##################################################################
## Malware Threat Center (mtc.sri.com) - Wed Feb 22 08:41:17 2012
## SRI International
## The data on this website is the product of ongoing research
## and is for your personal use only.  It is supplied AS IS,
## WITHOUT WARRANTY OF ANY KIND.  Use or reliance on this data
## is at your own risk.  
##################################################################


# -- Inbound Exploit, Inbound: 4209 of 5837, from 09/15 to 02/21
# Ten consecutive 0x90 (x86 NOP) bytes arriving on RPC/SMB ports. There is no
# flow: keyword, so the rule is evaluated per packet regardless of session state.
# Despite the "unicode" label this is the plain contiguous NOP-sled pattern; the
# UTF-16-interleaved form (|90 00| ...) is sid 299906 further down. NOTE(review):
# the hit count (4209 of 5837) suggests it may also fire on benign binary padding --
# treat as a low-confidence indicator unless corroborated.
alert tcp $EXTERNAL_NET any -> $HOME_NET [135:139,445,1025] (msg:"E2[rb] SHELLCODE x86 0x90 unicode NOOP"; content:"|90 90 90 90 90 90 90 90 90 90|"; classtype:shellcode-detect; sid:299913; rev:1;)

# -- Egg Download, Outbound: 3738 of 5837, from 09/15 to 02/21
# Source port 1028:1040 is the "backdoor port" heuristic. "GET" and "HTTP" are
# matched anywhere in the payload; depth:300 constrains only the preceding ".exe"
# content. All three matches are case-sensitive (no nocase), and there is no
# flow: keyword.
alert tcp  $HOME_NET 1028:1040 -> $EXTERNAL_NET any (msg: "E3[rb] BotHunter HTTP-based .exe Upload on backdoor port"; content:"GET"; content: "HTTP"; content: ".exe"; depth: 300; classtype: misc-activity; sid:3000003; rev:99; )

# -- Egg Download, Inbound: 3418 of 5837, from 09/15 to 02/21
# "MZ" followed by the "PE\0\0" signature ending within 250 bytes of it, on an
# established stream. Source port !20 excludes only active-mode FTP data
# transfers; passive-mode FTP (random ports) is still inspected. NOTE(review):
# an executable whose PE header sits more than 250 bytes past "MZ" (large DOS
# stub) would not be matched -- confirm the window against current samples.
alert tcp $EXTERNAL_NET !20 -> $HOME_NET any (msg:"E3[rb] BotHunter Malware Windows executable (PE) sent from remote host";  content: "MZ"; content: "PE|00 00|"; within:250; flow: established; sid:5001684; rev:99;)

# -- Egg Download, Inbound: 3404 of 5837, from 09/15 to 02/21
# Same idea keyed on the common DOS-stub text instead of the PE signature. The
# two content matches carry no distance/within, so "MZ" and the stub text may
# appear anywhere in the packet independently of each other. Sid 2000427 below
# uses the other stub wording ("This program must be "), so the pair covers both
# linker variants.
alert tcp $EXTERNAL_NET !20 -> $HOME_NET any (msg:"E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host";  content: "MZ"; content: "This program cannot be run in DOS mode"; flow: established; sid:2001683; rev:3;)

# -- Inbound Exploit, Inbound: 3369 of 5837, from 09/15 to 02/21
# SMB TREE_CONNECT_ANDX (command byte 0x75 = 'u') to the IPC$ share with the
# Unicode flag set: the byte_test checks the flags2 Unicode bit, the pcre skips
# the remaining 27 bytes of the 32-byte SMB header, the byte_jump steps over the
# password field, and the final content is "IPC$\0" in UTF-16LE. Sets flowbit
# smb.tree.connect.ipc so later rules can gate on an IPC$ tree connect. classtype
# protocol-command-decode: ordinary SMB activity, not an attack by itself. Sid 2538
# below is the same check on port 139; sid 52466 is the outbound mirror.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"E2[rb] NETBIOS SMB-DS IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:22466; rev:7;)

# -- Inbound Exploit, Inbound: 2834 of 5837, from 09/15 to 02/21
# BotHunter variant: a run of ASCII '1' (0x31) bytes anywhere in any packet to
# TCP/445. No flow/offset/depth, so it also fires on unestablished traffic and on
# benign payloads that happen to contain the run. The BLEEDING-EDGE variant below
# (sid 22000032) requires a longer run at offset 78 within depth 192 on an
# established to_server stream; the near-identical hit counts (2834 vs 2833) show
# the stricter form loses almost nothing, so it is the one worth keeping.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "E2[rb] BotHunter EXPLOIT LSA exploit"; content:"|3131313131313131313131313131313131313131313131|";  classtype: misc-activity; reference:url,www.eeye.com/html/research/advisories/AD20040501.html; reference:url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html; sid:292000032; rev:99; )

# -- Inbound Exploit, Inbound: 2833 of 5837, from 09/15 to 02/21
# Stricter form of the Sasser-era LSASS exploit check (see the eEye advisory
# reference): established, to_server, fixed offset/depth window for the '1' run.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "E2[rb] BLEEDING-EDGE EXPLOIT LSA exploit"; flow: to_server,established; content:"|3131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131|"; offset: 78; depth: 192; classtype: misc-activity; reference:url,www.eeye.com/html/research/advisories/AD20040501.html; reference:url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html; sid:22000032; rev:6; )

# -- Egg Download, Inbound: 2776 of 5837, from 09/15 to 02/21
# Inbound HTTP response carrying "Content-Type: application/x-exe" to a high
# port (1030:1040). The match is case-sensitive and must end within the first
# 300 bytes. NOTE(review): HTTP header names are case-insensitive, so a
# lowercase "content-type:" would slip past this rule -- adding nocase would
# close that gap without widening it otherwise.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1030:1040 (msg: "E3[rb] BotHunter HTTP-based .exe Upload on backdoor port"; content:"Content-Type\: application/x-exe"; depth: 300; classtype: misc-activity; reference:url,vil.mcafeesecurity.com/vil/content/Print125009.htm; sid:3000000; rev:99; )

# -- Inbound, Inbound: 1570 of 5837, from 09/15 to 02/21
# "Bogon Nets 2" -- a static snapshot of unallocated space, one alert per source
# per 360 s. NOTE(review): IANA's IPv4 free pool was exhausted in Feb 2011,
# before this file's date, and the /8s listed here had been allocated by then;
# at rev 10 this rule now flags ordinary production address space, so the 1570
# hits are most likely legitimate traffic. Regenerate from a current
# bogon/fullbogon feed or disable.
alert ip [50.0.0.0/8,100.0.0.0/6,104.0.0.0/5,112.0.0.0/6,173.0.0.0/8,174.0.0.0/7,176.0.0.0/5,184.0.0.0/6] any -> $HOME_NET any (msg:"ET POLICY Reserved IP Space Traffic - Bogon Nets 2"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360; sid:2002750; rev:10;)

# -- Outbound Scan, Outbound: 1375 of 5837, from 09/15 to 02/21
# The Windows cmd.exe banner ("Microsoft Windows", "(C) Copyright 1985-",
# "Microsoft Corp.", in that order) leaving HOME_NET on an established
# connection whose source port is not 21-23: a command prompt being served to a
# remote peer, consistent with a bind shell or backdoor answering. classtype
# successful-admin -- treat as high priority and pivot on the source host.
alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows"; content:"|28|C|29| Copyright 1985-"; distance:0; content:"Microsoft Corp."; distance:0; reference:nessus,11633; classtype:successful-admin; sid:52123; rev:3;)

# -- Egg Download, Outbound: 1235 of 5837, from 09/15 to 02/21
# Three rules keyed on the same TFTP opcode |00 01| (Read Request, per the msg
# of sid 2008120) in the first two bytes of an outbound UDP/69 packet. Their
# identical hit counts show they fire together, so every read request currently
# raises three alerts. This one additionally requires ".exe" (nocase) after the
# opcode, i.e. an executable being fetched -- the actual egg-download signal; the
# two below are policy-level and could be deduplicated.
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"E3[rb] TFTP GET .exe from external source"; content:"|00 01|"; depth:2; content:".exe"; offset:2; nocase; classtype:successful-admin; sid:3001441; rev:1;)

# -- Egg Download, Outbound: 1235 of 5837, from 09/15 to 02/21
# Generic TFTP read request, any filename (see sid 3001441 above).
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"E3[rb] TFTP GET from external source"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:1444; rev:3;)

# -- Egg Download, Outbound: 1235 of 5837, from 09/15 to 02/21
# ET policy copy of the same generic read-request check as sid 1444.
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"E3[rb] ET POLICY Outbound TFTP Read Request"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:2008120; rev:1;)

# -- C&C Channel, Outbound: 664 of 5837, from 09/27 to 02/21
# Korgo.U check-in: an established to_server HTTP request to $HTTP_PORTS whose
# URI carries /index.php?id= together with the cnt=, &scn=, &inf= and &ver=
# parameters (all nocase). The parameter set is specific enough to be
# high-confidence on its own.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"E4[rb] ET WORM Korgo.U Reporting"; flow: to_server,established; uricontent:"/index.php?id="; nocase; uricontent:"cnt="; nocase; uricontent:"&scn="; nocase; uricontent:"&inf="; nocase; uricontent:"&ver="; nocase; reference:url,www.f-secure.com/v-descs/korgo_u.shtml; classtype: trojan-activity; sid: 2003070; rev:4;)

# -- Inbound, Inbound: 516 of 5837, from 09/15 to 02/21
# "Bogon Nets 1" -- static snapshot, one alert per source per 360 s.
# NOTE(review): every /8 in this list (0.0.0.0/7 covers 1/8 as well) had been
# allocated before this file's 2012 date (IANA's free pool ran out in Feb 2011),
# so at rev 4 this flags ordinary production address space and the 516 hits are
# probably legitimate. Regenerate from a current bogon feed or disable.
alert ip [0.0.0.0/7,2.0.0.0/8,5.0.0.0/8,23.0.0.0/8,27.0.0.0/8,31.0.0.0/8,36.0.0.0/7,39.0.0.0/8,42.0.0.0/8,46.0.0.0/8,49.0.0.0/8] any -> $HOME_NET any (msg:"ET POLICY Reserved IP Space Traffic - Bogon Nets 1"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360; sid:2002749; rev:4;)

# -- Egg Download, Outbound: 142 of 5837, from 09/15 to 02/18
# Case-sensitive "get", "echo" and ".exe" in one outbound packet to any port;
# depth:200 applies only to the last content (".exe"). Presumably aimed at
# script-style droppers that echo an FTP script line by line. The msg's
# "Scrip-based" is a typo for "Script-based" -- left as-is because the msg text
# is what downstream correlation matches on. Sid 3000006 below is the inbound
# counterpart keyed on "ftp".
alert tcp  $HOME_NET any -> $EXTERNAL_NET any (msg: "E3[rb] BotHunter Scrip-based Windows egg download .exe"; content:"get"; content: "echo"; content: ".exe"; depth: 200; classtype: misc-activity; sid:31000004; rev:99; )

# -- Outbound Scan, Outbound: 113 of 5837, from 09/19 to 02/18
# Outbound SYN rate to TCP/445 from one host: flags S,12 = SYN set while ignoring
# the two reserved/ECN bits; threshold type both fires once per 60 s window once
# 70 SYNs from the same source are seen. The destination is "any", so lateral
# scanning inside HOME_NET is counted as well as Internet-bound scanning.
alert tcp $HOME_NET any -> any 445 (msg: "E5[rb] BLEEDING-EDGE Behavioral Unusual Port 445 traffic, Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; classtype: misc-activity; sid:2001569; rev:11; )

# -- Inbound, Inbound: 85 of 5837, from 09/16 to 02/21
# "Bogon Nets 3". NOTE(review): 192.0.2.0/24 (TEST-NET-1) and 198.18.0.0/15
# (benchmarking) are still reserved and worth keeping, but 197/8 and 223/8 had
# been allocated before this file's date -- expect part of the 85 hits to be
# legitimate, and prune the list or regenerate it from a current feed.
alert ip [192.0.2.0/24,197.0.0.0/8,198.18.0.0/15,223.0.0.0/8] any -> $HOME_NET any (msg:"ET POLICY Reserved IP Space Traffic - Bogon Nets 3"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360; sid:2002751; rev:3;)

# -- C&C Channel, Outbound: 83 of 5837, from 09/15 to 02/20
# Virut.A C&C: an IRC JOIN of a channel name starting "&virtu" on TCP/65520,
# established to_server. Fixed channel name and port give high confidence, but
# a new variant changes either trivially.
alert tcp $HOME_NET any -> $EXTERNAL_NET 65520 (msg:"E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel"; flow:established,to_server; content:"JOIN &virtu"; classtype:trojan-activity; reference:url,www.bitcrank.net; sid:2003603; rev:2;)

# -- C&C Channel, Inbound: 60 of 5837, from 10/02 to 02/16
# Generic IRC server "NOTICE AUTH ... Looking up your hostname..." greeting
# arriving at a HOME_NET host on any port; classtype misc-activity. Not
# malicious by itself -- it marks any IRC session and is mainly context for the
# C&C rules elsewhere in this file.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"E4[rb] ET POLICY IRC authorization message"; flow: established; content:"NOTICE AUTH"; content:"Looking up your hostname..."; nocase; classtype: misc-activity; sid: 2000355; rev:4;)

# -- Inbound Exploit, Inbound: 59 of 5837, from 09/16 to 02/18
# 32 fixed bytes from the Sasser.B worm body on any established inbound stream,
# any port. The msg's "-NAI-)" carries an unbalanced parenthesis (cosmetic,
# left as-is).
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "E2[rb] BLEEDING-EDGE VIRUS W32/Sasser.worm.b -NAI-)"; flow: established; content:"|58 BC 0C FF 59 57 32 31 BD EC 34 64 6E D6 E3 8D 65 04 68 58 62 79 DF D8 2C 25 6A B5 28 BA 13 74|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html; classtype: misc-activity; sid:22001056; rev:5; )

# -- Egg Download, Inbound: 42 of 5837, from 09/19 to 02/18
# Sasser egg transfer: the hex content |5F 75 70 2E 65 78 65| is the ASCII
# string "_up.exe", required within the first 250 bytes of an established
# to_server stream to TCP/9996.
alert tcp $EXTERNAL_NET any -> $HOME_NET 9996 (msg:"E3[rb] ET WORM Sasser Transfer _up.exe"; flow: established,to_server; content:"|5F75702E657865|"; depth: 250; classtype: misc-activity; reference:url,vil.mcafeesecurity.com/vil/content/Print125009.htm; sid:2000047; rev:4;)

# -- Inbound Exploit, Inbound: 24 of 5837, from 09/15 to 02/20
# UTF-16 NOP sled: five 0x90 bytes each followed by 0x00 -- the "unicode" form
# that the label actually describes (compare sid 299913 at the top of the file,
# which matches the contiguous form).
alert tcp $EXTERNAL_NET any -> $HOME_NET [135:139,445,1025] (msg:"E2[rb] SHELLCODE x86 0x90 unicode NOOP"; content:"|90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:299906; rev:1;)

# -- Inbound Exploit, Inbound: 21 of 5837, from 01/18 to 02/08
# A run of ASCII 'C' (0x43, x86 "inc ebx") bytes, a NOP-equivalent sled.
# alert ip with $SHELLCODE_PORTS as the source port set. Because the pattern is
# plain text it also matches base64- or certificate-like blobs, so expect some
# false positives. Sid 299998 below is the tcp-only copy restricted to RPC/SMB
# ports.
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"E2[rb] REGISTERED FREE SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:21390; rev:5;)

# -- Egg Download, Inbound: 20 of 5837, from 01/18 to 01/18
# Banner "220 StnyFtpd" (nocase) at offset 0 of a packet under 30 bytes, from a
# high source port (1024:) on an established from_server stream -- presumably
# the small FTP server some worms run to hand out their payload (classtype
# trojan-activity). tag:session logs the rest of the session for forensics.
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"E3[rb] ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd)"; flow:established,from_server; dsize:<30; content:"220 StnyFtpd"; depth:12; offset:0; nocase; classtype:trojan-activity; tag:session; sid:2007726; rev:2;)

# -- Egg Download, Inbound: 20 of 5837, from 01/18 to 01/18
# "ftp", "echo" and ".exe" on an established to_server stream to TCP/445;
# nocase applies only to the last content, the first two are case-sensitive.
# Inbound counterpart of sid 31000004. The msg has a doubled space after
# "E3[rb]" (cosmetic, left as-is).
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"E3[rb]  BotHunter MALWARE executable upload"; flow:established,to_server; content:"ftp"; content: "echo"; content: ".exe"; nocase; classtype: misc-activity; sid:3000006; rev:99; )

# -- Inbound Exploit, Inbound: 20 of 5837, from 01/18 to 01/18
# tcp/port-restricted copy of sid 21390 (same "inc ebx" run, no flow keyword).
alert tcp $EXTERNAL_NET any -> $HOME_NET [135:139,445,1025] (msg:"E2[rb] SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:299998; rev:1;)

# -- Inbound Exploit, Inbound: 16 of 5837, from 01/18 to 01/18
# MS04-007 ASN.1 library overflow via SMB SESSION_SETUP_ANDX (command byte
# 0x73 = 's'): after checking the Unicode flag and skipping the header, the
# negated content (!"NTLMSSP") plus the asn1 overflow checks look for a
# malformed security blob in place of a plain NTLMSSP token. References
# CVE-2003-0818 and bugtraq 9633/9635. The msg's "NTMLSSP" is a typo for
# "NTLMSSP" (left as-is: downstream tooling keys on the msg text).
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "E2[rb] NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:23003; rev:4;)

# -- Local Attack Prep, Outbound: 16 of 5837, from 10/13 to 02/09
# IRC "USERHOST " command at offset 0 (nocase) to a destination port outside
# 6661-6668, i.e. IRC-style traffic on a non-standard port; tags the session for
# 300 s. NOTE: the msg says "dns request", but USERHOST is an IRC client
# command, not DNS -- the label is misleading.
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port"; flow: to_server,established; content:"USERHOST "; nocase; offset: 0; depth: 9; tag: session,300,seconds; classtype: policy-violation; sid: 2000352; rev:6;)

# -- Outbound, Outbound: 15 of 5837, from 10/02 to 02/09
# NICK line matching /NICK .*USA.*[0-9]{3,}/i -- bot-style nicks of the form
# "USA" followed somewhere by three or more digits. Gated on
# flowbits:isset,is_proto_irc, which nothing in this file sets; the rule is
# inert unless the is_proto_irc setter rule is loaded alongside it.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; classtype:trojan-activity; sid:2008124; rev:1;)

# -- C&C Channel, Inbound: 14 of 5837, from 10/02 to 01/18
# IRC "Welcome to the ... IRC Network" greeting inbound on any port; policy-level
# context like sid 2000355, not an indicator of compromise by itself.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"E4[rb] ET POLICY IRC connection"; flow: established; content:"Welcome to the "; content:"IRC Network"; nocase; classtype: misc-activity; sid: 2000356; rev:4;)

# -- C&C Channel, Inbound: 10 of 5837, from 10/02 to 01/12
# GTBot "scan" command over IRC: the pcre requires a character that is not
# alphanumeric, ':' or whitespace immediately before "scan" (a bot command
# prefix), which keeps ordinary chat text from matching. Also gated on the
# is_proto_irc flowbit, set elsewhere.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"E4[rb] COMMUNITY BOT GTBot scan command"; flow: established; flowbits:isset,is_proto_irc; content:"scan"; pcre:"/[^a-zA-Z0-9\x3A\s]scan/"; classtype: trojan-activity; sid:100000274; rev:2;)

# -- C&C Channel, Inbound: 9 of 5837, from 10/13 to 01/18
# IRC numeric 302 (USERHOST reply) to_client from a source port outside
# 6661-6668: first byte ':', payload under 128 bytes, and the " 302 ", "=+" and
# "@" tokens of the reply. Server-side pair of sid 2000352 above; tags the
# session for 300 s.
alert tcp $EXTERNAL_NET !6661:6668 -> $HOME_NET any (msg: "E4[rb] ET ATTACK RESPONSE IRC - Name response on non-std port"; flow: to_client,established; dsize: <128; content:"\:"; offset: 0; depth: 1; content:" 302 "; content:"=+"; content:"@"; tag: session,300,seconds; classtype: trojan-activity; sid: 2000346; rev:7;)

# -- C&C Channel, Inbound: 9 of 5837, from 09/17 to 11/10
# Static Russian Business Network address list (rev 43): any IP traffic from
# those ranges, throttled to one alert per source per 60 s. NOTE(review): a
# hard-coded list from 2012 -- the ranges have likely changed hands since, so
# refresh from the referenced feed before relying on it.
alert ip [195.64.140.0/23,195.64.162.0/23,195.66.226.151,200.115.160.0/20,202.124.241.0/24,203.117.0.0/16,203.121.0.0/17,204.251.15.190,206.161.200.34,206.161.200.36] any -> $HOME_NET any (msg:"E4[rb] ET RBN Known Russian Business Network Monitored Domains (4)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2406008; rev:43;)

# -- Egg Download, Outbound: 9 of 5837, from 10/26 to 12/24
# HTTP request for a URI containing "/gc.exe" (nocase) from HOME_NET to
# $HTTP_PORTS on any destination, established to_server. The "any" destination
# (rather than $EXTERNAL_NET) means requests to internal web servers are
# inspected too. The msg has a doubled space after "E3[rb]" (cosmetic).
alert tcp $HOME_NET any -> any $HTTP_PORTS ( msg: "E3[rb]  BLEEDING-EDGE WORM Possible UPnP Infection - gc.exe download"; flow:to_server,established; uricontent:"/gc.exe"; nocase; classtype:trojan-activity; sid:2002190; rev:2;)

# -- Outbound, Outbound: 7 of 5837, from 10/26 to 12/24
# User-Agent header whose value contains ")ver" followed by a digit
# (case-insensitive pcre). The plain content match on "User-Agent:" is a
# pre-filter that keeps the regex off non-HTTP payloads.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+\)ver\d/i"; classtype: trojan-activity; sid:2003380; rev:3;)

# -- Outbound Scan, Outbound: 4 of 5837, from 10/01 to 02/20
# Outbound mirror of sid 22466: a HOME_NET host performing a Unicode
# TREE_CONNECT_ANDX to IPC$ on an external 445 -- SMB administrative activity
# leaving the network, worth correlating with the outbound 445 scan rule above.
# Sets the same smb.tree.connect.ipc flowbit.
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"E5[rb] NETBIOS SMB-DS IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:52466; rev:7;)

# -- Inbound Exploit, Inbound: 3 of 5837, from 11/19 to 02/18
# MS06-040 (Server service) request on TCP/139: SMB_COM_TRANSACTION (command
# byte 0x25 = '%'), "\PIPE\" followed by the DCERPC version 5.0 bytes, then
# opnum |1f 00| (31 = NetrpPathCanonicalize, per the msg). NOTE(review): only
# port 139 is covered in this set; the same request over 445 is not matched by
# any rule shown here -- confirm a 445 variant exists in the full ruleset.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"E2[rb] ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040)"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|25|"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00|"; within:9; distance:4; content:"|1f 00|"; distance:20; within:2; reference:url,www.microsoft.com/technet/security/bulletin/MS06-040.mspx; classtype:misc-attack; sid:2003081; rev:3;)

# -- Outbound Scan, Outbound: 3 of 5837, from 10/01 to 12/06
# Outbound copy of the BLEEDING-EDGE LSA exploit check (sid 22000032): the same
# '1' run at offset 78 / depth 192 on an established to_server stream, but
# leaving HOME_NET toward external 445 -- an already-infected host attacking
# outward, which is why it sits in the Outbound Scan phase.
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg: "E5[rb] BLEEDING-EDGE EXPLOIT LSA exploit"; flow: to_server,established; content:"|3131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131|"; offset: 78; depth: 192; classtype: misc-activity; reference:url,www.eeye.com/html/research/advisories/AD20040501.html; reference:url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html; sid:52000032; rev:6; )

# -- Outbound Scan, Outbound: 3 of 5837, from 10/01 to 12/06
# Outbound copy of the BotHunter LSA check (sid 292000032). Same caveat as the
# inbound form: no flow/offset/depth, so any packet to 445 carrying the shorter
# '1' run matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg: "E5[rb] BotHunter EXPLOIT LSA exploit"; content:"|3131313131313131313131313131313131313131313131|";  classtype: misc-activity; reference:url,www.eeye.com/html/research/advisories/AD20040501.html; reference:url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html; sid:592000032; rev:99; )

# -- Egg Download, Inbound: 2 of 5837, from 10/18 to 02/09
# PE download check with sanity bounds: "MZ", then the "This program must be "
# stub text (the other common wording, complementing sid 2001683), then "PE",
# each preceded by an isdataat check that enough payload remains. Source port
# !20 skips active-mode FTP data, destination !25 skips SMTP. Sets flowbit
# BE.http.binary for follow-on rules.
alert tcp $EXTERNAL_NET !20 -> $HOME_NET !25 (msg:"E3[rb] ET POLICY PE EXE Install Windows file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program must be "; distance: 0; isdataat: 140,relative; content:"PE"; distance: 0; flowbits:set,BE.http.binary; reference:url,www.program-transformation.org/Transform/PcExeFormat; classtype: misc-activity; sid: 2000427; rev:9;)

# -- Outbound Scan, Outbound: 2 of 5837, from 10/01 to 10/11
# Outbound copy of the UTF-16 NOP-sled check (sid 299906); no flow keyword.
alert tcp $HOME_NET any -> $EXTERNAL_NET [135:139,445,1025] (msg:"E5[rb] SHELLCODE x86 0x90 unicode NOOP"; content:"|90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:599906; rev:1;)

# -- Inbound, Inbound: 2 of 5837, from 02/16 to 02/18
# Spamhaus DROP snapshot (rev 1146), established TCP only, one alert per source
# per hour. NOTE(review): a hard-coded list is stale the day it is cut; this
# rule is best regenerated from the referenced feed at deploy time rather than
# maintained by hand.
alert tcp [66.55.160.0/19,66.78.0.0/18,67.213.128.0/20,69.50.160.0/19,69.8.176.0/20,78.95.128.0/20,79.142.144.0/21,79.142.152.0/21,81.17.16.0/20,81.29.240.0/20,81.95.144.0/20,83.223.224.0/19,83.223.240.0/22,85.255.112.0/20,86.105.230.0/24,86.111.128.0/19,86.59.128.0/17,86.59.160.0/19,88.206.0.0/17,88.206.64.0/20,88.206.8.0/21,88.206.80.0/20,89.145.128.0/20,89.187.192.0/19,89.208.122.0/23,89.233.64.0/18,89.35.0.0/23,91.146.112.0/20,91.146.64.0/18,91.193.152.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound"; flow:established; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2400003; rev:1146;)

# -- C&C Channel, Inbound: 1 of 5837, from 10/18 to 10/18
# GTBot "ver" command over IRC, same shape as the "scan" rule: a non-alphanumeric,
# non-':' , non-whitespace prefix character directly before "ver". Gated on the
# is_proto_irc flowbit, which is set by a rule outside this file.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"E4[rb] COMMUNITY BOT GTBot ver command"; flow: established; flowbits:isset,is_proto_irc; content:"ver"; pcre:"/[^a-zA-Z0-9\x3A\s]ver/"; classtype: trojan-activity; sid:100000272; rev:2;)

# -- Inbound Exploit, Inbound: 1 of 5837, from 02/08 to 02/08
# PexFnstenvMov/Sub decoder stub: the fixed prologue bytes followed, four bytes
# later, by the |83 EB FC E2 F4| loop tail. alert ip with $SHELLCODE_PORTS as
# the source port set. A fixed-bytes encoder check -- reliable when it fires,
# but defeated by any other encoder, so keep it alongside the NOP-sled rules.
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"E2[rb] BLEEDING-EDGE EXPLOIT x86 PexFnstenvMov/Sub Encoder"; content:"|D9 EE D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance: 4; within: 5; classtype:shellcode-detect; sid:22002903; rev:1;)

# -- C&C Channel, Inbound: 1 of 5837, from 10/29 to 10/29
# Static RBN address list part 18 (rev 43), one alert per source per 60 s.
# The msg reads "ET rbN" where the part-4 rule reads "ET RBN" -- the mixed
# case is a cosmetic inconsistency and, like the list itself, a sign this entry
# needs refreshing from the referenced feed.
alert ip [67.55.81.0/24,68.178.232.100,69.20.117.228,69.20.68.36,69.22.162.0/23,69.22.168.0/21,69.22.184.0/22,69.31.128.2,69.31.40.0/21,69.31.64.0/20] any -> $HOME_NET any (msg:"E4[rb] ET rbN Known Russian Business Network Monitored Domains (18)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2406022; rev:43;)

# -- Inbound, Inbound: 1 of 5837, from 10/18 to 10/18
# iroffer XDCC advertisement from an IRC server port (6667): the hex content is
# the ASCII string "Total Offered:", required within the first 500 bytes of an
# established from_server stream.
alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any (msg:"ET P2P iroffer IRC Bot offered files advertisement"; flow: from_server,established; content:"|54 6F 74 61 6C 20 4F 66 66 65 72 65 64 3A|"; depth: 500; classtype: trojan-activity; reference:url,iroffer.org; sid: 2000339; rev:4;)

# -- Outbound, Outbound: 1 of 5837, from 11/13 to 11/13
# User-Agent value containing ".exe" within 30 bytes of the header name (both
# nocase): a process name sent as the UA string, which the msg classes as
# potential malware.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EXE as User Agent - Potential Malware"; flow: established,to_server; content:"User-Agent\:"; nocase; content:".exe"; within:30; nocase; classtype: trojan-activity; sid: 2002153; rev:7;)

# -- Outbound Scan, Outbound: 1 of 5837, from 12/06 to 12/06
# Outbound copy of the contiguous NOP-sled check (sid 299913); no flow keyword,
# and the same "unicode" mislabel applies.
alert tcp $HOME_NET any -> $EXTERNAL_NET [135:139,445,1025] (msg:"E5[rb] SHELLCODE x86 0x90 unicode NOOP"; content:"|90 90 90 90 90 90 90 90 90 90|"; classtype:shellcode-detect; sid:599913; rev:1;)

# -- Inbound Exploit, Inbound: 1 of 5837, from 01/10 to 01/10
# Same IPC$ TREE_CONNECT_ANDX walk as sid 22466, on NetBIOS port 139 rather than
# 445 (sid 2538, presumably the original rule the 22466/52466 copies derive
# from). Sets smb.tree.connect.ipc; protocol-command-decode, not an attack by
# itself.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"E2[rb] NETBIOS SMB IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2538; rev:15;)