#
# $Id: bleeding-drop.rules $
# Bleeding Snort drop rules.
#
# These are generated from the Spamhaus DROP list available at
#
# http://www.spamhaus.org/DROP/
#
#
# SIDs are 2400000+ to avoid conflicts
#
# More information available at www.bleedingsnort.com
#
# Please submit any custom rules or ideas to bleeding@bleedingsnort.com or the snort-sigs mailing list
#
#*************************************************************
#
# Copyright (c) 2006, Bleedingsnort.com
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
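#
# Spamhaus DROP listed netblocks, split into four rules (sid 2400000-2400003).
#
# What each rule does:
#   * Action is "alert": a match is logged, the traffic is not blocked. "DROP" in
#     the message is the name of the Spamhaus list, not the rule action.
#   * Matches TCP only, source in the listed netblocks, destination $HOME_NET,
#     and only once the session is established (flow:established). Other
#     protocols and unanswered connection attempts from these netblocks are not
#     reported by these rules.
#   * threshold limits output to one alert per source address per 3600 seconds,
#     counted separately for each sid.
#   * $HOME_NET must be defined in the sensor configuration.
#
# Operational notes:
#   * The address lists are a fixed snapshot of the Spamhaus DROP list. Listed
#     netblocks are added and removed upstream over time, so a stale copy can
#     alert on space that has since been delisted and miss newer entries;
#     regenerate from the current list before relying on these rules.
#   * NOTE(review): the ten netblocks from 216.211.144.0/20 through
#     66.55.160.0/19 appear in both sid 2400002 and sid 2400003, so one source
#     in those ranges can alert under both sids. This looks like a chunking
#     artifact of the generator; confirm and fix there.
#   * NOTE(review): in sid 2400003, 83.223.240.0/22 is already covered by
#     83.223.224.0/19.
#   * The address list of sid 2400003 originally ended with a trailing comma
#     ("88.206.0.0/21,]"), which leaves an empty list element that the rule
#     parser can reject; the comma has been removed.
#
alert tcp [132.232.0.0/16,134.33.0.0/16,138.105.0.0/16,138.252.0.0/16,143.49.0.0/16,146.100.0.0/16,147.111.0.0/16,148.3.0.0/16,152.147.0.0/16,159.2.0.0/16,160.116.0.0/16,163.125.0.0/16,167.175.0.0/16,167.97.0.0/16,170.67.0.0/16,192.160.44.0/24,192.67.16.0/24,193.110.136.0/24,193.238.120.0/22,195.206.120.0/22,195.214.236.0/22,196.4.167.0/24,198.151.152.0/22,198.186.16.0/20,198.204.0.0/21,199.120.163.0/24,199.166.200.0/22,199.201.151.0/24,199.201.152.0/24,199.245.138.0/24] any -> $HOME_NET any (msg:"BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound"; flow:established; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; sid:2400000; rev:20;)
alert tcp [199.248.213.0/24,199.60.102.0/24,200.108.160.0/20,200.108.176.0/20,200.124.64.0/19,202.14.69.0/24,203.19.101.0/24,203.29.222.0/24,203.31.88.0/23,203.33.120.0/24,203.34.192.0/23,203.34.204.0/24,203.34.205.0/24,203.34.70.0/24,203.34.71.0/24,203.4.141.0/24,203.4.142.0/24,203.55.153.0/24,204.11.72.0/21,204.13.16.0/21,204.13.32.0/21,204.14.0.0/21,204.14.24.0/21,204.52.255.0/24,204.62.213.0/24,204.89.156.0/23,204.89.224.0/24,204.9.240.0/21,205.159.34.0/24,205.172.188.0/22] any -> $HOME_NET any (msg:"BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound"; flow:established; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; sid:2400001; rev:20;)
alert tcp [205.210.137.0/24,205.235.64.0/20,205.236.189.0/24,206.197.134.0/24,206.197.175.0/24,206.197.176.0/24,206.197.177.0/24,206.197.28.0/24,206.197.29.0/24,206.197.99.0/24,206.81.80.0/20,207.115.112.0/20,207.182.128.0/19,207.191.160.0/20,209.165.224.0/20,209.190.8.0/21,209.197.192.0/19,213.135.80.0/23,216.108.224.0/20,216.130.192.0/19,216.211.144.0/20,216.7.128.0/20,217.69.112.0/20,63.246.32.0/20,65.182.128.0/20,65.255.32.0/20,66.102.32.0/20,66.181.160.0/19,66.235.128.0/20,66.55.160.0/19] any -> $HOME_NET any (msg:"BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound"; flow:established; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; sid:2400002; rev:20;)
alert tcp [216.211.144.0/20,216.7.128.0/20,217.69.112.0/20,63.246.32.0/20,65.182.128.0/20,65.255.32.0/20,66.102.32.0/20,66.181.160.0/19,66.235.128.0/20,66.55.160.0/19,66.63.160.0/19,66.64.96.0/20,67.43.48.0/20,69.10.0.0/20,69.36.192.0/20,69.42.96.0/19,69.67.64.0/20,69.8.176.0/20,72.11.128.0/19,72.21.128.0/20,72.21.64.0/20,72.26.192.0/19,72.34.160.0/20,80.71.64.0/19,83.223.224.0/19,83.223.240.0/22,85.249.16.0/20,86.111.128.0/20,88.206.0.0/21] any -> $HOME_NET any (msg:"BLEEDING-EDGE DROP Spamhaus DROP Listed Traffic Inbound"; flow:established; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; sid:2400003; rev:20;)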