference:mcafee,131461; sid: 2001517; rev:5; ) #Matt Jonkman from spyware listening post data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Websponsors.com Spyware"; flow:to_server,established; pcre:"/\/v\/s=\d+\/p=\d+\/j=\d+\//Ui"; classtype:trojan-activity; sid:2002204; rev:1;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Weird on the Web /180 Solutions Checkin"; flow: to_server,established; uricontent:"/notifier/config.ini?v="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2002036; rev:3; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Weird on the Web /180 Solutions Update"; flow: to_server,established; uricontent:"/notifier/updates"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2002041; rev:3; ) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware pool.Westpop.com Spyware Install"; flow: to_server,established; uricontent:"/vcgi/magh/update.cgi?magic="; nocase; classtype: trojan-activity; sid: 2001512; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware pool.Westpop.com Spyware Updates"; flow: to_server,established; uricontent:"/vcgi/new01"; nocase; classtype: trojan-activity; sid: 2001897; rev:2; ) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com App and Search Bar Install (1)"; flow: to_server,established; uricontent:"/vsn/ISA/"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000908; rev:7; ) alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com App and Search Bar Install (2)"; flow: to_server,established; uricontent:"/Appinstall?app=VVSN"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000909; rev:6; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Clock Sync App Checkin"; flow: to_server,established; uricontent:"/heartbeat?program=clock"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000910; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Weather App Checkin"; flow: to_server,established; uricontent:"/heartbeat?program=weather"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000911; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Clock Sync App Checkin (1)"; flow: to_server,established; uricontent:"/clock?id="; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000912; rev:6; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Clock Sync App Checkin (2)"; flow: to_server,established; uricontent:"/clockDB"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000913; rev:6; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Weather App Checkin (1)"; flow: to_server,established; uricontent:"/weatherDB"; nocase; 
reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000914; rev:6; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Weather App Checkin (2)"; flow: to_server,established; uricontent:"/weather?id="; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000915; rev:6; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com WhenUSave App Checkin"; flow: to_server,established; uricontent:"/heartbeat?program=whenusave"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000916; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com WhenUSave Data Retrieval (offersdata)"; flow: to_server,established; uricontent:"/OffersDataGZ?update="; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000917; rev:6; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Desktop Bar Install"; flow: to_server,established; uricontent:"/Appinstall?app=desktop"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000918; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com WhenUSave Data Retrieval (Searchdb)"; flow: to_server,established; uricontent:"/SearchDB?update="; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000919; rev:6; ) #Submitted by Chris 
Norton alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Desktop Bar App Checkin"; flow: to_server,established; uricontent:"/heartbeat?program=desktop"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2001443; rev:4; ) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Wild Tangent Install"; flow: to_server,established; uricontent:"/updatestats/AI_Euro.exe"; nocase; classtype: trojan-activity; reference:mcafee,122249; sid: 2002008; rev:5; ) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Wild Tangent Agent Installation"; flow: to_server,established; uricontent:"/Recovery/Checkin.aspx?version"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; sid: 2001307; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Wild Tangent Agent Checking In"; flow: to_server,established; uricontent:"/CDADeliveries/Checkin.aspx"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; sid: 2001309; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Wild Tangent Agent Traffic"; flow: to_server,established; uricontent:"/CDAFiles/DP/SysConfig"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; sid: 2001310; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Wild Tangent Agent"; flow: to_server,established; uricontent:"/CDAFiles/"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; 
reference:url,www.wildtangent.com; sid: 2001314; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Wild Tangent New Install"; flow: to_server,established; uricontent:"/NewUser/Checkin.aspx"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; sid: 2001322; rev:4; ) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Windupdates.com Spyware Install"; flow: established,to_server; uricontent:"/cab/CDTInc/ie/"; nocase; uricontent:".cab"; nocase; classtype: trojan-activity; sid: 2001700; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Windupdates.com Spyware Loggin Data"; flow: established,to_server; uricontent:"/logging.php?p="; nocase; content:"Host\: public.windupdates.com"; nocase; classtype: trojan-activity; sid: 2001701; rev:4; ) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs (1)"; flow: to_server,established; uricontent:"/fa/evil.html"; nocase; classtype: trojan-activity; sid: 2001461; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs Occuring"; flow: to_server,established; uricontent:"/fa/?d=get"; nocase; classtype: trojan-activity; sid: 2001462; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs (2)"; flow: to_server,established; content:"src=http\://xpire.info/i.exe"; nocase; classtype: trojan-activity; sid: 2001463; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs (3)"; flow: to_server,established; uricontent:"/i.exe"; nocase; content:"xpire.info"; nocase; classtype: trojan-activity; sid: 2001464; rev:5; ) alert tcp $HOME_NET any 
-> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs (4)"; flow: to_server,established; uricontent:"/dl/adv121.php"; nocase; classtype: trojan-activity; sid: 2001466; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs (5)"; flow: to_server,established; uricontent:"/dl/adv121/x.chm"; nocase; classtype: trojan-activity; sid: 2001467; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs CHM Exploit"; flow: to_server,established; uricontent:"/fa/ied_s7m.chm"; nocase; classtype: trojan-activity; sid: 2001468; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs (6)"; flow: to_server,established; uricontent:"/fa/x.chm"; nocase; classtype: trojan-activity; sid: 2001469; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs (7)"; flow: to_server,established; uricontent:"/fa/xpl3.htm"; nocase; classtype: trojan-activity; sid: 2001470; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Spyware Exploit"; flow: to_server,established; uricontent:"/2DimensionOfExploitsEnc.php"; nocase; classtype: trojan-activity; sid: 2001471; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Spyware Install Reporting"; flow: to_server,established; uricontent:"/xpsystem/report.php?user_id="; nocase; uricontent:"&status=0&country_id="; nocase; classtype: trojan-activity; sid: 2001472; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Install Code Download"; flow: to_server,established; uricontent:"/install.gz"; nocase; content:"Host\: xpire.info"; nocase; classtype: trojan-activity; sid: 2001491; rev:4; ) 
# Xpire.info report URL: the content match pre-filters on "counter.htm", the pcre then requires a /user<digits>/counter.htm path.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Install Report"; flow: to_server,established; content:"counter.htm"; nocase; pcre:"//user\d+/counter\.htm/im"; classtype: trojan-activity; sid: 2001541; rev:7; )
#Thanks James Ashton
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Yesadvertising Banking Spyware RETRIEVE"; flow: to_server,established; uricontent:"/img1big.gif"; nocase; reference:url,isc.sans.org/presentations/banking_malware.pdf; classtype: trojan-activity; sid: 2000336; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Yesadvertising Banking Spyware INFORMATION SUBMIT"; flow: to_server,established; uricontent:"/cgi-bin/yes.pl"; nocase; reference:url,isc.sans.org/presentations/banking_malware.pdf; classtype: trojan-activity; sid: 2000337; rev:7; )
#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware YourSiteBar Data Submision"; flow: to_server,established; uricontent:"/ist/scripts/istsvc_ads_data.php?version="; nocase; reference:url,www.ysbweb.com; classtype: trojan-activity; sid: 2001698; rev:3; )
#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware yupsearch.com Spyware Install -- protector.exe"; flow: to_server,established; uricontent:"/protector.exe"; nocase; reference:url,www.yupsearch.com; classtype: trojan-activity; sid: 2002092; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware yupsearch.com Spyware Install -- sideb.exe"; flow: to_server,established; uricontent:"/sideb.exe"; nocase; reference:url,www.yupsearch.com; classtype: trojan-activity; sid: 2002098; rev:2; )
#John Stewart
# Zenotecnico: URI path plus the literal "zenotecnico" somewhere in the request; classed policy-violation, not trojan-activity.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Zenotecnico Adware"; flow: to_server,established; uricontent:"/cl/clientdump"; content:"zenotecnico"; nocase; reference:url,www.zenotecnico.com; classtype: policy-violation; sid: 2001947; rev:3; )
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Zenotecnico Adware 2"; flow: to_server,established; uricontent:"/cl/clienthost"; content:"zenotecnico"; nocase; reference:url,www.zenotecnico.com; classtype: policy-violation; sid: 2002735; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Zenotecnico Spyware Install Report"; flow: to_server,established; uricontent:"/instreport"; content:"zenotecnico"; nocase; reference:url,www.zenotecnico.com; classtype: policy-violation; sid: 2002737; rev:2; )
#From Chris Norton.
# Generic downloader: two fixed byte sequences in SMTP traffic; the inbound copy is disabled.
# NOTE(review): sid 2002695 uses a literal port 80 where the neighbouring HTTP rules use $HTTP_PORTS -- confirm that is intended.
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS Generic Downloader Inbound"; flow:established,to_server; content:"|46 6B 4B 78 48 58 90 76 6C|"; content:"|28 62 77 77|"; classtype: trojan-activity; sid:2002693; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Generic Downloader Outbound"; flow:established,to_server; content:"|46 6B 4B 78 48 58 90 76 6C|"; content:"|28 62 77 77|"; classtype: trojan-activity; sid:2002694; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE VIRUS Generic Downloader Outbound HTTP connection - Downloading Code"; flow:established,to_server; content:"User-Agent|3A| PE-901"; classtype: trojan-activity; sid:2002695; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Trojan Bankem Reporting User Activity"; flow:established,to_server; uricontent:"/r.php"; nocase; uricontent:"?phid="; nocase; uricontent:"&ver="; nocase; uricontent:"nn="; nocase; classtype:trojan-activity; sid:2002696; rev:1;)
# BugBear
#Submitted by Brad Doctor, 3/8/2005, for BugBear@MM
# Outbound SMTP (port 25) and SMB (port 139) matches; the 139 rules use "flow: established" without a direction.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS - Bugbear@MM virus in SMTP"; flow: established; content:"uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQk/xWcEQmDxCTD"; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; classtype: misc-activity; sid: 2001764; rev:4; )
alert tcp $HOME_NET any -> any 139 (msg: "BLEEDING-EDGE VIRUS - BugBear@MM virus in Network share"; flow: established; content:"|24 48 fb bb ff e6 63 02 3a 20 41 70 61 63 68 65|"; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; classtype: misc-activity; sid: 2001765; rev:4; )
alert tcp $HOME_NET any -> any 139 (msg: "BLEEDING-EDGE VIRUS - BugBear@MM Worm Copied to Startup Folder"; flow: established; content:"|77 00 69 00 6B 00 2E 00 65 00 78 00 65 00 00 00|"; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; classtype: misc-activity; sid: 2001766; rev:4; )
#by Shirkdog
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS London bombing trojan file"; flow: established; content:"London Terror Moovie.avi"; nocase; content:"Checked By Norton Antivirus.exe"; nocase; reference:url,www.theregister.co.uk/2005/07/08/london_bombing_spambot/; classtype:trojan-activity; sid: 2002086; rev:2;)
# Agobot/Phatbot
#Taken from lurhq.com
# Exact 40-byte server banner confirming a successful infection, on any port.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE VIRUS Agobot/Phatbot Infection Successful"; flow: established; dsize: 40; content:"221 Goodbye, have a good infection |3a 29 2e 0d 0a|"; reference:url,www.lurhq.com/phatbot.html; classtype: trojan-activity; sid: 2000014; rev:3; )
# Sober
#Taken from the Netsquid Rules for Sober.F
# Attachment body must appear within 1280 bytes after the Content-Disposition header.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Sober.F Outbound (1)"; flow: established,to_server; content:"Content-Disposition\: attachment\; filename="; content:"NlJhIn5GWj4mcjUifkZaMmpGejZpImom"; nocase; within: 1280; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sober.f@mm.html?Open; sid: 2001284; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Sober.F Outbound (2)"; flow: established,to_server; content:"Content-Disposition\: attachment\; filename="; content:"dllygSJ+Rlp2YjEiblZtIm4uJlVtaSJu"; nocase; within: 1280; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sober.f@mm.html?Open; sid: 2001285; rev:7; )
#Submitted by Mark Scott, 11/19/2004, for Sober.I
# NOTE(review): the disabled inbound rule below reads $EXTERNAL_NET -> $EXTERNAL_NET; $HOME_NET as the destination looks intended if it is ever re-enabled.
#alert tcp $EXTERNAL_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Sober.I - incoming"; flow: established; content:"Mvrl4gAAAAAAAAAAFBFAABMAQMACIydQQAAAAAAAAAA4AAPAQsBBgAAMAAAABAAAACAAACgsAA"; classtype: misc-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sober.i@mm.html; sid: 2001577; rev:8; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Sober.I - outbound"; flow: established; content:"Mvrl4gAAAAAAAAAAFBFAABMAQMACIydQQAAAAAAAAAA4AAPAQsBBgAAMAAAABAAAACAAACgsAA"; classtype: misc-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sober.i@mm.html; sid: 2001578; rev:10; )
#Submitted by David Maciejak for Sober.J
#Disabling, too many falses. Run this if you don't have any time services on port 37
#alert tcp $HOME_NET any -> $EXTERNAL_NET 37 (msg: "BLEEDING-EDGE VIRUS Possible Sober.j - outbound"; flow: established; reference:url,vil.mcafeesecurity.com/vil/content/v_130130.htm; classtype: trojan-activity; sid: 2001542; rev:6; )
#Submitted by Mark Scott, 2/24/2005, for Sober.K
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE VIRUS Sober.K Worm - incoming"; flow: established; content:"UEsDBAoAAAAAAAAwVTKUjZv16MkAAOjJAABCAAAAZG9jX2RhdGEtdGV4dC50eHQgICAgICAgICAg"; reference:url,secunia.com/search/?search=sober.k; classtype: misc-activity; sid: 2001749; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Sober.K Worm - outgoing"; flow: established; content:"UEsDBAoAAAAAAAAwVTKUjZv16MkAAOjJAABCAAAAZG9jX2RhdGEtdGV4dC50eHQgICAgICAgICAg"; reference:url,secunia.com/search/?search=sober.k; classtype: misc-activity; sid: 2001750; rev:5; )
#Joe Stewart
# Sober-style SMTP flowbit chain: 2001879 sets SoberEhlo on a short (<50 byte) "Ehlo" line, 2001880 sets SoberAuth
# on a following AUTH LOGIN; both are noalert. Only 2001881 alerts, when an octet-stream attachment header is seen with SoberAuth set.
alert tcp $HOME_NET any -> any 25 (msg: "BLEEDING-EDGE VIRUS Sober-style Ehlo - noalert"; flowbits:noalert; flow: established,to_server; dsize: <50; content:"Ehlo"; depth: 4; flowbits:set,SoberEhlo; classtype: string-detect; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sober@mm.html; sid: 2001879; rev:6; )
alert tcp $HOME_NET any -> any 25 (msg: "BLEEDING-EDGE VIRUS Sober-style Ehlo followed by SMTP AUTH - noalert"; flowbits:isset,SoberEhlo; flowbits:noalert; flow: established,to_server; content:"AUTH LOGIN"; depth: 10; flowbits:set,SoberAuth; classtype: string-detect; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sober@mm.html; sid: 2001880; rev:8; )
alert tcp $HOME_NET any -> any 25 (msg: "BLEEDING-EDGE VIRUS Possible Sober virus attachment Outbound"; flowbits: isset,SoberAuth; flow: established,to_server; content:"application/octet-stream|3b| name="; content:"attachment|3b| filename="; within: 100; classtype: string-detect; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sober@mm.html; sid: 2001881; rev:6; )
#Sober-O by Evgeny Pinchuk 5/2/05
# NOTE(review): sids 2002055, 2001902 and 2002057 all match the same attachment string outbound on port 25
# (2002055 to any host, the other two to $EXTERNAL_NET), so one message can raise up to three alerts.
alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE WORM Sober.O Attachment Outbound (1)"; content:"yu22ZO3JlK0xpc4ehdlnDqDQLbpUfDGZbm1N1VXPAO"; nocase; reference:url,secunia.com/virus_information/17692/; flow:established,to_server; classtype:misc-activity; sid:2002055; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE WORM Sober.O Attachment Inbound (1)"; content:"yu22ZO3JlK0xpc4ehdlnDqDQLbpUfDGZbm1N1VXPAO"; nocase; reference:url,secunia.com/virus_information/17692/; flow:established,to_server; classtype:misc-activity; sid:2002056; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE WORM Sober.O Attachment Outbound (2)"; content:"yu22ZO3JlK0xpc4ehdlnDqDQLbpUfDGZbm1N1VXPAO"; nocase; reference:url,secunia.com/virus_information/17692/; flow:established,to_server; classtype:misc-activity; sid:2001902; rev:4;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE WORM Sober.O Attachment Inbound (2)"; content:"yu22ZO3JlK0xpc4ehdlnDqDQLbpUfDGZbm1N1VXPAO"; nocase; reference:url,secunia.com/virus_information/17692/; flow:established,to_server; classtype:misc-activity; sid:2001903; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE WORM Sober.O Attachment Outbound (3)"; flow: established,to_server; content:"yu22ZO3JlK0xpc4ehdlnDqDQLbpUfDGZbm1N1VXPAO"; nocase; reference:url,secunia.com/virus_information/17692/; classtype: misc-activity; sid: 2002057; rev:6; )
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE WORM Sober.O Attachment Inbound (3)"; flow: established,to_server; content:"yu22ZO3JlK0xpc4ehdlnDqDQLbpUfDGZbm1N1VXPAO"; nocase; reference:url,secunia.com/virus_information/17692/; classtype: misc-activity; sid: 2002058; rev:5; )
#By joel ebrahimi. 
# Sober.P 5/6/05
# NOTE(review): sids 2002059 and 2001913 are the same detection (same "filename=" content and the same pcre, only option
# order differs), so an outbound match fires twice. The "." before "zip" in the pcre is unescaped and matches any character -- confirm that is acceptable.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Sober.P Outbound (1)"; content:"filename="; pcre:"m/(account_info|autoemail-text|LOL|Fifa_Info-Text|mail_info|okTicket-info|our_secret|_PassWort-Info).zip/"; flow:to_server,established; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sober.o@mm.html; sid:2002059; rev:4;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Sober.P Inbound (1)"; content:"filename="; pcre:"m/(account_info|autoemail-text|LOL|Fifa_Info-Text|mail_info|okTicket-info|our_secret|_PassWort-Info).zip/"; flow:to_server,established; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sober.o@mm.html; sid:2002060; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Possible Sober.P Outbound (2)"; flow: to_server,established; content:"filename="; pcre:"m/(account_info|autoemail-text|LOL|Fifa_Info-Text|mail_info|okTicket-info|our_secret|_PassWort-Info).zip/"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sober.o@mm.html; sid: 2001913; rev:5; )
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE VIRUS Possible Sober.P Inbound (2)"; flow: to_server,established; content:"filename="; pcre:"m/(account_info|autoemail-text|LOL|Fifa_Info-Text|mail_info|okTicket-info|our_secret|_PassWort-Info).zip/"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sober.o@mm.html; sid: 2001914; rev:5; )
#Mark Tombaugh
# Sober.R: second content must start exactly 16 bytes after the first (distance:16, within:24 leaves no slack for an 8-byte match).
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS CME-151 Sober.R SMTP Outbound"; flow:to_server,established; content:"UEsDBAoA"; content:"j7sBAI+7"; distance:16; within:24; classtype:trojan-activity; reference:url,vil.nai.com/vil/content/v_136390.htm; sid:2002391; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS CME-151 Sober.R SMTP Inbound"; flow:to_server,established; content:"UEsDBAoA"; content:"j7sBAI+7"; distance:16; within:24; classtype:trojan-activity; reference:url,vil.nai.com/vil/content/v_136390.htm; sid:2002392; rev:1;)
# Submitted by Mark Scott, 2005-11-21, for Sober.AA worm (.Z,.AG,.X,.Y,.W)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Sober.AA (.Z,.AG,.X,.Y,.W) worm SMTP Outbound"; flow:to_server,established; content:"UEsDBAoAA"; content: "AA"; distance:18; within: 20; content:"wYWNrZ"; distance:18; within:20; reference:url,cme.mitre.org/data/list.html#681; reference:url,www.norman.com/Virus/Virus_descriptions/25962; classtype:trojan-activity; sid: 2002686; rev:3;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS Sober.AA (.Z,.AG,.X,.Y,.W) worm SMTP Inbound"; flow:to_server,established; content:"UEsDBAoAA"; content: "AA"; distance:18; within: 20; content:"wYWNrZ"; distance:18; within:20; reference:url,cme.mitre.org/data/list.html#681; reference:url,www.norman.com/Virus/Virus_descriptions/25962; classtype:trojan-activity; sid: 2002687; rev:3;)
#by Wes Zuber
# Rate-based: counts TCP SYNs to port 37 per source host and alerts on every 10th within 60 seconds (no content, no flow).
alert tcp $HOME_NET any -> $EXTERNAL_NET 37 (msg:"BLEEDING-EDGE VIRUS Multiple Time server requests -- Possible Sober Infection"; flags:S; threshold: type threshold, track by_src, count 10, seconds 60; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=3&showtopic=1540; sid:2002732; rev:1; )
# Sobig
#Unknown submitter - Sobig E-F downloading goodies
# Exact 8-byte UDP payload to port 8998.
alert udp $HOME_NET any -> $EXTERNAL_NET 8998 (msg: "BLEEDING-EDGE VIRUS Sobig.E-F Trojan Site Download Request"; dsize: 8; content:"|5c bf 01 29 ca 62 eb f1|"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html; sid: 2001547; rev:5; )
# Submitted 2006-01-27 by Mark Tombaugh
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Stinx-N SMTP Outbound"; flow:established,to_server; content:"UEsDBBQA"; content:"K5zOzROu"; distance:5; within:13; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/trojstinxn.html; reference:url,www.antivirusprogram.se/virusinfo/OutsBot+Family_2855.html; sid:2002793; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS Stinx-N SMTP Inbound"; flow:established,to_server; content:"UEsDBBQA"; content:"K5zOzROu"; distance:5; within:13; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/trojstinxn.html; reference:url,www.antivirusprogram.se/virusinfo/OutsBot+Family_2855.html; sid:2002794; rev:1;)
# Spy.Win32.Bancos Trojan
#Submitted by Matt Jonkman for Spy.Win32.Bancos Trojan
# Inbound download from an HTTP server: packer marker plus a fixed byte sequence.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Virus Trojan-Spy.Win32.Bancos Download"; flow: established,from_server; content:"[AspackDie!]"; content:"|0f 6d 07 9e 6c 62 6c 68 00 d2 2f 63 6d 64 9d 11 af af 45 c7 72 ac 5f 3138 d0|"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/pwsteal.bancos.b.html; sid: 2001726; rev:5; )
# Webber/Berbew
#Submitted by Michael Sconzo for Webber/Berbew
# depth:20 pins the 20-byte content to the very start of the payload.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Webber/Berbew Trojan keystroke log upload"; flow: established; content:"id=crutop|26|vvpupkin0="; depth: 20; reference:url,www.lurhq.com/berbew.html; classtype: trojan-activity; sid: 2001303; rev:4; )
# Zafi Virus
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Probable Zafi VIRUS Outbound via SMTP"; flow: to_server; content:"TVqQAAMAAAAEAAAAUEUAAEwBAgBG"; content:"AAAAAAAADgAA8BCwEAAAAuAAAAOgAAAAAAAPu+"; distance: 6; classtype: misc-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.erkez.a@mm.html; sid: 2000310; rev:8; )
#submitted by Mark Scott, 6/13/2004 for Zafi.B
# NOTE(review): the Zafi content strings look like base64, which is case-sensitive; "nocase" only loosens the match here.
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE VIRUS Zafi Worm - incoming"; flow: established; content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; nocase; classtype: misc-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.erkez.b@mm.html; sid: 2001572; rev:8; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Zafi Worm outgoing detected"; flow: established; content:"Uk5FTDMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAAAAAA"; nocase; classtype: misc-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.erkez.b@mm.html; sid: 2001573; rev:10; )
#submitted by Chris Harrington, for Zafi.D
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE VIRUS Zafi.d P2P Infection Attempt (1)"; flow: established; content:"WINAMP 5.7 NEW!.EXE"; nocase; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D; classtype: trojan-activity; sid: 2001592; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE VIRUS Zafi.d P2P Infection Attempt (2)"; flow: established; content:"ICQ 2005A NEW!.EXE"; nocase; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D; classtype: trojan-activity; sid: 2001593; rev:6; )
# NOTE(review): sid 2001594 matches only the 5-byte string "a.exe" (nocase) on inbound port 8181, so anything mentioning a.exe on that port alerts; expect noise.
alert tcp $EXTERNAL_NET any -> $HOME_NET 8181 (msg: "BLEEDING-EDGE VIRUS Zafi.d a.exe file upload"; flow: established; content:"a.exe"; nocase; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D; classtype: trojan-activity; sid: 2001594; rev:5; )
#submitted by Mark Scott 12/14/2004 for Zafi.D, variant attachments
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE VIRUS Zafi.D Worm .zip - incoming detected"; flow: established; content:"UEsDBBQAAgAAAHaffjEUNysN4S0AAOEtAAATAAAAeG1hc2NhcmQuaWQ"; nocase; reference:url,secunia.com/virus_information/13874/; classtype: misc-activity; sid: 2001598; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Zafi.D Worm .zip - outgoing detected"; flow: established; content:"UEsDBBQAAgAAAHaffjEUNysN4S0AAOEtAAATAAAAeG1hc2NhcmQuaWQ"; nocase; reference:url,secunia.com/virus_information/13874/; classtype: misc-activity; sid: 2001599; rev:7; )
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE VIRUS Zafi.D Worm .cmd, .com, .pif or .bat - incoming detected"; flow: established; content:"TVoAAAAAAAAAAAAAUEUAAEwBAgBHSUYhAAAAAAAAAADgAA8"; nocase; reference:url,secunia.com/virus_information/13874/; classtype: misc-activity; sid: 2001600; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Zafi.D Worm .cmd, .com, .pif or .bat - outgoing detected"; flow: established; content:"TVoAAAAAAAAAAAAAUEUAAEwBAgBHSUYhAAAAAAAAAADgAA8"; nocase; reference:url,secunia.com/virus_information/13874/; classtype: misc-activity; sid: 2001601; rev:7; )
# Akak Trojan
#Submitted by Joe Stewart, Akak Trojan
# Fixed 4-byte hello (client -> 4321) and 4-byte reply (from 4321); dsize:4 requires the payload to be exactly that long.
alert tcp $HOME_NET any -> $EXTERNAL_NET 4321 (msg: "BLEEDING-EDGE Akak trojan protocol hello"; flow: established,to_server; dsize: 4; content:"|89 13 00 00|"; reference:url,www.lurhq.com/akak.html; classtype: trojan-activity; sid: 2001236; rev:4; )
alert tcp $HOME_NET 4321 -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE Akak trojan protocol response from infected host"; flow: established,to_client; dsize: 4; content:"|6f 17 00 00|"; reference:url,www.lurhq.com/akak.html; classtype: trojan-activity; sid: 2001237; rev:3; )
# Bofra Worm
#submitted by Matt Jonkman, additions by David Maciejak - Bofra Worm
# Source port is restricted to !$HTTP_PORTS, destination is the worm's port 1639.
alert tcp $HOME_NET !$HTTP_PORTS -> $EXTERNAL_NET 1639 (msg: "BLEEDING-EDGE WORM Bofra Victim Accessing Reactor Page"; flow: from_client,established; content:"GET "; nocase; content:"reactor"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bofra.e@mm.html; reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631; classtype: trojan-activity; sid: 2001430; rev:8; )
# Dipnet
#Submitted by Sven
alert tcp $HOME_NET any -> any 15118 (msg: "BLEEDING-EDGE Virus Dipnet infected host 
response (1)"; flow: established; content:"__123_asdasdfdjhsdf_SAFasdfhjsdf_fsd123"; reference:url,www.lurhq.com/dipnet.html; classtype: trojan-activity; sid: 2001739; rev:5; )
alert tcp $HOME_NET any -> any 11768 (msg: "BLEEDING-EDGE Virus Dipnet infected host response (2)"; flow: established; content:"__123_asdasdfdjhsdf_SAFasdfhjsdf_fsd123"; reference:url,www.lurhq.com/dipnet.html; classtype: trojan-activity; sid: 2001740; rev:5; )
#Joel Esler
# DREMN over DNS (udp/53): "Xm" must sit at or after byte 10, the pcre then checks the encoded label shape.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg: "BLEEDING-EDGE VIRUS Beaconing DREMN Trojan"; content:"Xm"; nocase; offset: 10; pcre:"/(Xm(A|B)...a{21})/i"; reference:url,www.symantec.com/avcenter/venc/data/trojan.dremn.html; classtype: trojan-activity; sid: 2001911; rev:4; )
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg: "BLEEDING-EDGE VIRUS Answering DREMN Trojan"; content:"|80 00 00 01|"; content:"Xm"; nocase; offset: 10; pcre:"/(Xm(A|B)...aa)/i"; reference:url,www.symantec.com/avcenter/venc/data/trojan.dremn.html; classtype: trojan-activity; sid: 2001912; rev:4; )
# Submitted by Tom Fischer, 2006-01-08
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Dumador Reporting User Activity"; flow:established,to_server; uricontent:"/logger.php?p="; nocase; uricontent:"?machineid="; nocase; uricontent:"&connection="; nocase; uricontent:"&iplan="; nocase; classtype:trojan-activity; sid:2002763; rev:1;)
#by dajackman
# NOTE(review): the Exphook and Graybird rules key on hard-coded destination IPs (198.173.4.9, 66.160.138.149,
# 66.225.221.197, 202.101.43.83, 61.152.93.13). Such addresses change hands; re-verify them before relying on these sids.
alert tcp $HOME_NET any -> 198.173.4.9 $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Trojan.Exphook Sending Info Home 198.173.4.9"; flow:to_server,established; uricontent:"/view.php"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.exphook.html; classtype:trojan-activity; sid:2002355; rev:2;)
alert tcp $HOME_NET any -> 66.160.138.149 $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Trojan.Exphook Sending Info Home 66.160.138.149"; flow:to_server,established; uricontent:"/view.php"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.exphook.html; classtype:trojan-activity; sid:2002356; rev:2;)
alert tcp $HOME_NET any -> 66.225.221.197 $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Trojan.Exphook Sending Info Home 66.225.221.197"; flow:to_server,established; uricontent:"/dma.cgi"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.exphook.html; classtype:trojan-activity; sid:2002357; rev:2;)
#By Joe Stewart of Lurhq
# NOTE(review): sid 2001967 has no content option -- any 2-byte UDP payload from a source port >= 1025 to port 10102,
# between any two hosts, alerts. Consider scoping it to $HOME_NET -> $EXTERNAL_NET like the TCP rule below.
alert udp any 1025: -> any 10102 (msg: "BLEEDING-EDGE VIRUS Fireby proxy trojan port report"; dsize: 2; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.staprew.b.html; sid: 2001967; rev:4; )
# Reg Quinton mentioned that the trojan apparently uses TCP to communicate.
# (Several references seem to confirm that). So we added this below, just to make sure.
# Fires on the SYN (flags:S,12 ignores the reserved bits) of any TCP connection to port 10102.
alert tcp $HOME_NET any -> $EXTERNAL_NET 10102 (msg: "BLEEDING-EDGE VIRUS Fireby proxy trojan port report (TCP)"; flags:S,12; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.staprew.b.html; sid:2002156; rev:2; )
#by Tom Fisher
# NOTE(review): "[^\n]" in the User-Agent pcre of sids 2002775 and 2002790 allows exactly one character between the
# colon and the value (a single space matches); confirm "[^\n]*" was not intended, as in sid 2002780's "[^\n]+".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Goldun Reporting User Activity"; flow:established,to_server; uricontent:"/data.php?param="; nocase; uricontent:"&socks="; pcre:"/User-Agent\:[^\n]Windows Updater/i"; nocase; classtype:trojan-activity; reference:url,www.avira.com/en/threats/TR_Spy_Goldun_de_1_details.html; sid:2002775; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Goldun Reporting User Activity 2"; flow:established,to_server; uricontent:"/c.php?phid="; nocase; uricontent:"&ver="; nocase; uricontent:"&nn="; nocase; pcre:"/User-Agent\:[^\n]+z/i"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/TR_Spy_Goldun_de_1_details.html; sid:2002780; rev:1;)
#by dajackman
# SYN-only, throttled to one alert per source per 60 seconds (threshold type limit).
alert tcp $HOME_NET any -> 202.101.43.83 $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Backdoor.Graybird.O Calling Home 202.101.43.83"; flags: S,12; threshold:type limit, track by_src, count 1, seconds 60; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.graybird.o.html; classtype:trojan-activity; sid:2002358; rev:2;)
alert tcp $HOME_NET any -> 61.152.93.13 $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Backdoor.Graybird.O Calling Home 61.152.93.13"; flags: S,12; threshold:type limit, track by_src, count 1, seconds 60; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.graybird.o.html; classtype:trojan-activity; sid:2002359; rev:2;)
# Hacker Defender Root Kit
#By Chris Norton 2/22/05
# Inbound on any port; rawbytes matches the undecoded payload, and tag:session logs the next 20 packets of the session for analysis.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE Trojan HackerDefender Root Kit Remote Connection Attempt Detected"; flow: established,to_server; content:"|01 9a 8c 66 af c0 4a 11 9e 3f 40 88 12 2c 3a 4a 84 65 38 b0 b4 08 0b af db ce 02 94 34 5f 22|"; rawbytes;tag: session, 20, packets; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.hackdefender.html; sid: 2001743; rev:5; )
# Trojan HaxDoor
#Submitted by Tom Fischer, 2006-01-24, modified 2/2/06 on info from chriss
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Haxdoor Reporting User Activity"; flow:established,to_server; uricontent:"/bsrv.php?"; nocase; uricontent:"lang="; nocase; uricontent:"&socksport="; nocase; uricontent:"&httpport="; nocase; uricontent:"&uptimem="; nocase; uricontent:"&uptimeh="; nocase; uricontent:"&uid="; nocase; uricontent:"&ver="; nocase; pcre:"/User-Agent\:[^\n]MSIE 6.0/i"; nocase; classtype:trojan-activity; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_HAXDOOR.DI; sid: 2002790; rev:3;)
#Matt Jonkman
# Hotword: the same embedded string is matched inbound on non-HTTP ports (2001959) and on $HTTP_PORTS (2001960);
# the FTP rules (port 21) watch for the trojan's STOR/SIZE/LIST command patterns from any source.
alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE VIRUS Hotword Trojan in Transit"; flow: established,from_server; content:"|63 6f 6d 66 69 64 65 6e 74 69 61 6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72 6f 6d 20 44 69 67 69 44 6f 63 00 43 4d 20 25 73 20|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; classtype: trojan-activity; sid: 2001959; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE VIRUS Hotword Trojan inbound via http"; flow: established,from_server; content:"|63 6f 6d 66 69 64 65 6e 74 69 61 6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72 6f 6d 20 44 69 67 69 44 6f 63 00 43 4d 20 25 73 20|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; classtype: trojan-activity; sid: 2001960; rev:4; )
alert tcp any any -> $EXTERNAL_NET 21 (msg: "BLEEDING-EDGE VIRUS Hotword Trojan -- Possible File Upload CHJO"; flow: to_server,established; content:"STOR __"; content:"-CHJO.DRV"; nocase; within: 100; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; classtype: trojan-activity; sid: 2001961; rev:5; )
alert tcp any any -> $EXTERNAL_NET 21 (msg: "BLEEDING-EDGE VIRUS Hotword Trojan -- Possible File Upload CFXP"; flow: to_server,established; content:"STOR __"; content:"-CFXP.DRV"; nocase; within: 100; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; classtype: trojan-activity; sid: 2001962; rev:5; )
alert tcp any any -> $EXTERNAL_NET 21 (msg: "BLEEDING-EDGE VIRUS Hotword Trojan -- Possible FTP File Request pspv.exe"; flow: to_server,established; content:"SIZE pspv.exe"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; classtype: trojan-activity; sid: 2001963; rev:5; )
alert tcp any any -> $EXTERNAL_NET 21 (msg: "BLEEDING-EDGE VIRUS Hotword Trojan -- Possible FTP File Request .tea"; flow: to_server,established; content:"LIST "; content:".tea"; nocase; within: 50; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; classtype: trojan-activity; sid: 2001964; rev:5; )
alert tcp any any -> $EXTERNAL_NET 21 (msg: "BLEEDING-EDGE VIRUS Hotword Trojan -- Possible FTP File Status Upload ___"; flow: to_server,established; content:"|53 54 4f 52 20 5f 5f 5f 0d 0a|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; classtype: trojan-activity; sid: 2001965; rev:5; )
alert tcp any any -> $EXTERNAL_NET 21 (msg: "BLEEDING-EDGE VIRUS Hotword Trojan -- Possible FTP File Status Check ___"; flow: to_server,established; content:"|53 49 5a 45 20 5f 5f 5f 0d 0a|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; classtype: trojan-activity; sid: 2001966; rev:5; )
#from private list
# HTTP bot check-ins: a /reg or /update.php URI followed by a fixed sequence of query parameters, each within a short window of the previous one.
alert tcp any any -> any $HTTP_PORTS (msg: "BLEEDING-EDGE Botnet HTTP Botnet reg"; flow: established; uricontent:"/reg?u="; nocase; content:"&v="; nocase; within: 15; content:"&s="; nocase; within: 15; content:"&su="; nocase; within: 15; content:"&p="; nocase; within: 15; classtype: trojan-activity; reference:url,www.honeynet.org/papers/bots; sid: 2001899; rev:6; )
#5/2/05 aim distributed in some cases, Matt Jonkman
# NOTE(review): the last content in sid 2001900 is "$hash=" while every other field here is "&"-prefixed; confirm it is not a typo for "&hash=".
alert tcp any any -> any $HTTP_PORTS (msg: "BLEEDING-EDGE BwB Botnet Checkin"; flow: established; uricontent:"/update.php?port="; nocase; content:"&checktime="; nocase; within: 20; content:"&uptime="; nocase; within: 20; content:"&result="; nocase; within: 20; content:"&localip="; nocase; within: 15; content:"&id="; nocase; within: 20; content:"$hash="; nocase; within: 20; classtype: trojan-activity; reference:url,www.honeynet.org/papers/bots; sid: 2001900; rev:5; )
#Joe Stewart from Lurhq
# depth:11 anchors "GET /reg?u=" (11 bytes) at the start of the request; "&v=" must then begin exactly 8 bytes later.
alert tcp any any -> any $HTTP_PORTS (msg: "BLEEDING-EDGE TROJAN Possible Bobax trojan infection"; flow: established,to_server; content:"GET /reg|3f|u="; depth: 11; content:"|26|v="; within: 3; distance: 8; reference:url,www.lurhq.com/bobax.html; classtype: trojan-activity; sid: 2001901; rev:3; )
# IE Ilookup Trojan
#Submitted by Joseph Gama, for IE Ilookup Trojan
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE IE Ilookup Trojan"; flow: from_server,established; content:"#@~^/gAAAA==@#@&@#@&7lMP\:HVK^P{P[W1Ehn"; content:"#@~^GAIAAA==@#@&\\CMPsX/DD,xPvEU+kmC2"; reference:url,62.131.86.111/analysis.htm; classtype: misc-activity; sid: 2001066; rev:4; )
# IRC Trojan Reporting
#
# By Erik Fichtner
#
# Bleeding-Remix :: irc / ircbot detection state machine
# compiled from various sources.
# thanks to: Joe Stewart of LURHQ, Joel Esler, Tomfi.
### Client login process. flowbits needs an OR.
### Client needs to tell the server who they are,
### join a group, and someone needs to say something to
### someone else.
# State machine: USER sets irc.user, NICK sets irc.nick, JOIN (needs irc.nick) sets irc.join and is_proto_irc.
# All four rules are noalert; is_proto_irc is what the BOT rules below gate on.
# NOTE(review): sid 2002025 sets irc.join and is_proto_irc in the same rule, so sid 2002026's
# "isnotset,is_proto_irc" + "isset,irc.join" can never both hold; that rule appears to be dead -- TODO confirm.
alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN IRC USER command"; flow: to_server,established; content:"USER|20|"; nocase; offset: 0; content:"|203a|"; within: 40; content:"|0a|"; within: 40; flowbits:noalert; flowbits: set,irc.user; classtype: misc-activity; sid: 2002023; rev:7; )
alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN IRC NICK command"; flow: to_server,established; content:"NICK|20|"; nocase; offset: 0; content:"|0a|"; within: 40; flowbits:noalert; flowbits: set,irc.nick; classtype: misc-activity; sid: 2002024; rev:7; )
alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN IRC JOIN command"; flowbits:isset,irc.nick; flow:to_server,established; content:"JOIN|2023|"; nocase; offset: 0; content:"|0a|"; within: 40; flowbits:noalert; flowbits: set,irc.join; flowbits:set,is_proto_irc; classtype: misc-activity; sid: 2002025; rev:6;)
alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN IRC PRIVMSG command"; flowbits:isnotset,is_proto_irc; flowbits:isset,irc.join; flowbits:isset,irc.user; flow: established; content:"PRIVMSG|203a|"; flowbits: noalert; flowbits:set,is_proto_irc; classtype: misc-activity; sid: 2002026; rev:7;)
### Alternate path to is_proto_irc, Catch PING/PONG.
alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN IRC PING command"; flowbits:isnotset,is_proto_irc; flow: from_server,established; content:"PING|203a|"; nocase; offset: 0; flowbits: set,irc.ping; flowbits:noalert; classtype: misc-activity; sid: 2002027; rev:3; ) alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN IRC PONG response"; flowbits:isnotset,is_proto_irc; flowbits:isset,irc.ping; flowbits:noalert; flow: from_client,established; content:"PONG|20|"; nocase; offset: 0; flowbits: set,is_proto_irc; classtype: misc-activity; sid: 2002028; rev:4; ) # Bot potty alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN BOT - channel topic scan/exploit command"; flowbits:isset,is_proto_irc; flow: to_client,established; content:"|3a|"; offset: 0; content:"|20|332|20|"; within: 50; content:"|2023|"; within: 20; content:"|203a|"; nocase; within: 40; tag: host,300,seconds,dst; pcre:"/(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|scan ([0-9]{1,3}\.[0-9]{1,3})|(advscan|asc|xscan|xploit|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|wks1|mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup|asn1))/i"; flowbits: set,trojan; classtype: trojan-activity; sid: 2002029; rev:5; ) alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN BOT - potential scan/exploit command"; flowbits:isset,is_proto_irc; flow: established; content:"PRIVMSG|20|"; nocase; content:"|3a|"; within:30; tag: host,300,seconds,dst; pcre:"/(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|scan ([0-9]{1,3}\.[0-9]{1,3})|(advscan|asc|xscan|xploit|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|wks1|mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup|asn1))/i"; flowbits: set,trojan; classtype: trojan-activity; sid: 2002030; rev:7; ) alert tcp any any -> 
any any (msg: "BLEEDING-EDGE TROJAN BOT - potential update/download"; flowbits:isset,is_proto_irc; flow: established; tag: host,300,seconds,dst; pcre:"/\.(upda|getfile|dl\dx|dl|download|execute)\w*\s+(http|ftp)\x3a\x2f\x2f/i"; flowbits: set,trojan; classtype: trojan-activity; sid: 2002031; rev:11; ) alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN BOT - potential DDoS command"; flowbits:isset,is_proto_irc; flow: established; tag: host,300,seconds,dst; pcre:"/(floodnet ([0-9]{1,3}\.){3}[0-9]{1,3}|ddos\.(httpflood|phat(icmp|syn|wonk)|stop|(syn|udp)flood|targa3)|(syn|udp) ([0-9]{1,3}\.){3}[0-9]{1,3}|(tcp|syn|udp|ack|ping|icmp)(flood)? ([0-9]{1,3}\.){3}[0-9]{1,3}|ddos\.(syn|ack|random) ([0-9]{1,3}\.){3}[0-9]{1,3})/i"; flowbits: set,trojan; classtype: trojan-activity; sid: 2002032; rev:4; ) alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN BOT - potential response"; flowbits:isset,is_proto_irc; flow: established; content:"PRIVMSG|20|"; nocase; content:"|3a|"; within:30; tag: host,300,seconds,src; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random Scanner|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)/i"; flowbits: set,trojan; classtype: trojan-activity; sid: 2002033; rev:7; ) alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN BOT - potential misc bot commands"; flowbits:isset,is_proto_irc; flow: established; content:"PRIVMSG|20|"; nocase; content:"|3a|"; within:30; tag: host,300,seconds,src; pcre:"/((\.aim\w*|ascanall)\s+\w+)|((@kill|@get_os_version|@get_computer_name|@get_bot_version|@update|@restart|@reboot|@shutdown)\s)/i"; flowbits: set,trojan; classtype: trojan-activity; sid: 2002384; rev:7; ) alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN BOT - channel topic misc bot commands"; flowbits:isset,is_proto_irc; flow: established; content:"|3a|"; offset: 0; content:"|20|332|20|"; within: 50; content:"|2023|"; within: 20; content:"|203a|"; tag: host,300,seconds,src; 
pcre:"/(\.aim\w*|ascanall)\s+\w+/i"; flowbits: set,trojan; classtype: trojan-activity; sid: 2002386; rev:6; ) # Added commands of another nasty bot #alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN BOT - potential reptile commands"; flowbits:isset,is_proto_irc; flow:established; content:"PRIVMSG ";nocase; content:"|3a|"; within:30; pcre:"/\.((testdlls|threads|netstatp|nsp|speed|uptime|installed|secure|sec|unsecure|unsec|process|ps|rand|exploitftpd|eftpd|flusharp|farp|flushdns|fdns|resolve|dns|pstore|pst|sysinfo|si|netinfo|ni|driveinfo|di|stats|currentip)\s*[\r\n]|(iestart|ies|login|l|mirccmd|system|file\s+(cat|exists|e|del|rm|rmdir|move|copy|attrib)|down|dl\dx|update|reg\s+(query|delete|write))\s+\w+|(banner|ban|advscan|asc|scanall|sa|ntscan|nts)\s*[\n\r])/i"; flowbits: set,trojan; classtype: trojan-activity; sid:2002363; rev:7; ) #alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN BOT - channel topic reptile commands"; flowbits:isset,is_proto_irc; flow:established; content:"|3a|"; offset: 0; content:"|20|332|20|"; within: 50; content:"|2023|"; within: 20; content:"|203a|"; pcre:"/\.((testdlls|threads|netstatp|nsp|speed|uptime|installed|secure|sec|unsecure|unsec|process|ps|rand|exploitftpd|eftpd|flusharp|farp|flushdns|fdns|resolve|dns|pstore|pst|sysinfo|si|netinfo|ni|driveinfo|di|stats|currentip)\s*[\r\n]|(iestart|ies|login|l|mirccmd|system|file\s+(cat|exists|e|del|rm|rmdir|move|copy|attrib)|down|dl\x|update|reg\s+(query|delete|write))\s+\w+|(banner|ban|advscan|asc|scanall|sa|ntscan|nts)\s*[\n\r])/i"; flowbits: set,trojan; classtype: trojan-activity; sid:2002385; rev:7; ) #by Jeff Kell #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE TROJAN Potential New Spambot Proxy Control Channel -- Please report hits to bleeding-sigs@bleedingsnort.com"; flow: established,to_server; dsize:3; content:"|050100|"; depth:3; classtype: trojan-activity; sid: 2002669; rev:2; ) # Added 2005-10-04 in response to ISC diary alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Trojan - Mitglieder Proxy Bot Checking In"; flow:established,to_server; content:"GET "; nocase; depth:4; pcre:"/\/scr5\.php\?p=\d+&id=\d+/i"; reference:url,isc.sans.org/diary.php?storyid=722; classtype:trojan-activity; sid:2002387; rev:2;) # Submitted 2006-03-05 by Tom Fisher alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Orderjack Reporting User Activity"; flow:established,to_server; uricontent:"options.cgi?user_id="; nocase; uricontent:"&version_id="; nocase; uricontent:"&passphrase="; nocase; reference:url,www.avira.com/en/threats/section/fulldetails/id_vir/1724/tr_dldr.orderjack.a.html; classtype:trojan-activity; sid:2002854; rev:1;) # Submitted by Brad Doctor alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE VIRUS - Greeting card gif.exe email incoming SMTP"; flow: established,to_server; content:"postcard.gif.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; sid: 2001919; rev:3; ) alert tcp $EXTERNAL_NET 110:220 -> $HOME_NET any (msg: "BLEEDING-EDGE VIRUS - Greeting card gif.exe email incoming POP3/IMAP"; flow: established,from_server; content:"postcard.gif.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; sid: 2001920; rev:3; ) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE VIRUS - Greeting card gif.exe email incoming HTTP"; flow: established,from_server; content:"postcard.gif.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; sid: 2001921; rev:3; ) # Submitted by Tom Fischer, 2006-01-07 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN PSW-Agent Reporting User Activity"; flow:established,to_server; uricontent:"/x25.php"; nocase; uricontent:"?id="; nocase; uricontent:"&sv="; nocase; 
uricontent:"&ip="; nocase; uricontent:"&sport="; nocase; uricontent:"&hport="; nocase; uricontent:"&os="; nocase; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/trojtorpigr.html; sid:2002762; rev:2;) # Psyme Trojan #Submitted by Matt Jonkman for the Psyme Trojan alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE VIRUS Psyme Trojan Download"; flow: to_server,established; uricontent:"/download/IEService215.chm"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/downloader.psyme.html; classtype: trojan-activity; sid: 2000365; rev:7; ) #By Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET 26 (msg: "BLEEDING-EDGE VIRUS PWS Banker Trojan Sending Report of Infection"; flow: established,to_server; content:"From\: \"PC ID\:"; nocase; content:"Subject\: INFECTED"; nocase; content:"esta infectado"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/pwsteal.banker.b.html; sid: 2001933; rev:4; ) #by Tom Fischer alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN PWS-LDPinch Reporting User Activity"; flow:established,to_server; uricontent:".php?ut="; nocase; uricontent:"&idr="; nocase; uricontent:"&lang="; nocase; uricontent:"&ver="; nocase; uricontent:"&winver="; nocase; classtype:trojan-activity; sid:2002812; rev:1;) #by Myron Davis alert udp $HOME_NET any -> $EXTERNAL_NET 20192 (msg:"BLEEDING-EDGE TROJAN Ransky or variant backdoor communication ping"; dsize:<6; reference:url,www.sophos.com/virusinfo/analyses/trojranckcx.html; classtype:trojan-activity; sid:2002728; rev:1;) #by Tom Fisher alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN SickleBot Reporting User Activity"; flow:established,to_server; uricontent:"/stat.php?id="; nocase; uricontent:"&ver="; nocase; pcre:"/User-Agent\:[^\n]+SickleBot/i"; classtype:trojan-activity; sid:2002776; rev:1;) #Matt Jonkman, info from Sunbelt Software alert 
tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Srv.SSA-KeyLogger Checkin Traffic"; flow:to_server,established; uricontent:"Srv.SSA-KeyLogger"; classtype:trojan-activity; sid:2002175; rev:1;) #by Mark Tombaugh, analysis at Nepenthesis alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN w32agent.dsi Domain Update"; flow:established,to_server; uricontent:"/getgewinnspiel.php?uid="; classtype:trojan-activity; reference:url,nepenthes.sourceforge.net/analysis\:w32agent.dsi; sid:2002782; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN w32agent.dsi Posting Info"; flow:established,to_server; uricontent:"/postgewinnspiel.php"; uricontent:"uid="; classtype:trojan-activity; reference:url,nepenthes.sourceforge.net/analysis\:w32agent.dsi; sid:2002781; rev:2;) #By Tom Fischer alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Win32.Agent Reporting User Activity"; flow:established,to_server; uricontent:".php?phid="; nocase; uricontent:"&ver="; nocase; uricontent:"&lg="; nocase; pcre:"/User-Agent\:[^\n]+z/i"; classtype:trojan-activity; sid:2002792; rev:2;) #by Tom Fischer alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Win32.VB.aie Reporting User Activity"; flow:established,to_server; uricontent:"php?iso="; nocase; uricontent:"&country="; nocase; uricontent:"&proxy="; nocase; uricontent:"&tel="; nocase; uricontent:"&ftp="; nocase; uricontent:"&socks="; nocase; uricontent:"&remote="; nocase; uricontent:"&smtp="; nocase; classtype:trojan-activity; sid:2002857; rev:1;) #by phear alert tcp $HOME_NET any -> $EXTERNAL_NET 1345 (msg: "BLEEDING-EDGE VIRUS AIM Bot im.exe Activity"; flow: established, to_server; content:"JOIN ##aim## n1gg3r"; tag: session, 10, packets; classtype: trojan-activity; sid: 2001905; rev:3; ) #Matt Jonkman, info from Bob Grabowsky alert tcp $HOME_NET any -> $EXTERNAL_NET 1345 (msg: "BLEEDING-EDGE VIRUS AIM Bot 
Outbound Control Channel Open and Login"; flow: to_server,established; content:"PASS"; nocase; pcre:"/PASS\s.*?\x0d\x0aNICK\s.*?\x0d\x0aUSER\s.*?\s\d\s\d\s\:\S/im"; classtype: trojan-activity; sid: 2001910; rev:3; ) # Atak Worm #Submitted by Michael Sconzo for Atak worm alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Possible Atak.mm Worm Outbound"; flow: to_server,established; content:"Authorized Researcher Only"; content:"filename="; content:".zip"; pcre:"m/(Read the Result\!|Important Data\!)/"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.atak@mm.html; classtype: trojan-activity; sid: 2000494; rev:6; ) # Bagle variants #Submitted by Matt Jonkman for Bagel variant 2.jpg # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE VIRUS Bagle Variant Requesting 2.jpg"; reference:url,isc.sans.org/diary.php?date=2004-08-09; content:"2.jpg"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/2\.jpg/i"; flow:established; classtype:trojan-activity; sid:2001061; rev:11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE VIRUS Bagle Variant Checking In"; flow: established; uricontent:"/spyware.php"; reference:url,vil.nai.com/vil/content/v_127423.htm; classtype: trojan-activity; sid: 2001064; rev:6; ) #Submitted by Michael Sconzo for Bagle.AI alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Possible Bagle.AI Worm Outbound"; flow: to_server,established; content:"filename="; content:""; pcre:"m/(Dog|MP3|Doll|Garry|Fish|New_MP3_Player|Cat|Cool_MP3).(scr|cpl|zip|exe|com)/"; pcre:"m/(fotogalary and Music|Animals|foto3 and MP3|fotoinfo|Screen and Music|Lovely animals|Predators|The snake)/"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.beagle.ag@mm.html; sid: 2000561; rev:12; ) #Submitted by Matt Jonkman for Bagle.AQ alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Possible Bagle.AQ Worm Outbound"; 
flow: to_server,established; content:"filename="; nocase; pcre:"m/(price2|price_new|price|price_08).zip/i"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.beagle.av@mm.html; sid: 2001065; rev:7; ) #Submitted by Matt Jonkman for Bagle.AV alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Possible Beagle.AV Worm Outbound"; flow: to_server,established; content:"filename="; pcre:"m/(price|Price|Joke)\.(exe|scr|cpl|com)/"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.beagle.av@mm.html; classtype: trojan-activity; sid: 2001390; rev:5; ) #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE VIRUS Possible Beagle.AV Worm Inbound"; flow: to_server,established; content:"filename="; pcre:"m/(price|Price|Joke)\.(exe|scr|cpl|com)/"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.beagle.av@mm.html; classtype: trojan-activity; sid: 2001391; rev:5; ) #Submitted by Mark Scott 01/27/2005 - Bagle.AY, .BJ - Updated 1/31/2005 alert TCP $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE VIRUS Bagle.BJ -alias .AY, .BC- - download attempt"; flow: established; content:"error.jpg"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/error\.jpg/i"; reference:url,secunia.com/virus_information/14877/; classtype: trojan-activity; sid: 2001695; rev:11; ) alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Bagle.BJ -alias .AY, .BC- worm -.com, exe extensions- - outbound"; flow: established; content:"a2dndGtiYmpiZw0KbGhoZ2dqZmRnZGNkaGdodGZoamhranV1aGhqaGZmaGpoamhnDQpsaGhn"; nocase; reference:url,secunia.com/virus_information/14902/; classtype: trojan-activity; sid: 2001691; rev:8; ) #alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE VIRUS Bagle.BJ -alias .AY, .BC- worm -.com, .exe extensions- - incoming"; flow: established; content:"a2dndGtiYmpiZw0KbGhoZ2dqZmRnZGNkaGdodGZoamhranV1aGhqaGZmaGpoamhnDQpsaGhn"; nocase; 
reference:url,secunia.com/virus_information/14902/; classtype: trojan-activity; sid: 2001692; rev:7; ) alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Bagle.BJ -alias .AY, .BC- worm -.cpl extension- - outbound"; flow: established; content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaGp5"; nocase; reference:url,secunia.com/virus_information/14902/; classtype: trojan-activity; sid: 2001693; rev:7; ) #alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE VIRUS Bagle.BJ -alias .AY, .BC- worm -.cpl extension- - incoming"; flow: established; content:"amdoamh5dXRnamtoZnVrdGl5bGhqZ2ZkZmRmZGdoZ2hqeXVydXRpZ2toZmpndHVpdGtnaGp5"; nocase; reference:url,secunia.com/virus_information/14902/; classtype: trojan-activity; sid: 2001694; rev:6; ) #Submitted by Mark Scott, 3/5/2005, for Beagle.BK (changed name from Bagle.BA) alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Beagle.BK - outbound"; flow: established; content:"UmFyIRoHAM+QcwAADQAAAAAAAABQt3QggCgAuDsAAACEAAACcyJzW9y6ZDIdMwgAIAAAAGRk"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.beagle.bk@mm.html; classtype: trojan-activity; sid: 2001759; rev:4; ) #alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE VIRUS Beagle.BK - incoming"; flow: established; content:"UmFyIRoHAM+QcwAADQAAAAAAAABQt3QggCgAuDsAAACEAAACcyJzW9y6ZDIdMwgAIAAAAGRk"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.beagle.bk@mm.html; classtype: trojan-activity; sid: 2001760; rev:5; ) #Submitted by Mark Scott, 3/1/2005, for Bagle.BE downloader alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE VIRUS Bagle.BE Download attempt"; flow: established,to_server; content:"zo2.jpg"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/zo2\.jpg/i"; reference:url,secunia.com/virus_information/15815/bagle.be/; classtype: trojan-activity; sid: 2001752; rev:6; ) #Submitted by Mark Tombaugh, 3/5/2005, 
for BagleD1-M alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS BagleDl-M SMTP Outbound"; flow: established,to_server; content:"T9pQXQ1sNbAC/98/FferNn+R2nPBCR8fGhG/1+7j8VY/P0wqMJ+0pdKFqz/vn4oPhgzqj7vq"; reference:url,www.sophos.com/virusinfo/analyses/trojbagledlm.html; classtype: trojan-activity; sid: 2001757; rev:4; ) #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE VIRUS BagleDl-M SMTP Inbound"; flow: established,to_server; content:"T9pQXQ1sNbAC/98/FferNn+R2nPBCR8fGhG/1+7j8VY/P0wqMJ+0pdKFqz/vn4oPhgzqj7vq"; reference:url,www.sophos.com/virusinfo/analyses/trojbagledlm.html; classtype: trojan-activity; sid: 2001758; rev:3; ) #Taken from the Netsquid Rules for Bagle.I and other variants alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE VIRUS Beagle User Agent Detected"; flow: to_server,established; dsize: < 150; content:"User-Agent\: beagle_beagle"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.beagle.i@mm.html; sid: 2001269; rev:11; ) alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Possible Bagle.AI Worm"; flow: to_server,established; content:"filename="; pcre:"m/(Dog|MP3|Doll|Garry|Fish|New_MP3_Player|Cat|Cool_MP3).(scr|cpl|zip|exe|com)/"; pcre:"m/(fotogalary and Music|Animals|foto3 and MP3|fotoinfo|Screen and Music|Lovely animals|Predators|The snake)/"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.beagle.i@mm.html; sid: 2001292; rev:12; ) alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Bagle Worm"; flow: established; content:"7Ff8i30Ii00MwekCM8DjAvOri00Mg+ED4wLzql/JwggAVYvsV1OLXQyLfQhqGeh1AgAAg8Bh"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.beagle.i@mm.html; sid: 2001270; rev:7; ) #Submitted by Mark Mcdonagh for W32/Bagle.z@MM alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE 
VIRUS W32/Bagle.z@MM Requesting 5.php"; flow: to_server,established; content:"5.php"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/5\.php/i"; reference:mcafee,122415; classtype: trojan-activity; sid: 2001556; rev:10; ) #Submitted by Mark Scott for Bagle Trojan - W32/Bagle.dldr, updated by Frank Knobbe alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE VIRUS W32/Bagle.dldr Trojan - download attempt"; flow: established; content:"zoo.jpg"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/zoo\.jpg/i"; reference:url,secunia.com/virus_information/13085/; classtype: misc-activity; sid: 2001638; rev:11; ) #Submitted by Mark Scott for generic Bagle (this seems to trip on most Bagles) alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Bagel - outbound"; flow: established; content:"TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAA"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.html; sid: 2001567; rev:6; ) #alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE VIRUS Bagel - incoming"; flow: established; content:"TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAA"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.beagle.a@mm.html; sid: 2001568; rev:6; ) #Submitted by Mark Scott, 5/31/2005, for Bagle.BO or variant alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Bagle.BO or variant - OUTBOUND"; flow: established; content:"UEsDBBQAAAAIABihvzJKS8dUyUYAAACOAAAOAAAAMDFfMDVfMjAwNS5leGXsXAdYVMf2PxtM"; nocase; reference:url,secunia.com/virus_information/18441/; classtype: trojan-activity; sid: 2001952; rev:3; ) #alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE VIRUS Bagle.BO or variant - INBOUND"; flow: established; content:"UEsDBBQAAAAIABihvzJKS8dUyUYAAACOAAAOAAAAMDFfMDVfMjAwNS5leGXsXAdYVMf2PxtM"; nocase; reference:url,secunia.com/virus_information/18441/; classtype: 
trojan-activity; sid: 2001953; rev:3; ) #Submitted by Mark Scott, 6/26/2005, for Bagle.BQ alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Bagle.BQ - outbound"; flow:established,to_server; content:"nPBrolMAAACQAAALAAAAZjIyLTAxMy5l"; nocase; reference:url,secunia.com/virus_information/19194/; classtype:trojan-activity; sid:2002051; rev:1;) #alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS Bagle.BQ - incoming"; flow:established,to_server; content:"nPBrolMAAACQAAALAAAAZjIyLTAxMy5l"; nocase; reference:url,secunia.com/virus_information/19194/; classtype:trojan-activity; sid:2002052; rev:2;) #Submitted by Mark Scott, 8/11/2005, for Bagle.CC alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Bagle.CC (aka Win32.Bagle.bz, .ca, .cb) - outbound"; flow:established, to_server; content:"VGF4ZXMuZXhl7F"; reference:url,www.viruslist.com/en/alerts?alertid=168511904; classtype:trojan-activity; sid:2002177; rev:2;) #alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS Bagle.CC (aka Win32.Bagle.bz, .ca, .cb) - incoming"; flow:established, to_server; content:"VGF4ZXMuZXhl7F"; reference:url,www.viruslist.com/en/alerts?alertid=168511904; classtype:trojan-activity; sid:2002178; rev:2;) #By dajackman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE VIRUS W32.Beagle.CE@mm Infection Outbound web.php"; flow:to_server,established; uricontent:"/web.php"; threshold: type threshold, count 5, seconds 60, track by_src; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.beagle.ce@mm.html; classtype: trojan-activity; sid:2002180; rev:2;) # Submitted by Mark Tombaugh, 2005-08-12 - Alternative sigs for 2002177/2002178 #alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS BagleDL-S SMTP Outbound"; flow:to_server,established; content:"AAAJAAAAVGF4ZXMuZ"; content:"TPARI740"; distance:15; within:23; reference:url,www.sophos.com/virusinfo/analyses/trojbagledls.html; 
classtype: trojan-activity; within:104; sid:2002183; rev:2;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS BagleDL-S SMTP Inbound"; flow:to_server,established; content:"AAAJAAAAVGF4ZXMuZ"; content:"TPARI740"; distance:15; within:23; reference:url,www.sophos.com/virusinfo/analyses/trojbagledls.html; classtype: trojan-activity; sid: 2002184; rev:2;) # Submitted by Mark Tombaugh, 2005-09-15, for Bagle.BB alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Bagle-BB SMTP Outbound"; flow:to_server,established; content:"UEsDBBQAAAAIA"; content:"XjAAAAQ4AAA"; distance:10; within:22; reference:url,www.sophos.com/virusinfo/analyses/trojdropperbb.html; reference:url,isc.sans.org/diary.php?date=2005-09-12; classtype:trojan-activity; sid:2002367; rev:1;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS Bagle-BB SMTP Inbound"; flow:to_server,established; content:"UEsDBBQAAAAIA"; content:"XjAAAAQ4AAA"; distance:10; within:22; reference:url,www.sophos.com/virusinfo/analyses/trojdropperbb.html; reference:url,isc.sans.org/diary.php?date=2005-09-12; classtype:trojan-activity; sid:2002368; rev:1;) # Submitted by Mark Tombaugh, 2005-09-15, for Bagle.CJ alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Bagle.CJ SMTP Outbound"; flow:to_server,established; content:"UEsDBBQAAAA"; content:"EEkIAAAG"; distance:12; within:20; reference:url,isc.sans.org/diary.php?date=2005-09-19; classtype:trojan-activity; sid: 2002372; rev:1;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS Bagle.CJ SMTP Inbound"; flow:to_server,established; content:"UEsDBBQAAAA"; content:"EEkIAAAG"; distance:12; within:20; reference:url,isc.sans.org/diary.php?date=2005-09-19; classtype:trojan-activity; sid: 2002373; rev:1;) #By Mark Tombaugh #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS Bagle.dk SMTP Inbound"; flow:to_server,established; content:"UEsDBBQA"; content:"YT"; distance:8; within:11; 
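content:"AAAA"; distance:8; within:13; reference:url,vil.nai.com/vil/content/v_136751.htm; classtype:trojan-activity; sid:2002665; rev:2;)
# Bagle.dk outbound SMTP. The client side of an SMTP session sends from an ephemeral port to
# port 25, so the header must be "$HOME_NET any -> $EXTERNAL_NET 25" (the same shape every other
# outbound SMTP rule in this section uses). The previous header, "$HOME_NET 25 -> $EXTERNAL_NET any"
# combined with flow:to_server, could not match outbound mail, so the rule never fired; rev bumped
# for the header change. Content chain: "UEsDBBQA" is the base64 form of a ZIP local-file header
# (PK\x03\x04\x14\x00), followed by two further base64 fragments at fixed distances into the body.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Bagle.dk SMTP Outbound"; flow:to_server,established; content:"UEsDBBQA"; content:"YT"; distance:8; within:11; content:"AAAA"; distance:8; within:13; reference:url,vil.nai.com/vil/content/v_136751.htm; classtype:trojan-activity; sid:2002666; rev:3;)
#by Mark Tombaugh, the Virus King
# Bagle.EO/EP: base64 attachment fragments (ZIP header plus a fragment 33 bytes further on).
# The inbound variant (sid 2002688) is left commented out; only the outbound rule (sid 2002689) is active.
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS Bagle.EO or EP Inbound"; flow:to_server,established; content:"UEsDBBQA"; content:"S5leGXtmn"; distance:33; within:35; reference:url,www.f-secure.com/v-descs/bagle_eo.shtml; reference:url,www.f-secure.com/v-descs/bagle_ep.shtml; classtype:trojan-activity; sid:2002688; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Bagle.EO or EP Outbound"; flow:to_server,established; content:"UEsDBBQA"; content:"S5leGXtmn"; distance:33; within:35; classtype:trojan-activity; reference:url,www.f-secure.com/v-descs/bagle_eo.shtml; reference:url,www.f-secure.com/v-descs/bagle_ep.shtml; sid:2002689; rev:1;)
# Bagle.ES/ET: same layout as the EO/EP pair with a different second fragment.
# Inbound (sid 2002690) commented out, outbound (sid 2002691) active.
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS Bagle.ES or ET Inbound"; flow:to_server,established; content:"UEsDBBQA"; content:"TIuZXhl7"; distance:33; within:35; classtype:trojan-activity; reference:url,www.f-secure.com/v-descs/bagle_et.shtml; reference:url,www.f-secure.com/v-descs/bagle_es.shtml; sid:2002690; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Bagle.ES or ET Outbound"; flow:to_server,established; content:"UEsDBBQA"; content:"TIuZXhl7"; distance:33; within:35; classtype:trojan-activity; reference:url,www.f-secure.com/v-descs/bagle_et.shtml; reference:url,www.f-secure.com/v-descs/bagle_es.shtml; sid:2002691; rev:1;)
#Submitted by Mark Scott, 2005-11-25
#This trojan is instantiated from the attachment of the Bagel variants of week 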
2005-11-20 #The Trojan is Trojan.Lodear.D alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE VIRUS Win32.Bagle.f (.AH,.AJ,Trojan.Lodear.D) Trojan Activity - download attempt"; flow:established,to_server; uricontent:"/z.php"; nocase; classtype:trojan-activity; reference:url,www.trendmicro.com.au/consumer/vinfo/encyclopedia.php?LYstr=VMAINDATA&vNav=3&VName=TROJ_BAGLE.AH; reference:url,symantec.com/avcenter/venc/data/trojan.lodear.d.html; sid:2002699; rev:2;) #Submitted by Mark Scott, 2005-12-15 #Bagel variant of week 2005-12-15 #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS Bagle.gen SMTP Inbound (aka - .BK,.ET,.FT,.JH,Lodear.E,.gen,Mitglieder.GU)"; flow:to_server,established; content:"UEsDBBQA"; content:"AAAAUzM3MDAw"; distance:28; content:"ZXhl7ZpnXBP"; distance:4; classtype:trojan-activity; reference:url,isc.sans.org/diary.php?storyid=937; sid:2002726; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Bagle.gen SMTP Outbound (aka - .BK,.ET,.FT,.JH,Lodear.E,.gen,Mitglieder.GU)"; flow:to_server,established; content:"UEsDBBQA"; content:"AAAAUzM3MDAw"; distance:28; content:"ZXhl7ZpnXBP"; distance:4; classtype:trojan-activity; reference:url,isc.sans.org/diary.php?storyid=937; sid:2002727; rev:3;) #Submitted by Mark Scott, 2006-02-05, Bagle.fj #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS Bagle.fj(CME-328) SMTP Inbound"; flow:to_server,established; content:"UEsDBAoAA"; content:"AAA"; distance:24; content:"AAA"; distance:2; content:"AAA"; distance:29; reference:url,cme.mitre.org/data/list.html#328; classtype:trojan-activity; sid:2002797; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Bagle.fj(CME-328) SMTP Outbound"; flow:to_server,established; content:"UEsDBAoAA"; content:"AAA"; distance:24; content:"AAA"; distance:2; content:"AAA"; distance:29; reference:url,cme.mitre.org/data/list.html#328; classtype:trojan-activity; sid:2002798; rev:4;) # 
Bropia Worm #From Evgeny P alert tcp $HOME_NET any -> $EXTERNAL_NET 6891:6900 (msg: "BLEEDING-EDGE Virus Bropia.F Worm Propagation"; flow: established,to_server; content:"|E1 37 A2 BA 6E 5C 63 8B D6 D1 F7 3C BA 13 16 FD 77 21 5A 5C 17 1B 29 4A 4F 15 A9 29 CF FA 48 3A|"; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBROPIA%2EF; classtype: misc-attack; sid: 2001715; rev:5; ) # CIA #Submitted by Chris Norton alert ip $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE Possible CIA download/upload attempt"; content:"|6C 75 66 6A 65 6F 6F|"; classtype: trojan-activity; sid: 2001233; rev:4; ) # Evaman Worm #Submitted by msconzo@tamu.edu alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Possible Evaman Worm Outbound"; flow: to_server,established; content:"filename="; pcre:"m/(body|message|email|returned|text|document)\.(scr|txt\.scr|html\.scr|outlook\.scr|txt\.exe)/"; reference:url,secunia.com/virus_information/10429/evaman; classtype: trojan-activity; sid: 2000343; rev:9; ) #By Mark Tombaugh alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Forbot-FG SMTP Outbound"; flow:to_server,established; content:"UEsDBAoAAAAAA"; content:"LjP2AVbKEF"; distance:3; within:13; reference:url,www.sophos.com/virusinfo/analyses/w32forbotfg.html; classtype:trojan-activity; sid:2002369; rev:1;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS Forbot-FG SMTP Inbound"; flow:to_server,established; content:"UEsDBAoAAAAAA"; content:"LjP2AVbKEF"; distance:3; within:13; reference:url,www.sophos.com/virusinfo/analyses/w32forbotfg.html; classtype:trojan-activity; sid:2002370; rev:2;) # GDI Exploit #Submitted by Matt Jonkman #alert tcp any any -> any any (msg: "BLEEDING-EDGE GDI Exploit - Worm 1 Successful Execution"; flow: established; content:"USER bawz"; nocase; reference:url,www.easynews.com/virus.txt; classtype: trojan-activity; sid: 2001332; rev:5; ) #by Scott Melnick alert tcp $EXTERNAL_NET any -> 
$HOME_NET any (msg: "BLEEDING-EDGE WORM Possible MSN Worm Exploit php"; flow: established; content:"X-MMS-IM-"; depth:153; content:"http"; nocase; content:".php"; nocase; classtype:misc-activity; sid:2002322; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE WORM Possible MSN Worm Exploit exe"; flow: established; content:"X-MMS-IM-"; depth:153; content:"http"; nocase; content:".exe"; nocase; classtype:misc-activity; sid:2002323; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE WORM Possible MSN Worm Exploit pif"; flow: established; content:"X-MMS-IM-"; depth:153; content:"http"; nocase; content:".pif"; nocase; classtype:misc-activity; sid:2002324; rev:1;) #Specific Kelvir.HI detection on MSN alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE WORM W32.kelvir.HI"; flow: established; content:"X-MMS-IM-"; depth:153; content:"search.php?data="; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.kelvir.hi.html; classtype:misc-activity; sid:2002325; rev:1;) # Korgo Worm #Submitted by Nick Hatch alert tcp $HOME_NET any -> any 445 (msg: "BLEEDING-EDGE Korgo.P offering executable"; flow: to_server,established; content:"|FF|SMB"; depth: 10; content:"|58|http"; content:".exe"; nocase; within: 36; reference:url,www.f-secure.com/v-descs/korgo_p.shtml; classtype: trojan-activity; sid: 2001337; rev:4; ) alert tcp $HOME_NET any -> any any (msg: "BLEEDING-EDGE Korgo.P binary upload"; flow: to_server,established; content:"|aa4f7ea86c90457d686868f0de687a68689768686868|"; reference:url,www.f-secure.com/v-descs/korgo_p.shtml; classtype: trojan-activity; sid: 2001338; rev:5; ) # Submitted by David Glosser on 2005-12-03 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE WORM W32.Magflag.A@mm 1"; flow:established,to_server; uricontent:"/winldr.ini"; nocase; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.magflag.a@mm.html; sid:2002705; rev:2;) 
# NOTE(review): Snort reads one rule per line. The rules below are kept one per
# line so that a leading "#" comment line never swallows the rule that follows it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE WORM W32.Magflag.A@mm 2"; flow:established,to_server; uricontent:"/flg.exe"; nocase; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.magflag.a@mm.html; sid:2002706; rev:2;)
# Maslan
#Maslan.C created by Mark Scott, 5/11/2005
# NOTE(review): throughout this section the inbound (EXTERNAL_NET -> HOME_NET 25) copy of each
# mail-borne signature is commented out and only the outbound copy is active -- presumably to keep
# noise down on mail gateways; confirm before enabling the inbound copies.
alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE Virus Maslan.C - outbound"; flow: established; content:"CW9hpT0pd0ANKXdADSl3QAUYt6ANOXdAC9iH4A2Zd0AL2IcA"; nocase; reference:url,secunia.com/virus_information/13805/; classtype: misc-activity; sid: 2001930; rev:4; )
#alert TCP $EXTERNAL_NET any -> any 25 (msg: "BLEEDING-EDGE Virus Maslan.C - inbound"; flow: established; content:"CW9hpT0pd0ANKXdADSl3QAUYt6ANOXdAC9iH4A2Zd0AL2IcA"; nocase; reference:url,secunia.com/virus_information/13805/; classtype: misc-activity; sid: 2001931; rev:4; )
#Jason Alexander
# MSN Messenger (port 1863) URL with ".php?" followed by "email=" and an "@".
# NOTE(review): within: 5 is shorter than the 6-byte pattern "email=" it modifies -- confirm the
# parser accepts this and that the match can succeed. classtype attempted-admin also differs from
# the trojan-activity used by the neighbouring worm rules; confirm the priority is intended.
alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg: "BLEEDING-EDGE WORM General MSN Worm URL Attempt"; flow: established,from_server; content:".php?"; nocase; content:"email="; nocase; within: 5; content:"@"; nocase; within: 20; reference:url,isc.sans.org/diary.php?date=2005-04-13; classtype: attempted-admin; sid: 2001247; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg: "BLEEDING-EDGE WORM General MSN Worm URL Outbound"; flow: established,to_server; content:".php?"; nocase; content:"email="; nocase; within: 5; content:"@"; nocase; within: 20; reference:url,isc.sans.org/diary.php?date=2005-04-13; classtype: attempted-admin; sid: 2001878; rev:5; )
# MyDoom variants
#Submitted by Matt Jonkman for MyDoom.AH
# "/index.htm" is a very generic pattern; the selectivity comes from the unusual destination ports 1639:1640.
alert tcp $HOME_NET !$HTTP_PORTS -> $EXTERNAL_NET 1639:1640 (msg: "BLEEDING-EDGE WORM MyDoom.AH Victim Accessing Infected Page"; flow: established,to_server; content:"/index.htm"; nocase; reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631; classtype: trojan-activity; sid: 2001428; rev:8; )
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE WORM Potential MyDoom.AH Email Inbound"; flow: established,to_server; content:"tracking number is A866DEC0"; nocase; reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631; classtype: trojan-activity; sid: 2001431; rev:4; )
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE WORM Potential MyDoom.AH Email Inbound"; flow: established,to_server; content:"Hi! I am looking for new friends. I am from Miami, FL."; nocase; reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631; classtype: trojan-activity; sid: 2001435; rev:3; )
# Outbound copies of the three MyDoom.AH lure texts above.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE WORM Potential MyDoom.AH Email Outbound (1)"; flow: established,to_server; content:"tracking number is A866DEC0"; nocase; reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631; classtype: trojan-activity; sid: 2001432; rev:5; )
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE WORM Potential MyDoom.AH Email Inbound"; flow: established,to_server; content:"My name is Jane, I am from Miami, FL"; nocase; content:"with my weblog and last webcam photos!"; nocase; reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631; classtype: trojan-activity; sid: 2001433; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE WORM Potential MyDoom.AH Email Outbound (2)"; flow: established,to_server; content:"My name is Jane, I am from Miami, FL"; nocase; content:"with my weblog and last webcam photos!"; nocase; reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631; classtype: trojan-activity; sid: 2001434; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE WORM Potential MyDoom.AH Email Outbound (3)"; flow: established,to_server; content:"Hi! I am looking for new friends. I am from Miami, FL."; nocase; reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631; classtype: trojan-activity; sid: 2001436; rev:4; )
# MyDoom.AI: the literal "X-AntiVirus:" content gates the two pcre checks (forged AV-scanner header + lure text).
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE WORM Potential MyDoom.AI Email Inbound"; flow: established,to_server; content:"X-AntiVirus|3a|"; nocase; pcre:"/X-AntiVirus\: (scanned for viruses by AMaViS 0\.2\.1|Checked by Dr\.Web|Checked for viruses by Gordano's AntiVirus)/"; pcre:"/(Look at my homepage with my last webcam photos!|FREE ADULT VIDEO! SIGN UP NOW!)/"; reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631; classtype: trojan-activity; sid: 2001437; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE WORM Potential MyDoom.AI Email Outbound"; flow: established,to_server; content:"X-AntiVirus|3a|"; nocase; pcre:"/X-AntiVirus\: (scanned for viruses by AMaViS 0\.2\.1|Checked by Dr\.Web|Checked for viruses by Gordano's AntiVirus)/"; pcre:"/(Look at my homepage with my last webcam photos!|FREE ADULT VIDEO! SIGN UP NOW!)/"; reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631; classtype: trojan-activity; sid: 2001438; rev:5; )
#From the Netsquid Rules for MyDoom.F
# First content is a base64 run of space characters; the hex is "Windows-1252". Destination port is any.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE VIRUS MyDoom.F Worm"; flow: to_server,established; content:"gICAgICAgICAgICAgICAgICAg"; content:"|57 69 6E 64 6F 77 73 2D 31 32 35 32|"; classtype: trojan-activity; reference:url,vil.mcafeesecurity.com/vil/content/v_101014.htm; sid: 2001279; rev:6; )
#Submitted by Mark Scott, 1/5/2005, for MyDoom.I
# Base64 fragment containing the DOS-stub text "This program cannot be".
# NOTE(review): nocase on a base64 string also matches differently-cased text that decodes to
# other bytes; presumably a deliberate widening -- confirm.
alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE Virus MyDoom.I worm - outbound"; flow: established; content:"zSG4AUzNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgc"; nocase; reference:url,secunia.com/virus_information/8818/; classtype: misc-activity; sid: 2001672; rev:4; )
#alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE Virus MyDoom.I worm - inbound"; flow: established; content:"zSG4AUzNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgc"; nocase; reference:url,secunia.com/virus_information/8818/; classtype: misc-activity; sid: 2001673; rev:3; )
#From the Netsquid Rules for MyDoom/MiMail
# Bounce-style lure text plus an octet-stream/base64 attachment; the "\:" escapes the colon inside content.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS MyDoom/MIMAIL.R Outbound 1"; flow: to_server,established; content:"represented in 7-bit ASCII"; nocase; content:"Content-Type\: application/octet-stream"; nocase; content:"Content-Transfer-Encoding\: base64"; nocase; classtype: trojan-activity; reference:url,vil.mcafeesecurity.com/vil/content/Print100989.htm; sid: 2001274; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS MyDoom/MIMAIL.R Outbound 2"; flow: to_server,established; content:"Mail transaction failed"; nocase; content:"Content-Type\: application/octet-stream"; nocase; content:"Content-Transfer-Encoding\: base64"; nocase; classtype: trojan-activity; reference:url,vil.mcafeesecurity.com/vil/content/Print100989.htm; sid: 2001275; rev:8; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS MyDoom/MIMAIL.R Outbound 3"; flow: to_server,established; content:"The message contains Unicode characters"; nocase; content:"Content-Type\: application/octet-stream"; nocase; content:"Content-Transfer-Encoding\: base64"; nocase; classtype: trojan-activity; reference:url,vil.mcafeesecurity.com/vil/content/Print100989.htm; sid: 2001276; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS MyDoom/MIMAIL.R Variant Outbound"; flow: to_server,established; content:"We are sorry your UTF-8 encoding is not supported by the server"; nocase; classtype: trojan-activity; reference:url,vil.mcafeesecurity.com/vil/content/v_101014.htm; reference:url,vil.mcafeesecurity.com/vil/content/Print100989.htm; sid: 2001277; rev:8; )
#Taken from Lurhq for MyDoom.m,o
# Google search for "mailto" strings (address harvesting). NOTE(review): a person typing the same
# query by hand would also match; treat as an indicator, not proof of infection.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Mailto domain search possible MyDoom.M,O"; flow: to_server,established; uricontent:"/search?hl=en&ie=UTF-8&oe=UTF-8&q=mailto+"; depth: 45; content:"Host\: www.google.com"; reference:url,www.lurhq.com/zindos.html; classtype: trojan-activity; sid: 2001012; rev:5; )
#Submitted by Joel Esler for MyDoom.P
# NOTE(review): the Host content has no nocase, so a lowercase host header would not match -- confirm intended.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MyDoom.P Query"; flow: to_server,established; content:"/py/psSearch.py|3f|"; nocase; content:"Host|3a| EMAIL.PEOPLE.YAHOO.COM"; classtype: trojan-activity; reference:url,www.sarc.com/avcenter/venc/data/w32.mydoom.p@mm.html; sid: 2001045; rev:8; )
#Submitted by Matt Jonkman for MyDoom.S
# "\;" is an escaped semicolon inside the content string.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE WORM MyDoom.S Outbound"; flow: to_server,established; content:"LOL!\;)"; nocase; content:"filename=photos_arc.exe"; nocase; reference:url,www.f-secure.com/v-descs/mydoom_s.shtml; reference:url,isc.sans.org/diary.php?date=2004-08-16; classtype: trojan-activity; sid: 2001196; rev:6; )
# Extended versions of the Myfip signatures posted by LURHQ on August 16, 2005
# Data-theft upload to port 34330: four leading null bytes, a ":\" (|3a 5c|, drive-letter path) five
# bytes later, then a null-terminated file extension. The nine rules differ only in the extension;
# NOTE(review): they could be consolidated into one rule with a pcre for the extension list.
alert tcp $HOME_NET any -> $EXTERNAL_NET 34330 (msg:"BLEEDING-EDGE WORM Possible Myfip PDF file transfer - IP theft"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; content:"|3a 5c|"; distance:5; within:2; content:".pdf|00|"; nocase; within:256; reference:url,www.lurhq.com/myfip.html; classtype:trojan-activity; sid:2002336; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 34330 (msg:"BLEEDING-EDGE WORM Possible Myfip DOC file transfer - IP theft"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; content:"|3a 5c|"; distance:5; within:2; content:".doc|00|"; nocase; within:256; reference:url,www.lurhq.com/myfip.html; classtype:trojan-activity; sid:2002337; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 34330 (msg:"BLEEDING-EDGE WORM Possible Myfip DWG file transfer - IP theft"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; content:"|3a 5c|"; distance:5; within:2; content:".dwg|00|"; nocase; within:256; reference:url,www.lurhq.com/myfip.html; classtype:trojan-activity; sid:2002338; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 34330 (msg:"BLEEDING-EDGE WORM Possible Myfip SCH file transfer - IP theft"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; content:"|3a 5c|"; distance:5; within:2; content:".sch|00|"; nocase; within:256; reference:url,www.lurhq.com/myfip.html; classtype:trojan-activity; sid:2002339; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 34330 (msg:"BLEEDING-EDGE WORM Possible Myfip PCB file transfer - IP theft"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; content:"|3a 5c|"; distance:5; within:2; content:".pcb|00|"; nocase; within:256; reference:url,www.lurhq.com/myfip.html; classtype:trojan-activity; sid:2002340; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 34330 (msg:"BLEEDING-EDGE WORM Possible Myfip DWT file transfer - IP theft"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; content:"|3a 5c|"; distance:5; within:2; content:".dwt|00|"; nocase; within:256; reference:url,www.lurhq.com/myfip.html; classtype:trojan-activity; sid:2002341; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 34330 (msg:"BLEEDING-EDGE WORM Possible Myfip DWF file transfer - IP theft"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; content:"|3a 5c|"; distance:5; within:2; content:".dwf|00|"; nocase; within:256; reference:url,www.lurhq.com/myfip.html; classtype:trojan-activity; sid:2002342; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 34330 (msg:"BLEEDING-EDGE WORM Possible Myfip MAX file transfer - IP theft"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; content:"|3a 5c|"; distance:5; within:2; content:".max|00|"; nocase; within:256; reference:url,www.lurhq.com/myfip.html; classtype:trojan-activity; sid:2002343; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 34330 (msg:"BLEEDING-EDGE WORM Possible Myfip MDB file transfer - IP theft"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; content:"|3a 5c|"; distance:5; within:2; content:".mdb|00|"; nocase; within:256; reference:url,www.lurhq.com/myfip.html; classtype:trojan-activity; sid:2002344; rev:1;)
# Myfip mail indicators: the two X-Mailer header rules are disabled (they would fire on any FoxMail user);
# only the unusual MIME boundary string is active.
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE WORM Myfip email incoming - FoxMail 4.0 header"; flow:to_server,established; content:"X-Mailer\: FoxMail 4.0 beta 2"; nocase; reference:url,www.lurhq.com/myfip.html; classtype:string-detect; sid:2002345; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE WORM Myfip email incoming - FoxMail 3.11 header"; flow:to_server,established; content:"X-Mailer\: FoxMail 3.11 Release"; nocase; reference:url,www.lurhq.com/myfip.html; classtype:string-detect; sid:2002346; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE WORM Possible Myfip email incoming - MIME boundary tag"; flow:to_server,established; content:"_NextPart_2rfkindysadvnqw3nerasdf"; reference:url,www.lurhq.com/myfip.html; classtype:string-detect; sid:2002347; rev:1;)
# MySQL Worm
#Submitted by unknown
# DNS query for the bot's hostname (|06| and |03| are the DNS label-length bytes).
#alert udp $HOME_NET any -> any 53 (msg: "BLEEDING-EDGE MySQL bot DNS lookup"; content:"landingzone"; nocase; reference:url,isc.sans.org/diary.php?date=2005-01-27; classtype: trojan-activity; sid: 2001687; rev:5; )
alert udp $HOME_NET any -> any 53 (msg: "BLEEDING-EDGE MySQL bot DNS lookup"; content:"|06|zmoker|06|dns2go|03|com"; nocase; reference:url,isc.sans.org/diary.php?date=2005-01-27; classtype: trojan-activity; sid: 2001688; rev:5; )
# SYN-only rules (flags: S,12 ignores the two reserved bits); no payload is inspected, so every SYN
# matches. 2001689 depends on $SQL_SERVERS listing all legitimate MySQL hosts -- otherwise normal
# client traffic to 3306 alerts. Neither rule carries a threshold.
alert tcp $HOME_NET any -> !$SQL_SERVERS 3306 (msg: "BLEEDING-EDGE Potential MySQL bot scanning for SQL server"; flags: S,12; reference:url,isc.sans.org/diary.php?date=2005-01-27; classtype: trojan-activity; sid: 2001689; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 5002:5003 (msg: "BLEEDING-EDGE Potential MySQL bot connecting to IRC server"; flags: S,12; reference:url,isc.sans.org/diary.php?date=2005-01-27; classtype: trojan-activity; sid: 2001690; rev:4; )
# Mytob
#Evgeny Pinchuk Mytob 5-9-05
# Three base64 fragments of the Mytob.ED attachment; outbound active, inbound copies disabled.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Mytob.ED email attachment 1 Outbound"; flow: established,to_server; content:"GkAWRzRP5MBFtOlRwqi8v"; classtype: misc-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.mytob.ed@mm.html; sid: 2001922; rev:4; )
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE VIRUS Mytob.ED email attachment 1 Inbound"; flow: established,to_server; content:"GkAWRzRP5MBFtOlRwqi8v"; classtype: misc-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.mytob.ed@mm.html; sid: 2001925; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Mytob.ED email attachment 2 Outbound"; flow: established,to_server; content:"PVSxbff1mWcbvMEyP7KLn"; classtype: misc-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.mytob.ed@mm.html; sid: 2001923; rev:4; )
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE VIRUS Mytob.ED email attachment 2 Inbound"; flow: established,to_server; content:"PVSxbff1mWcbvMEyP7KLn"; classtype: misc-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.mytob.ed@mm.html; sid: 2001926; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Mytob.ED email attachment 3 Outbound"; flow: established,to_server; content:"FxCBYvYtUx1889u4JeD9"; classtype: misc-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.mytob.ed@mm.html; sid: 2001924; rev:4; )
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE VIRUS Mytob.ED email attachment 3 Inbound"; flow: established,to_server; content:"FxCBYvYtUx1889u4JeD9"; classtype: misc-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.mytob.ed@mm.html; sid: 2001927; rev:3; )
#Smetona 6-2-05
# C&C DNS lookup (irc.blackcarder.net as DNS labels).
alert udp $HOME_NET any -> any 53 (msg: "BLEEDING-EDGE VIRUS Win32.Mytob.CU Worm Infection / DNS lookup"; content:"|03|irc|0b|blackcarder|03|net"; nocase; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=43006; classtype: trojan-activity; sid: 2001955; rev:4; )
# NOTE(review): hard-coded C&C addresses age quickly; once the IPs are reassigned this SYN-only rule
# becomes a false-positive source. Tie it to the referenced write-up when reviewing. Same applies to
# sids 2002360 and 2002326 further down.
alert tcp $HOME_NET any -> [195.13.58.92/32,213.251.160.15/32,84.244.5.163/32] 4512 (msg: "BLEEDING-EDGE VIRUS Win32.Mytob.CU Worm Infection"; flags: S+; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=43006; classtype: trojan-activity; sid: 2001956; rev:6; )
# Mytob.DI
#Submitted by Mark Scott, 6/5/2005
alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Mytob.DI - outbound"; flow: established; content:"xjLEhhn6AK4AAA"; reference:url,secunia.com/virus_information/18407/; classtype: trojan-activity; sid: 2001986; rev:4; )
#alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE VIRUS Mytob.DI - incoming"; flow: established; content:"xjLEhhn6AK4AAA"; reference:url,secunia.com/virus_information/18407/; classtype: trojan-activity; sid: 2001987; rev:4; )
# Mytob.GC
#Submitted by Mark Scott, 6/21/2005, for Mytob.GC
alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Mytob.GC - outbound"; flow: established; content:"K1ryJsALgAAAC4AAB"; reference:url,www.norman.com/Virus/Virus_descriptions/23458/en?show=default; classtype: trojan-activity; sid: 2002049; rev:5; )
#alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE VIRUS Mytob.GC - incoming"; flow: established; content:"K1ryJsALgAAAC4AAB"; reference:url,www.norman.com/Virus/Virus_descriptions/23458/en?show=default; classtype: trojan-activity; sid: 2002050; rev:4; )
# Mytob.HF
#Submitted by Mark Scott, 6/26/2005, for Mytob.HF
# NOTE(review): the HF and HE rules reuse the Mytob.GC reference (Virus_descriptions/23458); confirm
# that is the intended write-up for these variants.
alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Mytob.HF - outbound"; flow:established, to_server; content:"MRGVQfuAAAH7gAAB"; reference:url,www.norman.com/Virus/Virus_descriptions/23458/en?show=default; classtype:trojan-activity; sid:2002053; rev:2;)
#alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS Mytob.HF - incoming"; flow:established, to_server; content:"MRGVQfuAAAH7gAAB"; reference:url,www.norman.com/Virus/Virus_descriptions/23458/en?show=default; classtype:trojan-activity; sid:2002054; rev:2;)
# Mytob.HE
#Submitted by Mark Scott, 7/8/2005
alert TCP $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Mytob.HE - outbound"; flow:established, to_server; content:"L7R1pk/6IAAP+iAAB"; reference:url,www.norman.com/Virus/Virus_descriptions/23458/en?show=default; classtype:trojan-activity; sid:2002125; rev:1;)
#alert TCP $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS Mytob.HE - incoming"; flow:established, to_server; content:"L7R1pk/6IAAP+iAAB"; reference:url,www.norman.com/Virus/Virus_descriptions/23458/en?show=default; classtype:trojan-activity; sid:2002126; rev:1;)
# Mytob.AH
# Submitted by Mark Scott, 2005-12-11
# "UEsDBAoAAA" is the base64 form of a ZIP local-file header ("PK.."); the two later fragments are
# anchored with distance: to the preceding match.
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS Mytob.AH SMTP Inbound (aka - BQ,AU,BA,F,T-2,T,.gen,AR,-Fam)"; flow:to_server,established; content:"UEsDBAoAAA"; content:"DiZizMa0dHCAP"; distance:3; content:"ZExpYnJhcnlBA"; distance:50; classtype:trojan-activity; reference:url,www.symantec.com/avcenter/venc/data/w32.mytob.ah@mm.html; sid:2002719; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Mytob.AH SMTP Outbound (aka - BQ,AU,BA,F,T-2,T,.gen,AR,-Fam)"; flow:to_server,established; content:"UEsDBAoAAA"; content:"DiZizMa0dHCAP"; distance:3; content:"ZExpYnJhcnlBA"; distance:50; classtype:trojan-activity; reference:url,www.symantec.com/avcenter/venc/data/w32.mytob.ah@mm.html; sid:2002720; rev:1;)
# Nachi/Phatbot Worm
#Taken from the Netsquid Rules
# Outbound to port 135: leading 0x05 byte, two byte_test checks relative to it, and a UTF-16 "\\"
# (|5c 00 5c 00|). References point at MS03-026 / CAN-2003-0352; classtype attempted-admin.
alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg: "BLEEDING-EDGE VIRUS Nachi/Phatbot Worm"; flow: to_server,established; content:"|05|"; within: 1; distance: 0; byte_test:1,<,16,3,relative;content:"|5c 00 5c 00|"; byte_test:4,>,256,-8,relative; reference:cve,CAN-2003-0352; reference:bugtraq,8205; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.asp; classtype: attempted-admin; sid: 2001302; rev:5; )
# Netsky Worm
#Submitted by Mark Scott, 3/11/2004, for NetSky.C
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE Virus NetSky.C Worm - incoming"; flow: to_server,established; content:"l0U3BS5DMQVSaWNoL0MxBQAAAAAAAAAAQ29tcHJlc3NlZCBieSBQZXRp"; nocase; reference:url,secunia.com/virus_information/557/; classtype: misc-activity; sid: 2001590; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE Virus NetSky.C Worm - outgoing detected"; flow: to_server,established; content:"l0U3BS5DMQVSaWNoL0MxBQAAAAAAAAAAQ29tcHJlc3NlZCBieSBQZXRp"; nocase; reference:url,secunia.com/virus_information/557/; classtype: misc-activity; sid: 2001591; rev:8; )
#added by Mark Scott 3/22/2004 for Netsky.P, updated 11-24-2005
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE WORM Netsky.P - SMTP incoming"; flow:to_server,established; content:"4fug4AtAnNIbgBTM"; content:"2luZG93cy"; distance:3; reference:url,secunia.com/search/?search=netsky.p; classtype:misc-activity; sid:2001565; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE WORM Netsky.P - SMTP outgoing"; flow:to_server,established; content:"4fug4AtAnNIbgBTM"; content:"2luZG93cy"; distance:3; reference:url,secunia.com/search/?search=netsky.p; classtype:misc-activity; sid:2001566; rev:11;)
#Submitted by Mark Scott, 2005-11-26, Netsky.P - variant 2
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE WORM Netsky.P (variant 2) - SMTP incoming "; flow:to_server,established; content:"jiB3egHMAAIB"; content:"bnQudHh"; distance:17; reference:url,secunia.com/search/?search=netsky.p; classtype:misc-activity; sid:2002698; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE WORM Netsky.P (variant 2) - SMTP outgoing"; flow:to_server,established; content:"jiB3egHMAAIB"; content:"bnQudHh"; distance:17; reference:url,secunia.com/search/?search=netsky.p; classtype:misc-activity; sid:2002700; rev:2;)
#Submitted by Mark Scott, 5/18/2004, for Netsky.Z
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE Virus Netsky.Z Worm - incoming detected"; flow: to_server,established; content:"aD5jNHc0Y8VoPmNfYGNj3mg+Y9xoPmPfaD5j3Gg/Y75oPmO+dy1j1Wg+YzR3NWPZaD5jZG4"; nocase; reference:url,secunia.com/virus_information/8911/; classtype: misc-activity; sid: 2001602; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE Virus Netsky.Z Worm - outgoing detected"; flow: to_server,established; content:"aD5jNHc0Y8VoPmNfYGNj3mg+Y9xoPmPfaD5j3Gg/Y75oPmO+dy1j1Wg+YzR3NWPZaD5jZG4"; nocase; reference:url,secunia.com/virus_information/8911/; classtype: misc-activity; sid: 2001603; rev:9; )
#Taken from the Netsquid Rules
# Raw PE section-header bytes; the hex contains the ".petite" section name (2E 70 65 74 69 74 65).
# Same pattern on SMB ports 139 and 445; destination host is any, so this also covers HOME_NET -> HOME_NET.
alert tcp $HOME_NET any -> any 139 (msg: "BLEEDING-EDGE VIRUS Netsky message.zip HEX port 139"; flow: to_server,established; content:"|60 00 00 E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; classtype: trojan-activity; reference:url,antivirus.about.com/cs/allabout/a/netskyp_2.htm; sid: 2001280; rev:8; )
alert tcp $HOME_NET any -> any 445 (msg: "BLEEDING-EDGE VIRUS Netsky message.zip HEX port 445"; flow: to_server,established; content:"|60 00 00 E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; classtype: trojan-activity; reference:url,antivirus.about.com/cs/allabout/a/netskyp_2.htm; sid: 2001281; rev:8; )
# Same base64 fragment on Lotus Notes (1352) and SMTP (25).
alert tcp $HOME_NET any -> any 1352 (msg: "BLEEDING-EDGE VIRUS Netsky base64 port 1352"; flow: to_server,established; content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; classtype: trojan-activity; reference:url,antivirus.about.com/cs/allabout/a/netskyp_2.htm; sid: 2001282; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Netsky base64 port 25"; flow: established,to_server; content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; classtype: trojan-activity; reference:url,antivirus.about.com/cs/allabout/a/netskyp_2.htm; sid: 2001283; rev:8; )
#by dajackman
# SYN to a single hard-coded host on any port, rate-limited to one alert per source per minute.
# NOTE(review): see the hard-coded-IP caveat on sid 2001956.
alert tcp $HOME_NET any -> 200.18.132.166 any (msg:"BLEEDING-EDGE VIRUS W97M.Nometz.A Sending Info Home"; flags: S,12; threshold:type limit, track by_src, count 1, seconds 60; reference:url,securityresponse.symantec.com/avcenter/venc/data/w97m.nometz.a.html; classtype:trojan-activity; sid:2002360; rev:1;)
# Novarg Worm
#Taken from the Netsquid Rules
# "TVqQAAMAAAAEAAAA" is the base64 form of an MZ header; the following fragments are positioned with
# distance/within. NOTE(review): the two dots in "UEUA..AEwBAW" are literal bytes in a content match,
# not wildcards -- if a wildcard was intended this needs a pcre instead.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Outbound W32.Novarg.A worm"; flow: established; content:"TVqQAAMAAAAEAAAA"; content:"8AALgAAAAAAAAAQ"; within: 20; distance: 2; content:"UEUA..AEwBAW"; content:"DgAA8BCwEHAABQAAAAE"; within: 40; distance: 16; content:"ABVUFgwAAAAAABgAAAAEAAAAAAAAAAEA"; content:"ACAAADg"; within: 30; distance: 16; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.a@mm.html; sid: 2001273; rev:11; )
# The DoS request has no URI ("GET HTTP/1.1"); depth: 35 equals the pattern length, so it must sit at offset 0.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE VIRUS W32.Novarg.A SCO DOS"; flow: to_server,established; content:"GET HTTP/1.1|0d0a|Host\: www.sco.com|0d0a0d0a|"; offset: 0; depth: 35; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.a@mm.html; sid: 2001278; rev:8; )
# Nyxem-D
#Submitted 2006-01-17 by Mark Tombaugh
# "YmVnaW4gNjY0I" is the base64 form of a uuencode "begin 664 " line; the 31-byte run of encoded
# spaces must start exactly 31 bytes later (distance:31; within:31).
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS W32.Nyxem-D SMTP inbound"; flow:established,to_server; content:"YmVnaW4gNjY0I"; content:"ICAgICAgICAgICAgICAgICAgICAgICA"; distance:31; within:31; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/w32nyxemd.html; sid: 2002779; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS W32.Nyxem-D SMTP outbound"; flow:established,to_server; content:"YmVnaW4gNjY0I"; content:"ICAgICAgICAgICAgICAgICAgICAgICA"; distance:31; within:31; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/w32nyxemd.html; sid: 2002778; rev:1;)
#by Joe Stewart at LURHQ, tweaks by Matt Jonkman
# Counter request with no Referer header (content:! is a negated match). depth:23 anchors the GET line at the start.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE VIRUS webstats.web.rcn.net count.cgi request without referrer (possible BlackWorm/Nyxem infection)"; flow:to_server,established; content:"GET /cgi-bin/Count.cgi?"; depth:23; content:"df="; within:20; content:"Host|3a 20|webstats.web.rcn.net"; content:!"Referer|3a|"; classtype:misc-activity; sid:2002788; rev:3;)
# dsize:92 equals the length of the literal request, so the payload must be exactly these four header
# lines and nothing else (no User-Agent -- hence "Agentless"). Any extra header byte defeats the match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE VIRUS Agentless HTTP request to www.microsoft.com (possible BlackWorm/Nyxem infection)"; dsize:92; flow:to_server,established; content:"GET / HTTP/1.1|0d0a|Host|3a20|www.microsoft.com|0d0a|Connection|3a20|Keep-Alive|0d0a|Cache-Control|3a20|no-cache|0d0a0d0a|";classtype:misc-activity; sid:2002789; rev:2;)
#from isc, by Per Kristian Johnsen of Telenor Security Center
# UTF-16LE "WINZIP_TMP.exe" on the NetBIOS/RPC ports 135:139 (lateral copy to shares).
alert tcp $HOME_NET any -> any 135:139 (msg:"BLEEDING-EDGE VIRUS Nyxem attempting to copy WINZIP_TMP.exe to shares"; flow:to_server,established; content:"|57 00 49 00 4e 00 5a 00 49 00 50 00 5f 00 54 00 4d 00 50 00 2e 00 65 00 78 00 65|"; reference:url,www.lurhq.com/blackworm.html; reference:url,www.incidents.org/diary.php?date=2006-02-02; classtype:trojan-activity; sid:2002795; rev:1;)
# OpaServ Worm
#Submitted by Brad Doctor, 3/8/2005, for Opaserv
# Internal (HOME_NET -> HOME_NET) port 139 traffic carrying "\scrsvr.exe" in hex.
alert tcp $HOME_NET any -> $HOME_NET 139 (msg: "BLEEDING-EDGE VIRUS - W32.Opaserv Worm Infection"; flow: established; content:"|5c 73 63 72 73 76 72 2e 65 78 65|"; reference:url,www.sarc.com/avcenter/venc/data/w32.opaserv.worm.html; classtype: misc-activity; sid: 2001763; rev:4; )
# PHPInclude Worm
#Submitted by Matt Jonkman for phpinclude.worm
# Same URL-encoded command string in both directions; the outbound copy (2001615) indicates a
# compromised local host, which is why it is labelled LOCAL INFECTION. "\;" is an escaped semicolon.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Virus PHPInclude.Worm Inbound Attack"; flow: to_server,established; content:"?&cmd=cd%20/tmp\;wget%20"; nocase; content:"perl%20"; nocase; reference:url,www.k-otik.com/exploits/20041225.PhpIncludeWorm.php; classtype: trojan-activity; sid: 2001614; rev:11; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Virus PHPInclude.Worm Outbound Attack --LOCAL INFECTION--"; flow: to_server,established; content:"?&cmd=cd%20/tmp\;wget%20"; nocase; content:"perl%20"; nocase; reference:url,www.k-otik.com/exploits/20041225.PhpIncludeWorm.php; classtype: trojan-activity; sid: 2001615; rev:11; )
# Created 2005/08/14 by Frank Knobbe in response to first information posted on ISC
# NOTE(review): "any any -> any 1024:65535" inspects every established high-port session in both
# directions for the first 200 bytes; the string is specific, but expect this to be the costliest rule here.
alert tcp any any -> any 1024:65535 (msg:"BLEEDING-EDGE WORM Possible MS05-039 PnP worm infection"; flow:established,to_server; content:"get winpnp.exe"; depth:200; nocase; reference:url,isc.sans.org/diary.php?date=2005-08-14; classtype:trojan-activity; sid:2002185; rev:3;)
#Matt Jonkman, from full-disclosure post. Unknown variant of upnp worm
alert tcp $HOME_NET any -> any $HTTP_PORTS ( msg: "BLEEDING-EDGE WORM Possible UPnP Infection - gc.exe download"; flow:to_server,established; uricontent:"/gc.exe"; nocase; classtype:trojan-activity; sid:2002190; rev: 2;)
# Rbot trojan
#Submitted by Christopher Harrington for RXBOT/RBOT
# IRC status text "]: Exploiting IP: " (hex + literal) leaving HOME_NET; 2001184 looks for the ".advscan " command.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE RXBOT / RBOT Exploit Report"; flow: established; content:"|5D 3A 20|Exploiting|20|IP|3A 20|"; nocase; reference:url,www.nitroguard.com/rxbot.html; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.GL; classtype: trojan-activity; sid: 2001220; rev:5; )
alert tcp any any -> $HOME_NET any (msg: "BLEEDING-EDGE RXBOT / RBOT Vulnerability Scan"; flow: established; content:"|2E|advscan|20|"; nocase; reference:url,www.nitroguard.com/rxbot.html; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.GL; reference:url,www.muzzleflash.org/readarticle.php?article_id=5#scanning; classtype: trojan-activity; sid: 2001184; rev:4; )
#Submitted by Jason Alexander for RBOT BestFriends.scr
#alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg: "BLEEDING-EDGE WORM RBOT inbound Bestfriends.scr"; flow: established; content:"http"; nocase; content:"bestfriends.scr"; nocase; within: 80; classtype: trojan-activity; reference:url,spree.mnin.org/forums/viewtopic.php?t-104; sid: 2001367; rev:4; )
#Submitted by Chris Norton for Rbot.Gen
# Inbound to 135: "MEOW" at offset 122 followed by 0xCC padding; the flowbits isnotset/set pair keeps the
# rule from re-alerting on the same flow while tag: captures the next 5 packets from the source.
# NOTE(review): nocase on the all-hex content |cc cc cc cc| has no effect and can be dropped.
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg: "BLEEDING-EDGE Worm Rbot.Gen Infection Attempt"; flowbits:isnotset,tagged; content:"|4d 45 4f 57|"; nocase; offset: 122; depth: 4; content:"|cc cc cc cc|"; nocase; tag: host,5,packets,src; flowbits: set,tagged; reference:url,www.f-secure.com/v-descs/rbot.shtml; classtype: trojan-activity; sid: 2001554; rev:5; )
#Submitted by James Riden for bot activity
# IRC PRIVMSG from an external host on a non-standard port, with bot-report keywords in the pcre;
# tag: session keeps the following 20 packets for analysis.
# NOTE(review): within: 80 here modifies the first content, with no preceding match to be relative to;
# how that is interpreted depends on the Snort version -- confirm it behaves as an offset/depth.
alert tcp $EXTERNAL_NET !21:443 -> $HOME_NET !80 (msg: "BLEEDING-EDGE Virus Bot Reporting Scan/Exploit"; flow: to_server,established; content:"PRIVMSG"; nocase; within: 80; tag: session, 20, packets; pcre:"/(webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc)/i"; reference:url,cert.uni-stuttgart.de/doc/netsec/bots.php; reference:url,www.nitroguard.com/rxbot.html; classtype: trojan-activity; sid: 2001584; rev:5; )
alert tcp $EXTERNAL_NET !21:443 -> $HOME_NET !80 (msg: "BLEEDING-EDGE Virus Bot Reporting/Commencing DDoS"; flow: to_server,established; content:"PRIVMSG"; nocase; within: 80; tag: session, 20, packets; pcre:"/ddos\.(httpflood|phat(icmp|syn|wonk)|stop|(syn|udp)flood|targa3|syn|ack|random)/i"; reference:url,cert.uni-stuttgart.de/doc/netsec/bots.php; reference:url,www.nitroguard.com/rxbot.html; classtype: trojan-activity; sid: 2001985; rev:5; )
#by M Shirk
# Inbound HTTP with a specific oversized Negotiate (SPNEGO) token; see the msasn1-bitstring reference.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "BLEEDING-EDGE VIRUS HTTP Challenge/Response Authentication"; flow: to_server,established; content:"Host|3A 20|"; nocase; content:"|3A 20|Negotiate|20|YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFB"; nocase; reference:url,isc.sans.org/diary.php?date=2005-06-03; reference:url,www.phreedom.org/solar/exploits/msasn1-bitstring; classtype: trojan-activity; sid: 2001985; rev:5; )
#by dajackman
# NOTE(review): hard-coded download host; see the caveat on sid 2001956.
alert tcp $HOME_NET any -> 69.64.49.207 $HTTP_PORTS (msg:"BLEEDING-EDGE WORM W32.Reatle.I@mm Downloading Spybot.Worm"; flow:established,to_server; uricontent:"/proto.com"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.reatle.i@mm.html; classtype:trojan-activity; sid:2002326; rev:3;)
# Santy Worm
#Taken from Dshield for Santy.A
# Fires on a defaced page served FROM a HOME_NET web server (flow: from_server).
# NOTE(review): the perl.santy.html reference appears twice in this rule; one copy can be dropped.
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE Virus Possible santy.A Worm Defaced Page"; flow: from_server,established; content:"This site is defaced!!!"; nocase; content:"NeverEverNoSanity WebWorm generation X"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/perl.santy.html; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/perl.santy.html; sid: 2001607; rev:5; )
#Submitted Erik Fichtner for Santy.B
# Outbound search-engine queries of the form q=inurl:*.php?*= ... &start=N (target discovery); the
# pcre "R" flag makes the digit match relative to the last content hit. The (yahoo) variant chains
# two relative \d+ pcres after the fixed parameter string.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Virus Santy.B worm variants searching for targets (1)"; flow: to_server,established; content:"GET"; nocase; offset: 0; depth: 3; content:"/search|3f|q=inurl|3a2a|.php|3f2a|="; nocase; pcre:"/\d+&start=\d+/iR"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/perl.santy.b.html; sid: 2001617; rev:9; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Virus Santy.B worm variants searching for targets (2)"; flow: to_server,established; content:"GET"; nocase; offset: 0; depth: 3; content:"/search|3f|"; nocase; content:"q=inurl|3a|"; nocase; content:".php|3f|"; nocase; within: 10; pcre:"/&start=\d+/i"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/perl.santy.b.html; sid: 2001618; rev:8; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Virus Santy.B worm variants searching for targets (yahoo)"; flow: to_server,established; content:"GET"; nocase; offset: 0; depth: 3; content:"/search|3f|"; nocase; content:"p=inurl|3a|"; nocase; content:".php|3f2a|="; nocase; within: 10; content:"&ei=UTF-8&fl=0&all=1&pstart=1&b="; nocase; pcre:"/\d+/iR"; pcre:"/\d+/iR"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/perl.santy.b.html; sid: 2001619; rev:8; )
# Sasser Worm
#Submitted by Lin Zhong for Sasser variants
# 32-byte code fragment, inbound on any port. NOTE(review): the msg ends with a stray ")" after
# "-NAI-"; cosmetic, but it shows up in every alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE VIRUS W32/Sasser.worm.a -NAI-)"; flow: established; content:"|BC 3B 74 0B 50 8B 3D E8 46 A7 3D 09 85 B8 F8 CD 76 40 DE 7C 5B 5C D7 2A A8 E8 58 75 62 96 25 24|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html; classtype: misc-activity; sid: 2001057; rev:5; )
alert 
tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE VIRUS W32/Sasser.worm.b -NAI-)"; flow: established; content:"|58 BC 0C FF 59 57 32 31 BD EC 34 64 6E D6 E3 8D 65 04 68 58 62 79 DF D8 2C 25 6A B5 28 BA 13 74|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html; classtype: misc-activity; sid: 2001056; rev:5; ) alert tcp any any -> any 5554 (msg: "BLEEDING-EDGE VIRUS Sasser FTP Traffic"; flow: to_server,established; content:"up.exe"; classtype: misc-activity; reference:url,vil.mcafeesecurity.com/vil/content/Print125009.htm; sid: 2000040; rev:3; ) alert tcp any any -> any 9996 (msg: "BLEEDING-EDGE VIRUS Sasser Transfer _up.exe"; flow: established,to_server; content:"|5F75702E657865|"; depth: 250; classtype: misc-activity; reference:url,vil.mcafeesecurity.com/vil/content/Print125009.htm; sid:2000047; rev:3; ) alert tcp $HOME_NET any -> any 445 (msg: "BLEEDING-EDGE VIRUS Sasser/Korgo Worm"; flow: to_server,established; flowbits: isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; nocase; offset: 4; depth: 4; content:"|05|"; distance: 59; content:"|00|"; within: 1; distance: 1; content:"|09 00|"; within: 2; distance: 19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype: attempted-admin; sid: 2001286; rev:11; ) #Submitted by Joe Stewart for Sasser FTP exploit alert tcp $HOME_NET any -> $EXTERNAL_NET 5554 (msg: "BLEEDING-EDGE VIRUS Sasser FTP exploit attempt"; flow: to_server,established; dsize: >150; content:"PORT "; depth: 5; reference:url,www.lurhq.com/dabber.html; classtype: attempted-admin; sid: 2001548; rev:4; ) # Small Trojan #Submitted by Chris Norton alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Win32/Small.AR outbound activity"; flow: to_server,established; uricontent:"/zosman/cia/index.php"; classtype: trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/trojsmallar.html; sid: 2001234; rev:7; ) # 
Stdbot #Taken from the Netsquid Rules stdbot variants alert ip $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE VIRUS W32/Stdbot.worm.a"; content:"|28 0E 49 8D B5 17 B9 6C 4C 70 B5 41 7B 72 C0 EF 24 35 8D 31 F6 8B 25 40 B4 1C EC 75 C9 A7 BF 93|"; classtype: trojan-activity; reference:mcafee,125306; sid: 2001287; rev:8; ) alert ip $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE VIRUS W32/Stdbot.worm.b"; content:"|FE 26 B9 92 CB 12 FC FA FF 8E 01 3B D0 05 0B 39 BC 6D 61 57 58 C2 89 D9 C2 DA 22 0F 86 74 03 76|"; classtype: trojan-activity; reference:mcafee,125306; sid: 2001288; rev:8; ) # Suspicious Extensions #Snort.org rule 721 scaled back a bit by Matt Jonkman to not hit on xls, vcf, ppt, rtf, dot, or pdf. #If you use this rule disable 721 in the snort sets. This rule will hit on the following: # # ade, adp, asd, asf, asx, bat, bas, chm, cli, cmd, com, crt, cpl, cpp, diz, dll, ebs, emf, eml, exe, fol, folder, hlp, hsq, hta, ini, inf, ins, # isp, js, jse, lnk, mda, mdb, mde, mdw, mdz, mht, mhtm, msi, msc, msg, msp, mst, nws, ocx, pcd, pif, pl, pls, plc,plx, pm, pot, rar, # reg, scr, sct, shs, swf, sys, url, vb, vbe, vbs, vxd, wmd, wmf, wms, wmz, wpm, wps, wpz, wsc, wsf, wsh, xlt, xlw, zip # alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS OUTBOUND Suspicious Email Attachment"; flow: to_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[x])|c(rt|[ho]m|li|pl|md|pp)|d(iz|ll)|e(m[fl]|xe|bs)|h(lp|sq|ta)|jse?|m(d[abzew]|s[tcgip]|htm|ht)|p(cd|if|l[xsc]|[lm]|ot)|r(eg|ar)|s(cr|ct|[hy]s|wf)|v(b[es]?|xd)|w(m[dfsz]|p[msz]|s[cfh])|xl[tw]|folder|fol|ba[st]|i(sp|n[sif])|lnk|nws|ocx|zip|url)[\x27\x22\n\r\s]/iR"; classtype: suspicious-filename-detect; sid: 2000562; rev:9; ) #Submitted by Joseph Gama alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE UPX compressed file download - possible worm"; flow: established; content:"MZ"; isdataat: 76,relative; 
content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"|00|UPX0|00|"; content:"|00|UPX1|00|"; content:"|00|UPX!|00|"; classtype: misc-activity; sid: 2001046; rev:3; ) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE UPX encrypted file download - possible worm"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"|00|code|00|"; content:"|00 C0|text|00|"; classtype: misc-activity; sid: 2001047; rev:3; ) # Swen Worm #Taken from the Netsquid rules alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS SWEN.A Worm detected"; flow: to_server,established; content:"|54|VqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAA"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html; sid: 2001268; rev:6; ) # This file should hold any unknown or yet to be named Worms # Added by Frank Knobbe (hastily after reading an ISC Diary) alert udp $HOME_NET any -> any 53 (msg: "BLEEDING-EDGE Unknown Yahoo Messenger Worm DNS lookup"; content:"|0C|yahoo-secret|06|tripod|03|com"; nocase; reference:url,isc.sans.org/diary.php?date=2005-03-20; classtype: trojan-activity; sid: 2001799; rev:3; ) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE Unknown Yahoo Messenger Worm URL access"; flow: established; content:"GET"; nocase; depth: 3; content:"yahoo-secret.tripod.com"; nocase; within: 300; reference:url,isc.sans.org/diary.php?date=2005-03-20; classtype: trojan-activity; sid: 2001800; rev:5; ) # VBSun Worm #Submitted by Matt Jonkman #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE Virus VBSun.A Tsunami Scam Worm INCOMING"; flow: established,to_server; content:"Tsunami Donation! 
Please help!"; nocase; content:"Please help us with your donation and view the attachment below!"; nocase; content:"filename="; nocase; content:"tsunami.exe"; nocase; reference:url,www.sophos.com/virusinfo/articles/vbsuna.html; classtype: trojan-activity; sid: 2001680; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE Virus VBSun.A Tsunami Scam Worm OUTBOUND"; flow: established,to_server; content:"Tsunami Donation! Please help!"; nocase; content:"Please help us with your donation and view the attachment below!"; nocase; content:"filename="; nocase; content:"tsunami.exe"; nocase; reference:url,www.sophos.com/virusinfo/articles/vbsuna.html; classtype: trojan-activity; sid: 2001681; rev:4; ) #from Jack Pepper alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE WEB shell bot perl code download"; flow:to_client,established; content:"# ShellBOT"; nocase; classtype:trojan-activity; sid:2002683; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE WEB Shell Bot Code Download"; flow:to_client,established; content:"##################### IRC #######################"; nocase; classtype:trojan-activity; sid:2002684; rev:1;) #By merphie. Please test this out, it should work on NT domains and 98. 
Disabled by default #alert udp $HOME_NET any -> $HOME_NET 137 (msg: "BLEEDING-EDGE POLICY Administrator Login Detected"; content:"ebeeenejeoejfdfefcebfeepfc"; nocase; classtype: policy-violation; sid: 2001806; rev:2; ) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE AOL Webmail Message Send"; flow: to_server,established; uricontent:"/compose_frame.adp"; content:"POST"; classtype: policy-violation; sid: 2000571; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE AOL Webmail Login"; flow: to_server,established; uricontent:"/login/login.psp?siteId="; content:"triedAimAuth"; classtype: policy-violation; sid: 2000572; rev:4; ) #Submitted by Joseph Gama #Good rules, turn them on if you are interested. They are accurate. #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE Executable and linking format (ELF) file download"; flow: established; content:"|7F|ELF"; content:"|00 00 00 00 00 00 00 00|"; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; classtype: misc-activity; sid: 2000418; rev:6; ) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE PE EXE or DLL Windows file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; classtype: misc-activity; sid: 2000419; rev:6; ) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE REG files version 4 download"; flow: established; content:"REGEDIT4"; content:"|0D 0A|"; content:"["; content:"HKEY_"; nocase; reference:url,www.ss64.com/nt/regedit.html; classtype: misc-activity; sid: 2000420; rev:7; ) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE REG files version 5 download"; flow: established; content:"Windows Registry Editor Version 5.00"; content:"|0D 0A|"; content:"["; content:"HKEY_"; nocase; 
reference:url,www.ss64.com/nt/regedit.html; classtype: misc-activity; sid: 2000421; rev:7; ) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE REG files version 5 Unicode download"; flow: established; content:"W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|R|00|e|00|g|00|i|00|s|00|t|00|r|00|y|00| |00|E|00|d|00|i|00|t|00|o|00|r|00| |00|V|00|e|00|r|00|s|00|i|00|o|00|n|00| |00|5|00|.|00|0|00|0|00|"; content:"|0D 0A|"; content:"[|00|"; content:"H|00|K|00|E|00|Y|00|_|00|"; nocase; reference:url,www.ss64.com/nt/regedit.html; classtype: misc-activity; sid: 2000422; rev:7; ) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE NE EXE OS2 file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in a DOS session."; isdataat: 6,relative; content:"NE"; distance: 0; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; classtype: misc-activity; sid: 2000423; rev:6; ) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE LX EXE OS2 file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in a DOS session."; isdataat: 6,relative; content:"LX"; distance: 0; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; classtype: misc-activity; sid: 2000424; rev:6; ) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE NE EXE Windows 3.x file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program requires Microsoft Windows."; isdataat: 10,relative; content:"NE"; distance: 0; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; classtype: misc-activity; sid: 2000425; rev:6; ) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXE compressed PKWARE Windows file download"; flow: established; content:"MZ"; isdataat: 28,relative; content:"PKLITE"; distance: 0; 
reference:url,www.program-transformation.org/Transform/PcExeFormat; classtype: misc-activity; sid: 2000426; rev:6; ) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE PE EXE Install Windows file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program must be run under Win32"; distance: 0; isdataat: 140,relative; content:"PE"; distance: 0; reference:url,www.program-transformation.org/Transform/PcExeFormat; classtype: misc-activity; sid: 2000427; rev:6; ) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE ZIP file download"; flow: established; content:"PK|0304|"; byte_test:1, <=, 0x14, 0, string, hex;content:"|00 00 00|"; distance: 0; reference:url,zziplib.sourceforge.net/zzip-parse.print.html; classtype: misc-activity; sid: 2000428; rev:7; ) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE Download Windows Help File CHM"; flow: established; content:"ITSF|03|"; isdataat: 19,relative; content:"|7C 01 FD 10 7B AA 11 D0 9E 0C 00 A0 C9 22 E6 EC 7C 01 FD 11 7B AA 11 D0 9E 0C 00 A0 C9 22 E6 EC|"; distance: 0; reference:url,www.speakeasy.org/~russotto/chm/chmformat.html; reference:url,www.securiteam.com/windowsntfocus/6V00N000AU.html; classtype: misc-activity; sid: 2000489; rev:6; ) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE Download Windows Help File CHM 2"; flow: established; content:"ITSF|03|"; isdataat: 19,relative; content:"|10 FD 01 7C AA 7B D0 11 9E 0C 00 A0 C9 22 E6 EC 11 FD 01 7C AA 7B D0 11 9E 0C 00 A0 C9 22 E6 EC|"; distance: 0; reference:url,www.speakeasy.org/~russotto/chm/chmformat.html; reference:url,www.securiteam.com/windowsntfocus/6V00N000AU.html; classtype: misc-activity; sid: 2000429; rev:6; ) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE MSI (microsoft installer file) download"; flow: established; content:"|D0 CF 11 E0 A1 B1 1A E1|"; classtype: bad-unknown; sid: 2001115; rev:3; ) #Idea by David Glosser, sig by Matt Jonkman 
# Bogon / unallocated address space seen sourcing traffic to $HOME_NET, one alert per source every 360 seconds.
# NOTE(review): this prefix list is a 2006 snapshot. Bogon space shrinks as the RIRs allocate it, and several of these
# /8s have since been assigned to real networks, so these three rules will alert on legitimate traffic unless the lists
# are regenerated from the current Team Cymru bogon list (referenced below) before they are enabled.
alert ip [0.0.0.0/7,2.0.0.0/8,5.0.0.0/8,7.0.0.0/8,23.0.0.0/8,27.0.0.0/8,31.0.0.0/8,36.0.0.0/7,39.0.0.0/8,42.0.0.0/8,49.0.0.0/8] any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 1"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360; sid:2002749; rev:2;)
alert ip [50.0.0.0/8,77.0.0.0/8,78.0.0.0/7,92.0.0.0/6,96.0.0.0/4,112.0.0.0/5,120.0.0.0/8,173.0.0.0/8,174.0.0.0/7,176.0.0.0/5,184.0.0.0/6] any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 2"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360; sid:2002750; rev:3;)
alert ip [192.0.2.0/24,197.0.0.0/8,198.18.0.0/15,223.0.0.0/8] any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 3"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360; sid:2002751; rev:2;)
#
#This is for reserved internal space. Do NOT run this sig on your internal net, commented out by default.
#alert ip [10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16] any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Reserved Internal IP Traffic"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360; sid:2002752; rev:2;)
#Submitted by Matt Jonkman
# Cisco IOS prompts leaving an internal device on TCP/23, i.e. the configuration session itself is in cleartext telnet.
# classtype is not-suspicious: these are audit-trail rules for config changes, and SSH-managed devices will not trigger them.
alert tcp $HOME_NET 23 -> any any (msg: "BLEEDING-EDGE Cisco Device in Config Mode"; flow: established; content:"Enter configuration commands, one per line"; nocase; classtype: not-suspicious; sid: 2001239; rev:4; )
alert tcp $HOME_NET 23 -> any any (msg: "BLEEDING-EDGE Cisco Device New Config Built"; flow: established; content:"Building configuration..."; nocase; classtype: not-suspicious; sid: 2001240; rev:4; )
#By Cory Bys, Particle.bored. 
# These are going to increase load on a snort process, and are NOT FOOLPROOF. But they may help reveal issues
# with information flow. NOTE: These will not detect classified UUEncoded docs (email attachments) etc.
#
# All of the classification-marking rules in this section are disabled by default. In each of them the
# content:"Subject|3A|" match is only a precondition: the pcre carries no R modifier, so it is searched across the whole
# payload rather than the Subject line alone. They only see mail leaving $SMTP_SERVERS for port 25.
# NOTE(review): from the "Non-US Secret" rule onward, several pcre options in this copy end in a bare "(?" with the rest
# of the pattern (and in places the start of the following rule) missing; restore those rules from the upstream
# bleeding-all.rules before enabling any of them.
#
# Email
#
# Non-US Restricted
#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Non-US Restricted Outbound"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+RESTRICTED//X5/ism"; classtype:policy-violation; sid:2002410; rev:1;)
#
# Non-US Confidential
#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Non-US Confidential Outbound"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+CONFIDENTIAL//X5/ism"; classtype:policy-violation; sid:2002411; rev:1;)
#
# Non-US Top Secret
#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Non-US Top Secret Outbound"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+TOP\sSECRET//X5/ism"; classtype:policy-violation; sid:2002412; rev:1;)
#
# Non-US Secret
#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Non-US Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+(? 
$EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP NATO Restricted"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sRESTRICTED)|NR)//MR/ism"; classtype:policy-violation; sid:2002414; rev:1;) # # NATO Confidential Atomal #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP NATO Confidential Atomal"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sCONFIDENTIAL\sATOMAL)|NCA)//MR/ism"; classtype:policy-violation; sid:2002415; rev:1;) # # NATO Confidential #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP NATO Confidential"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sCONFIDENTIAL)|NC)//MR/ism"; classtype:policy-violation; sid:2002416; rev:1;) # # NATO COSMIC Top Secret Atomal #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP NATO COSMIC Top Secret Atomal"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((COSMIC\sTOP\sSECRET\sATOMAL)|CTSA)//MR/ism"; classtype:policy-violation; sid:2002417; rev:1;) # # NATO Secret Atomal #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP NATO Secret Atomal"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sSECRET\sATOMAL)|NSA)//MR/ism"; classtype:policy-violation; sid:2002418; rev:1;) # # NATO Secret #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP NATO Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sSECRET)|NS)//MR/ism"; classtype:policy-violation; sid:2002419; rev:1;) # # US Confidential, Electronic Format #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Confidential, Electronic"; flow:to_server,established; content:"Subject|3A|"; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(CC)\r\n)/ism"; classtype:policy-violation; sid:2002420; rev:1;) # # US Top Secret, Electronic Format #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE 
POLICY SMTP US Top Secret, Electronic"; flow:to_server,established; content:"Subject|3A|"; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(TT)\r\n)/ism"; classtype:policy-violation; sid:2002421; rev:1;) # # US Secret, Electronic Format #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret, Electronic"; flow:to_server,established; content:"Subject|3A|"; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(SS)\r\n)/ism"; classtype:policy-violation; sid:2002422; rev:1;) # # US Confidential Authorized for Release To #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Confidential REL TO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002423; rev:1;) # # US Top Secret Authorized for Release To #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret REL TO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002424; rev:1;) # # US Secret Authorized for Release To #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret REL TO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? 
$EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Confidential COMINT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002426; rev:1;) # # US Top Secret Comint #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret COMINT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002427; rev:1;) # # US Secret Comint #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret COMINT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Unclassified COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002429; rev:1;) # # US Confidential Communications Security Material #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Confidential COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002430; rev:1;) # # US Top Secret Communications Security Material #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002431; rev:1;) # # US Secret Communications Security Material #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret IMCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? 
$EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret CNWDI"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; sid:2002434; rev:1;) # # US Secret Critical Nuclear Weapon Design Information #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret CNWDI"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret TK"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002436; rev:1;) # # US Secret Talent Keyhole #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret TK"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US FGI"; flow:to_server,established; content:"Subject|3A|"; pcre:"///FGI[\s\w,/-]*(?=//X5)/ism"; classtype:policy-violation; sid:2002438; rev:1;) # # US For Official Use Only #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US FOUO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(UNCLASSIFIED|U)//(FOR\sOFFICIAL\sUSE\sONLY|FOUO)/ism"; classtype:policy-violation; sid:2002439; rev:1;) # # US Confidential Not Releasable to Foreign Nationals #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Confidential NOFORN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002440; rev:1;) # # US Top Secret Not Releasable to Foreign Nationals #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret NOFORN"; flow:to_server,established; content:"Subject|3A|"; 
pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002441; rev:1;) # # US Secret Not Releasable to Foreign Nationals #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret NOFORN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Confidential ORCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002443; rev:1;) # # US Top Secret Originator Controlled #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret ORCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002444; rev:1;) # # US Secret Originator Controlled #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret ORCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? 
$EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Unclassified PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002446; rev:1;) # # US Confidential Proprietary Information #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Confidential PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002447; rev:1;) # # US Top Secret Proprietary Information #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002448; rev:1;) # # US Secret Proprietary Information #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Confidential RD"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; sid:2002450; rev:1;) # # US Top Secret Restricted Data #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret RD"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; sid:2002451; rev:1;) # # US Secret Restricted Data #alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret RD"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? 
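$EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US SAMI"; flow:to_server,established; content:"Subject|3A|"; pcre:"/SAMI[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002453; rev:1;)
#
# NOTE(review): the POLICY rules in this section are keyword/regex "data leakage"
# signatures (classification markings, PII, financial and medical code words).
# They ship disabled ("#alert") and should stay disabled until tuned:
#  * The HTTP and "High Ports" variants carry no content: match at all, only an
#    unanchored, case-insensitive pcre, so every to_server payload on those
#    ports is regex-scanned in full. Expect a high CPU cost and, for the
#    single-word rules ("private", "secret", "sensitive", ...), a very high
#    false-positive rate on ordinary traffic.
#  * The SMTP variants do have content:"Subject|3A|" as a fast pattern, but the
#    pcre is not relative to it, so the whole message is still searched.
#  * \W on both sides of a keyword means a keyword at the very start or end of
#    the inspected buffer is not matched; presumably acceptable for these rules.
#  * The "Electronic Format" rules (QQQQ\r\n ...) and the //X5, //MR and
#    //(25)?X[1-9] lookaheads key on specific message-marking conventions;
#    confirm those conventions apply to your environment before enabling.
#  * Several rules in this copy are truncated: everything from a pcre's "(?"
#    (where a lookbehind "(?<...)" would start) up to the "->" of the following
#    rule appears to have been stripped, probably by an HTML-tag filter, so the
#    remainder of the affected rule and the header of the next one are missing.
#    They are marked "DAMAGED-IN-COPY" below; restore them from an intact
#    upstream copy of this ruleset before use. Do not guess the lookbehind.
# Changes in this revision: the DSM-IV code patterns (sid 2002474 and 2002558)
# had an unterminated quantifier "{1,2)" in the optional decimal suffix, which
# PCRE treats as literal text rather than a range; fixed to "{1,2}" and rev
# bumped. The alert message typo "Enorcement" in sid 2002467 and 2002551 was
# corrected and rev bumped.
#
# US Confidential Special Category
#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Confidential SPECAT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002454; rev:1;)
#
# US Top Secret Special Category
#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret SPECAT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002455; rev:1;)
#
# US Secret Special Category
# DAMAGED-IN-COPY: pcre cut at "(?"; the rest of this rule and the head of the next one are lost (see section note)
#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Secret SPECAT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret STOP"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*STOP[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002457; rev:1;)
#
# The word "private"
#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Private"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wprivate\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002458; rev:1;)
#
# The word "restricted"
# DAMAGED-IN-COPY: four consecutive rules (restricted, confidential, secret, top secret) are cut at "(?" and run into the "sealed" rule (see section note)
#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Restricted"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Confidential"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Top Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Sealed"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wsealed\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002463; rev:1;)
#
# The word "sensitive"
# DAMAGED-IN-COPY: pcre cut at "(?"; the rest of this rule and the head of the next one are lost (see section note)
#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Sensitive"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(? $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Proprietary"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wproprietary\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002465; rev:1;)
#
# The word "protected"
#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Protected"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wprotected\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002466; rev:1;)
#
# The phrase "law enforcement sensitive"
#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Law Enforcement Sensitive"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wlaw\senforcement\ssensitive\W/ism"; classtype:policy-violation; sid:2002467; rev:2;)
#
# The phrase "internal use only"
#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Internal Use Only"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Winternal\suse\sonly\W/ism"; classtype:policy-violation; sid:2002468; rev:1;)
#
# The phrase "date of birth" or its typical abbreviations
#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Date of Birth"; flow:to_server,established; content:"Subject|3A|"; pcre:"/[^\w&]d(ate)?(-)?o(f)?(-)?b(irth)?\W[\s\w,/-]*(?=([0-9]{2}[-/][0-9]{2}[-/][0-9]{2,4})|[0-9]{8})/ism"; classtype:policy-violation; sid:2002469; rev:1;)
#
# Health Care Common Procedure Coding System (HCPCS) Codes
#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP HCPCS Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Whcpcs\W[\s\w,/-]*(?=[a-z][0-9]{10})/ism"; classtype:policy-violation; sid:2002470; rev:1;)
#
# International Statistical Classification of Diseases and Related Health Problems 10th Revision (ICD-10) Codes
#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP ICD-10 Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wicd\W[\s\w,/-]*(?=[a-z][0-9]{2}\.[0-9]{2})/ism"; classtype:policy-violation; sid:2002471; rev:1;)
#
# Food and Drug Administration (FDA) National Drug Code (NDC) Codes
#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP FDA NDC Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wndc\W[\s\w,/-]*(?=([0-9]{4}-[0-9]{4}-[0-9]{2}|[0-9]{5}-[0-9]{3}-[0-9]{2}|[0-9]{5}-[0-9]{4}-[0-9]{1,2}))/ism"; classtype:policy-violation; sid:2002472; rev:1;)
#
# American Dental Association (ADA) Dental Procedure Codes
#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP ADA Procedure Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wada\W[\s\w,/-]*(?=d[0-9]{4})/ism"; classtype:policy-violation; sid:2002473; rev:1;)
#
# Diagnostic and Statistical Manual of Mental Disorders (DSM-IV) Codes
# (optional decimal suffix quantifier fixed from "{1,2)" to "{1,2}")
#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP DSM-IV Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wdsm\W[\s\w,/-]*(?=([2-9][0-9]{2}(\.[0-9]{1,2})?)|(v[167][0-9]\.[0-9]{1,2}))/ism"; classtype:policy-violation; sid:2002474; rev:2;)
#
# American Medical Association (AMA) Current Procedural Terminology (CPT) Codes
#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP AMA CPT Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wcpt\W[\s\w,/-]*(?=[0-9]{4}[ft]|[0-9]{5})/ism"; classtype:policy-violation; sid:2002475; rev:1;)
#
# Japan Credit Bureau Credit Card Number
#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Credit Card, JCB"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wj(apan\s)?c(redit\s)?b(ureau)?\W[\s\w,/-]*(?=(3[12359][0-9]{14})|(1800|2131)[0-9]{11})/ism"; classtype:policy-violation; sid:2002477; rev:1;)
#
# The word "password", its typical abbreviations or written/abbreviated in a few forms of "leet"
#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Password"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\W[p][a4@][sz5]{0,2}[w]([o0][r])?[d]\W/ism"; classtype:policy-violation; sid:2002483; rev:1;)
#
# The word "appraisal"
#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Appraisal"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wappraisal(s)?\W/ism"; classtype:policy-violation; sid:2002484; rev:1;)
#
# The phrase "account balance"
#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Account Balance"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Waccount\sbalance(s)?\W/ism"; classtype:policy-violation; sid:2002485; rev:1;)
#
# The phrase "payment history"
#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Payment History"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wpayment\shistory\W/ism"; classtype:policy-violation; sid:2002486; rev:1;)
#
# The phrase "annual income"
#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Annual Income"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wannual\sincome(s)?\W/ism"; classtype:policy-violation; sid:2002487; rev:2;)
#
# The phrase "credit history"
#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Credit History"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wcredit\shistor(y|ies)\W/ism"; classtype:policy-violation; sid:2002488; rev:1;)
#
# The phrase "transaction history"
#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Transaction History"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wtransaction\shistor(y|ies)\W/ism"; classtype:policy-violation; sid:2002489; rev:1;)
#
# The phrase "customer list"
#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP Customer List"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wcustomer\slist(s)?\W/ism"; classtype:policy-violation; sid:2002490; rev:1;)
##########################################
#
# HTTP POST
#
# Non-US Restricted
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP Non-US Restricted"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+RESTRICTED//X5/ism"; classtype:policy-violation; sid:2002495; rev:2;)
#
# Non-US Confidential
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Non-US Confidential"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+CONFIDENTIAL//X5/ism"; classtype:policy-violation; sid:2002496; rev:2;)
#
# Non-US Top Secret
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Non-US Top Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+TOP\sSECRET//X5/ism"; classtype:policy-violation; sid:2002497; rev:2;)
#
# Non-US Secret
# DAMAGED-IN-COPY: pcre cut at "(?"; the rest of this rule and the head of the next one are lost (see section note)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Non-US Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+(? $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - NATO Restricted"; flow:to_server,established; pcre:"///((NATO\sRESTRICTED)|NR)//MR/ism"; classtype:policy-violation; sid:2002499; rev:2;)
#
# NATO Confidential Atomal
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - NATO Confidential Atomal"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL\sATOMAL)|NCA)//MR/ism"; classtype:policy-violation; sid:2002500; rev:2;)
#
# NATO Confidential
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - NATO Confidential"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL)|NC)//MR/ism"; classtype:policy-violation; sid:2002501; rev:2;)
#
# NATO COSMIC Top Secret Atomal
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - NATO COSMIC Top Secret Atomal"; flow:to_server,established; pcre:"///((COSMIC\sTOP\sSECRET\sATOMAL)|CTSA)//MR/ism"; classtype:policy-violation; sid:2002502; rev:2;)
#
# NATO Secret Atomal
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - NATO Secret Atomal"; flow:to_server,established; pcre:"///((NATO\sSECRET\sATOMAL)|NSA)//MR/ism"; classtype:policy-violation; sid:2002503; rev:2;)
#
# NATO Secret
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - NATO Secret"; flow:to_server,established; pcre:"///((NATO\sSECRET)|NS)//MR/ism"; classtype:policy-violation; sid:2002504; rev:2;)
#
# US Confidential, Electronic Format
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Confidential, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(CC)\r\n)/ism"; classtype:policy-violation; sid:2002505; rev:2;)
#
# US Top Secret, Electronic Format
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(TT)\r\n)/ism"; classtype:policy-violation; sid:2002506; rev:2;)
#
# US Secret, Electronic Format
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(SS)\r\n)/ism"; classtype:policy-violation; sid:2002507; rev:2;)
#
# US Confidential Authorized for Release To
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Confidential REL TO"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002508; rev:2;)
#
# US Top Secret Authorized for Release To
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret REL TO"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002509; rev:2;)
#
# US Secret Authorized for Release To
# DAMAGED-IN-COPY: pcre cut at "(?"; the rest of this rule and the head of the next one are lost (see section note)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret REL TO"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Confidential COMINT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002511; rev:2;)
#
# US Top Secret Comint
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret COMINT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002512; rev:2;)
#
# US Secret Comint
# DAMAGED-IN-COPY: pcre cut at "(?"; the rest of this rule and the head of the next one are lost (see section note)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret COMINT"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Unclassified COMSEC"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002514; rev:2;)
#
# US Confidential Communications Security Material
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Confidential COMSEC"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002515; rev:2;)
#
# US Top Secret Communications Security Material
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret COMSEC"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002516; rev:2;)
#
# US Secret Communications Security Material
# DAMAGED-IN-COPY: two consecutive rules (US Secret COMSEC, US Secret IMCON) are cut at "(?" and run into the US Top Secret CNWDI rule (see section note)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret COMSEC"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret IMCON"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret CNWDI"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; sid:2002519; rev:2;)
#
# US Secret Critical Nuclear Weapon Design Information
# DAMAGED-IN-COPY: pcre cut at "(?"; the rest of this rule and the head of the next one are lost (see section note)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret CNWDI"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret TK"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002521; rev:2;)
#
# US Secret Talent Keyhole
# DAMAGED-IN-COPY: pcre cut at "(?"; the rest of this rule and the head of the next one are lost (see section note)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret TK"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US FGI"; flow:to_server,established; pcre:"///FGI[\s\w,/-]*(?=//X5)/ism"; classtype:policy-violation; sid:2002523; rev:2;)
#
# US For Official Use Only
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US FOUO"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//(FOR\sOFFICIAL\sUSE\sONLY|FOUO)/ism"; classtype:policy-violation; sid:2002524; rev:2;)
#
# US Confidential Not Releasable to Foreign Nationals
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Confidential NOFORN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002525; rev:2;)
#
# US Top Secret Not Releasable to Foreign Nationals
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret NOFORN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002526; rev:2;)
#
# US Secret Not Releasable to Foreign Nationals
# DAMAGED-IN-COPY: pcre cut at "(?"; the rest of this rule and the head of the next one are lost (see section note)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret NOFORN"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Confidential ORCON"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002704; rev:1;)
#
# US Top Secret Originator Controlled
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret ORCON"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002528; rev:2;)
#
# US Secret Originator Controlled
# DAMAGED-IN-COPY: pcre cut at "(?"; the rest of this rule and the head of the next one are lost (see section note)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret ORCON"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Unclassified PROPIN"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002530; rev:2;)
#
# US Confidential Proprietary Information
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Confidential PROPIN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002531; rev:2;)
#
# US Top Secret Proprietary Information
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret PROPIN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002532; rev:2;)
#
# US Secret Proprietary Information
# DAMAGED-IN-COPY: pcre cut at "(?"; the rest of this rule and the head of the next one are lost (see section note)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret PROPIN"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Confidential RD"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; sid:2002534; rev:2;)
#
# US Top Secret Restricted Data
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret RD"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; sid:2002535; rev:2;)
#
# US Secret Restricted Data
# DAMAGED-IN-COPY: pcre cut at "(?"; the rest of this rule and the head of the next one are lost (see section note)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret RD"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US SAMI"; flow:to_server,established; pcre:"/SAMI[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002537; rev:2;)
#
# US Confidential Special Category
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Confidential SPECAT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002538; rev:2;)
#
# US Top Secret Special Category
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret SPECAT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002539; rev:2;)
#
# US Secret Special Category
# DAMAGED-IN-COPY: pcre cut at "(?"; the rest of this rule and the head of the next one are lost (see section note)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Secret SPECAT"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - US Top Secret STOP"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*STOP[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002541; rev:2;)
#
# The word "private"
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Private"; flow:to_server,established; pcre:"/\Wprivate\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002542; rev:2;)
#
# The word "restricted"
# DAMAGED-IN-COPY: four consecutive rules (restricted, confidential, secret, top secret) are cut at "(?" and run into the "sealed" rule (see section note)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Restricted"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Confidential"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Secret"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Top Secret"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Sealed"; flow:to_server,established; pcre:"/\Wsealed\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002547; rev:2;)
#
# The word "sensitive"
# DAMAGED-IN-COPY: pcre cut at "(?"; the rest of this rule and the head of the next one are lost (see section note)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Sensitive"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Proprietary"; flow:to_server,established; pcre:"/\Wproprietary\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002549; rev:2;)
#
# The word "protected"
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Protected"; flow:to_server,established; pcre:"/\Wprotected\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002550; rev:2;)
#
# The phrase "law enforcement sensitive"
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Law Enforcement Sensitive"; flow:to_server,established; pcre:"/\Wlaw\senforcement\ssensitive\W/ism"; classtype:policy-violation; sid:2002551; rev:3;)
#
# The phrase "internal use only"
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Internal Use Only"; flow:to_server,established; pcre:"/\Winternal\suse\sonly\W/ism"; classtype:policy-violation; sid:2002552; rev:2;)
#
# The phrase "date of birth" or its typical abbreviations
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Date of Birth"; flow:to_server,established; pcre:"/[^\w&]d(ate)?(-)?o(f)?(-)?b(irth)?\W[\s\w,/-]*(?=([0-9]{2}[-/][0-9]{2}[-/][0-9]{2,4})|[0-9]{8})/ism"; classtype:policy-violation; sid:2002553; rev:2;)
#
# Health Care Common Procedure Coding System (HCPCS) Codes
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - HCPCS Code"; flow:to_server,established; pcre:"/\Whcpcs\W[\s\w,/-]*(?=[a-z][0-9]{10})/ism"; classtype:policy-violation; sid:2002554; rev:2;)
#
# International Statistical Classification of Diseases and Related Health Problems 10th Revision (ICD-10) Codes
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - ICD-10 Code"; flow:to_server,established; pcre:"/\Wicd\W[\s\w,/-]*(?=[a-z][0-9]{2}\.[0-9]{2})/ism"; classtype:policy-violation; sid:2002555; rev:2;)
#
# Food and Drug Administration (FDA) National Drug Code (NDC) Codes
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - FDA NDC Code"; flow:to_server,established; pcre:"/\Wndc\W[\s\w,/-]*(?=([0-9]{4}-[0-9]{4}-[0-9]{2}|[0-9]{5}-[0-9]{3}-[0-9]{2}|[0-9]{5}-[0-9]{4}-[0-9]{1,2}))/ism"; classtype:policy-violation; sid:2002556; rev:2;)
#
# American Dental Association (ADA) Dental Procedure Codes
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - ADA Procedure Code"; flow:to_server,established; pcre:"/\Wada\W[\s\w,/-]*(?=d[0-9]{4})/ism"; classtype:policy-violation; sid:2002557; rev:2;)
#
# Diagnostic and Statistical Manual of Mental Disorders (DSM-IV) Codes
# (optional decimal suffix quantifier fixed from "{1,2)" to "{1,2}")
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - DSM-IV Code"; flow:to_server,established; pcre:"/\Wdsm\W[\s\w,/-]*(?=([2-9][0-9]{2}(\.[0-9]{1,2})?)|(v[167][0-9]\.[0-9]{1,2}))/ism"; classtype:policy-violation; sid:2002558; rev:3;)
#
# American Medical Association (AMA) Current Procedural Terminology (CPT) Codes
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - AMA CPT Code"; flow:to_server,established; pcre:"/\Wcpt\W[\s\w,/-]*(?=[0-9]{4}[ft]|[0-9]{5})/ism"; classtype:policy-violation; sid:2002559; rev:2;)
#
# Japan Credit Bureau Credit Card Number
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Credit Card, JCB"; flow:to_server,established; pcre:"/\Wj(apan\s)?c(redit\s)?b(ureau)?\W[\s\w,/-]*(?=(3[12359][0-9]{14})|(1800|2131)[0-9]{11})/ism"; classtype:policy-violation; sid:2002561; rev:2;)
#
# The word "password", its typical abbreviations or written/abbreviated in a few forms of "leet"
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Password"; flow:to_server,established; pcre:"/\W[p][a4@][sz5]{0,2}[w]([o0][r])?[d]\W/ism"; classtype:policy-violation; sid:2002567; rev:2;)
#
# The word "appraisal"
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Appraisal"; flow:to_server,established; pcre:"/\Wappraisal(s)?\W/ism"; classtype:policy-violation; sid:2002568; rev:2;)
#
# The phrase "account balance"
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Account Balance"; flow:to_server,established; pcre:"/\Waccount\sbalance(s)?\W/ism"; classtype:policy-violation; sid:2002569; rev:2;)
#
# The phrase "payment history"
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Payment History"; flow:to_server,established; pcre:"/\Wpayment\shistory\W/ism"; classtype:policy-violation; sid:2002570; rev:2;)
#
# The phrase "annual income"
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Annual Income"; flow:to_server,established; pcre:"/\Wannual\sincome(s)?\W/ism"; classtype:policy-violation; sid:2002571; rev:2;)
#
# The phrase "credit history"
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Credit History"; flow:to_server,established; pcre:"/\Wcredit\shistor(y|ies)\W/ism"; classtype:policy-violation; sid:2002572; rev:2;)
#
# The phrase "transaction history"
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Transaction History"; flow:to_server,established; pcre:"/\Wtransaction\shistor(y|ies)\W/ism"; classtype:policy-violation; sid:2002573; rev:2;)
#
# The phrase "customer list"
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY HTTP - Customer List"; flow:to_server,established; pcre:"/\Wcustomer\slist(s)?\W/ism"; classtype:policy-violation; sid:2002574; rev:2;)
#
#
##########################################
#
# High Ports, possibly Passive FTP DATA
#
# Non-US Restricted
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Non-US Restricted"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+RESTRICTED//X5/ism"; classtype:policy-violation; sid:2002575; rev:2;)
#
# Non-US Confidential
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Non-US Confidential"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+CONFIDENTIAL//X5/ism"; classtype:policy-violation; sid:2002576; rev:2;)
#
# Non-US Top Secret
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Non-US Top Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+TOP\sSECRET//X5/ism"; classtype:policy-violation; sid:2002577; rev:2;)
#
# Non-US Secret
# DAMAGED-IN-COPY: pcre cut at "(?"; the rest of this rule and the head of the next one are lost (see section note)
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Non-US Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+(? $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - NATO Restricted"; flow:to_server,established; pcre:"///((NATO\sRESTRICTED)|NR)//MR/ism"; classtype:policy-violation; sid:2002579; rev:2;)
#
# NATO Confidential Atomal
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - NATO Confidential Atomal"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL\sATOMAL)|NCA)//MR/ism"; classtype:policy-violation; sid:2002580; rev:2;)
#
# NATO Confidential
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - NATO Confidential"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL)|NC)//MR/ism"; classtype:policy-violation; sid:2002581; rev:2;)
#
# NATO COSMIC Top Secret Atomal
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - NATO COSMIC Top Secret Atomal"; flow:to_server,established; pcre:"///((COSMIC\sTOP\sSECRET\sATOMAL)|CTSA)//MR/ism"; classtype:policy-violation; sid:2002582; rev:2;)
#
# NATO Secret Atomal
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - NATO Secret Atomal"; flow:to_server,established; pcre:"///((NATO\sSECRET\sATOMAL)|NSA)//MR/ism"; classtype:policy-violation; sid:2002583; rev:2;)
#
# NATO Secret
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - NATO Secret"; flow:to_server,established; pcre:"///((NATO\sSECRET)|NS)//MR/ism"; classtype:policy-violation; sid:2002584; rev:2;)
#
# US Confidential, Electronic Format
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Confidential, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(CC)\r\n)/ism"; classtype:policy-violation; sid:2002585; rev:2;)
#
# US Top Secret, Electronic Format
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(TT)\r\n)/ism"; classtype:policy-violation; sid:2002586; rev:2;)
#
# US Secret, Electronic Format
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(SS)\r\n)/ism"; classtype:policy-violation; sid:2002587; rev:2;)
#
# US Confidential Authorized for Release To
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Confidential REL TO"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002588; rev:2;)
#
# US Top Secret Authorized for Release To
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret REL TO"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002589; rev:2;)
#
# US Secret Authorized for Release To
# DAMAGED-IN-COPY: pcre cut at "(?"; the rest of this rule and the head of the next one are lost (see section note)
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret REL TO"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Confidential COMINT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002591; rev:2;)
#
# US Top Secret Comint
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret COMINT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002592; rev:2;)
#
# US Secret Comint
# DAMAGED-IN-COPY: pcre cut at "(?"; the rest of this rule and the head of the next one are lost (see section note)
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret COMINT"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Unclassified COMSEC"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002594; rev:2;)
#
# US Confidential Communications Security Material
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Confidential COMSEC"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002595; rev:2;)
#
# US Top Secret Communications Security Material
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret COMSEC"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002596; rev:2;)
#
# US Secret Communications Security Material
# DAMAGED-IN-COPY: two consecutive rules (US Secret COMSEC, US Secret IMCON) are cut at "(?" and run into the US Top Secret CNWDI rule (see section note)
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret COMSEC"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret IMCON"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret CNWDI"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; sid:2002599; rev:2;)
#
# US Secret Critical Nuclear Weapon Design Information
# DAMAGED-IN-COPY: pcre cut at "(?"; the rest of this rule and the head of the next one are lost (see section note)
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret CNWDI"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret TK"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002601; rev:2;)
#
# US Secret Talent Keyhole
# DAMAGED-IN-COPY: pcre cut at "(?"; the rest of this rule and the head of the next one are lost (see section note)
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret TK"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US FGI"; flow:to_server,established; pcre:"///FGI[\s\w,/-]*(?=//X5)/ism"; classtype:policy-violation; sid:2002603; rev:2;)
#
# US For Official Use Only
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US FOUO"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//(FOR\sOFFICIAL\sUSE\sONLY|FOUO)/ism"; classtype:policy-violation; sid:2002604; rev:2;)
#
# US Confidential Not Releasable to Foreign Nationals
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Confidential NOFORN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002605; rev:2;)
#
# US Top Secret Not Releasable to Foreign Nationals
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret NOFORN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002606; rev:2;)
#
# US Secret Not Releasable to Foreign Nationals
# DAMAGED-IN-COPY: pcre cut at "(?"; the rest of this rule and the head of the next one are lost (see section note)
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret NOFORN"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Confidential ORCON"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002608; rev:2;)
#
# US Top Secret Originator Controlled
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret ORCON"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002609; rev:2;)
#
# US Secret Originator Controlled
# DAMAGED-IN-COPY: pcre cut at "(?"; the rest of this rule and the head of the next one are lost (see section note)
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret ORCON"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Unclassified PROPIN"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002611; rev:2;)
#
# US Confidential Proprietary Information
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Confidential PROPIN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002612; rev:2;)
#
# US Top Secret Proprietary Information
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret PROPIN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002613; rev:2;)
#
# US Secret Proprietary Information
# DAMAGED-IN-COPY: pcre cut at "(?"; the rest of this rule and the head of the next one are lost (see section note)
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret PROPIN"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Confidential RD"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; sid:2002615; rev:2;)
#
# US Top Secret Restricted Data
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret RD"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; classtype:policy-violation; sid:2002616; rev:2;)
#
# US Secret Restricted Data
# DAMAGED-IN-COPY: pcre cut at "(?"; the rest of this rule and the head of the next one are lost (see section note)
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret RD"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US SAMI"; flow:to_server,established; pcre:"/SAMI[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002618; rev:2;)
#
# US Confidential Special Category
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Confidential SPECAT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002619; rev:2;)
#
# US Top Secret Special Category
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret SPECAT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002620; rev:2;)
#
# US Secret Special Category
# DAMAGED-IN-COPY: pcre cut at "(?"; the rest of this rule and the head of the next one are lost (see section note)
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Secret SPECAT"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - US Top Secret STOP"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*STOP[\s\w,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002622; rev:2;)
#
# The word "private"
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Private"; flow:to_server,established; pcre:"/\Wprivate\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002623; rev:2;)
#
# The word "restricted"
# DAMAGED-IN-COPY: four consecutive rules (restricted, confidential, secret, top secret) are cut at "(?" and run into the "sealed" rule (see section note)
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Restricted"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Confidential"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Secret"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Top Secret"; flow:to_server,established; pcre:"/(? $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Sealed"; flow:to_server,established; pcre:"/\Wsealed\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002628; rev:2;)
#
# The word "sensitive"
# DAMAGED-IN-COPY: pcre cut at "(?"; the rest of this rule is lost and the copy continues with the tail of the following rule (see section note)
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Sensitive"; flow:to_server,established; pcre:"/(?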
$EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Proprietary"; flow:to_server,established; pcre:"/\Wproprietary\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002630; rev:2;) # # The word "protected" #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Protected"; flow:to_server,established; pcre:"/\Wprotected\W(?!/(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002631; rev:2;) # # The phrase "law enforcement sensitive" #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Law Enorcement Sensitive"; flow:to_server,established; pcre:"/\Wlaw\senforcement\ssensitive\W/ism"; classtype:policy-violation; sid:2002632; rev:2;) # # The phrase "internal use only" #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Internal Use Only"; flow:to_server,established; pcre:"/\Winternal\suse\sonly\W/ism"; classtype:policy-violation; sid:2002633; rev:2;) # # The phrase "date of birth" or its typical abbreviations #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Date of Birth"; flow:to_server,established; pcre:"/[^\w&]d(ate)?(-)?o(f)?(-)?b(irth)?\W[\s\w,/-]*(?=([0-9]{2}[-/][0-9]{2}[-/][0-9]{2,4})|[0-9]{8})/ism"; classtype:policy-violation; sid:2002634; rev:2;) # # Health Care Common Procedure Coding System (HCPCS) Codes #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - HCPCS Code"; flow:to_server,established; pcre:"/\Whcpcs\W[\s\w,/-]*(?=[a-z][0-9]{10})/ism"; classtype:policy-violation; sid:2002635; rev:2;) # # International Statistical Classification of Diseases and Related Health Problems 10th Revision (ICD-10) Codes #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - ICD-10 Code"; flow:to_server,established; pcre:"/\Wicd\W[\s\w,/-]*(?=[a-z][0-9]{2}\.[0-9]{2})/ism"; classtype:policy-violation; sid:2002636; rev:2;) # # Food and Drug 
Administration (FDA) National Drug Code (NDC) Codes #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - FDA NDC Code"; flow:to_server,established; pcre:"/\Wndc\W[\s\w,/-]*(?=([0-9]{4}-[0-9]{4}-[0-9]{2}|[0-9]{5}-[0-9]{3}-[0-9]{2}|[0-9]{5}-[0-9]{4}-[0-9]{1,2}))/ism"; classtype:policy-violation; sid:2002637; rev:2;) # # American Dental Association (ADA) Dental Procedure Codes #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - ADA Procedure Code"; flow:to_server,established; pcre:"/\Wada\W[\s\w,/-]*(?=d[0-9]{4})/ism"; classtype:policy-violation; sid:2002638; rev:2;) # # Diagnostic and Statistical Manual of Mental Disorders (DSM-IV) Codes #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - DSM-IV Code"; flow:to_server,established; pcre:"/\Wdsm\W[\s\w,/-]*(?=([2-9][0-9]{2}(\.[0-9]{1,2)?)|(v[167][0-9]\.[0-9]{1,2}))/ism"; classtype:policy-violation; sid:2002639; rev:2;) # # American Medical Association (AMA) Current Procedural Terminology (CPT) Codes #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - AMA CPT Code"; flow:to_server,established; pcre:"/\Wcpt\W[\s\w,/-]*(?=[0-9]{4}[ft]|[0-9]{5})/ism"; classtype:policy-violation; sid:2002640; rev:2;) # # Japan Credit Bureau Credit Card Number #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Credit Card, JCB"; flow:to_server,established; pcre:"/\Wj(apan\s)?c(redit\s)?b(ureau)?\W[\s\w,/-]*(?=(3[12359][0-9]{14})|(1800|2131)[0-9]{11})/ism"; classtype:policy-violation; sid:2002642; rev:2;) # # The word "password", its typical abbreviations or written/abbreviated in a few forms of "leet" #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Password"; flow:to_server,established; pcre:"/\W[p][a4@][sz5]{0,2}[w]([o0][r])?[d]\W/ism"; classtype:policy-violation; sid:2002648; rev:2;) # # The word "appraisal" 
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Appraisal"; flow:to_server,established; pcre:"/\Wappraisal(s)?\W/ism"; classtype:policy-violation; sid:2002649; rev:2;) # # The phrase "account balance" #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Account Balance"; flow:to_server,established; pcre:"/\Waccount\sbalance(s)?\W/ism"; classtype:policy-violation; sid:2002650; rev:2;) # # The phrase "payment history" #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Payment History"; flow:to_server,established; pcre:"/\Wpayment\shistory\W/ism"; classtype:policy-violation; sid:2002651; rev:2;) # # The phrase "annual income" #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Annual Income"; flow:to_server,established; pcre:"/\Wannual\sincome(s)?\W/ism"; classtype:policy-violation; sid:2002652; rev:2;) # # The phrase "credit history" #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Credit History"; flow:to_server,established; pcre:"/\Wcredit\shistor(y|ies)\W/ism"; classtype:policy-violation; sid:2002653; rev:2;) # # The phrase "transaction history" #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Transaction History"; flow:to_server,established; pcre:"/\Wtransaction\shistor(y|ies)\W/ism"; classtype:policy-violation; sid:2002654; rev:2;) # # The phrase "customer list" #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE POLICY High Ports - Customer List"; flow:to_server,established; pcre:"/\Wcustomer\slist(s)?\W/ism"; classtype:policy-violation; sid:2002655; rev:2;) # #Submitted by Matt Jonkman #Thees rules are disabled by default. They should generally be run on the outside of your network, not internally. Enable it where useful. 
#alert ip any any -> any any (msg: "BLEEDING-EDGE Credit Card Number Detected in Clear (16 digit spaced)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3}) \d{4} \d{4} \d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype: policy-violation; sid: 2001375; rev:9; ) #alert ip any any -> any any (msg: "BLEEDING-EDGE Credit Card Number Detected in Clear (16 digit dashed)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})-\d{4}-\d{4}-\d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype: policy-violation; sid: 2001376; rev:9; ) #alert ip any any -> any any (msg: "BLEEDING-EDGE Credit Card Number Detected in Clear (16 digit)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})\d{12} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype: policy-violation; sid: 2001377; rev:9; ) #alert ip any any -> any any (msg: "BLEEDING-EDGE Credit Card Number Detected in Clear (15 digit)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800)\d{11} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype: policy-violation; sid: 2001378; rev:9; ) #alert ip any any -> any any (msg: "BLEEDING-EDGE Credit Card Number Detected in Clear (15 digit spaced)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800) \d{4} \d{4} \d{3} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype: policy-violation; sid: 2001379; rev:9; ) #alert ip any any -> any any (msg: "BLEEDING-EDGE Credit Card Number Detected in Clear (15 digit dashed)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800)-\d{4}-\d{4}-\d{3} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype: policy-violation; sid: 2001380; rev:9; ) #alert ip any any -> any any (msg: "BLEEDING-EDGE Credit Card Number Detected in Clear (14 digit)"; pcre:"/ (30[0-5]\d|36\d{2}|38\d{2})\d{10} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype: policy-violation; sid: 2001381; rev:9; ) #alert ip any any -> any any (msg: "BLEEDING-EDGE Credit Card Number Detected in Clear (14 digit spaced)"; pcre:"/ 
(30[0-5]\d|36\d{2}|38\d{2}) \d{4} \d{4} \d{2} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype: policy-violation; sid: 2001382; rev:9; ) #alert ip any any -> any any (msg: "BLEEDING-EDGE Credit Card Number Detected in Clear (14 digit dashed)"; pcre:"/ (30[0-5]\d|36\d{2}|38\d{2})-\d{4}-\d{4}-\d{2} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype: policy-violation; sid: 2001383; rev:9; ) #Submitted by Ole-Martin alert tcp any any -> $HOME_NET any (msg: "BLEEDING-EDGE POLICY Dameware Remote Control Service Install"; flow: to_server,established; content:"DWRCK.DLL"; nocase; classtype: successful-admin; sid: 2001294; rev:2; ) #Submitted by Joseph Gama #alert udp $DNS_SERVERS 53 -> any any (msg: "BLEEDING-EDGE DNS - Standard query response, Format error"; pcre:"/..[\x81\x82\x83\x84\x85\x86\x87]\x81/"; classtype: not-suspicious; sid: 2001116; rev:2; ) #alert udp $DNS_SERVERS 53 -> any any (msg: "BLEEDING-EDGE DNS - Standard query response, Name Error"; pcre:"/..[\x81\x82\x83\x84\x85\x86\x87]\x83/"; classtype: not-suspicious; sid: 2001117; rev:2; ) #alert udp $DNS_SERVERS 53 -> any any (msg: "BLEEDING-EDGE DNS - Standard query response, Not Implemented"; pcre:"/..[\x81\x82\x83\x84\x85\x86\x87]\x84/"; classtype: not-suspicious; sid: 2001118; rev:2; ) #alert udp $DNS_SERVERS 53 -> any any (msg: "BLEEDING-EDGE DNS - Standard query response, Refused"; pcre:"/..[\x81\x82\x83\x84\x85\x86\x87]\x85/"; classtype: not-suspicious; sid: 2001119; rev:2; ) #by Myron Davis alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLEEDING-EDGE POLICY nstx DNS Tunnel Outbound"; content:"cT"; offset:12; depth:3; content:"|00 10 00 01 00 00 29 08|"; within:255; classtype:bad-unknown; reference:url,savannah.nongnu.org/projects/nstx/; reference:url,nstx.dereference.de/nstx; sid:2002676; rev:1;) #From Charles Lacroix # All form elements are encoded before they are sent to the server # This makes things a bit more complicated to decode via snort at least # for 
me. This rule will trigger when a user is starting to place # an item for sale on the ebay site. # #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY eBay Bid Placed"; flow: to_server,established; uricontent:"/ws/eBayISAPI.dll/"; nocase; content:"maxbid="; nocase; content:"offer.ebay.com"; nocase; classtype: policy-violation; sid: 2001898; rev:2; ) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY eBay Placing Item for sale"; flow: to_server,established; uricontent:"/ws2/eBayISAPI.dll"; nocase; content:".ebay.com"; nocase; classtype: policy-violation; sid: 2001907; rev:2; ) # Look for a single item #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY eBay View Item"; flow: to_server,established; uricontent:"/ws/eBayISAPI.dll"; nocase; content:"ViewItem"; nocase; content:".ebay.com"; nocase; classtype: policy-violation; sid: 2001908; rev:3; ) # Mark an item to watch #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY eBay Watch This Item"; flow: to_server,established; uricontent:"/ws/eBayISAPI.dll"; nocase; content:"MakeTrack&Item="; nocase; content:".ebay.com"; nocase; classtype: policy-violation; sid: 2001909; rev:3; ) #By Matt Jonkman. Reviving this rule as it's been dropped from the snort.org rulesets. 
alert tcp $HOME_NET any -> 66.151.158.177 any (msg: "BLEEDING-EDGE GotoMyPC Polling Client"; flow: established; threshold: type limit, track by_src, count 1, seconds 360; classtype: policy-violation; sid: 2000309; rev:6; ) #This intends to be a more intelligent version of the old gotomypc rule, eventually to replace the old if it catches everything alert tcp 66.151.158.177 8200 -> $HOME_NET any (msg: "BLEEDING-EDGE GotoMyPC poll.gotomypc.com Server Response to Polling Client OK"; flow: established,from_server; content:"cnt=0"; nocase; depth: 40; content:"eventid="; nocase; depth: 40; threshold: type limit, track by_src, count 1, seconds 360; classtype: policy-violation; sid: 2002022; rev:2; ) #by Dajackman alert tcp $HOME_NET any -> 64.34.106.33 12975 (msg:"BLEEDING-EDGE POLICY Outbound Hamachi VPN Connection Attempt"; flags:S,12; threshold:type limit, track by_src, count 1, seconds 120; classtype:policy-violation; reference:url,www.hamachi.cc; sid:2002729; rev:1;) #Submitted by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Hotmail Inbox Access"; flow: to_server,established; content:"hotmail.msn.com"; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/cgi-bin\/HoTMaiL\?curmbox=/i"; classtype: policy-violation; sid: 2000035; rev:9; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Hotmail Message Access"; flow: to_server,established; content:"hotmail.msn.com"; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/cgi-bin\/getmsg\?msg=MSG/i"; classtype: policy-violation; sid: 2000036; rev:9; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Hotmail Compose Message Access"; flow: to_server,established; content:"curmbox="; nocase; content:"hotmail.msn.com"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/cgi-bin\/compose\?/i"; classtype: policy-violation; sid: 2000037; rev:9; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Hotmail Compose Message 
Submit"; flow: to_server,established; content:"hotmail.msn.com"; nocase; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/cgi-bin\/premail/i"; classtype: policy-violation; sid: 2000038; rev:8; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Hotmail Compose Message Submit Data"; flow: to_server,established; content:"curmbox="; nocase; content:"login="; nocase; content:"msghdrid"; nocase; content:"sigflag="; nocase; classtype: policy-violation; sid: 2000039; rev:6; ) #Submitted by Thomas Alex alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg: "BLEEDING-EDGE MISC HP Web JetAdmin ExecuteFile admin access"; flow: to_server,established; content:"/plugins/framework/script/content.hts"; nocase; content:"ExecuteFile"; nocase; reference:bugtraq,10224; classtype: attempted-admin; sid: 2001055; rev:5; ) #Submitted by Brandon Barnes #pass tcp any any -> any any ( msg:"BLEEDING-EDGE HTTP CONNECT Tunnel"; content:"CONNECT "; nocase; content:"80"; content:" HTTP/1."; nocase; flow:to_server,established; classtype:misc-activity; sid:2000549; rev:3;) #pass tcp any any -> any any ( msg:"BLEEDING-EDGE HTTP CONNECT Tunnel"; content:"CONNECT "; nocase; content:"443"; content:" HTTP/1."; nocase; flow:to_server,established; classtype:misc-activity; sid:2000550; rev:3;) #alert tcp any any -> any any (msg: "BLEEDING-EDGE HTTP CONNECT Tunnel"; flow: to_server,established; content:"CONNECT "; nocase; content:!"80"; content:" HTTP/1."; nocase; classtype: misc-activity; sid: 2000547; rev:5; ) #alert tcp any any -> any any (msg: "BLEEDING-EDGE HTTP CONNECT Tunnel"; flow: to_server,established; content:"CONNECT "; nocase; content:!"443"; content:" HTTP/1."; nocase; classtype: misc-activity; sid: 2000548; rev:5; ) #Submitted by Jason #alert tcp any any -> any any (msg: "BLEEDING-EDGE HTTP CONNECT Tunnel Attempt"; flow: to_server,established; content:"CONNECT "; nocase; content:"|0d 0a|"; within: 1024; distance: 0; content:"HTTP/1."; nocase; within: 8; distance: -10; 
content:!"\:80"; within: 4; distance: -11; content:"CONNECT "; nocase; content:"|0d 0a|"; within: 1024; distance: 0; content:"HTTP/1."; nocase; within: 8; distance: -10; content:!"\:443"; within: 5; distance: -12; classtype: misc-activity; sid: 2000560; rev:6; ) #By Merphie from the forums alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg: "BLEEDING-EDGE POLICY ICQ Status Invisible"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|001900130005|"; offset: 4; depth: 6; classtype: policy-violation; sid: 2001801; rev:3; ) alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg: "BLEEDING-EDGE POLICY ICQ Status Change (1)"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|000E00010011|"; offset: 4; depth: 6; classtype: policy-violation; sid: 2001802; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg: "BLEEDING-EDGE POLICY ICQ Status Change (2)"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|00120001001E|"; offset: 4; depth: 6; classtype: policy-violation; sid: 2001803; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg: "BLEEDING-EDGE POLICY ICQ Login"; flow: from_client,established; content:"|2A01|"; depth: 2; content:"|00010001|"; offset: 8; depth: 4; classtype: policy-violation; sid: 2001804; rev:3; ) alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg: "BLEEDING-EDGE POLICY ICQ Message"; flow: established; content:"|2A02|"; depth: 2; content:"|000400060000|"; offset: 6; depth: 6; classtype: policy-violation; sid: 2001805; rev:3; ) #by Mark Tombaugh alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"BLEEDING-EDGE POLICY Google Talk (Jabber) Client Login"; flow:established,to_server; content:"gmail.com"; nocase; content:"jabber"; nocase; distance:9; within:6; classtype:policy-violation; reference:url,talk.google.com; reference:url,www.xmpp.org; sid:2002327; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"BLEEDING-EDGE POLICY Google Talk TLS Client Traffic"; 
flow:established,to_server; content:"gmail.com"; nocase; content:"jabber"; nocase; distance:64; within:78; classtype:policy-violation; reference:url,talk.google.com; reference:url,www.xmpp.org; sid:2002330; rev:2;) #by Brad Doctor alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE POLICY Google IM traffic Windows client user sign-on"; flow:to_server; content:"ms\:xml\:ns\:xmpp-s"; content:"X-GOOGLE-TOKEN\">"; classtype:policy-violation; reference:url,www.google.com/talk; sid:2002332; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE POLICY Google IM traffic friend invited"; flow:to_server; content:"\"> $EXTERNAL_NET 5222 (msg:"BLEEDING-EDGE POLICY Google IM traffic Jabber client sign-on"; flow:to_server; pcre:"/gmail.com/i"; pcre:"/jabber.org/i"; pcre:"/version=/"; classtype:policy-violation; reference:url,www.google.com/talk; sid:2002334; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE POLICY Google IM traffic Windows client user sign-off"; flow:to_server; content:"|3C 2F|stream\:s"; content:"tream>"; classtype:policy-violation; reference:url,www.google.com/talk; sid:2002335; rev:4;) #Submitted by Joel Esler alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg: "BLEEDING-EDGE CHAT MSN file transfer request"; flow: established; content:"MSG "; depth: 4; content:"Content-Type|3A|"; nocase; distance: 0; content:"text/x-msmsgsinvite"; nocase; distance: 0; content:"Application-Name|3A|"; content:"File Transfer"; nocase; distance: 0; classtype: policy-violation; sid: 2001241; rev:3; ) alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg: "BLEEDING-EDGE CHAT MSN file transfer accept"; flow: established; content:"MSG "; depth: 4; content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; distance: 0; content:"Invitation-Command|3A|"; content:"ACCEPT"; distance: 1; classtype: policy-violation; sid: 2001242; rev:3; ) alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg: "BLEEDING-EDGE CHAT MSN file transfer 
reject"; flow: established; content:"MSG "; depth: 4; content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; distance: 0; content:"Invitation-Command|3A|"; content:"CANCEL"; distance: 0; content:"Cancel-Code|3A|"; nocase; content:"REJECT"; nocase; distance: 0; classtype: policy-violation; sid: 2001243; rev:3; ) #Matt Jonkman, more msn alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Policy MSN IM Poll via HTTP"; flow: established,to_server; uricontent:"/gateway/gateway.dll?Action=poll&SessionID="; nocase; threshold: type limit, track by_src, count 10, seconds 3600; classtype: policy-violation; sid: 2001682; rev:5; ) #Submitted by Scott Melnick alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE POLICY MSN status change"; flow:established,to_server; content:"CHG "; depth:55; classtype:policy-violation; sid:2002192; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE POLICY MSN Game Loading"; flow:established,to_server; content:"|6D 73 6E 67 61 6D 65 2E 61 73 70 78|"; within:90; classtype:policy-violation; sid:2002312; rev:1;) #Submitted by Joel Esler alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM successful logon"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 01|"; offset: 10; depth: 2; classtype: policy-violation; sid: 2001253; rev:3; ) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM voicechat"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00|J"; offset: 10; depth: 2; classtype: policy-violation; sid: 2001254; rev:3; ) #Commenting out, duplicated in Snort.org set #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM ping"; flow: to_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 12|"; offset: 10; depth: 2; classtype: policy-violation; sid: 2001255; rev:4; ) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE 
CHAT Yahoo IM conference invitation"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 18|"; offset: 10; depth: 2; classtype: policy-violation; sid: 2001256; rev:3; ) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM conference logon success"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 19|"; offset: 10; depth: 2; classtype: policy-violation; sid: 2001257; rev:3; ) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM conference message"; flow: to_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 1D|"; offset: 10; depth: 2; classtype: policy-violation; sid: 2001258; rev:3; ) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM Unavailable Status"; flow: to_server,established; content:"|59 47 00 0b 00 00 00 00 00 12 00 00 00 00|"; depth: 55; classtype: policy-violation; sid: 2001427; rev:3; ) alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM file transfer request"; flow: established; content:"YMSG"; nocase; depth: 4; content:"|00|M"; offset: 10; depth: 2; classtype: policy-violation; sid: 2001259; rev:4; ) #alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM message"; flow: established; content:"YMSG"; depth: 4; classtype: policy-violation; sid: 2001260; rev:4; ) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM successful chat join"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 98|"; offset: 10; depth: 2; classtype: policy-violation; sid: 2001261; rev:3; ) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM conference offer invitation"; flow: to_server,established; content:"YMSG"; nocase; depth: 4; content:"|00|P"; offset: 10; depth: 2; classtype: policy-violation; sid: 2001262; rev:3; ) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE CHAT 
Yahoo IM conference request"; flow: to_server,established; content:" $HOME_NET any (msg: "BLEEDING-EDGE CHAT Yahoo IM conference watch"; flow: from_server,established; content:"|0D 00 05 00|"; depth: 4; classtype: policy-violation; sid: 2001264; rev:3; ) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE CHAT Yahoo IM Client Install"; flow: to_server,established; uricontent:"/ycontent/stats.php?version="; nocase; uricontent:"EVENT=InstallBegin"; nocase; classtype: policy-violation; sid: 2002659; rev:1; ) #Moved from Malware, this is not spyware related #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Infotriever Spyware User Agent"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"User-Agent\: Client"; nocase; classtype: trojan-activity; reference:url,www.infotriever.com/Intro_SysAdmins.asp; sid: 2002082; rev:5;) #Submitted by Vernon Stark alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE POLICY IRC authorization message"; flow: established; content:"NOTICE AUTH"; content:"Looking up your hostname..."; nocase; classtype: misc-activity; sid: 2000355; rev:3; ) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE POLICY IRC connection"; flow: established; content:"Welcome to the "; content:"IRC Network"; nocase; classtype: misc-activity; sid: 2000356; rev:3; ) #by Matt Jonkman #alert ip any any -> any any (msg: "BLEEDING-EDGE POLICY EIN in the clear (US-IRS Employer ID Number)"; pcre:"/ /d/d-/d{7} /"; reference:url,policy.ssa.gov/poms.nsf/lnx/0101001004; reference:url,policy.ssa.gov/poms.nsf/lnx/0101001001?opendocument; classtype:policy-violation; sid:2002658; rev:1;) #Submitted by Jonathan Miner alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY KitCo Kcast Ticker (agtray)"; flow: to_server,established; uricontent:"/pr/agtray.txt"; nocase; classtype: policy-violation; sid: 2000569; rev:4; ) alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY KitCo Kcast Ticker (autray)"; flow: to_server,established; uricontent:"/pr/autray.txt"; nocase; classtype: policy-violation; sid: 2000570; rev:4; ) #Submitted by Joseph Gama #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE Policy Mozilla XPI install files download"; flow: from_server,established; content:"content-type\: application/x-xpinstall"; nocase; classtype: bad-unknown; sid: 2001114; rev:3; ) #by William Bell alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE POLICY MP3 File Transfer Outbound"; flow:established; content:"ID3|03|"; distance: 0; content:"TIT2"; distance:6; within:10; reference:url,filext.com/detaillist.php?extdetail=mp3&Search=Search; classtype:policy-violation; sid: 2002722; rev:1; ) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE POLICY MP3 File Transfer Inbound"; flow: established; content:"ID3|03|"; distance: 0; content:"TIT2"; distance:6; within:10; reference:url,filext.com/detaillist.php?extdetail=mp3&Search=Search; classtype:policy-violation; sid: 2002723; rev:1; ) #Submitted by Lance Boon alert udp any any -> any any (msg: "BLEEDING-EDGE Policy Netop Remote Control Usage"; content:"|554b30303736305337473130|"; reference:url,www.netop.com; classtype: policy-violation; sid: 2001597; rev:3; ) #New way to do ssh. First to detect legit ssh sessions on normal ports. 
Enable these ONLY if you need to know about # normal ssh sessions #Written by Erik Fichtner, adapted some #alert tcp any $SSH_PORTS -> any any (msg: "BLEEDING-EDGE POLICY SSH Server Banner Detected on Expected Port"; flowbits:noalert; flow: from_server,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative;byte_test:1,<,51,0,relative;byte_test:1,=,46,1,relative;flowbits: set,is_ssh_server_banner; classtype:misc-activity; sid: 2001973; rev:5; ) #alert tcp any any -> any $SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSH Client Banner Detected on Expected Port"; flowbits:isset,is_ssh_server_banner; flowbits:noalert; flow: from_client,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative;byte_test:1,<,51,0,relative;byte_test:1,=,46,1,relative;flowbits: set,is_ssh_client_banner; classtype:misc-activity; sid: 2001974; rev:5; ) #alert tcp any $SSH_PORTS -> any any (msg: "BLEEDING-EDGE POLICY SSHv2 Server KEX Detected on Expected Port"; flowbits:isset,is_ssh_client_banner; flowbits:noalert; flow: from_server,established; byte_test:1,=,20,5; flowbits: set,is_ssh_server_kex; classtype:misc-activity; sid: 2001975; rev:5; ) #alert tcp any any -> any $SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSHv2 Client KEX Detected on Expected Port"; flowbits:isset,is_ssh_server_kex; flowbits:noalert; flow: from_client,established; byte_test:1,=,20,5;flowbits: set,is_ssh_client_kex; classtype:misc-activity; sid: 2001976; rev:6; ) #alert tcp any any -> any $SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSHv2 Client New Keys detected on Expected Port"; flowbits:noalert; flowbits:isset,is_ssh_client_kex; flow: from_client,established; byte_test:1,=,21,5;flowbits: set,is_proto_ssh; classtype:misc-activity; sid: 2001977; rev:6; ) #alert tcp any any <> any $SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSH session in progress on Expected Port"; flowbits: isset,is_proto_ssh; threshold: type both, track by_src, count 2, seconds 300; classtype:misc-activity; sid: 2001978; rev:4; ) 
#And now to detect Non-standard port usage
#
# Same six-stage SSH state machine as above, but keyed on a server port that is NOT in
# $SSH_PORTS. This is the useful half: SSH on an unexpected port is a common sign of a
# tunnel, a backdoor or a mis-deployed service. Only sid 2001984 alerts; the rest are
# flowbits:noalert stages. Byte/offset semantics are identical to the expected-port chain.
alert tcp any !$SSH_PORTS -> any any (msg: "BLEEDING-EDGE POLICY SSH Server Banner Detected on Unusual Port"; flowbits:noalert; flow: from_server,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative;byte_test:1,<,51,0,relative;byte_test:1,=,46,1,relative;flowbits: set,is_ssh_server_banner; classtype:misc-activity; sid: 2001979; rev:5; )
alert tcp any any -> any !$SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSH Client Banner Detected on Unusual Port"; flowbits:noalert; flowbits:isset,is_ssh_server_banner; flow: from_client,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative;byte_test:1,<,51,0,relative;byte_test:1,=,46,1,relative; flowbits: set,is_ssh_client_banner; classtype:misc-activity; sid: 2001980; rev:6; )
alert tcp any !$SSH_PORTS -> any any (msg: "BLEEDING-EDGE POLICY SSHv2 Server KEX Detected on Unusual Port"; flowbits:isset,is_ssh_client_banner; flowbits:noalert; flow: from_server,established; byte_test:1,=,20,5;flowbits: set,is_ssh_server_kex; classtype:misc-activity; sid: 2001981; rev:5; )
alert tcp any any -> any !$SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSHv2 Client KEX Detected on Unusual Port"; flowbits:noalert; flowbits:isset,is_ssh_server_kex; flow: from_client,established; byte_test:1,=,20,5; flowbits: set,is_ssh_client_kex; classtype:misc-activity; sid: 2001982; rev:6; )
alert tcp any any -> any !$SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSHv2 Client New Keys Detected on Unusual Port"; flowbits:isset,is_ssh_client_kex; flowbits:noalert; flow: from_client,established; byte_test:1,=,21,5; flowbits: set,is_proto_ssh; classtype:misc-activity; sid: 2001983; rev:6; )
# Alerting stage; the "<>" direction and any/any endpoints mean this matches either
# direction of the flow once the NEWKEYS stage has been seen.
alert tcp any any <> any !$SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSH session in progress on Unusual Port"; flowbits: isset,is_proto_ssh; threshold: type both, track by_src, count 2, seconds 300; classtype:misc-activity; sid: 2001984; rev:4; )
# Added by Frank Knobbe
# Prospero chat: "PCHAT2 " header at offset 0 followed by three key=' markers
# somewhere in the first ~408 bytes (offset 8, depth 400 for each).
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE POLICY Prospero Chat Session in Progress"; flow: established,to_server; content:"PCHAT2 "; offset: 0; depth: 7; content:"v='"; nocase; offset: 8; depth: 400; content:"jv='"; nocase; offset: 8; depth: 400; content:"u='"; nocase; offset: 8; depth: 400; reference:url,www.prospero.com/technology.htm; classtype: policy-violation; sid: 2001989; rev:3; )
#By Sam Pabon
# RAR archive magic "Rar!" (52 61 72 21) at the start of the payload, any port.
# NOTE(review): "tag: session" logs the rest of every matching session, which is a lot of
# packet logging for a not-suspicious classtype on a busy link; consider a bounded
# count/metric, and confirm the bare "tag: session" form parses on your Snort version.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE POLICY RAR File Outbound"; flow: established; content:"|52 61 72 21|"; offset: 0; depth: 4; tag: session; classtype: not-suspicious; sid: 2001950; rev:2; )
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE POLICY RAR File Inbound"; flow: established; content:"|52 61 72 21|"; offset: 0; depth: 4; tag: session; classtype: not-suspicious; sid: 2001951; rev:2; )
#Submitted by James Ashton
# RDP over TPKT/X.224: byte 0 = TPKT version 3; byte 5 = X.224 TPDU code after the
# 4-byte TPKT header and the length indicator (E0 = Connection Request,
# D0 = Connection Confirm, 80 = Disconnect Request). Port 3389 is hard-coded.
# sid 2001329 fires on every inbound RDP connection attempt from $EXTERNAL_NET -- a
# useful exposure indicator; if RDP is intentionally published, add a threshold.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg: "BLEEDING-EDGE RDP connection request"; flow: to_server,established; content:"|03|"; offset: 0; depth: 1; content:"|E0|"; offset: 5; depth: 1; classtype: misc-activity; sid: 2001329; rev:5; )
alert tcp $HOME_NET 3389 -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE RDP connection confirm"; flow: from_server,established; content:"|03|"; offset: 0; depth: 1; content:"|D0|"; offset: 5; depth: 1; classtype: misc-activity; sid: 2001330; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg: "BLEEDING-EDGE RDP disconnect request"; flow: to_server,established; content:"|03|"; offset: 0; depth: 1; content:"|80|"; offset: 5; depth: 1; classtype: misc-activity; sid: 2001331; rev:5; )
#By Chich Thierry
# Skype version-check / install-report URIs (normalized URI buffer, case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Policy Skype VOIP Checking Version (Startup)"; flow: to_server,established; uricontent:"/ui/"; nocase; uricontent:"/getlatestversion?ver="; nocase; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; classtype: policy-violation; sid: 2001595; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Policy Skype VOIP Reporting Install"; flow: to_server,established; uricontent:"/ui/"; nocase; uricontent:"/installed"; nocase; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; classtype: policy-violation; sid: 2001596; rev:6; )
#By Robert Grabowsky
# NOTE(review): the class [^(\n|\r)] is a character class, not a group -- it excludes
# '(', ')' and '|' as well as CR/LF, so a User-Agent containing parentheses before
# "Skype" will not match; [^\r\n]+ is what was meant. The rule also has no content
# prefilter, so the pcre runs on every outbound HTTP request; adding
# content:"Skype"; nocase; ahead of it would let the fast-pattern matcher gate it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY Skype User-Agent detected"; flow:to_server,established; pcre:"/User-Agent\:[^(\n|\r)]+Skype/i"; classtype: policy-violation; sid:2002157; rev:1;)
#By Chris Norton
# Heuristic only: keys on a fixed 52-byte ACK/PSH payload, which depends on the SSH
# implementation and cipher in use. Disabled; validate against your own servers
# before enabling.
#alert tcp any any -> $HOME_NET 22 (msg: "BLEEDING-EDGE Policy SSH Successful user connection"; dsize: 52; flags: AP; threshold: type both, track by_src, count 3, seconds 60; classtype: successful-user; sid: 2001637; rev:3; )
#Submitted by Patrick Harper. pcre by Matt Jonkman
#This rule is disabled by default. It should generally be run on the outside of your network, not internally. Enable it where useful.
# SSN-in-clear-text (disabled). The area-number alternation limits the first group
# to 000-699, 700-729, 750-769, 730-733 and 770-772; the leading/trailing space
# requires the number to stand alone. sid 2001328 is the dashed form, sid 2001384 the
# space-separated form. Both still accept area 000/666 and group 00 / serial 0000,
# which are never issued, so a tighter class would cut some false positives. Because
# they are any/any with no content anchor, expect real cost on high-volume links.
#alert tcp any any -> any any (msg: "BLEEDING-EDGE SSN Detected in Clear Text"; flow: established; pcre:"/ ([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])-\d{2}-\d{4} /"; classtype: policy-violation; sid: 2001328; rev:8; )
#alert tcp any any -> any any (msg: "BLEEDING-EDGE SSN Detected in Clear Text"; flow: established; pcre:"/ ([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2]) \d{2} \d{4} /"; classtype: policy-violation; sid: 2001384; rev:8; )
#by Mark Tombaugh, updated by Robert Grabowsky
# "TOR" (54 4f 52) followed by "client <identity>" 10-20 bytes later. This targets the
# TOR 1.0 circuit handshake; later Tor releases run inside TLS and will not match.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE POLICY TOR 1.0 Client Circuit Traffic"; flow:established,to_server;content:"|54 4f 52|"; content:"|63 6c 69 65 6e 74 20 3C 69 64 65 6E 74 69 74 79 3E|"; distance:10; within:20; threshold:type both, track by_src, count 1, seconds 60; classtype:policy-violation; reference:url,tor.eff.org; sid:2001728; rev:3;)
#Submitted by Erik Vincent
# Disabled: "Proxy-Connection" is sent by ordinary browsers configured for a proxy,
# so this is only meaningful where no proxy is expected on the path.
#alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg: "BLEEDING-EDGE Policy Proxy Connection detected"; flow: established; content:"Proxy-Connection"; classtype: attempted-user; sid: 2001449; rev:2; )
#
#You MUST add the SMTP_SERVERS var to your snort.conf!!!!
# Outbound SYNs to port 25 from hosts that are not your mail servers, 10 per source in
# 120 s: a classic infected-host / spambot indicator. flags:S,12 is SYN-only with the
# two reserved (ECN) bits masked so ECN-capable SYNs still match. Keep $SMTP_SERVERS
# accurate or every legitimate relay will trip this.
alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg: "BLEEDING-EDGE POLICY Outbound Multiple Non-SMTP Server Emails"; flags: S,12; threshold: type threshold, track by_src,count 10, seconds 120; classtype: misc-activity; sid: 2000328; rev:7;)
# Inbound counterpart: 10 SYNs to port 25 from one external source in 60 s.
alert tcp !$HOME_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE POLICY Inbound Frequent Emails -- Possible Spambot Inbound"; flags: S,12; threshold: type threshold, track by_src,count 10, seconds 60; classtype: misc-activity; sid: 2002087; rev:4;)
#by Jacob Kitchel of infotex
#These are of particular use in detecting recon for phishing, etc.
# Command-line HTTP client User-Agents. The "* User Agent" rules (disabled) alert on
# every request and carry no classtype; the "Crawl" variants alert only after 10 hits
# from one source in 60 s and are classed attempted-recon. content: is the fast-pattern
# prefilter, the pcre confines the match to the User-Agent header line. Remember a
# User-Agent is client-supplied and trivially spoofed -- treat as a hint, not proof.
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Wget User Agent"; flow:established,to_server; content:"Wget"; nocase; pcre:"/User-Agent\:[^\n]+Wget/i"; reference:url,www.gnu.org/software/wget; sid:2002822; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY POSSIBLE Web Crawl using Wget"; flow:established,to_server; content:"Wget"; nocase; pcre:"/User-Agent\:[^\n]+Wget/i"; threshold: type both, track by_src, count 10, seconds 60; classtype: attempted-recon; reference:url,www.gnu.org/software/wget/; sid:2002823; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY CURL User Agent"; flow:established,to_server; content:"curl"; nocase; pcre:"/User-Agent\:[^\n]+curl/i"; reference:url,curl.haxx.se; sid:2002824; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY POSSIBLE Web Crawl using Curl"; flow:established,to_server; content:"curl"; nocase; pcre:"/User-Agent\:[^\n]+curl/i"; threshold: type both, track by_src, count 10, seconds 60; classtype:attempted-recon; reference:url,curl.haxx.se; sid:2002825; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY fetch User Agent"; flow:established,to_server; content:"fetch"; nocase; pcre:"/User-Agent\:[^\n]+fetch/i"; reference:url,gobsd.com/code/freebsd/lib/libfetch; sid:2002826; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY POSSIBLE Crawl using Fetch"; flow:established,to_server; content:"fetch"; nocase; pcre:"/User-Agent\:[^\n]+fetch/i"; threshold: type both, track by_src, count 10, seconds 60; classtype: attempted-recon; reference:url,gobsd.com/code/freebsd/lib/libfetch; sid:2002827; rev:1;)
#These aren't security issues necessarily, but you may be interested in seeing how often these crawlers hit you
# A claimed search-engine User-Agent is not evidence of the search engine: scrapers
# impersonate these strings. Verify the source address out of band before trusting it.
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY googlebot User Agent"; flow:established,to_server; content:"googlebot"; nocase; pcre:"/User-Agent\:[^\n]+googlebot/i"; reference:url,www.google.com/webmasters/bot.html; sid:2002828; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Googlebot Crawl"; flow:established,to_server; content:"googlebot"; nocase; pcre:"/User-Agent\:[^\n]+googlebot/i"; threshold: type both, track by_src, count 10, seconds 60; classtype: attempted-recon; reference:url,www.google.com/webmasters/bot.html; sid:2002829; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY msnbot User Agent"; flow:established,to_server; content:"msnbot"; nocase; pcre:"/User-Agent\:[^\n]+msnbot/i"; reference:url,search.msn.com/msnbot.htm; sid:2002830; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Msnbot Crawl"; flow:established,to_server; content:"msnbot"; nocase; pcre:"/User-Agent\:[^\n]+msnbot/i"; threshold: type both, track by_src, count 10, seconds 60; classtype: attempted-recon; reference:url,search.msn.com/msnbot.htm; sid:2002831; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Yahoo Crawler User Agent"; flow:established,to_server; content:"Yahoo-MMCrawler"; nocase; pcre:"/User-Agent\:[^\n]+Yahoo-MMCrawler/i"; reference:url,mms-mmcrawler-support@yahoo-inc.com; sid:2002832; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE POLICY Yahoo Crawler Crawl"; flow:established,to_server; content:"Yahoo-MMCrawler"; nocase; pcre:"/User-Agent\:[^\n]+Yahoo-MMCrawler/i"; threshold: type both, track by_src, count 10, seconds 60; classtype: attempted-recon; reference:url,mms-mmcrawler-support@yahoo-inc.com; sid:2002833; rev:1;)
# Submitted by Jason Alvarado
# MyWebEx remote-access service, keyed on hard-coded provider netblocks. IP-based
# rules go stale when the provider renumbers; re-verify the ranges periodically.
# sid 2001712: small (<50 byte) TLS application-data records (first byte 0x17) to the
# provider on 443, limited to one alert per source per 360 s.
alert tcp $HOME_NET any -> [208.8.81.0/24,64.68.96.0/19] 443 (msg: "BLEEDING-EDGE MyWebEx Server Traffic"; flow: to_server,established; dsize: <50; content:"|17|"; offset: 0; depth: 1; threshold: type limit,track by_src, count 1, seconds 360; reference:url,www.mywebexpc.com/how.php; classtype: policy-violation; sid: 2001712; rev:3; )
alert tcp $HOME_NET any -> [208.8.81.0/24,64.68.96.0/19] $HTTP_PORTS (msg: "BLEEDING-EDGE MyWebEx Installation"; flow: to_server,established; content:"/pc/r.php?AT=RS"; nocase; threshold: type limit, track by_src, count 1, seconds 30; reference:url,www.mywebexpc.com/how.php; classtype: policy-violation; sid: 2001713; rev:3; )
# sid 2001714: TLS handshake record (16 03) whose certificate names "Comodo" and
# "accessanywhere.com" at fixed offsets -- a certificate reissue will shift these.
alert tcp [208.8.81.0/24,64.68.96.0/19] 443 -> $HOME_NET any (msg: "BLEEDING-EDGE MyWebEx Incoming Connection"; flow: to_client,established; content:"|16 03|"; offset: 0; depth: 2; content:"Comodo"; nocase; depth: 240; content:"accessanywhere.com"; nocase; offset: 592; depth: 48; reference:url,www.mywebexpc.com/how.php; classtype: policy-violation; sid: 2001714; rev:3; )
#Originally posted by Matt Jonkman, major tweaks by Matt Watchinski.
#Less useful rules are disabled, feel free to enable if you require the information. They are functional and accurate
# Yahoo Mail webmail activity (disabled). NOTE(review): sid 2000043 and 2000044 have
# identical detection (uricontent:"/ym/Compose"), so "Compose Open" and "Message Send"
# cannot be told apart; the Send rule presumably needs an extra POST/body match.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Yahoo Mail Inbox View"; flow: to_server,established; uricontent:"/ym/ShowFolder"; nocase; content:"rb=Inbox"; nocase; classtype: policy-violation; sid: 2000041; rev:9; )
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Yahoo Mail Message View"; flow: to_server,established; uricontent:"/ym/ShowLetter"; nocase; content:"MsgId"; nocase; classtype: policy-violation; sid: 2000042; rev:8; )
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Yahoo Mail Message Compose Open"; flow: to_server,established; uricontent:"/ym/Compose"; nocase; classtype: policy-violation; sid: 2000043; rev:8; )
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Yahoo Mail Message Send"; flow: to_server,established; uricontent:"/ym/Compose"; nocase; classtype: policy-violation; sid: 2000044; rev:7; )
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Yahoo Mail Message Send Info Capture"; flow: to_server,established; content:"crumb="; nocase; content:"Subject="; nocase; classtype: policy-violation; sid: 2000045; rev:8; )
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Yahoo Mail General Page View"; flow: to_server,established; uricontent:"/ym/login"; nocase; content:".rand="; nocase; classtype: policy-violation; sid: 2000341; rev:6; )
#Submitted by Jonathan Miner
# Data-exfil-style visibility: file upload to Yahoo Briefcase.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Yahoo Briefcase Upload"; flow: to_server,established; content:"briefcase.yahoo.com"; uricontent:"/process_bcmultipart_form"; nocase; classtype: policy-violation; sid: 2001044; rev:3; )
#Submitted by Matt Jonkman
# Gmail (2006-era HTTP interface): inbox listing, attachment upload (multipart
# "file0" part) and message send (multipart "to" + "msgbody" parts). These match the
# raw request body, so they only work while the webmail session is in the clear.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY Gmail Inbox Access"; flow: to_server,established; uricontent:"/gmail?view=tl&search=inbox&start="; nocase; classtype: policy-violation; sid: 2001424; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY Gmail File Send"; flow: to_server,established; content:"Content-Disposition\: form-data\; name=\"msgbody\""; nocase; content:"name=\"form-data\; file0\"\; filename=\""; nocase; classtype: policy-violation; sid: 2001425; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY Gmail Message Send"; flow: to_server,established; content:"Content-Disposition\: form-data\; name=\"to\""; nocase; content:"Content-Disposition\: form-data\; name=\"msgbody\""; nocase; classtype: policy-violation; sid: 2001426; rev:4; )
#By Robert Grabowsky
# NOTE(review): gated on flowbits:isset,http.UserAgent, which nothing in this section
# sets; it must be set by a rule elsewhere in the ruleset or this never fires.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE POLICY WebshotsNetClient"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+WebshotsNetClient/i"; reference:url,www.webshots.com; classtype:policy-violation; sid:2002407; rev:1;)
#by Mark Tombaugh
# NOTE(review): this line is damaged in this copy -- the X-Box Live rule's content:
# value and everything up to the "ZIPPED DOC" rule's address block were lost (most
# likely stripped as an HTML tag during extraction), so the two rules are fused into
# one unparseable line. Restore both from the upstream ruleset before loading.
alert udp $HOME_NET any -> $EXTERNAL_NET 88 (msg:"BLEEDING-EDGE POLICY X-Box Live Connecting"; content:" any any (msg: "BLEEDING-EDGE ZIPPED DOC in transit"; flow: established; content:"|50 4B 03 04|"; content:"|00|"; content:".doc"; nocase; classtype: not-suspicious; sid: 2001402; rev:3; )
# ZIP-in-transit (disabled): PK local-file-header magic plus an unanchored NUL and an
# extension string anywhere in the packet. Low specificity -- the NUL and ".xls" etc.
# need not belong to the same archive entry. Intended for visibility only.
#alert tcp any any -> any any (msg: "BLEEDING-EDGE ZIPPED XLS in transit"; flow: established; content:"|50 4B 03 04|"; content:"|00|"; content:".xls"; nocase; classtype: not-suspicious; sid: 2001403; rev:3; )
#alert tcp any any -> any any (msg: "BLEEDING-EDGE ZIPPED EXE in transit"; flow: established; content:"|50 4B 03 04|"; content:"|00|"; content:".exe"; nocase; classtype: not-suspicious; sid: 2001404; rev:3; )
#alert tcp any any -> any any (msg: "BLEEDING-EDGE ZIPPED PPT in transit"; flow: established; content:"|50 4B 03 04|"; content:"|00|"; content:".ppt"; nocase; classtype: not-suspicious; sid: 2001405; rev:3; )
#From David Glosser
# Padded-extension trick inside a ZIP: the hex is "  .cpl" / "  .pif" / "  .scr"
# immediately followed by "PK" (the next entry header), i.e. an archive member whose
# name ends in spaces then an executable extension, hiding it behind a benign-looking
# name. The "tagged" flowbit plus tag:host,1,packets,src captures one packet from the
# source and stops the three rules from re-tagging the same flow.
alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg: "BLEEDING-EDGE Possible hidden zip extension .cpl"; flowbits: isnotset,tagged; content:"|20 20 2E 63 70 6C 50 4B|"; nocase; tag: host,1,packets,src; flowbits:set,tagged; classtype: suspicious-filename-detect; sid: 2001406; rev:5; )
alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg: "BLEEDING-EDGE Possible hidden zip extension .pif"; flowbits:isnotset,tagged; content:"|20 20 2E 70 69 66 50 4B|"; nocase; tag: host,1,packets,src; flowbits:set,tagged; classtype: suspicious-filename-detect; sid: 2001407; rev:5; )
alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg: "BLEEDING-EDGE Possible hidden zip extension .scr"; flowbits:isnotset,tagged; content:"|20 20 2E 73 63 72 50 4B|"; nocase; tag: host,1,packets,src; flowbits:set,tagged; classtype: suspicious-filename-detect; sid: 2001408; rev:5; )
#Submitted by Marcamone
# Ares P2P: User-Agent header, a GET for an /ares/ path, and the "PUSH SHA1:"
# (50 55 53 48 20 53 48 41 31 3a) upload handshake on any non-5190 port.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE P2P Ares traffic"; flow: established; content:"User-Agent\: Ares"; reference:url,www.aresgalaxy.org; classtype: policy-violation; sid: 2001059; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE P2P Ares GET"; flow: established; content:"ares"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/ares\//i"; reference:url,www.aresgalaxy.org; classtype: policy-violation; sid: 2001060; rev:6; )
#By Bob Grabowsky
alert tcp $HOME_NET any -> $EXTERNAL_NET !5190 (msg: "BLEEDING-EDGE P2P Ares File Upload"; flow: established; content:"|50 55 53 48 20 53 48 41 31 3a|"; reference:url,www.aresgalaxy.org; classtype: policy-violation; sid: 2001756; rev:3; )
# By Chich Thierry
# BitTorrent peer-wire messages at offset 0: length 0x0d + id 6 (request) and
# length 0x4009 + id 7 (piece, 16 KiB block); plus the HTTP tracker /announce on 6969.
# The tracker rule is port-bound and will miss trackers on other ports.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE P2P BitTorrent peer sync"; flow: established; content:"|0000000d0600|"; offset: 0; depth: 6; reference:url,bitconjurer.org/BitTorrent/protocol.html; classtype: policy-violation; sid: 2000334; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE P2P BitTorrent Traffic"; flow: established; content:"|0000400907000000|"; offset: 0; depth: 8; reference:url,bitconjurer.org/BitTorrent/protocol.html; classtype: policy-violation; sid: 2000357; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 6969 (msg: "BLEEDING-EDGE P2P BitTorrent Announce"; flow: to_server,established; content:"/announce"; reference:url,bitconjurer.org/BitTorrent/protocol.html; classtype: policy-violation; sid: 2000369; rev:4; )
#by markmc
# Direct Connect: "$MyINFO" command at the start of a client->hub message.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE P2P Direct Connect Traffic (client-server)"; flow:from_client,established; content:"$MyINFO"; offset:0; depth:7; classtype:policy-violation; reference:url,en.wikipedia.org/wiki/Direct_connect_file-sharing_application; sid:2002814; rev:1;)
# By Chich Thierry
# eDonkey2000 TCP: protocol byte 0xE3 at offset 0; the 4 bytes at offset 2 cover the
# high bytes of the little-endian length plus the opcode at byte 5
# (01 login, 16 search, 47 request-parts, 59 file-request-answer). Port range 4660-4799
# is the conventional server range; clients on other ports are not covered.
alert tcp any any -> any 4660:4799 (msg: "BLEEDING-EDGE P2P ed2k connection to server"; flow: to_server,established; content:"|e3|"; offset: 0; depth: 1; content:"|00000001|"; offset: 2; depth: 4; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; classtype: policy-violation; sid: 2000330; rev:5; )
alert tcp any any -> any 4660:4799 (msg: "BLEEDING-EDGE P2P ed2k file search"; flow: to_server,established; content:"|e3|"; offset: 0; depth: 1; content:"|00000016|"; offset: 2; depth: 4; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; classtype: policy-violation; sid: 2000331; rev:5; )
alert tcp any any -> any 4660:4799 (msg: "BLEEDING-EDGE P2P ed2k request part"; flow: to_server,established; content:"|e3|"; offset: 0; depth: 1; content:"|00000047|"; offset: 2; depth: 4; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; classtype: policy-violation; sid: 2000332; rev:5; )
alert tcp any any -> any 4660:4799 (msg: "BLEEDING-EDGE P2P ed2k file request answer"; flow: to_server,established; content:"|e3|"; offset: 0; depth: 1; content:"|00000059|"; offset: 2; depth: 4; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; classtype: policy-violation; sid: 2000333; rev:5; )
# Inbound Kazaa UDP probe; one alert per destination host per 600 s. (The msg text
# misspells "Kazaa"; left as-is because the msg string is what downstream tooling keys on.)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE P2P Kaaza Media desktop p2pnetworking.exe Activity"; content:"|e30cb0|"; offset: 0; depth: 6; threshold: type limit, track by_dst, count 1 , seconds 600; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; classtype: policy-violation; sid: 2000340; rev:5; )
#Submitted by Sam Evans
# eDonkey: 0xE3 protocol byte followed by the opcode, checked in the first 2 bytes.
# The UDP rules use rawbytes so a decoding preprocessor cannot alter the buffer.
alert tcp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg: "BLEEDING-EDGE P2P eDonkey File Status"; flow: to_server,established; content:"|e3 14|"; offset: 0; depth: 2; classtype: policy-violation; reference:url,www.edonkey.com; sid: 2001296; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg: "BLEEDING-EDGE P2P eDonkey File Status Request"; flow: to_server,established; content:"|e3 11|"; offset: 0; depth: 2; classtype: policy-violation; reference:url,www.edonkey.com; sid: 2001297; rev:5; )
alert udp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg: "BLEEDING-EDGE P2P eDonkey Server Status Request"; content:"|e3 96|"; offset: 0; depth: 2; rawbytes;classtype: policy-violation; reference:url,www.edonkey.com; sid: 2001298; rev:3; )
alert udp $HOME_NET 4660:4799 -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE P2P eDonkey Server Status"; content:"|e3 97|"; offset: 0; depth: 2; rawbytes;classtype: policy-violation; reference:url,www.edonkey.com; sid: 2001299; rev:3; )
alert udp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg: "BLEEDING-EDGE P2P eDonkey Search"; content:"|e3 0e|"; offset: 0; depth: 2; rawbytes;classtype: policy-violation; reference:url,www.edonkey.com; sid: 2001305; rev:3; )
# Disabled: 0xE3 then a 0x01 anywhere in the first 7 bytes is too loose to be useful.
#alert tcp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg: "BLEEDING-EDGE P2P eDonkey Hello Request"; flow: to_server,established; content:"|e3|"; content:"|01|"; offset: 0; depth: 7; classtype: policy-violation; reference:url,www.edonkey.com; sid: 2001300; rev:4; )
# Submitted by Pedro Quintanilha on 2005-11-07
# Matches the FolderShare name inside the server's X.509 certificate at a fixed offset
# (392) in the TLS handshake; any certificate reissue or chain change breaks this.
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"BLEEDING-EDGE P2P MS Foldershare Login Detected"; flow:established,to_client; content:"|0b|FolderShare|30 81 9f 30|"; nocase; offset: 392; depth: 18; reference:url,www.foldershare.com; classtype:policy-violation; sid:2002673; rev:2;)
#From Cooljay
# Gnutella handshake at the start of the stream.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE P2P Gnutella Connect"; flow: established,to_server; content:"GNUTELLA CONNECT/"; nocase; offset: 0; depth: 17; classtype: policy-violation; reference:url,www.gnutella.com; sid: 2001664; rev:3; )
#by Jeff Kell
# Looking for Gnucleus/GnucDNA UDP Ultrapeer handshakes
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE P2P GnucDNA UDP Ultrapeer Traffic"; content:"SCP@|83|DNA@"; threshold: type both,track by_src,count 10,seconds 600; classtype: policy-violation; sid:2002760; rev:1;)
# Looking for Gnucleus/GnucDNA running Ultrapeer
# An internal host advertising X-Ultrapeer: True is acting as a hub for outside peers,
# which is worth more attention than a plain leaf client.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE P2P Gnutella TCP Ultrapeer Traffic"; flow: established,to_server; content:"GNUTELLA"; offset:0; depth:8; content:"X-Ultrapeer\: True"; nocase; threshold: type both,track by_src,count 5,seconds 3600; classtype: policy-violation; sid:2002761; rev:1;)
#Thanks to Kevin Kolk
# iroffer XDCC bot strings ("To request a file type: "/msg" and "Total Offered:")
# coming from an IRC server. Port 6667 is hard-coded, so bots on other IRC ports are
# missed; classed trojan-activity because iroffer bots are typically planted on
# compromised hosts.
alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any (msg: "BLEEDING-EDGE P2P iroffer IRC Bot help message"; flow: from_server,established; content:"|54 6F 20 72 65 71 75 65 73 74 20 61 20 66 69 6C 65 20 74 79 70 65 3A 20 22 2F 6D 73 67|"; depth: 500; classtype: trojan-activity; reference:url,iroffer.org; sid: 2000338; rev:3; )
alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any (msg: "BLEEDING-EDGE P2P iroffer IRC Bot offered files advertisement"; flow: from_server,established; content:"|54 6F 74 61 6C 20 4F 66 66 65 72 65 64 3A|"; depth: 500; classtype: trojan-activity; reference:url,iroffer.org; sid: 2000339; rev:3; )
#By Bob Grabowsky
# Kazaa: "KaZaA" in high-port UDP (10 per source per minute) and the KazaaClient
# User-Agent in inbound TCP.
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg: "BLEEDING-EDGE P2P kazaa over UDP"; content:"KaZaA"; nocase; threshold: type threshold, track by_src,count 10, seconds 60; classtype: policy-violation; reference:url,www.kazaa.com/us/index.htm; sid: 2001796; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE KazaaClient P2P Traffic"; flow: established; content:"Agent\: KazaaClient"; nocase; classtype: policy-violation; reference:url,www.kazaa.com/us/index.htm; sid: 2001812; rev:3; )
#By Bob Grabowsky
# LimeWire: User-Agent, the "IP@.SCPA" UDP marker, and -- weakest -- sid 2001841,
# which has no content at all and alerts purely on 40 UDP packets between the
# 6345-6349 port ranges in 300 s. Expect false positives from anything else on those ports.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE P2P LimeWire P2P Traffic"; flow: established; content:"User-Agent\: LimeWire"; nocase; classtype: policy-violation; reference:url,www.limewire.com; sid: 2001808; rev:3; )
alert udp $HOME_NET 6346 -> $EXTERNAL_NET 6346:6700 (msg: "BLEEDING-EDGE P2P Limewire P2P UDP Traffic"; content:"|49 50 40 83 53 43 50 41|"; threshold: type threshold, track by_src,count 10, seconds 60; classtype: policy-violation; reference:url,www.limewire.com; sid: 2001809; rev:3; )
alert udp $HOME_NET 6345:6349 -> $EXTERNAL_NET 6345:6349 (msg: "BLEEDING-EDGE P2P UDP traffic -- Likely Limewire"; threshold: type threshold,track by_src,count 40, seconds 300; classtype: policy-violation; reference:url,www.limewire.com; sid: 2001841; rev:4; )
#Submitted by Matt Jonkman
# Morpheus installer / config / GWebCache fetches over HTTP.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE P2P Morpheus Install"; flow: to_server,established; uricontent:"/morpheus/morpheus.exe"; nocase; reference:url,www.morpheus.com; classtype: policy-violation; sid: 2001035; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE P2P Morpheus Install ini Download"; flow: to_server,established; uricontent:"/morpheus/morpheus_sm.ini"; nocase; reference:url,www.morpheus.com; classtype: policy-violation; sid: 2001036; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE P2P Morpheus Update Request"; flow: to_server,established; uricontent:"/gwebcache/gcache.asg?hostfile="; nocase; reference:url,www.morpheus.com; classtype: policy-violation; sid: 2001037; rev:5; )
# By Chich Thierry
# Overnet announce: "...loc" at offset 36 followed one byte later by "bcp://".
alert udp any any -> any any (msg: "BLEEDING-EDGE P2P Overnet Server Announce"; content:"|00000203006c6f63|"; offset: 36; content:"|006263703a2f2f|"; distance: 1; classtype: policy-violation; reference:url,www.overnet.com; sid: 2000335; rev:4; )
# Phatbot WASTE-based C2 (disabled): "Wonk-" then NUL "#waste" NUL within 15 bytes.
# alert tcp any any -> any any (msg: "BLEEDING-EDGE P2P Phatbot Control Connection"; flow: established; content:"Wonk-"; content:"|00|#waste|00|"; within: 15; reference:url,www.lurhq.com/phatbot.html; classtype: trojan-activity; sid: 2000015; rev:4; )
#Submitted by marcamone
# Soulseek: sids 2001185/2001186 are pure IP+port matches on the central server block
# (no content), so they go stale if the service moves. sid 2001188 matches the bare
# string "slsknet" in any HTTP response, which any web page mentioning the service
# will trip -- a weak indicator.
alert tcp $HOME_NET any -> 38.115.131.0/24 2234 (msg: "BLEEDING-EDGE P2P Soulseek traffic (1)"; flow: established; classtype: policy-violation; reference:url,www.slsknet.org; sid: 2001185; rev:6; )
alert tcp $HOME_NET any -> 38.115.131.0/24 5534 (msg: "BLEEDING-EDGE P2P Soulseek traffic (2)"; flow: established; classtype: policy-violation; reference:url,www.slsknet.org; sid: 2001186; rev:6; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE P2P Soulseek"; flow: established; content:"slsknet"; classtype: policy-violation; reference:url,www.slsknet.org; sid: 2001188; rev:5; )
#Submitted by Matt Jonkman
alert tcp $EXTERNAL_NET 2234 -> $HOME_NET any (msg: "BLEEDING-EDGE P2P Soulseek Filesearch Results"; flow: from_server,established; content:"|09 00 00 00 78|"; classtype: policy-violation; reference:url,www.slsknet.org; sid: 2001187; rev:4; )
#by David Maciejak
# WebAPP apage.cgi: f= parameter carrying a Perl pipe-open style ".|...|" sequence.
# The pcre has no U flag, so it runs over the raw payload rather than the normalized URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "BLEEDING-EDGE WEB WebAPP Apage.CGI Remote Command Execution Attempt"; flow: to_server,established; uricontent:"/apage.cgi?f="; nocase; pcre:"/(\.\|.+\|)/"; reference:bugtraq,13637; classtype: web-application-attack; sid: 2001945; rev:4; )
#From Adam Hogan
# Absolute-URI requests ("GET http://...") and CONNECT sent to your own web servers.
# A server that is not a proxy should never see these; they usually indicate an
# open-proxy probe or a host being abused as a relay. Fires for any source, including
# internal, so whitelist your real proxies if they sit in front of $HTTP_SERVERS.
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: "BLEEDING-EDGE Web Proxy GET Request"; flow: to_server,established; content:"GET http\://"; nocase; depth: 11; classtype: bad-unknown; sid: 2001669; rev:2; )
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: "BLEEDING-EDGE Web Proxy HEAD Request"; flow: to_server,established; content:"HEAD http\://"; nocase; depth: 12; classtype: bad-unknown; sid: 2001670; rev:3; )
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: "BLEEDING-EDGE Proxy POST Request"; flow: to_server,established; content:"POST http\://"; nocase; depth: 12; classtype: bad-unknown; sid: 2001674; rev:2; )
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: "BLEEDING-EDGE Proxy CONNECT Request"; flow: to_server,established; content:"CONNECT "; nocase; depth: 8; classtype: bad-unknown; sid: 2001675; rev:2; )
#By David Maciejak
# NOTE(review): uricontent matches the normalized URI buffer, where http_inspect has
# already decoded "%20" to a space, so the literal "%20" here most likely never
# matches; a decoded space (or a content: match on the raw request) is what is needed.
# Confirm against your http_inspect settings before relying on this rule.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "BLEEDING-EDGE WEB Athena Web Registration Remote Command Execution Attempt"; flow: to_server,established; uricontent:"/athenareg.php?pass=%20\;"; nocase; reference:cve,CAN-2004-1782; reference:bugtraq,9349; classtype: web-application-attack; sid: 2001949; rev:4; )
# Submitted 2005-09-04 by David Maciejak
# Barracuda img.pl: f= parameter ending in a pipe (command execution) or starting
# with ".." (traversal); both pcres use U so they see the normalized URI.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE WEB Barracuda Spam Firewall img.pl Remote Command Execution Attempt"; flow: to_server,established; uricontent:"/cgi-bin/img.pl?"; nocase; pcre:"/(f=.+\|)/Ui"; reference:bugtraq,14712; classtype: web-application-attack; sid:2002362; rev:1;)
# Submitted 2005-11-22 by David Maciejak (with thanks to Nicob for pointing it out)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE WEB Barracuda Spam Firewall img.pl Remote Directory Traversal Attempt"; flow: to_server,established; uricontent:"/cgi-bin/img.pl?"; nocase; pcre:"/(f=\.\..+)/Ui"; reference:bugtraq,14710; classtype: web-application-attack; sid:2002685; rev:1;)
#by Jamie Thinglestad
# Comment/blog spam tool signature: a CRLF followed by an "x-aaaaaaaaa" header.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB Blog Spam Insert Attempt"; flow:to_server,established; content:"|0D 0A|x-aaaaaaaaa"; nocase; classtype:web-application-attack; reference:url,spamhuntress.com/2005/05/14/new-block-for-bulgarians/; reference:url,lists.geeklog.net/pipermail/geeklog-spam/2005-June/000020.html; reference:url,www.webmasterworld.com/forum92/3683.htm; sid:2002069; rev:4;)
# Submitted by Mark Tombaugh, 2005/07/18
# Cacti remote-include: config_settings.php / top_graph_header.php with a parameter
# set to an http(s):// URL. NOTE(review): this is an attack attempt but is classed
# web-application-activity rather than web-application-attack, so it gets a lower
# default priority than its siblings.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE Cacti Input Validation Attack"; flow:established,to_server; content:"GET"; depth:3; nocase; pcre:"/(config_settings|top_graph_header)\.php\?.*=(http|https)\:\//Ui"; classtype:web-application-activity; reference:url,www.cacti.net; reference:url,www.idefense.com/application/poi/display?id=265&type=vulnerabilities; reference:url,www.idefense.com/application/poi/display?id=266&type=vulnerabilities; sid:2002129; rev:4;)
#by David Maciejak
# graph_image.php graph_start with embedded encoded newlines; the pcre has no U flag
# so it matches the raw "%0a" text and would miss a client that sends a literal LF.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "BLEEDING-EDGE WEB Cacti graph_image.php Remote Command Execution Attempt"; flow:to_server,established; uricontent:"/graph_image.php?"; nocase; pcre:"/(graph_start=%0a.+%0a)/i"; reference:cve,CAN-2005-1524; reference:bugtraq,14129; reference:bugtraq,14042; classtype: web-application-attack; sid:2002313; rev:4;)
# Submitted 2005-12-06 by Bob Grabowsky
# includer.cgi with a pipe (|7c|) as the first query character.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "BLEEDING-EDGE WEB includer.cgi Remote Command Execution Attempt"; flow: to_server,established; uricontent:"/includer.cgi?|7c|"; nocase; classtype: web-application-attack; reference:url,isc.sans.org/diary.php?storyid=823; sid:2002711; rev:3; )
#by Blake Hartstein
# Cisco IOS HTTP server: /configure/ ... /enable/ in the URI; the only "attack" rule
# here aimed at network gear rather than a web app, so consider pointing it at your
# management subnet rather than all of $HOME_NET.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE WEB Cisco IOS HTTP set enable password attack"; flow:established,to_server; uricontent:"/configure/"; uricontent:"/enable/"; classtype:web-application-attack; reference:cve,2005-3921; reference:bugtraq,15602; reference:url,www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/cisco/index.html; sid:2002721; rev:1; )
#By David Maciejak
# Pipe-wrapped file= parameter (Perl open() injection). "/login.cgi?" is a generic
# path, so the pcre is doing the real work here.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "BLEEDING-EDGE WEB Community Link Pro Login.CGI Remote Command Execution Attempt"; flow:to_server,established; uricontent:"/login.cgi?"; nocase; pcre:"/(file=\|.+\|)/"; reference:bugtraq,14097; classtype: web-application-attack; sid:2002067; rev:3;)
#By David Maciejak
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "BLEEDING-EDGE WEB CSV-DB CSV_DB.CG I Remote Command Execution Attempt"; flow:to_server,established; uricontent:"/cgi-bin/csv_db.cgi?"; nocase; pcre:"/(file=\|.+\|)/"; reference:bugtraq,14059; classtype:web-application-attack; sid:2002066; rev:3;)
# By David Maciejak, 2005-11-03
# NOTE(review): in the pcre "\.php?" makes the trailing 'p' optional instead of matching
# a literal '?', and "[./]+" also accepts a plain "/" -- the intended pattern is closer
# to "\.php\?.*template=.*\.\./". It still fires on real traversal attempts because of
# the ".*", just less precisely. Also classed misc-activity although it is a
# web-application-attack like the rules around it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "BLEEDING-EDGE WEB CutePHP CuteNews directory traversal vulnerability"; flow:to_server,established; content:"GET"; depth:3; nocase; pcre:"/show_(news|archives)\.php?.*template=[./]+/Ui"; reference:bugtraq,15295; classtype: misc-activity; sid: 2002668; rev:3; )
# Submitted by David Maciejak on 2005-11-15
# Cyphor show.php: id=<number> followed by whitespace and UNION in the normalized URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB Cyphor show.php SQL injection attempt"; flow:to_server,established; uricontent:"/show.php?"; nocase; pcre:"/id=-?\d+\s+UNION\s+/Ui"; reference:bugtraq,15418; classtype: web-application-attack; sid: 2002678; rev:2; )
#by David Maciejak
# Lotus Domino reflected-XSS probes: a double quote breaking out of the BaseTarget /
# src attribute. The second rule is truncated in this copy (its pcre and closing
# options are missing) and will not parse as shown.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE IBM Lotus Domino BaseTarget XSS attempt"; flow:to_server,established; uricontent:"OpenForm"; nocase; pcre:"/BaseTarget=.*?\"/iU"; reference:bugtraq,14845; classtype:web-application-attack; sid:2002376; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE IBM Lotus Domino Src XSS attempt"; flow:to_server,established; uricontent:"OpenFrameSet"; nocase; pcre:"/src=.*\"><\/FRAMESET>.*