#
# $Id: bleeding-malware.rules $
# Bleeding Snort Malware rules. 
#
# SID's are 2000000+ to avoid conflicts
#
# Only basic testing has been done. At this point all we guarantee is that they won't crash a recent snort release. 
#
# More information available at www.bleedingsnort.com
#
# Please submit any custom rules or ideas to bleeding@bleedingsnort.com or the snort-sigs mailing list
#
#*************************************************************
#
#  Copyright (c) 2006, Bleedingsnort.com
#  All rights reserved.
#  
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
#  following conditions are met:
#  
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
#    from this software without specific prior written permission.
#  
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#
#Submitted by Jason Haar
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Update Engine"; flow: to_server,established; content:"GET"; depth: 3; content:"Host|3a|"; within: 300; content:"ping.180solutions.com"; within: 40; reference:url,www.safer-networking.org/index.php?page=threats&detail=212; classtype: trojan-activity; sid: 2000930; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware (tracked event reported)"; flow: to_server,established; uricontent:"/TrackedEvent.aspx?"; nocase; uricontent:"eid="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2001397; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware (action url reported)"; flow: to_server,established; uricontent:"/actionurls/ActionUrl"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2001399; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware Reporting"; flow: to_server,established; uricontent:"/showme.aspx?keyword="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2001400; rev:5; )

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware Keywords Download"; flow: to_server,established; uricontent:"keywords/kyf"; nocase; content:"partner_id="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2002001; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware Install"; flow: to_server,established; uricontent:"/downloads/installers/"; nocase; content:"simpleinternet/180sainstaller.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2002003; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware Defs Download"; flow: to_server,established; uricontent:"/geodefs/gdf"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2002048; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware config Download"; flow: to_server,established; uricontent:"/config.aspx?did="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2002099; rev:2; )

#By M Shirk from Listening Post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 180solutions Spyware versionconfig POST"; flow:to_server,established; uricontent:"/versionconfig.aspx?"; uricontent:"&ver="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2002354; rev:1; )

#Submitted by Joel Esler
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Spyware 2020"; flow: to_server,established; content:"|48 6F 73 74 3A 20 77 77 77 2E 32 30 32 30 73 65 61 72 63 68 2E 63 6F 6D|"; content:"|49 70 41 64 64 72|"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.2020search.html; sid: 2000327; rev:7; )
#
#Submitted by Jason Haar
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 2020search Update Engine"; flow: to_server,established; content:"POST"; depth: 4; content:"srng/reg.php HTTP"; within: 50; content:"|0d0a|Host|3a|"; content:"2020search.com"; within: 40; content:"IpAddr="; nocase; within: 100; reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2004-03-04; classtype: trojan-activity; sid: 2000934; rev:5; )

#Submitted by Chris Norton
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE MALWARE 2nd-thought (W32.Daqa.C) Download"; flow: from_server,established; content:"|67 6f 69 64 72 2e 63 61 62|"; nocase; content:"|48 6f 73 74 3a 20 77 77 77 2e 77 65 62 6e 65 74 69 6e 66 6f 2e 6e 65 74|"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.secondthought.html; sid: 2001447; rev:5; )

#Submitted by cooljay
alert tcp $EXTERNAL_NET 20 -> $HOME_NET any (msg: "BLEEDING-EDGE MALWARE Abox Download"; flow: established,to_server; content:"|5c 00 43 00 61 00 72 00 6d 00 65 00 6e 00 00 00 16 00 00 00 73 00 75 00 63|"; nocase; offset: 160; depth: 26; tag: host,1,packets,src; flowbits: set,tagged; classtype: trojan-activity; sid: 2001440; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Abox Install Report"; flow: to_server,established; uricontent:"&time="; nocase; uricontent:"/new_install?id="; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.adultbox.html; sid: 2001441; rev:9; )

#By Mark Tombaugh
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ABX Toolbar ActiveX Install"; flow: to_server,established; uricontent:"/abx_search_webinstall/abx_search.cab"; nocase; reference:url,isc.sans.org/diary.php?date=2005-03-04; classtype: trojan-activity; sid: 2001761; rev:3; )

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE adservs.com Spyware"; flow: to_server,established; uricontent:"/binaries/relevance.dat"; content:"adservs"; nocase; classtype: policy-violation; sid: 2002740; rev:1; )

#by Matt Jonkman from Listening Post Data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware AdultfriendFinder.com Spyware Iframe Download"; flow:to_server,established; uricontent:"/promo/affiframe.jsp?Pid="; nocase; classtype:trojan-activity; sid:2002353; rev:1;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Advertising.com Agent"; flow: to_server,established; uricontent:"/pops=1/site="; nocase; uricontent:"/bnum="; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; sid: 2001226; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Advertising.com Data Post (villains)"; flow: to_server,established; uricontent:"/Games/villains.aspx"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; sid: 2001228; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Advertising.com Data Post (cakedeal)"; flow: to_server,established; uricontent:"/Games/cakedeal.aspx"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; sid: 2001230; rev:6; )
#From Listening Post data
#Hits on normal ads, not reporting data
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Advertising.com Reporting Data"; flow: to_server,established; pcre:"/\/site=\d+\/mnum=\d+\/bins=\d+\/rich=\d+\/logs=\d+\/betr=/Ui"; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; sid: 2002304; rev:1; )

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE A-d-w-a-r-e.com Activity (popup)"; flow: established,to_server; uricontent:"/cgi-bin/PopupV2?ID={"; nocase; reference:url,www.a-d-w-a-r-e.com; classtype: trojan-activity; sid: 2001730; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE A-d-w-a-r-e.com Activity (cmd)"; flow: established,to_server; uricontent:"/app/VT00/ucmd.php?V="; nocase; reference:url,www.a-d-w-a-r-e.com; classtype: trojan-activity; sid: 2001735; rev:5; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Adwave Agent Access"; flow: to_server,established; uricontent:"/search_404.aspx?aff="; nocase; classtype: policy-violation; reference:url,www.intermute.com/spyware/HuntBar.html; sid: 2001318; rev:5; )

#Submitted by Chris Norton
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Wintools Download/Configure"; flow: to_server,established; uricontent:"/WTools"; nocase; uricontent:".cab"; nocase; classtype: trojan-activity; reference:url,www.intermute.com/spyware/HuntBar.html; sid: 2001450; rev:9; )

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ak-networks.com Access, Likely Spyware"; flow: to_server,established; content:"Host\: app.desktop.ak-networks.com"; nocase; classtype: trojan-activity; sid: 2001528; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Casalemedia Access, Likely Spyware"; flow: to_server,established; content:"Host\:"; nocase; content:".ak-networks.com"; nocase; within: 30; classtype: trojan-activity; sid: 2001529; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ak-networks.com Spyware Code Download"; flow: to_server,established; uricontent:"/SyncAkSoft.da_"; nocase; classtype: trojan-activity; sid: 2001530; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ak-networks.com Spyware Code Install"; flow: to_server,established; uricontent:"/akcore.dl_"; nocase; classtype: trojan-activity; sid: 2001737; rev:4; )

#by Matt Jonkman from listening post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Alexa Spyware Reporting URL"; flow:established,to_server; uricontent:"/image_server.cgi?size=small&url=http\://"; nocase; classtype:trojan-activity; sid:2002349; rev:1;)

#Modified and added to by Matt Jonkman (Original author missing)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Altnet PeerPoints Manager Start"; flow: to_server,established; uricontent:"/pm/start.asp"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; sid: 2000906; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Altnet PeerPoints Manager Data Submission"; flow: to_server,established; uricontent:"/backoffice.net/stats/Add.aspx"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; sid: 2000598; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Altnet PeerPoints Manager Settings Download"; flow: to_server,established; uricontent:"/pointsmanager/settings.cab?"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; sid: 2000907; rev:7; )

#Submitted by Matt Jonkman
# As yet unidentified agent, but here's how it came in
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Amex.Ipsrime.com Unknown Malware Download"; flow: to_server,established; uricontent:"/bpc/"; content:".zip"; reference:url,amex.isprime.com; reference:url,www.isprime.com; classtype: trojan-activity; sid: 2000904; rev:5; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Avres Agent Receiving Instructions"; flow: to_server,established; uricontent:"/ie/updatenew/"; content:"CONFIG"; nocase; reference:url,www.avres.net; reference:url,ar.avres.net/ie/updatenew/; classtype: trojan-activity; sid: 2000903; rev:4; )

#Submitted by Jonathan Miner
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Bargain Buddy"; flow: to_server,established; uricontent:"/download/bargin_buddy"; nocase; reference:url,www.doxdesk.com/parasite/BargainBuddy.html; classtype: trojan-activity; sid: 2000574; rev:7; )

#By John Stewart
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Begin2Search.com Spyware"; flow: to_server,established; content:"/cgi-bin/fav_del.fcgi?id"; nocase; reference:url,sarc.com/avcenter/venc/data/adware.begin2search.html; classtype: policy-violation; sid: 2001885; rev:4;)

#Submitted by Jonathan Miner
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Binet (download complete)"; flow: to_server,established; uricontent:"/download/cabs/"; nocase; uricontent:"download_complete.htm"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; sid: 2000366; rev:10; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Binet (set_pix)"; flow: to_server,established; uricontent:"/download/cabs/set_pix.php"; nocase; content:"abetterinternet.com"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; sid: 2000367; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Binet (randreco.exe)"; flow: to_server,established; uricontent:"/download/cabs/RANDRECO/randreco.exe"; nocase; content:"abetterinternet.com"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; sid: 2000371; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Binet Ad Retrieval"; flow: to_server,established; uricontent:"/bba/flashimages/"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; sid: 2000593; rev:5; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Twaintec Download Attempt"; flow: to_server,established; uricontent:"/downloads/cabs/TWTDLL/twaintec.cab"; nocase; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; classtype: trojan-activity; sid: 2001198; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Twaintec Ad Retrieval"; flow: to_server,established; uricontent:"/twain/servlet/Twain?adcontext="; nocase; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; classtype: trojan-activity; sid: 2001199; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Twaintec Reporting Data"; flow: to_server,established; uricontent:"/downloads/record_download.asp"; nocase; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; classtype: trojan-activity; sid: 2001216; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE BInet Information Upload"; flow: to_server,established; uricontent:"/bi/servlet/ThinstallPre"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; sid: 2001339; rev:5; )
#Data from Allison Macfarland
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE BInet Information Install Report"; flow: to_server,established; uricontent:"/bi/servlet/ThinstallPost"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; sid: 2001576; rev:4; )

#Submitted by Matt Jonkman
# Disabling this rule, it needs work. It's hitting on legit ad referrals
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Bfast.com Spyware"; flow: to_server,established; uricontent:"/bfast/serve?bfmid"; nocase; classtype: policy-violation; sid: 2001398; rev:5; )

#Matt Jonkman from Spyware listening post data
#disabling for now, seems only to be hitting on ad pulls, not a spyware infection
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Bidclix.com Spyware"; flow:to_server,established; pcre:"/\/code\/\d+\/\?cb=\d+/Ui"; classtype: trojan-activity; sid:2002198; rev:1;)

#Submitted by Allison MacFarlan
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Bonziportal Traffic"; flow: to_server,established; uricontent:"/bonziportal/bin/"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59256; classtype: trojan-activity; sid: 2001345; rev:5; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Browseraid.com Agent Reporting Data"; flow: to_server,established; uricontent:"/perl/ads.pl"; nocase; reference:url,www.browseraid.com; classtype: trojan-activity; sid: 2001266; rev:10; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Browseraid.com Agent Updating"; flow: to_server,established; uricontent:"/perl/uptodate.pl"; nocase; content:"uptodate.browseraid.com"; nocase; reference:url,www.browseraid.com; classtype: trojan-activity; sid: 2001304; rev:5; )

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE BTGrab.com Spyware Downloading Ads"; flow: to_server,established; uricontent:"/a/Drk.syn?adcontext="; nocase; reference:url,www.btgrab.com; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090726; classtype: trojan-activity; sid: 2001999; rev:4; )

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Clickspring.net Spyware Reporting"; flow: to_server,established; content:"Host\: www.bullseye-network.com"; nocase; classtype: trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.bargainbuddy.html; sid: 2001501; rev:4; )

#Submitted by Chris Norton
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Bundleware Spyware Download"; flow: to_server,established; uricontent:"/app/InternetFuel/AppWrap.exe"; nocase; classtype: policy-violation; sid: 2001451; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Bundleware Spyware CHM Download"; flow: to_server,established; content:"Referer\: ms-its\:mhtml\:file\://C\:counter.mht!http\://"; nocase; content:"/counter/HELP3.CHM\:\:/help.htm"; nocase; classtype: trojan-activity; sid: 2001452; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Bundleware Spyware cab Download"; flow: to_server,established; uricontent:"/counter/counter_v3.cab"; nocase; classtype: trojan-activity; sid: 2001458; rev:3; )

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE C4tdownload.com Access, Likely Spyware"; flow: to_server,established; content:"Host\:"; nocase; content:".c4tdownload.com"; within:10; nocase; classtype: trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.clickdloader.b.html; sid: 2001531; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE C4tdownload.com Spyware Activity"; flow: to_server,established; uricontent:"/js.php?event_type=onload&recurrence="; nocase; classtype: trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.clickdloader.b.html; sid: 2002088; rev:3;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Spywaremover Activity"; flow: to_server,established; uricontent:"/download/cabs/THNALL1L/thnall1l.exe"; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453087903; sid: 2001521; rev:8; )

#By Matt Jonkman from Spyware listening post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Casalemedia Spyware Reporting URL Visited1"; flow: to_server,established; pcre:"/\/s\?s=[d+]&u=http/Ui"; classtype: trojan-activity; sid:2002195; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Casalemedia Spyware Reporting URL Visited2"; flow: to_server,established; pcre:"/\/sd\?s=[d+]&f=\d/Ui"; classtype: trojan-activity; sid:2002196; rev:1; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Casino on Net Install"; flow: to_server,established; uricontent:"/newdownload/newsetup/"; nocase; content:"casinone"; nocase; reference:url,www.888casino.net; classtype: trojan-activity; sid: 2001041; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Casino on Net Reporting Data"; flow: to_server,established; uricontent:"/logs.asp?MSGID=100"; nocase; reference:url,www.888casino.net; classtype: trojan-activity; sid: 2001031; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Casino on Net Ping Hit"; flow: to_server,established; uricontent:"/Ping/Ping.txt"; nocase; reference:url,www.888casino.net; classtype: trojan-activity; sid: 2001032; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Casino on Net Data Download"; flow: to_server,established; uricontent:"/sdl/casinov"; nocase; reference:url,www.888casino.net; classtype: trojan-activity; sid: 2001033; rev:5; )

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Clickspring.net Spyware Reporting Successful Install"; flow: to_server,established; uricontent:"/notify.php?pid=remupd&module=install&v="; nocase; content:"&result=1&message=Success"; nocase; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082745; sid: 2001494; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Clickspring.net Spyware Reporting"; flow: to_server,established; uricontent:"/notify.php?pid=ctxad&module=NDrvExe&v="; nocase; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082745; sid: 2001500; rev:4; )

#Submitted by Jason Haar, modified
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Comet Systems Spyware Traffic"; flow: to_server,established; uricontent:"/cc/"; content:"Host\: update.cc.cometsystems.com"; classtype: policy-violation; sid: 2000931; rev:5; )

#Submitted by Jonathan Miner
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware CometSystems Spyware"; flow: to_server,established; uricontent:"/comet/request"; nocase; classtype: policy-violation; sid: 2001050; rev:5; )

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Comet Systems Spyware Traffic (context.xml)"; flow: to_server,established; uricontent:"/context/1/up_context_1.xml"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083029; sid: 2001655; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Comet Systems Spyware Reporting"; flow: to_server,established; content:"Host\: log.cc.cometsystems.com"; nocase; classtype: policy-violation; sid: 2001658; rev:3; )
#from Listening Post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Comet Systems Spyware Update Download"; flow: to_server,established; uricontent:"/cc/5/masterconfig/"; nocase; uricontent:"/update.xml?v="; nocase; classtype: policy-violation; sid: 2002351; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Comet Systems Spyware Context Report"; flow: to_server,established; uricontent:"/context/1/up_context_1.xml?v="; nocase; classtype: policy-violation; sid: 2002352; rev:1;)

#Submitted by Chris Norton
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ContextPanel Reporting"; flow: to_server,established; uricontent:"/cplog/?logtype="; nocase; content:"contextpanel.com"; nocase; classtype: policy-violation; sid: 2001456; rev:3; )

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Context Plus Spyware Install"; flow: established,to_server; uricontent:"/AproposClientInstaller.exe"; nocase; classtype: trojan-activity; sid: 2001704; rev:4; )

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Coolsearch Spyware Install"; flow: to_server,established; content:"coolsearch.biz/united.htm"; nocase; classtype: trojan-activity; sid: 2001479; rev:5; )

#from Lance James and Secure Science www.securescience.net -- Thanks Lance!
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Corpsespyware.net Blind Data Upload"; flow:to_server,established; uricontent:"/images/data.php?"; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002774; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Corpsespyware.net BlackListed Malicious Domain - google.vc"; flow:to_server,established; content:"Host\:"; nocase; content:"google.vc"; nocase; within:10; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002765; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Corpsespyware.net BlackList - pcpeek"; flow:to_server,established; content:"Host\:"; nocase; content:"pcpeek-webcam-sex.com"; nocase; within:10; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002766; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Corpsespyware.net Distribution - bos.biz"; flow:to_server,established; content:"Host\:"; nocase; content:"businessopportunityseeker.biz"; nocase; within:10; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002767; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Corpsespyware.net Distribution - fesexy"; flow:to_server,established; content:"Host\:"; nocase; content:"fesexy.net"; nocase; within:10; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002768; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Corpsespyware.net Distribution - studiolacase"; flow:to_server,established; content:"Host\:"; nocase; content:"studiolacase.com"; nocase; within:10; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002769; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Corpsespyware.net - msits.exe access"; flow:to_server,established; uricontent:"/msits.exe"; nocase; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002770; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Corpsespyware.net - msys.exe access"; flow:to_server,established; uricontent:"/msys.exe"; nocase; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002771; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Corpsespyware.net - PG 02 Outbound"; flow:to_server,established; content:"|4D 5A|"; content:"|50 45 00 00 4C 01 02 00 46 53 47 21|"; distance:10; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002772; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE MALWARE Corpsepsyware.net - PG 02 Inbound"; flow:from_server,established; content:"|4D 5A|"; content:"|50 45 00 00 4C 01 02 00 46 53 47 21|"; distance:10; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002773; rev:2;)

#Submitted by Chris Norton
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Couponage Download"; flow: to_server,established; uricontent:".dl_"; nocase; content:"couponage.com"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; sid: 2001453; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Couponage Configure"; flow: to_server,established; content:".da_"; nocase; content:"couponage.com"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; sid: 2001454; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Couponage Reporting"; flow: to_server,established; content:"/?keyword="; nocase; content:"couponage.com"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; sid: 2001455; rev:4; )

#From Vernon Stark
#alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Malware Windows executable sent when remote host claims to send an image"; flow: established; content:"Content-Type\: image"; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode"; classtype: trojan-activity; sid: 2001683; rev:5; )
alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Malware Windows executable sent when remote host claims to send image, Win32"; flow: established; content:"Content-Type\: image"; content:"MZ"; isdataat: 76,relative; content:"This program must be run under Win32"; classtype: trojan-activity; sid: 2001684; rev:5; )
alert tcp any !20 -> $HOME_NET !25 (msg: "BLEEDING-EDGE Malware Possible Windows executable sent when remote host claims to send an image"; flow: established; content:"Content-Type\: image"; content:"MZ"; within: 12; classtype: trojan-activity; sid: 2001685; rev:3; )

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware CrazyWinnings.com Activity"; flow: established,to_server; uricontent:"/scripts/protect.php?promo=promo"; nocase; classtype: trojan-activity; sid: 2001733; rev:3; )

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE CWS qck.cc Spyware Installer (in.php)"; flow:established,to_server; uricontent:"/x/in.php?wm="; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; sid:2002089; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE CWS qck.cc Spyware Installer (web.php)"; flow:established,to_server; uricontent:"/x/tbd_web.php?wm="; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; sid:2002095; rev:3;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Default-homepage-network.com Access"; flow: to_server,established; content:"wsh.RegWrite"; nocase; content:"default-homepage-network.com/start.cgi?"; nocase; reference:url,default-homepage-network.com/start.cgi?new-hkcu; classtype: trojan-activity; sid: 2001222; rev:6; )

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware DelFin Project Spyware (payload)"; flow: established,to_server; uricontent:"/in/payload/payload.nfo?"; nocase; classtype: trojan-activity; sid:2002816; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware DelFin Project Spyware (setup)"; flow: established,to_server; uricontent:"/in/defaults/setup.nfo?"; nocase; classtype: trojan-activity; sid:2002817; rev:1; )

#submitted by John Stewart
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE DesktopTraffic Toolbar Spyware"; flow: to_server,established; uricontent:"cgi-bin/ezl_kws.fcgi?cat"; nocase; reference:url,research.spysweeper.com/threat_library/threat_details.php?threat=desktoptraffic.net_hijack; classtype:trojan-activity; sid: 2001884; rev:4;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Ebates Install"; flow: to_server,established; uricontent:"/ebates.exe"; reference:url,www.pestpatrol.com/PestInfo/e/ebates_moneymaker.asp; classtype: policy-violation; sid: 2001038; rev:5; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ESyndicate Spyware Install (esyndicateinst.exe)"; flow: to_server,established; uricontent:"/files/eSyndicateInst.exe"; nocase; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; sid: 2002009; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ESyndicate Spyware Install (sepinst.exe)"; flow: to_server,established; uricontent:"/files/SEPInst.exe"; nocase; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; sid: 2002010; rev:4; )

#Submitted by Jason Haar
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware EUniverse-thunderdownloads Update Engine"; flow: to_server,established; content:"POST"; depth: 4; content:"mgmt.svr HTTP"; within: 50; content:"|0d0a|Host|3a|update.thunderdownloads.com"; nocase; within: 300; reference:url,www.pestpatrol.com/pestinfo/e/euniverse.asp; classtype: policy-violation; sid: 2000935; rev:4; )

#By Matt Jonkman, From spyware listening post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE EZSearch Spyware Reporting Search Strings"; flow:established,to_server; uricontent:"/partner/rt.php?q="; nocase; classtype:trojan-activity; sid:2002317; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE EZSearch Spyware Reporting Search Category"; flow:established,to_server; uricontent:"/partner/rt.php?cat="; nocase; classtype:trojan-activity; sid:2002318; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE EZSearch Spyware Reporting 2"; flow:established,to_server; uricontent:"/partner/bom.php?e="; nocase; classtype:trojan-activity; sid:2002319; rev:1;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware F1Organizer Install Attempt"; flow: to_server,established; uricontent:"/f1/objects/"; nocase; classtype: trojan-activity; sid: 2000585; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware F1Organizer Reporting"; flow: to_server,established; uricontent:"/f1/audit/"; nocase; classtype: trojan-activity; sid: 2000582; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware F1Organizer Config Download"; flow: to_server,established; uricontent:"/F1/Cmd4F1"; nocase; classtype: trojan-activity; sid: 2001221; rev:4; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Featured-Results.com Agent Reporting Data"; flow: to_server,established; uricontent:"action=any"; nocase; uricontent:"country="; nocase; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/.*perl\/fr\.pl/i"; reference:url,www.featured-results.com; classtype: trojan-activity; sid: 2001293; rev:7; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware FlashPoint Agent Retrieving New Code"; flow: to_server,established; uricontent:"/ftxmon.php?"; reference:url,www.flashpoint.bm; classtype: trojan-activity; sid: 2000905; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware FlashTrack Agent Retrieving New App Code"; flow: to_server,established; uricontent:"/apps/r.exe"; reference:url,www.flashpoint.bm; classtype: trojan-activity; sid: 2000936; rev:5; )

#matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Flingstone Spyware Install (cxtpls)"; flow: established,to_server; uricontent:"/softwares/cxtpls_loader_ff.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html; sid: 2001710; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Flingstone Spyware Install (sportsinteraction)"; flow: established,to_server; uricontent:"/softwares/SportsInteraction.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html; sid: 2001705; rev:6; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Freeze.com Spyware/Adware (Install)"; flow: to_server,established; uricontent:"/checkhttp.htm"; nocase; content:"User-Agent\: Wise"; nocase; content:"freeze.com"; nocase;  classtype: policy-violation; sid: 2002840; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Freeze.com Spyware/Adware (Install Registration)"; flow: to_server,established; uricontent:"/ping/?shortname="; nocase; content:"User-Agent\: Wise"; nocase; content:"freeze.com"; nocase;  classtype: policy-violation; sid: 2002841; rev:1;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products Install"; flow: to_server,established; uricontent:"/install_ie.jsp?product="; reference:url,www.funwebproducts.com; classtype: policy-violation; sid: 2000599; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products SmileyCentral"; flow: to_server,established; uricontent:"/images/smileycentral/"; nocase; content:"FunWebProducts"; nocase; reference:url,www.funwebproducts.com; classtype: policy-violation; sid: 2001013; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products Agent Traffic"; flow: to_server,established; content:"FunWebProducts\;"; nocase; threshold: type limit, track by_src, count 2, seconds 360; reference:url,www.funwebproducts.com; classtype: policy-violation; sid: 2001034; rev:14; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products MyWay Agent Traffic"; flow: to_server,established; content:"FunWebProducts-MyWay\;"; nocase; threshold: type limit, track by_src, count 10, seconds 60; reference:url,www.funwebproducts.com; classtype: policy-violation; sid: 2001043; rev:8; )
#From Listening Post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products Smileychooser Spyware"; flow: to_server,established; uricontent:"/SmileyChooser.html?"; nocase; uricontent:"v="; nocase; reference:url,www.funwebproducts.com; classtype: policy-violation; sid: 2002305; rev:4; )
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products Smileychooser Spyware"; flow: to_server,established; uricontent:"/SmileyChooser.html?"; nocase; uricontent:"v="; nocase; reference:url,www.funwebproducts.com; classtype:policy-violation; sid:2002310; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products Cursorchooser Spyware"; flow: to_server,established; uricontent:"/CursorChooser.html?"; nocase; reference:url,www.funwebproducts.com; classtype: policy-violation; sid: 2002306; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products Stampchooser Spyware"; flow: to_server,established; uricontent:"/StampChooser.html?"; nocase; uricontent: "v="; nocase; reference:url,www.funwebproducts.com; classtype: policy-violation; sid: 2002307; rev:3; )

#by Shirkdog
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Fun Web Products StationaryChooser Spyware"; flow: to_server,established; uricontent:"/StationeryChooser.html?"; nocase; uricontent: "v="; nocase; reference:url,www.funwebproducts.com; classtype: policy-violation; sid: 2002858; rev:1; ) 

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Gator Cookie"; flow: to_server,established; content:"webpdpcookie"; content:".gator.com"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; sid: 2000025; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Gator Checkin"; flow: to_server,established; uricontent:"/gbsf/"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; sid: 2000595; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Gator New Code Download"; flow: to_server,established; uricontent:"/gatorcme/"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; sid: 2000597; rev:5; )

#Matt Jonkman Rule (depth added by bobkberg)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Gator/Claria Data Submission"; flow: to_server,established; content:"gs_trickler"; nocase; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/gs_trickler/i"; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; sid: 2000596; rev:9; )

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Gator/Clarian Agent"; flow: to_server,established; uricontent:"/gbsf/gd/ne/new.net.gtrg2ze"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; sid: 2001306; rev:5; )

#These are for common names of malcode files as seen in common places.
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Likely Trojan/Spyware Installer Requested (1)"; flow: established,to_server; pcre:"/(cartao|mensagem|voxcards|humortadela|ouca|cartaovirtual|uol3171|embratel|yahoo|viewforhumor|humormenssagem|terra)\.scr/Ui"; classtype: trojan-activity; sid: 2001850; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Likely Trojan/Spyware Installer Requested (2)"; flow: established,to_server; pcre:"/(discador|ocartao|msgav|extrato|correcao|extrato_tim|visualizar|cartas&cartoes|embratel|cartao|MSN_INSTALL|VirtualCards|atualizacaonorton|serasar|CobrancaEmbratel|ExtratoTim|FlashFotos|Vacina-Norton|CartaoIloves|Cobranca|fotos_ineditas|boletocobranca|saudades|wwwuolcartoescombr|cartaoanimado)\.exe/Ui"; classtype: trojan-activity; sid: 2002093; rev:2; )

#Submitted by Joseph Gama
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE IE homepage hijacking"; flow: from_server,established; content:"wsh.RegWrite"; nocase; content:"HKLM\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Main\\\\Start Page"; nocase; reference:url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm; classtype: misc-attack; sid: 2000514; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE shell browser vulnerability W9x/XP"; flow: from_server,established; content:"shell\:windows"; nocase; reference:url,www.packetfocus.com/shell_exploit.htm; classtype: misc-attack; sid: 2000519; rev:6; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE shell browser vulnerability NT/2K"; flow: from_server,established; content:"shell\:winnt"; nocase; reference:url,www.packetfocus.com/shell_exploit.htm; classtype: misc-attack; sid: 2000520; rev:6; )

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware GlobalPhon.com Dialer"; flow: to_server,established; content:"Host\: www.globalphon.com"; classtype: trojan-activity; sid: 2001656; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware GlobalPhon.com Dialer Download"; flow: to_server,established; uricontent:"/dialer/internazionale_ver"; nocase; uricontent:".CAB"; nocase; classtype: trojan-activity; sid: 2001657; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware GlobalPhon.com Dialer (no_pop)"; flow: to_server,established; uricontent:"/no_pop.asp?"; nocase; uricontent: "id="; nocase; content:"globalphon.com"; nocase; classtype: trojan-activity; sid: 2001659; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware GlobalPhon.com Dialer (add_ocx)"; flow: to_server,established; uricontent:"/add_ocx.asp?"; nocase; uricontent: "id="; nocase; content:"globalphon.com"; nocase; classtype: trojan-activity; sid: 2001660; rev:4; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware GrandstreetInteractive.com Install"; flow: to_server,established; uricontent:"/tdtb.exe"; nocase; classtype: trojan-activity; sid: 2002012; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware GrandstreetInteractive.com Update"; flow: to_server,established; uricontent:"/wupdsnff.exe"; nocase; classtype: trojan-activity; sid: 2002013; rev:2; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Install (1)"; flow: to_server,established; uricontent:"/install/startInstallprocess.asp?"; nocase; uricontent: "Defau"; reference:url,www.hotbar.com; classtype: trojan-activity; sid: 2000920; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Install (2)"; flow: to_server,established; uricontent:"/install/process/upsale/hotbar"; reference:url,www.hotbar.com; classtype: trojan-activity; sid: 2000921; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Install (3)"; flow: to_server,established; uricontent:"/installs/hotbar/programs/"; reference:url,www.hotbar.com; classtype: trojan-activity; sid: 2000922; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Agent Reporting Information"; flow: to_server,established; content:"POST"; nocase; uricontent:"/reports/hotbar/"; reference:url,www.hotbar.com; classtype: trojan-activity; sid: 2000923; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Agent Upgrading"; flow: to_server,established; uricontent:"/updates/hotbar/"; nocase; reference:url,www.hotbar.com; classtype: trojan-activity; sid: 2000924; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Agent Activity"; flow: to_server,established; uricontent:"/dynamic/hotbar/"; nocase; reference:url,www.hotbar.com; threshold: type limit, count 1, track by_src, seconds 360; classtype: trojan-activity; sid: 2000929; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Agent Partner Checkin"; flow: to_server,established; uricontent:"/partners/"; nocase; uricontent:"partners.xip"; nocase; reference:url,www.hotbar.com; classtype: trojan-activity; sid: 2000925; rev:5; )

#from Shirkdog
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Hotbar Agent Subscription POST"; flow: to_server,established; uricontent:"/hotbar/"; nocase; uricontent:"Subscription.dll?"; nocase; reference:url,www.hotbar.com; classtype: trojan-activity; sid: 2002820; rev:1;)  

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ICQ-Update.biz Reporting Install"; flow: to_server,established; uricontent:"log.php?"; nocase; uricontent: "IP="; nocase; uricontent:"Port1="; nocase; classtype: trojan-activity; sid: 2001490; rev:6; )

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE IEHelp.net Spyware Installer"; flow:established,to_server; uricontent:"/counter/help.chm"; nocase; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html; sid:2002090; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE IEHelp.net Spyware checkin"; flow:established,to_server; uricontent:"/l/gpr.php?"; nocase; uricontent: "ID1="; nocase; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html; sid:2002096; rev:4;)

# Following are requests from adware served by iframebiz.biz
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE iframebiz - adv***.php"; flow:established,to_server; content:"GET"; depth:3; nocase; uricontent:"/adv"; nocase; pcre:"/adv\d+\.php/Ui"; classtype:trojan-activity; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; sid:2002707; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE iframebiz - sploit.anr"; flow:established,to_server; content:"GET"; depth:3; nocase; uricontent:"/sploit.anr"; nocase; classtype:trojan-activity; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; sid:2002708; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE iframebiz - loaderadv***.jar"; flow:established,to_server; content:"GET"; depth:3; nocase; uricontent:"/loaderadv"; nocase; pcre:"/loaderadv\d+\.jar/Ui"; classtype:trojan-activity; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; sid:2002709; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE iframebiz - loadadv***.exe"; flow:established,to_server; content:"GET"; depth:3; nocase; uricontent:"/loadadv"; nocase; pcre:"/loadadv\d+\.exe/Ui"; classtype:trojan-activity; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; sid:2002710; rev:3;)

# Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Incredisearch.com Spyware Ping"; flow: established,to_server; uricontent:"/ping.asp"; nocase; content:"incredisearch.com"; depth:300; nocase; classtype: trojan-activity; sid: 2001793; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Incredisearch.com Spyware Activity"; flow: established,to_server; content:"Host\: www.incredisearch.com"; depth:300; nocase; classtype: trojan-activity; sid: 2001794; rev:4; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Internet Fuel.com Install"; flow: to_server,established; uricontent:"/cgi-bin/omnidirect.cgi?&debug_log="; nocase; classtype: trojan-activity; sid: 2002015; rev:2; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Internet Optomizer Reporting Data"; flow: to_server,established; uricontent:"/io/downloads/"; nocase; content:"/wsi8/optimize"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; sid: 2001308; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Internet Optimizer Spyware Agent Upload"; flow: to_server,established; uricontent:"/conf/xml/"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; sid: 2001336; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Internet Optimizer Spyware Install"; flow: to_server,established; uricontent:"/internet-optimizer/"; nocase; uricontent:"/optimize"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; sid: 2001396; rev:4; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Reporting"; flow: to_server,established; uricontent:"/ist/scripts/log_downloads.php"; nocase; reference:url,www.isearchtech.com; classtype: trojan-activity; sid: 2000927; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Activity (1)"; flow: to_server,established; uricontent:"/ist/bars/"; nocase; reference:url,www.isearchtech.com; classtype: trojan-activity; sid: 2000928; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Activity (2)"; flow: to_server,established; uricontent:"/ist/softwares/"; nocase; reference:url,www.isearchtech.com; classtype: trojan-activity; sid: 2001395; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Data Submission"; flow: to_server,established; uricontent:"/ist/scripts/istsvc_ads_data.php?"; nocase; uricontent: "version="; nocase; reference:url,www.isearchtech.com; classtype: trojan-activity; sid: 2001697; rev:4; )

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware jmnad1.com Spyware Install (1)"; flow: to_server,established; uricontent:"/install.qg?"; nocase; uricontent: "ID="; nocase; classtype: trojan-activity; sid: 2002019; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware jmnad1.com Spyware Install (2)"; flow: to_server,established; uricontent:"/download/mw_4s_stub.exe"; nocase; classtype: trojan-activity; sid: 2002016; rev:6; )

#Submitted by Matt Jonkman
alert udp $HOME_NET 3531 -> $EXTERNAL_NET 3531 (msg: "BLEEDING-EDGE Malware JoltID Agent Probing or Announcing UDP"; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; sid: 2000900; rev:5; )
#alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg: "BLEEDING-EDGE Malware JoltID Agent Communicating TCP"; flow: to_server,established; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; sid: 2000901; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg: "BLEEDING-EDGE Malware JoltID Agent Keep-Alive"; flow: to_server,established; dsize: 1; content:"|4b|"; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; sid: 2001015; rev:6; )
alert tcp $HOME_NET any -> any any (msg: "BLEEDING-EDGE Malware JoltID Agent P2P via Proxy Server"; flow: to_server,established; content:"POST http\://"; nocase; content:"\:3531/.pkt"; nocase; within: 20; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; sid: 2001679; rev:8; )
alert tcp $HOME_NET any <> $EXTERNAL_NET 3531 (msg: "BLEEDING-EDGE Malware JoltID Agent Requesting File"; flow: established,to_server; content:"GIVE "; content:"User-Agent\:"; nocase; content:"PeerEnabler"; within:120; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; sid: 2001654; rev:7;)

#Submitted by Jason Haar
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Keenvalue Update Engine"; flow: to_server,established; content:"|0d0a|Host|3a|secure.keenvalue.com"; content:"|0d0a|Extension|3a|Remote-Passphrase"; within: 300; reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2003-11-24; classtype: trojan-activity; sid: 2000932; rev:3; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware LocalNRD Spyware Checkin"; flow: to_server,established; uricontent:"/a/Drk.syn?"; nocase; uricontent: "adcontext"; nocase; reference:url,www.localnrd.com; classtype: trojan-activity; sid: 2001340; rev:7; )


#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Look2me Spyware Activity (1)"; flow: to_server,established; content:"Referer\: Look2Me"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.look2me.html; sid: 2001499; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Look2me Spyware Activity (2)"; flow: to_server,established; uricontent:"/cgi-bin/BW.exe"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.look2me.html; sid: 2001502; rev:6; )

#submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Configuration Access"; flow: to_server,established; uricontent:"/oss/remoteconfig.asp"; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2000902; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Access"; flow: to_server,established; uricontent:"proxyhttp|0b|marketscore|03|com"; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001359; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware SSL Access"; flow: to_server,established; content:"www.marketscore.com"; content:"InstantSSL1"; nocase; reference:url,www.marketscore.com; reference:rl,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001563; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Proxied Traffic"; flow: to_server,established; content:"X-OSSProxy\: OSSProxy"; content:"X-OSSProxy-Person-ID\: "; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001564; rev:3; )

#Info from sgtocanada
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Proxied Traffic (mitmproxy agent)"; flow: to_server,established; content:"Proxy-agent\: ManInTheMiddle-Proxy"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001586; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Upgrading"; flow: to_server,established; uricontent:"/oss/upgrchk_2a.asp"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001587; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Activity (1)"; flow: to_server,established; uricontent:"/oss/dittorules.asp"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001588; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware Activity (2)"; flow: to_server,established; uricontent:"/oss/routerrules2.asp"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001589; rev:4; )

#Sigs by Matt Jonkman from the excellent analysis by Tom Liston at http://isc.sans.org/diary.php?date=2004-11-04
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Malware Mastermind Related Reporting"; flow: to_server,established; uricontent:"/bundle.php?"; nocase; uricontent: "aff="; nocase; classtype: trojan-activity; sid: 2001409; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 8081 (msg: "BLEEDING-EDGE Malware Mastermind Related Reporting 8081"; flow: to_server,established; content:"/a?l=PeAyF1sgrZYw&i="; nocase; classtype: trojan-activity; sid: 2001410; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Mastermind Related Downloading mm20.ocx"; flow: to_server,established; uricontent:"/soft/mm20.ocx"; nocase; classtype: trojan-activity; sid: 2001411; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Mastermind Related Downloading Daily Executable"; flow: to_server,established; content:"/soft/loads/"; nocase; within: 5; content:".exe"; nocase; classtype: trojan-activity; sid: 2001412; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Medis-Motor Related Downloading ast_4_mm.exe"; flow: to_server,established; uricontent:"/dist/ast_4_mm.exe"; nocase; classtype: trojan-activity; sid: 2001413; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Media-Motor Related Downloading MediaMotor25.exe"; flow: to_server,established; uricontent:"/soft/MediaMotor25.exe"; nocase; classtype: trojan-activity; sid: 2001414; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware E2give Related Downloading IeBHOs.dll"; flow: to_server,established; uricontent:"/downloads/IeBHOs.dll"; nocase; classtype: trojan-activity; sid: 2001415; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware E2give Related Reporting Install"; flow: to_server,established; uricontent:"/count/count.php?&mm"; nocase; classtype: trojan-activity; sid: 2001416; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware E2give Related Receiving Config"; flow: to_server,established; uricontent:"/config/?"; nocase; uricontent: "v=5"; nocase; uricontent: "n=mm2"; nocase; uricontent: "i="; nocase; classtype: trojan-activity; sid: 2001417; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware E2give Related Downloading Code"; flow: to_server,established; uricontent:"/soft/unstall.exe"; nocase; classtype: trojan-activity; sid: 2001418; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Avres.net Downloading cpr_mm2.exe"; flow: to_server,established; uricontent:"/tt/cpr_mm2.exe"; nocase; classtype: trojan-activity; sid: 2001419; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Avres.net Downloading ab1.exe"; flow: to_server,established; uricontent:"/tt/ab1.exe"; nocase; classtype: trojan-activity; sid: 2001420; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Avres.net Downloading tvm_bundle.exe"; flow: to_server,established; uricontent:"/tt/tvm_bundle.exe"; nocase; classtype: trojan-activity; sid: 2001421; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Avres.net Reporting Data"; flow: to_server,established; uricontent:"/log3.php?"; nocase; uricontent:"c={"; nocase; uricontent:"what="; nocase; uricontent:"avatar="; nocase; classtype: trojan-activity; sid: 2001422; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware E2give Related Reporting"; flow: to_server,established; uricontent:"/count/count.php?&mm2cpr"; nocase; classtype: trojan-activity; sid: 2001423; rev:4; )

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Medialoads.com Spyware Config"; flow: to_server,established; uricontent:"/dw/cgi/download.cgi?"; nocase; uricontent:"sn="; nocase; uricontent:"pid="; nocase; content:"Host\:config.medialoads.com"; nocase; classtype: trojan-activity; sid: 2001503; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Medialoads.com Spyware Reporting (download.cgi)"; flow: to_server,established; uricontent:"/dw/cgi/download.cgi?"; nocase; uricontent:"sn="; nocase; content:"Host\:config.medialoads.com"; nocase; classtype: trojan-activity; sid: 2001508; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Medialoads.com Spyware Reporting (register.cgi)"; flow: to_server,established; uricontent:"/dw/cgi/register.cgi?"; nocase; uricontent:"v="; nocase; content:"Host\:config.medialoads.com"; nocase; classtype: trojan-activity; sid: 2001509; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Medialoads.com Spyware Identifying Country of Origin"; flow: to_server,established; uricontent:"/dw/cgi/country.cgi"; nocase; content:"User-Agent\:"; nocase; content:"NSISDL"; within:120; nocase; classtype: trojan-activity; sid: 2001507; rev:7;)

#Mark Tombaugh
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Media Pass ActiveX Install"; flow: to_server,established; uricontent:"/MediaPassK.exe"; nocase; reference:url,www.benedelman.org/news/010205-1.html; reference:url,static.windupdates.com/Release/v19/Info.txt; classtype: policy-violation; sid: 2001783; rev:3; )

#Submitted by Chris Norton
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MediaTickets Download"; flow: to_server,established; uricontent:"MediaTicketsInstaller.cab"; content:"Host\: www.mt-download.com"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html; sid: 2001448; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MediaTickets Spyware Install"; flow: to_server,established; uricontent:"/mtrslib2.js"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html; sid: 2001481; rev:4;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Metarewards Spyware Activity"; flow: to_server,established; content:"Host\: www.metareward.com"; nocase; classtype: policy-violation; sid: 2001666; rev:2; )
#From listening post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Metarewards Disclaimer Access"; flow: to_server,established; uricontent:"/www.metareward.com/mailimg/disclaimer/"; nocase; classtype: policy-violation; sid: 2002309; rev:2; )

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Microgaming.com Spyware Installation (dlhelper)"; flow: established,to_server; uricontent:"/dlhelper.cab"; nocase; classtype: trojan-activity; sid: 2001641; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Microgaming.com Spyware Installation (2)"; flow: established,to_server; uricontent:"/DownloadHNew.asp?"; nocase; uricontent:"btag=";  nocase; classtype: trojan-activity; sid: 2001643; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Microgaming.com Spyware Reporting Installation"; flow: established,to_server; uricontent:"/dlhelper/downloadlogger2.asp?"; nocase; uricontent:"time="; nocase; classtype: trojan-activity; sid: 2001644; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Microgaming.com Spyware Casino App Install"; flow: established,to_server; uricontent:"/viper/thunderluck/00"; nocase; classtype: trojan-activity; sid: 2001645; rev:3; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Mindset Interactive Install (1)"; flow: to_server,established; uricontent:"/mindset5/data"; nocase; reference:url,www.mindsetinteractive.com; classtype: trojan-activity; sid: 2000583; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Mindset Interactive Install (2)"; flow: to_server,established; uricontent:"/mindset/data"; nocase; reference:url,www.mindsetinteractive.com; classtype: trojan-activity; sid: 2000584; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Mindset Interactive Ad Retrieval"; flow: to_server,established; uricontent:"/mindset5"; nocase; reference:url,www.mindsetinteractive.com; classtype: trojan-activity; sid: 2000594; rev:4; )

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE MSUpdater.net Spyware Checkin"; flow:established,to_server; uricontent:"/popsetarray.php?&country="; nocase; classtype:trojan-activity; sid:2002094; rev:2;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware My Search Bar Install"; flow: to_server,established; uricontent:"/mysetp.exe"; nocase; reference:url,www.2-spyware.com/parasite-my-search-bar.html; classtype:trojan-activity; sid: 2001040; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware My Search Spyware Config Download"; flow: to_server,established; uricontent:"/ms101cfg.jsp?"; nocase; classtype:trojan-activity; sid:2002839; rev:1; )

#Matt Jonkman 2/22/05
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware My-Stats.com Spyware Checkin"; flow: established,to_server; uricontent:"/ad-partner/SelectConfirm.php?"; nocase; uricontent:"dummy="; nocase; classtype: misc-activity; sid: 2001747; rev:5;)


#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MyWebSearch Toolbar Receiving Configuration"; flow: to_server,established; uricontent:"/speedbar/mySpeedbarCfg"; nocase; classtype: policy-violation; sid: 2000600; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MyWebSearch Toolbar Traffic (host)"; flow: to_server,established; pcre:"/Host\:[^\n]*[\.\s]myway.com/i"; classtype: policy-violation; threshold:type limit, track by_src, count 2, seconds 360; sid: 2001663; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MyWebSearch Toolbar Traffic (Agent)"; flow: to_server,established; content:" MyWay"; nocase; classtype: policy-violation; sid: 2001662; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MyWebSearch Toolbar Traffic (bin download)"; flow: to_server,established; uricontent:"/images/mywebsearchbar/"; nocase; uricontent:".bin"; nocase; classtype: policy-violation; sid: 2002819; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MyWebSearch Toolbar Traffic (general download)"; flow: to_server,established; uricontent:"/mywebsearchbar/"; nocase; classtype: policy-violation; sid: 2002818; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MyWebSearch Toolbar Traffic (bar config download)"; flow: to_server,established; uricontent:"/barcfg.jsp?"; nocase; content:"MyWebSearchWB"; nocase; classtype: policy-violation; sid: 2002836; rev:1;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Oenji.com Install"; flow: to_server,established; uricontent:"/Bundled/OemjiInstall"; nocase; classtype: trojan-activity; sid: 2001538; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Spyspotter.com Access, Likely Spyware"; flow: to_server,established; content:"Host\:"; nocase; depth: 400; content:".oemji.com"; within: 25; distance: 1; classtype: trojan-activity; sid: 2001539; rev:6; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware OfferOptimizer.com Spyware"; flow: to_server,established; uricontent:"/ctx/keyword_context.php?"; nocase; uricontent:"urlContext=http"; nocase; reference:url,www.offeroptimizer.com; classtype: policy-violation; sid: 2001341; rev:7; )

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware OutBlaze.com Spyware Activity"; flow: to_server,established; uricontent:"/scripts/adpopper/webservice.main"; nocase; classtype: trojan-activity; sid: 2002044; rev:2; )

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Outerinfo.com Spyware Install"; flow: to_server,established; uricontent:"/ctxad-"; nocase; content:"outerinfo.com"; nocase; classtype: trojan-activity; sid: 2001495; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Outerinfo.com Spyware Advertising Campaign Download"; flow: to_server,established; uricontent:"/campaigns"; nocase; content:"outerinfo.com"; nocase; classtype: trojan-activity; sid: 2001496; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Outerinfo.com Spyware Activity"; flow: to_server,established; content:"Host\: campaigns.outerinfo.com"; nocase; classtype: trojan-activity; sid: 2001497; rev:3; )

#Submitted by Chris Norton
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Overpro Spyware Bundle Install"; flow: to_server,established; content:"Host\: download.overpro.com"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/WildApp\.cab/i"; reference:url,www.wildarcade.com; classtype: trojan-activity; sid: 2001444; rev:7; )

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Overpro Spyware Games"; flow: to_server,established; uricontent:"/blocks/blasterblocks"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html; sid: 2001459; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Overpro Spyware Install Report"; flow: to_server,established; uricontent:"/processInstall.aspx"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html; sid: 2002017; rev:4; )

#Matt Jonkman from Spyware Listening Post Data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Pacimedia Spyware 1"; flow:to_server,established; uricontent:"/mcp/mcp.cgi"; classtype:trojan-activity; sid:2002083; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Pacimedia Spyware 2"; flow: to_server,established; uricontent:"/xml/check.php?"; nocase; uricontent:"u="; nocase; classtype: policy-violation; sid: 2002194; rev:3; )

#Submitted by Chris Norton
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware PeopleOnPage Install"; flow: to_server,established; uricontent:"/install/pop"; nocase; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; classtype: policy-violation; sid: 2001445; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware PeopleOnPage Ping"; flow: to_server,established; content:"Host\: srv.peopleonpage.com"; nocase; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/s\/l\/firstping/i"; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; classtype: policy-violation; sid: 2001446; rev:6; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Popuptraffic.com Bot Reporting"; flow: to_server,established; uricontent:"/scripts/click.php?"; nocase; uricontent:"hid="; reference:url,popuptraffic.com; classtype: policy-violation; sid: 2000577; rev:6; )

#By Joel Esler
#alert tcp $HOME_NET any -> 216.151.85.195 $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Unknown Suspicious PrintMe Suspected Spyware"; flow: established; content:"PrintMe"; classtype: bad-unknown; sid: 2001665; rev:3; )

# Submitted by John Stewart, 2/23/2005

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Pynix.dll BHO Activity"; flow: established,to_server; uricontent:"ABETTERINTERNET.EXE"; nocase; uricontent:"bho=PYNIX.DLL"; nocase; reference:url,www.pynix.com; classtype: trojan-activity; sid: 2001748; rev:3; )

#Updated by Jonathan Miner
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware rcprograms"; flow: to_server,established; content:"update.rcprograms.com"; nocase; reference:url,sarc.com/avcenter/venc/data/adware.rcprograms.html; classtype: trojan-activity; sid: 2000024; rev:5; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Rdxrp.com Traffic"; flow: to_server,established; uricontent:"/rdxr020304.dat"; nocase; classtype: trojan-activity; sid: 2001311; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Rdxrp.com Traffic (Generic)"; flow: to_server,established; uricontent:"/rdxr"; nocase; uricontent:".dat"; nocase; classtype: trojan-activity; sid: 2001312; rev:3; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Regnow.com Access"; flow: to_server,established; uricontent:"/softsell/visitor.cgi?"; nocase; uricontent:"affiliate="; nocase; reference:url,www.regnow.com; classtype: trojan-activity; sid: 2001223; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Regnow.com Gamehouse.com Access"; flow: to_server,established; uricontent:"/affiliates/template.jsp?"; nocase; uricontent:"AID="; nocase; reference:url,www.gamehouse.com; classtype: trojan-activity; sid: 2001224; rev:5; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Salongas Infection"; flow: to_server,established; uricontent:"/sp.htm?id="; classtype: trojan-activity; sid: 2000601; rev:3; )

#By Matt Jonkman from Listening Post Data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchfeed.com Spyware 1"; flow: to_server,established; uricontent:"/rd/Clk.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; sid: 2002296; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchfeed.com Spyware 2"; flow: to_server,established; uricontent:"/rd/feed/TextFeed.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; sid: 2002297; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchfeed.com Spyware 3"; flow: to_server,established; uricontent:"/rd/feed/XMLFeed.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; sid: 2002298; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchfeed.com Spyware 4"; flow: to_server,established; uricontent:"/rd/feed/JavaScriptFeed.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; sid: 2002299; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchfeed.com Spyware 5"; flow: to_server,established; uricontent:"/rd/feed/JavaScriptFeedSE.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; sid: 2002300; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchfeed.com Spyware 6"; flow: to_server,established; uricontent:"/rd/SearchResults.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; sid: 2002301; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchfeed.com Spyware 7"; flow: to_server,established; uricontent:"/rd/jsp/BidRank/index.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; sid: 2002302; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchfeed.com Spyware 8"; flow: to_server,established; uricontent:"/SFToolBar.html"; reference:url,www.searchfeed.com; classtype: trojan-activity; sid: 2002303; rev:2; )

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmeup Spyware Install (toolbar)"; flow: to_server,established; uricontent:"/dkprogs/toolbar.txt"; nocase; classtype: trojan-activity; sid: 2001473; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmeup Spyware Install (prog)"; flow: to_server,established; uricontent:"/dkprogs/dktibs.php"; nocase; classtype: trojan-activity; sid: 2001474; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmeup Spyware Receiving Commands"; flow: to_server,established; uricontent:"/xpsystem/commands.ini"; nocase; classtype: trojan-activity; sid: 2001475; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install (pizdato)"; flow: to_server,established; uricontent:"http\://pizdato.biz"; nocase; classtype: trojan-activity; sid: 2001476; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install (coolsearch)"; flow: to_server,established; uricontent:"http\://www.coolsearch.biz"; nocase; classtype: trojan-activity; sid: 2001477; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmeup Spyware Affiliate install (newiframe)"; flow: to_server,established; uricontent:"http\://newiframe.biz"; nocase; classtype: trojan-activity; sid: 2001478; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmeup Spyware Install (systime)"; flow: to_server,established; uricontent:"/dkprogs/systime.txt"; nocase; classtype: trojan-activity; sid: 2001480; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmeup Spyware Install (mstask)"; flow: to_server,established; uricontent:"/dkprogs/mstasks3.txt"; nocase; classtype: trojan-activity; sid: 2001483; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmeup Spyware Install (d.exe)"; flow: to_server,established; uricontent:"/x30/d.exe"; nocase; classtype: trojan-activity; sid: 2001484; rev:5; )

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmiracle.com Spyware Install (v3cab)"; flow: to_server,established; uricontent:"/cab/v3cab.cab"; reference:url,www.searchmiracle.com; classtype: trojan-activity; sid: 2001540; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmiracle.com Access, Likely Spyware"; flow: to_server,established; content:"Host\:"; nocase; depth: 400; content:".searchmiracle.com"; nocase; within: 35; distance: 1; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.elitebar.html; sid: 2001532; rev:8; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Malware Searchmiracle.com Spyware Installer silent.exe Download"; flow: from_server,established; content:"|20 28 43 29 20 32 30 30 31 2c 20 32 30 30 33 20 52 61 64 69 6d 20 50 69 63 68 61|"; reference:url,www.searchmiracle.com/silent.exe; classtype: trojan-activity; sid: 2001533; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmiracle.com Spyware Install (silent_install)"; flow: to_server,established; uricontent:"/silent_install.exe"; nocase; reference:url,www.searchmiracle.com; classtype: trojan-activity; sid: 2001534; rev:9; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmiracle.com Spyware Install (protector.exe)"; flow: to_server,established; uricontent:"/protector.exe"; content:"Host\: install.searchmiracle.com"; nocase; reference:url,www.searchmiracle.com; classtype: trojan-activity; sid: 2001535; rev:8; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmiracle.com Spyware Install (install)"; flow: to_server,established; uricontent:"/sideb.exe"; content:"Host\: install.searchmiracle.com"; nocase; reference:url,www.searchmiracle.com; classtype: trojan-activity; sid: 2001744; rev:8; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Searchmiracle.com Spyware Install -- silent.exe"; flow: to_server,established; uricontent:"/silent.exe"; nocase; reference:url,www.searchmiracle.com; classtype: trojan-activity; sid: 2002091; rev:2; )

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Search Relevancy Spyware"; flow: established,to_server; uricontent:"/SearchRelevancy/SearchRelevancy.dll"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.relevancy.html; sid: 2001696; rev:6; )

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Search Scout Related Spyware (content)"; flow: established,to_server; content:"Host\: content.searchscout.com"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.searchscout.html; sid: 2001650; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Search Scout Related Spyware (results)"; flow: established,to_server; content:"Host\: results.searchscout.com"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.searchscout.html; sid: 2001653; rev:4; )

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Sexmaniack Install Tracking"; flow: to_server,established; uricontent:"/counted.php?ref="; nocase; content:"Host\: counter.sexmaniack.com"; nocase; classtype: trojan-activity; sid: 2001460; rev:5; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Shop At Home Select.com Install Attempt"; flow: to_server,established; uricontent:"/mindset/bunsetup.cab"; nocase; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; classtype: policy-violation; sid: 2000580; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Malware Shop At Home Select.com Install Download"; flow: from_server,established; content:"|ab 3b d4 97 d4 a7 b4 1d da 6e 6d 0f f4 aa 4f|"; content:"|46 b3 3b 8b 38 cc 2c 2a a4 c3 07 67 67 df 65 41|"; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; classtype: policy-violation; sid: 2000581; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Shop at Home Select Spyware Heartbeat"; flow: established,to_server; uricontent:"/s.dll?MfcISAPICommand=heartbeat&param="; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; sid: 2001708; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Shop at Home Select Spyware Config Download (agentprefs)"; flow: established,to_server; uricontent:"/agentprefs"; nocase; content:".sah"; nocase; within: 5; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; sid: 2001709; rev:8; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Shop at Home Select Spyware Install"; flow: established,to_server; uricontent:"/arcadecash/setup"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; sid: 2002037; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Shop at Home Select Spyware Config Download"; flow: established,to_server; uricontent:"/agent"; nocase; uricontent:"/validate"; nocase; content:".sah"; nocase; within: 5; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; sid: 2002043; rev:3; )

#matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Shopnav Spyware Install"; flow: to_server,established; uricontent:"/toolbarv3.cgi?UID="; nocase; uricontent:"&version="; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.shopnav.html; sid: 2002000; rev:3; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SideStep Bar Install"; flow: to_server,established; uricontent:"/servlet6/servlet/sbinstservlet"; nocase; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; sid: 2001016; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SideStep Bar Reporting Data"; flow: to_server,established; uricontent:"/servlet6/servlet/sblogservlet"; nocase; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; sid: 2001017; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SideStep Bar Activity"; flow: to_server,established; uricontent:"/servlet6/jsp/mvc"; nocase; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; sid: 2001018; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SideStep Bar Autoupdate"; flow: to_server,established; uricontent:"/autoupd/rel"; nocase; pcre:"/Host\:/sstart\d+.sidestep.com/i"; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; sid: 2001019; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SideStep Bar Update Reporting"; flow: to_server,established; uricontent:"/wutrack.bin?PUID="; nocase; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; sid: 2001020; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SideStep Bar Reporting Data (sbstart)"; flow: to_server,established; uricontent:"/servlet6/servlet/SbStartservlet"; nocase; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; sid: 2002821; rev:2; )

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Smartpops.com Spyware Install rh.exe"; flow: to_server,established; uricontent:"/install/RH/rh.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; sid: 2001505; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Smartpops.com Spyware Install"; flow: to_server,established; uricontent:"/install/SE/sed.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; sid: 2001516; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Smartpops.com Spyware Update"; flow: to_server,established; uricontent:"/data/spv15.dat?v="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; sid: 2001513; rev:5; )

#By Michael Ligh
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Sony DRM Reporting 1"; flow: to_server,established; uricontent:"/toc/Connect?type=redirect"; nocase; uricontent:"&uId="; nocase; classtype:trojan-activity; reference:url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html; sid:2002675; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Sony DRM Reporting 2"; flow: to_server,established; content:"sonymusic.com"; nocase; pcre:"User-Agent\:[^\n]+SecureNet[^\n]+Xtra/i"; classtype:trojan-activity; reference:url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html; sid:2002674; rev:2;)

#by Blake Hartstein
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Malware Sony DRM Related -- CodeSupport ActiveX Attempt"; flow:from_server,established; content:"CLSID"; nocase; content:"4EA7C4C5-C5C0-4F5C-A008-8293505F71CC"; nocase; distance:0; reference:url,www.frsirt.com/english/advisories/2005/2454; reference:url,www.hack.fi/~muzzy/sony-drm/; classtype:web-application-attack; sid:2002679; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Malware Sony DRM -- Uninstaller CLSID"; flow:from_server,established; content:"CLSID"; nocase; pcre:"/1F1EB85B-0FE9-401D-BC53-10803CF880A7|7965A6FD-B383-4658-A8E0-C78DCF2D0E63|9A60A782-282B-4D69-9B2A-0945D588A125|80E8743E-8AC5-46F1-96A0-59FA30740C51/Ri"; reference:url,www.freedom-to-tinker.com/?p=931; reference:url,www.frsirt.com/english/advisories/2005/2493; reference:url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx; classtype:web-application-attack; sid:2002680; rev:3;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg: "BLEEDING-EDGE Malware Likely Spambot Web-based Control Traffic"; flow: to_server,established; content:"User-Agent\: Godzilla"; nocase; classtype: trojan-activity; sid: 2001711; rev:3; )

# Submitted by William Salusky
#
# The following rule has proven useful in detecting unidentified spammer nodes.
# You should tweak the rule header according to your network architecture.
# Thresholding is optional, but without it in my network this sig would
# overwhelm my sensors.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE Spambot Proxy Control Channel"; flow: established; content:"|04010019|"; offset: 0; depth: 4; classtype: trojan-activity; sid: 2001814; rev:4; )

# The following rule assists in the identification of spam when SMTP 220
# responses are seen egressing your network from unusual src ports.
# You may want to consider tagging a number of following packets.

#alert tcp $HOME_NET !21:587 -> any any (msg: "BLEEDING-EDGE Spambot Suspicious 220 Banner on Local Port"; flow: established; content:"220 "; offset: 0; depth: 4; tag: session, 20, packets; classtype: non-standard-protocol; sid: 2001815; rev:4; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Speedera Agent"; flow: to_server,established; uricontent:"/io/downloads"; nocase; classtype: trojan-activity; sid: 2001320; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Speedera Agent (Specific)"; flow: to_server,established; uricontent:"/io/downloads/3/wsem302.dl"; nocase; classtype: trojan-activity; sid: 2001321; rev:3; )

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Spyaxe Spyware DB Update"; flow: to_server,established; uricontent:"/updates/database/dbver.php"; nocase; content:"spywareaxe"; nocase; classtype: trojan-activity; sid: 2002804; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Spyaxe Spyware DB Version Check"; flow: to_server,established; uricontent:"/updates/database/dbver.dat"; nocase; content:"spywareaxe"; nocase; classtype: trojan-activity; sid: 2002805; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Spyaxe Spyware Checkin"; flow: to_server,established; uricontent:"/download.php?sid="; nocase; content:"spyaxe"; nocase; classtype: trojan-activity; sid: 2002806; rev:1; )

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Spygalaxy.ws Activity"; flow: to_server,established; uricontent:"/install.php?id="; nocase; content:"Host\: spygalaxy.ws"; nocase; classtype: trojan-activity; sid: 2001489; rev:4; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Spyspotter.com Install"; flow: to_server,established; uricontent:"/SpySpotterInstall.cab"; nocase; classtype: trojan-activity; sid: 2001536; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Spyspotter.com Access"; flow: to_server,established; pcre:"/Host\:[^\n]+spyspotter.com/i"; classtype: trojan-activity; sid: 2001537; rev:8; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SpywareLabs VirtualBouncer Seeking Instructions"; flow: to_server,established; content:"instructions"; nocase; pcre:"/instructions\/\d{2}\.xml/mi"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.virtualbouncer.html; sid: 2000587; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SpywareLabs Application Install"; flow: to_server,established; uricontent:"/DistID/BaseInstalls/V"; nocase; content:"User-Agent\:"; nocase; content:"Wise"; within:120; nocase; classtype: trojan-activity; sid: 2001522; rev:6;)

#by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Spyware Stormer Reporting Data"; flow: established,to_server; uricontent:"/showme.aspx?keyword="; nocase; content:"ecomdata1="; nocase; reference:url,www.spywarestormer.com; classtype: trojan-activity; sid: 2001570; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Spyware Stormer/Error Guard Activity"; flow: established,to_server; uricontent:"/sell.cgi?errorguard/1/errorguard"; nocase; reference:url,www.spywarestormer.com; classtype: trojan-activity; sid: 2001571; rev:5; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Statblaster Receiving New configuration (update)"; flow: to_server,established; uricontent:"/updatestats/update"; nocase; uricontent:".xml"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; sid: 2001225; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Statblaster Receiving New configuration (allfiles)"; flow: to_server,established; uricontent:"/updatestats/all_files"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; sid: 2001523; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Statblaster Code Download"; flow: to_server,established; uricontent:"/updatestats/"; nocase; uricontent:".exe"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; sid: 2001524; rev:4; )

#Submitted by Chris Norton
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Statblaster.MemoryWatcher Download"; flow: to_server,established; uricontent:"/memorywatcher.exe"; reference:url,www.memorywatcher.com/eula.aspx; classtype: trojan-activity; sid: 2001442; rev:7; )

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SurfAssistant.com Spyware Install"; flow: to_server,established; uricontent:"/distribution/questmod-1.dll"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sa.html; sid: 2001510; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SurfAssistant.com Spyware Reporting"; flow: to_server,established; uricontent:"/sa/?a="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sa.html; sid: 2001514; rev:6;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SurfSidekick Activity"; flow: established,to_server; uricontent:"/Bundling/SskUpdater"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; sid: 2001731; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SurfSidekick Download"; flow: established,to_server; uricontent:"/requestimpression.aspx?ver="; nocase; content:"host="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; sid: 2001992; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SurfSidekick Dictionary Download"; flow: established,to_server; uricontent:"/Dictionaries"; nocase; content:".dll"; nocase; within: 10; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; sid: 2001993; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SurfSidekick Activity (ipixel)"; flow: established,to_server; uricontent:"/ipixel.htm?cid="; nocase; content:"&pck_id="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; sid: 2001994; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SurfSidekick Activity (rinfo)"; flow: established,to_server; uricontent:"/rinfo.htm?"; nocase; uricontent:"host="; nocase; uricontent:"action="; nocase; uricontent:"client=SSK"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; sid: 2002738; rev:1; )

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE TargetNetworks.net Spyware Reporting (req)"; flow: to_server,established; uricontent:"/request/req.cgi?gu="; nocase; uricontent:"&sid="; nocase; uricontent:"&kw="; nocase; reference:url,www.targetnetworks.com; classtype: trojan-activity; sid: 2001997; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE TargetNetworks.net Spyware Reporting (tn)"; flow: to_server,established; uricontent:"/data/tn.dat?v="; nocase; uricontent:"&sid="; nocase; reference:url,www.targetnetworks.com; classtype: trojan-activity; sid: 2002046; rev:4; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware thebestsoft4u.com Spyware Install (1)"; flow: to_server,established; uricontent:"/pa/glx.exe"; nocase; classtype: trojan-activity; sid: 2001482; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware thebestsoft4u.com Spyware Install (2)"; flow: to_server,established; uricontent:"/pa/proxyrnd.exe"; nocase; classtype: trojan-activity; sid: 2001485; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware thebestsoft4u.com Spyware Install (3)"; flow: to_server,established; uricontent:"/pr.exe"; nocase; classtype: trojan-activity; sid: 2001486; rev:4; )

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Tibsystems Spyware Download"; flow: to_server,established; uricontent:"/d4.fcgi?v="; nocase; classtype: trojan-activity; sid: 2001488; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Tibsystems Spyware Install (1)"; flow: to_server,established; uricontent:"/fcgi-bin/iza2.fcgi?m="; nocase; classtype: trojan-activity; sid: 2001729; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Tibsystems Spyware Install (2)"; flow: to_server,established; uricontent:"/tb/loader2.ocx"; nocase; classtype: trojan-activity; sid: 2001734; rev:3; )

#By Matt Jonkman from Spyware listening post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Tickle.com Spyware"; flow: to_server,established; uricontent:"/forward?sid="; classtype: trojan-activity; reference:url,www.spywareremove.com/removeTickle.html; sid:2002197; rev:1; )

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ToolbarPartner Spyware Install"; flow: established,to_server; uricontent:"/popengine/POP.CHM"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; sid: 2001886; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ToolbarPartner Spyware Activity (1)"; flow: established,to_server; uricontent:"/adverts/zergio/"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; sid: 2001887; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ToolbarPartner Spyware Activity (2)"; flow: established,to_server; content:"Host\: toolbarpartner.com"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; sid: 2001888; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ToolbarPartner Spyware Jeemp Trojan Download"; flow: established,to_server; uricontent:"/proxyrnd.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; sid: 2001889; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ToolbarPartner Spyware Agent Download (1)"; flow: established,to_server; uricontent:"/ldr.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; sid: 2001890; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ToolbarPartner Spyware Agent Download (2)"; flow: established,to_server; uricontent:"/toolbar.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; sid: 2001892; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ToolbarPartner Spyware Agent Reporting Install"; flow: established,to_server; uricontent:"/installed.php?wm=Zergio"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; sid: 2001893; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ToolbarPartner Spyware Agent Partner Install"; flow: established,to_server; uricontent:"/inst.php?id="; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; sid: 2001894; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE ToolbarPartner Spyware Spambot Retrieving Target Emails"; flow: established,to_server; uricontent:"/mailz.php?id="; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; sid: 2001895; rev:4; )

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Spywaremover Activity"; flow: to_server,established; uricontent:"/spywareremovers.php?"; content:"Host\: topantispyware.com"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topantispyware.html; sid: 2001520; rev:5; )

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Topconverting Spyware Install"; flow: to_server,established; uricontent:"/activex/weirdontheweb_topc.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2002004; rev:4;) 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Topconverting Spyware Reporting"; flow: to_server,established; uricontent:"/trigger.php?partner="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html;  classtype: trojan-activity; sid: 2002040; rev:3; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware TopMoxie Reporting Data to External Host"; flow: to_server,established; content:"/downloads/record_download.asp"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/downloads\/record_download\.asp/i"; reference:url,www.topmoxie.com; classtype: trojan-activity; sid: 2000588; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware TopMoxie Retrieving Data (downloads)"; flow: to_server,established; uricontent:"/external/builds/downloads2/"; nocase; reference:url,www.topmoxie.com; classtype: trojan-activity; sid: 2000589; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware TopMoxie Retrieving Data (common)"; flow: to_server,established; uricontent:"/external/builds/common/"; nocase; reference:url,www.topmoxie.com; classtype: trojan-activity; sid: 2000590; rev:5; )

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Toprebates.com Install (1)"; flow: established,to_server; uricontent:"/acti.asp?cl=1&gd=1&clpid="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; sid: 2001646; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Toprebates.com Install (2)"; flow: established,to_server; uricontent:"/builds/"; nocase; uricontent:"AutoTrack_Install.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; sid: 2001647; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Toprebates.com User Confirming Membership"; flow: established,to_server; uricontent:"/cgi/account.plx?pid="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; sid: 2001648; rev:3; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Ezula"; flow: to_server,established; uricontent:"/MindSet5/install/ezinstall.exe"; nocase; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; classtype: trojan-activity; sid: 2001334; rev:4; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Malware Ezula Installer Download"; flow: from_server,established; content:"|65 5a 75 6c 61 20 49 6e 73 74 61 6c 6c 61 74 69 6f 6e 00 49|"; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; classtype: trojan-activity; sid: 2001335; rev:5; )

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Trafficsector.com Spyware Install"; flow: to_server,established; uricontent:"/install.php?"; nocase; uricontent:"afid="; nocase; uricontent:"&user_id="; content:"trafficsector"; nocase; classtype: policy-violation; sid: 2002736; rev:1; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Traffic Syndicate Add/Remove"; flow: to_server,established; uricontent:"/Support/AddRemove.aspx?id="; nocase; classtype: policy-violation; sid: 2001313; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Traffic Syndicate Agent Updating (1)"; flow: to_server,established; uricontent:"/TbLinkConfig.asmx"; nocase; threshold: type limit, track by_src, count 1, seconds 360; classtype: policy-violation; sid: 2001315; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Traffic Syndicate Agent Updating (2)"; flow: to_server,established; uricontent:"/TbInstConfig.asmx"; nocase; threshold: type limit, track by_src, count 1, seconds 360; classtype: policy-violation; sid: 2001316; rev:6; )

#by Matt Jonkman, data from the Spyware Listening Post
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Transponder Spyware Activity"; flow:established,to_server; uricontent:"/sendROIcookie.cfm?refer="; nocase; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/Transponder.html; sid:2002320; rev:1;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE UCMore Spyware Reporting"; flow: to_server,established; uricontent:"/iis2ucms.asp"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; classtype: trojan-activity; sid: 2001995; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE UCMore Spyware Downloading Ads"; flow: to_server,established; uricontent:"/iis2ucms_getsponsorlinks.asp"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; classtype: trojan-activity; sid: 2001998; rev:3; )

# Added by Frank Knobbe on 2006-03-12
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Suspicious POST to ROBOTS.TXT"; flow:established,to_server; content:"POST"; depth:4; nocase; uricontent:"/robots.txt"; nocase; pcre:"/Cookie\:\ +x=[0-9]*\;\ +y=[0-9]+/i"; classtype:unknown; sid:2002856; rev:1;)

# These are user agent string from the user agents project:
# http://www.bleedingsnort.com/article.php?story=20050303190103553
# These will hit on traffic generated by spyware agents and installers
#
# The user agent sigs from all types of spyware are consolidated here
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE User-Agent String"; flow:established,to_server; flowbits:isnotset,http.UserAgent; flowbits:noalert; flowbits:set,http.UserAgent; content:"User-Agent\:"; nocase; classtype:string-detect; sid: 2002311; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE EXE as User Agent -- Potential Spyware"; flow: established,to_server; flowbits:isset,http.UserAgent; content:"User-Agent\:"; nocase; content:".exe"; within:20;  nocase; classtype: trojan-activity; sid: 2002153; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE 404Search Spyware User Agent"; flow:established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+404search/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001852; rev:13;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Easy Search Bar Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+ESB\(/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001853; rev:11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE EZULA Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+ezula/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001854; rev:11; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (1)"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+FunWebProducts/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; threshold: type limit, count 1, seconds 360, track by_src; sid: 2001855; rev:13;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Hotbar Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Hotbar/i"; threshold: type limit, count 1, seconds 360, track by_src; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001858; rev:13;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Cool Web Search Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+iefeatsl/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001859; rev:12;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Kontiki Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Kontiki/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001860; rev:12;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Micro-Gaming Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+MGS-Internal-Web-Manager/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001861; rev:11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Surf Assistant Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; content:"User-Agent\: ML"; nocase; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001862; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (2)"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+MyTotalSearch/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001863; rev:12;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Fun Web Products Spyware User Agent (3)"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+MyWay/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001864; rev:13;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE MyWebSearch Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+MyWebSearch/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001865; rev:12;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Smartpops/Mediaload Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+NSISDL/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001866; rev:12;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Search Engine 2000 Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+searchengine2000\.com/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001867; rev:12;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE SureSeeker Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+sureseeker\.com/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001868; rev:13;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Sidesearch Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Sidesearch/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001869; rev:12;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Surfplayer Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+SurferPlugin/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001870; rev:12;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Target Saver Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+TSA/i"; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001871; rev:11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Visicom Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Visicom Toolbar/i"; threshold: type limit, count 1, seconds 360, track by_src; reference:url,www.bleedingsnort.com/article.php?story=20050303190103553; classtype: trojan-activity; sid: 2001872; rev:12;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Altnet PeerPoints Manager Traffic"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Peer Points Manager/i"; classtype: policy-violation; sid: 2001640; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Browseraid.com Agent"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Browser Adv/i"; reference:url,www.browseraid.com; classtype: trojan-activity; sid: 2001295; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Context Plus Spyware Activity (1)"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Apropos/i"; classtype: trojan-activity; sid: 2001703; rev:11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Context Plus Spyware Activity (2)"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Envolo/i"; classtype: trojan-activity; sid: 2001706; rev:12;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Enhance My Search Spyware Activity"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+HelperH/i"; classtype: trojan-activity; sid: 2001746; rev:11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Gator Agent Traffic"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Gator/i"; classtype: policy-violation; sid: 2000026; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Internet Optimizer Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+IOKernel/i"; classtype: trojan-activity; sid: 2001498; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Activity (MyApp)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+MyApp/i"; reference:url,www.isearchtech.com; classtype: trojan-activity; sid: 2001492; rev:13;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Activity (IST)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+IST/"; reference:url,www.isearchtech.com; classtype: trojan-activity; sid: 2001493; rev:12;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg: "BLEEDING-EDGE Malware JoltID Agent New Code Download"; flow: established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+PeerEnabler/i"; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; sid: 2001652; rev:13;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MarketScore.com Spyware User Configuration and Setup Access"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+OSSProxy/i"; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; sid: 2001562; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Medialoads.com Spyware Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"medialoads.com"; nocase; pcre:"/User-Agent\:[^\n]+NSISDL/i"; classtype: trojan-activity; sid: 2001504; rev:12;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Shop at Home Select Spyware Activity (Bundle)"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Bundle/i"; classtype: policy-violation; sid: 2001702; rev:14;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Shop at Home Select Spyware Activity (SAH)"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+SAH Agent/i"; classtype: policy-violation; sid: 2001707; rev:13;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Tibsystems Spyware Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+TIBS/i"; classtype: trojan-activity; sid: 2001487; rev:11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Top Converting Agent Activity"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Topconvertingagent/i"; classtype: trojan-activity; sid: 2001732; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Ezula Related Calling Home"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+mez/i"; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; classtype: trojan-activity; sid: 2000586; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware UCMore Spyware Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+UCmore/i"; classtype: trojan-activity; sid: 2001736; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware UCMore Spyware Activity User Agent String"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"User-Agent\: EI"; classtype: trojan-activity; sid: 2001996; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Wild Tangent Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Wildtangent Kernel/i"; classtype: trojan-activity; sid: 2001639; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware YourSiteBar Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+istsvc/i"; reference:url,www.ysbweb.com; classtype: trojan-activity; sid: 2001699; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware ToolbarPartner User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"User-Agent\: agent"; nocase; classtype: trojan-activity; sid: 2001891; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Better Internet Spyware User Agent Activity (thnall)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+THNALL[^\n]+\.EXE/i"; classtype: trojan-activity; sid: 2002002; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Overpro Spyware User Agent Activity (merong)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+MERONG/i"; classtype: trojan-activity; sid: 2002020; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Better Internet Spyware User Agent Activity (poller)"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"User-Agent\: Poller"; nocase; classtype: trojan-activity; sid: 2002005; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Better Internet Spyware User Agent Activity (aurareco)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+aurareco\.exe/i"; classtype: trojan-activity; sid: 2002039; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Wildmedia Spyware User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"User-Agent\: update "; nocase; content:!"Antivirus"; within: 9; classtype: trojan-activity; sid: 2002007; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware PeopleonPage Spyware User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+OCSLab AutoUpdater/i"; classtype: trojan-activity; sid: 2002011; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Grandstreet Interactive Spyware User Agent Activity (1)"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"User-Agent\: IEP"; nocase; classtype: trojan-activity; sid: 2002021; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Grandstreet Interactive Spyware User Agent Activity (2)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+wupdsnff\.exe/i"; classtype: trojan-activity; sid: 2002014; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Better Internet Spyware User Agent Activity (thin)"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"User-Agent\: thin"; nocase; classtype: trojan-activity; sid: 2002035; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Shopathomeselect.com Spyware User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+WebDownloader/i"; classtype: trojan-activity; sid: 2002038; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware XupiterToolbar Spyware User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+XupiterToolbar/i"; classtype: trojan-activity; reference:url,castlecops.com/tk781-Xupitertoolbar_dll_t_dll.html; sid: 2002071; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware General Spyware User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+thnall1ac\.exe/i"; classtype: trojan-activity; sid: 2002073; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Win32.Stubby Spyware User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Stubby/i"; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088437; sid: 2002074; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware New.net Spyware User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+New\.net/i"; classtype: trojan-activity; reference:url,www.newdotnet.com; reference:url,www.pcsympathy.com/printout74.html; sid: 2002076; rev:5;)
#disabling, it hits on normal traffic from Windows Media Player, and others. Needs more research
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware IEBar Spyware User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+iebar/i"; threshold: type limit, track by_src, count 1, seconds 360; classtype: trojan-activity; reference:url,castlecops.com/tk1463-IEBAR_DLL.html; sid: 2002077; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware SideStep Spyware User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+SideStep/i"; classtype: trojan-activity; sid: 2002078; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE MyWaySearch Products Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+MyWay/i"; classtype: trojan-activity; sid: 2002079; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE MySearch Products Spyware User Agent"; flow: established,to_server; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+MySearch/i"; classtype: trojan-activity; sid: 2002080; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware IEHelp.net Spyware User Agent Activity"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+firestarter/i"; classtype: trojan-activity; sid: 2002097; rev:4;)

#New from Chris Taylor and the User agents project
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Alexa Search Toolbar"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Alexa Toolbar/i"; reference:url,www.spywareguide.com/product_show.php?id=418; classtype:trojan-activity; sid:2002166; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE CoolWebSearch Spyware (Feat)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Feat Ext/i"; reference:url,www.spywareguide.com/product_show.php?id=599; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075759; reference:url,www.doxdesk.com/parasite/CoolWebSearch.html; classtype:trojan-activity; sid:2002160; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE CoolWebSearch Spyware (feat2)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Feat2/i"; reference:url,www.spywareguide.com/product_show.php?id=599; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075759; reference:url,www.doxdesk.com/parasite/CoolWebSearch.html; classtype:trojan-activity; sid:2002161; rev:5;)
#Disabling, Hits on regular windows update type traffic to sa.windows.com
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE CoolWebSearch Spyware (SCAgent)"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+SCAgent/i"; reference:url,www.spywareguide.com/product_show.php?id=599; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075759; reference:url,www.doxdesk.com/parasite/CoolWebSearch.html; classtype:trojan-activity; sid:2002162; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Ezula Update Engine"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"User-Agent\: 3a"; nocase; reference:url,www.spywareguide.com/product_show.php?id=9; classtype:trojan-activity; sid:2002163; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Hotbar Spyware"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+host(ie|oe|oi|ol)/i"; reference:url,www.doxdesk.com/parasite/Hotbar.html; reference:url,www.pchell.com/support/hotbar.shtml; classtype:trojan-activity; sid:2002164; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE IESearch Spyware"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Windows SR 2\.0/i"; reference:url,www.spywareguide.com/product_show.php?id=982; classtype:trojan-activity; sid:2002165; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE iWon Spyware"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+iWonSearchAssistant/i"; reference:url,www.spywareguide.com/product_show.php?id=461; classtype:trojan-activity; sid:2002169; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Possible Spyware -- Wise User Agent"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Wise/i"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; classtype:trojan-activity; sid:2002167; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Svcmm Parasite"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+svcmm32\.exe/i"; reference:url,castlecops.com/startuplist-5862.html; reference:url,doxdesk.com/parasite/SvcMM.html; classtype:trojan-activity; sid:2002168; rev:5;)

#by bgallia
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Adwave/MarketScore User Agent"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+WTA_/i"; reference:url,www.adwave.com/our_mission.aspx; reference:url,www.marketscore.com; classtype:trojan-activity; sid:2002394; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Miva User Agent"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+TPSystem/i"; reference:url,www.miva.com; reference:url,www.findwhat.com; classtype:trojan-activity; sid:2002395; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Miva User Agent 2"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+Travel Update/i"; reference:url,www.miva.com; classtype:trojan-activity; sid:2002396; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Precision Targeting User Agent"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+XC_/i"; reference:url,www.precisiontargeting.com; classtype:trojan-activity; sid:2002397; rev:1;)
#Extra content check for snort <2.4.3 doesn't support pure not rules
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE DelFin Project User Agent"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"User-Agent\:"; nocase; content:!"iTunes/"; pcre:"/User-Agent\:[^\n]+Dpi/i"; reference:url,www.delfinproject.com; classtype:trojan-activity; sid:2002398; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE DelFin Project User Agent 2"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+PromulGate/i"; reference:url,www.delfinproject.com; classtype:trojan-activity; sid:2002399; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE TopInstalls User Agent"; flow: to_server,established; flowbits:isset,http.UserAgent; content:"Microsoft Internet Explorer"; nocase; pcre:"/User-Agent\:[^\n]+Microsoft Internet Explorer/i"; content:!"microsoft.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; sid:2002400; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Web Search User Agent 2"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+ST3PS/i"; reference:url,www.websearch.com; classtype:trojan-activity; sid:2002401; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Web Search User Agent 3"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+UtilMind HTTPGet/i"; threshold: type limit, count 1, track by_src, seconds 360; reference:url,www.websearch.com; classtype:trojan-activity; sid:2002402; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Context Plus User Agent 2"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+PTS/i"; reference:url,www.contextplus.net; classtype:trojan-activity; sid:2002403; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Movies etc User Agent"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+IOInstall/i"; reference:url,www.movies-etc.com; classtype:trojan-activity; sid:2002404; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Internet Optimizer User Agent 2"; flow: to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+ROGUE/i"; reference:url,www.internet-optimizer.com; classtype:trojan-activity; sid:2002405; rev:1;)

#Bob Grabowsky
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE surfaccuracy Spyware User Agent"; flow:to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+SAcc/"; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfaccuracy.html; classtype:trojan-activity; sid:2002047; rev:1;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE iDownloadAgent Spyware User Agent"; flow:to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+iDownloadAgent/"; classtype:trojan-activity; sid:2002739; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Spyaxe Spyware User Agent"; flow:to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+spyaxe/"; classtype:trojan-activity; sid:2002807; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Spyaxe Spyware User Agent 2"; flow:to_server,established; flowbits:isset,http.UserAgent; pcre:"/User-Agent\:[^\n]+spywareaxe/"; classtype:trojan-activity; sid:2002808; rev:1;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Virtumonde Spyware siae3123.exe GET"; flow: to_server,established; content:"siae3123.exe"; nocase; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; classtype: trojan-activity; sid: 2000306; rev:12; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 8081 (msg: "BLEEDING-EDGE Malware Virtumonde Spyware siae3123.exe GET (8081)"; flow: to_server,established; content:"siae3123.exe"; nocase; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; classtype: trojan-activity; sid: 2000307; rev:10; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Virtumonde Spyware Information Post"; flow: to_server,established; content:"POST "; nocase; content:"e_g_StatisticsUploadDelay"; nocase; content:"g_AffiliateID"; nocase; content:"virtumonde.com"; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; classtype: trojan-activity; sid: 2000308; rev:9; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Virtumonde Spyware Code Download mmdom.exe"; flow: to_server,established; uricontent:"/mmdom.exe"; nocase; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; classtype: trojan-activity; sid: 2001525; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Virtumonde Spyware Code Download bkinst.exe"; flow: to_server,established; uricontent:"/bkinst.exe"; nocase; content:"virtumonde.com"; reference:url,www.lurhq.com/iframeads.html; classtype: trojan-activity; sid: 2001526; rev:8; )

#by Matt Jonkman from Listening Post Data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE VPP Technologies Spyware"; flow:established,to_server; uricontent:"/DittoIA.jsh?pid="; nocase; classtype:trojan-activity; sid:2002348; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE VPP Technologies Spyware Reporting URL"; flow:established,to_server; uricontent:"/js.vppimage?key="; nocase; classtype:trojan-activity; sid:2002350; rev:1;)

# Weatherbug - Dale Handy, PE
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Weatherbug"; flow: to_server,established; uricontent:"WxAlertIsapi"; nocase; threshold: type limit, track by_src, count 1, seconds 3600; classtype: misc-activity; sid: 2001235; rev:9; )
#Submitted by Joel Esler
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Weatherbug Capture"; flow: to_server,established; content:"GET"; nocase; content:"Host\:"; nocase; within: 500; content:"weatherbug.com"; nocase; within: 100; threshold: type limit, track by_src, count 1, seconds 3600; classtype: misc-activity; sid: 2001267; rev:12; )
#by M Shirk
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Weatherbug Wxbug Capture"; flow: to_server,established; content:"GET"; nocase; content:"Host\:"; nocase; within: 500; content:"wxbug.com"; nocase; within: 100; threshold: type limit, track by_src, count 1, seconds 3600; classtype: misc-activity; sid: 2002364; rev:2;)

#Submitted by Matt Jonkman, Tweaks by Bob Grabowsky
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE Malware Webhancer Data Upload"; flow: from_server,established; content:"WebHancer Authority Server"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; sid: 2001317; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Webhancer Data Post"; flow: to_server,established; content:"POST http\://prime.webhancer.com"; nocase; content:"AgentTag\:"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; sid: 2001677; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Webhancer Agent Activity"; flow: to_server,established; content:"Host\:"; nocase; content:"webhancer.com"; within:30; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; sid: 2001678; rev:5; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Websearch.com Spyware"; flow: to_server,established; uricontent:"/sitereview.asmx/GetReview"; nocase; classtype: trojan-activity; reference:mcafee,131461; sid: 2001325; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Websearch.com Outbound Dialer Retrieval"; flow: to_server,established; uricontent:"/1/rdgUS10.exe"; nocase; classtype: trojan-activity; reference:mcafee,131461; sid: 2001517; rev:5; )

#Matt Jonkman from spyware listening post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Websponsors.com Spyware"; flow:to_server,established; pcre:"/\/v\/s=\d+\/p=\d+\/j=\d+\//Ui"; classtype:trojan-activity; sid:2002204; rev:1;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Weird on the Web /180 Solutions Checkin"; flow: to_server,established; uricontent:"/notifier/config.ini?v="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2002036; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Weird on the Web /180 Solutions Update"; flow: to_server,established; uricontent:"/notifier/updates"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; sid: 2002041; rev:3; )

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware pool.Westpop.com Spyware Install"; flow: to_server,established; uricontent:"/vcgi/magh/update.cgi?magic="; nocase; classtype: trojan-activity; sid: 2001512; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware pool.Westpop.com Spyware Updates"; flow: to_server,established; uricontent:"/vcgi/new01"; nocase; classtype: trojan-activity; sid: 2001897; rev:2; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com App and Search Bar Install (1)"; flow: to_server,established; uricontent:"/vsn/ISA/"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000908; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com App and Search Bar Install (2)"; flow: to_server,established; uricontent:"/Appinstall?app=VVSN"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000909; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Clock Sync App Checkin"; flow: to_server,established; uricontent:"/heartbeat?program=clock"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000910; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Weather App Checkin"; flow: to_server,established; uricontent:"/heartbeat?program=weather"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000911; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Clock Sync App Checkin (1)"; flow: to_server,established; uricontent:"/clock?id="; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000912; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Clock Sync App Checkin (2)"; flow: to_server,established; uricontent:"/clockDB"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000913; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Weather App Checkin (1)"; flow: to_server,established; uricontent:"/weatherDB"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000914; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Weather App Checkin (2)"; flow: to_server,established; uricontent:"/weather?id="; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000915; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com WhenUSave App Checkin"; flow: to_server,established; uricontent:"/heartbeat?program=whenusave"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000916; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com WhenUSave Data Retrieval (offersdata)"; flow: to_server,established; uricontent:"/OffersDataGZ?update="; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000917; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Desktop Bar Install"; flow: to_server,established; uricontent:"/Appinstall?app=desktop"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000918; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com WhenUSave Data Retrieval (Searchdb)"; flow: to_server,established; uricontent:"/SearchDB?update="; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2000919; rev:6; )
#Submitted by Chris Norton
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware WhenUClick.com Desktop Bar App Checkin"; flow: to_server,established; uricontent:"/heartbeat?program=desktop"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; sid: 2001443; rev:4; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Wild Tangent Install"; flow: to_server,established; uricontent:"/updatestats/AI_Euro.exe"; nocase; classtype: trojan-activity; reference:mcafee,122249; sid: 2002008; rev:5; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Wild Tangent Agent Installation"; flow: to_server,established; uricontent:"/Recovery/Checkin.aspx?version"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; sid: 2001307; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Wild Tangent Agent Checking In"; flow: to_server,established; uricontent:"/CDADeliveries/Checkin.aspx"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; sid: 2001309; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Wild Tangent Agent Traffic"; flow: to_server,established; uricontent:"/CDAFiles/DP/SysConfig"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; sid: 2001310; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Wild Tangent Agent"; flow: to_server,established; uricontent:"/CDAFiles/"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; sid: 2001314; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Wild Tangent New Install"; flow: to_server,established; uricontent:"/NewUser/Checkin.aspx"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; sid: 2001322; rev:4; )

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Windupdates.com Spyware Install"; flow: established,to_server; uricontent:"/cab/CDTInc/ie/"; nocase; uricontent:".cab"; nocase; classtype: trojan-activity; sid: 2001700; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Windupdates.com Spyware Loggin Data"; flow: established,to_server; uricontent:"/logging.php?p="; nocase; content:"Host\: public.windupdates.com"; nocase; classtype: trojan-activity; sid: 2001701; rev:4; )

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs (1)"; flow: to_server,established; uricontent:"/fa/evil.html"; nocase; classtype: trojan-activity; sid: 2001461; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs Occuring"; flow: to_server,established; uricontent:"/fa/?d=get"; nocase; classtype: trojan-activity; sid: 2001462; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs (2)"; flow: to_server,established; content:"src=http\://xpire.info/i.exe"; nocase; classtype: trojan-activity; sid: 2001463; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs (3)"; flow: to_server,established; uricontent:"/i.exe"; nocase; content:"xpire.info"; nocase; classtype: trojan-activity; sid: 2001464; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs (4)"; flow: to_server,established; uricontent:"/dl/adv121.php"; nocase; classtype: trojan-activity; sid: 2001466; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs (5)"; flow: to_server,established; uricontent:"/dl/adv121/x.chm"; nocase; classtype: trojan-activity; sid: 2001467; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs CHM Exploit"; flow: to_server,established; uricontent:"/fa/ied_s7m.chm"; nocase; classtype: trojan-activity; sid: 2001468; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs (6)"; flow: to_server,established; uricontent:"/fa/x.chm"; nocase; classtype: trojan-activity; sid: 2001469; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Multiple Spyware Installs (7)"; flow: to_server,established; uricontent:"/fa/xpl3.htm"; nocase; classtype: trojan-activity; sid: 2001470; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Spyware Exploit"; flow: to_server,established; uricontent:"/2DimensionOfExploitsEnc.php"; nocase; classtype: trojan-activity; sid: 2001471; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Spyware Install Reporting"; flow: to_server,established; uricontent:"/xpsystem/report.php?user_id="; nocase; uricontent:"&status=0&country_id="; nocase; classtype: trojan-activity; sid: 2001472; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Install Code Download"; flow: to_server,established; uricontent:"/install.gz"; nocase; content:"Host\: xpire.info"; nocase; classtype: trojan-activity; sid: 2001491; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Xpire.info Install Report"; flow: to_server,established; content:"counter.htm"; nocase; pcre:"//user\d+/counter\.htm/im"; classtype: trojan-activity; sid: 2001541; rev:7; )

#Thanks James Ashton
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Yesadvertising Banking Spyware RETRIEVE"; flow: to_server,established; uricontent:"/img1big.gif"; nocase; reference:url,isc.sans.org/presentations/banking_malware.pdf; classtype: trojan-activity; sid: 2000336; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Yesadvertising Banking Spyware INFORMATION SUBMIT"; flow: to_server,established; uricontent:"/cgi-bin/yes.pl"; nocase; reference:url,isc.sans.org/presentations/banking_malware.pdf; classtype: trojan-activity; sid: 2000337; rev:7; )

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware YourSiteBar Data Submision"; flow: to_server,established; uricontent:"/ist/scripts/istsvc_ads_data.php?version="; nocase; reference:url,www.ysbweb.com; classtype: trojan-activity; sid: 2001698; rev:3; )

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware yupsearch.com Spyware Install -- protector.exe"; flow: to_server,established; uricontent:"/protector.exe"; nocase; reference:url,www.yupsearch.com; classtype: trojan-activity; sid: 2002092; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware yupsearch.com Spyware Install -- sideb.exe"; flow: to_server,established; uricontent:"/sideb.exe"; nocase; reference:url,www.yupsearch.com; classtype: trojan-activity; sid: 2002098; rev:2; )

#John Stewart
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Zenotecnico Adware"; flow: to_server,established; uricontent:"/cl/clientdump"; content:"zenotecnico"; nocase; reference:url,www.zenotecnico.com; classtype: policy-violation; sid: 2001947; rev:3; )

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Zenotecnico Adware 2"; flow: to_server,established; uricontent:"/cl/clienthost"; content:"zenotecnico"; nocase; reference:url,www.zenotecnico.com; classtype: policy-violation; sid: 2002735; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Zenotecnico Spyware Install Report"; flow: to_server,established; uricontent:"/instreport"; content:"zenotecnico"; nocase; reference:url,www.zenotecnico.com; classtype: policy-violation; sid: 2002737; rev:2; )