##################################################################
## Malware Threat Center (mtc.sri.com) - Tue Jun 19 08:57:54 2012
## SRI International
## The data on this website is the product of ongoing research
## and is for your personal use only.  It is supplied AS IS,
## WITHOUT WARRANTY OF ANY KIND.  Use or reliance on this data
## is at your own risk.  
##################################################################


# -- Inbound Exploit, Inbound: 4649 of 5868, from 01/11 to 06/18
# Ten consecutive raw 0x90 (x86 NOP) bytes inbound to RPC/NetBIOS/SMB ports 135-139, 445 and 1025.
# Despite the msg, this is the plain-byte form; the byte-interleaved ('90 00') form the name refers to
# is sid:299906 further down. No flow, depth or offset constraint, so any binary transfer on these
# ports that contains a 0x90 run alerts - treat as a sled indicator to correlate, not as proof of exploitation.
alert tcp $EXTERNAL_NET any -> $HOME_NET [135:139,445,1025] (msg:"E2[rb] SHELLCODE x86 0x90 unicode NOOP"; content:"|90 90 90 90 90 90 90 90 90 90|"; classtype:shellcode-detect; sid:299913; rev:1;)

# -- Egg Download, Inbound: 3946 of 5868, from 01/11 to 06/18
# Windows executable delivered inbound on an established flow from any source port except 20 (FTP-data):
# 'MZ' plus the usual DOS-stub message. Both contents are unanchored (no depth/within/distance), so they
# may match anywhere in the stream and need not be adjacent. Fires alongside sid:5001684 below on most
# PE downloads (near-identical trigger counts above).
alert tcp $EXTERNAL_NET !20 -> $HOME_NET any (msg:"E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host";  content: "MZ"; content: "This program cannot be run in DOS mode"; flow: established; sid:2001683; rev:3;)

# -- Egg Download, Inbound: 3942 of 5868, from 01/11 to 06/18
# Same delivery check as sid:2001683 but keyed on the PE header: 'PE\0\0' must occur within 250 bytes
# after the 'MZ' match (within is relative to the previous content). Tighter than the stub-text rule
# because the two markers must be close together.
alert tcp $EXTERNAL_NET !20 -> $HOME_NET any (msg:"E3[rb] BotHunter Malware Windows executable (PE) sent from remote host";  content: "MZ"; content: "PE|00 00|"; within:250; flow: established; sid:5001684; rev:99;)

# -- Inbound Exploit, Inbound: 3677 of 5868, from 01/11 to 06/18
# SMB Tree Connect AndX (command byte 0x75 = 'u' after the 0xFF 'SMB' marker) to the IPC$ share, in
# 16-bit Unicode ('I\0P\0C\0$\0'), inbound to 445 on an established session. byte_test checks bit 0x80
# of the byte 6 past the marker (the Flags2 Unicode-strings bit), pcre /^.{27}/R advances 27 bytes,
# byte_jump skips a 2-byte little-endian length. Sets flowbit smb.tree.connect.ipc for follow-on rules
# that are not in this file. IPC$ connects are routine Windows behaviour - classtype is
# protocol-command-decode for that reason; use as correlation context, not as an alert on its own.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"E2[rb] NETBIOS SMB-DS IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:22466; rev:7;)

# -- Egg Download, Outbound: 3615 of 5868, from 01/11 to 06/18
# Internal host using source port 1028-1040 and sending 'GET', 'HTTP' and '.exe' to an external host.
# 'depth: 300' binds only to the '.exe' content; 'GET' and 'HTTP' are unbounded, and there is no flow
# keyword, so unestablished or mid-stream packets can match. BotHunter E3 (egg download) stage.
alert tcp  $HOME_NET 1028:1040 -> $EXTERNAL_NET any (msg: "E3[rb] BotHunter HTTP-based .exe Upload on backdoor port"; content:"GET"; content: "HTTP"; content: ".exe"; depth: 300; classtype: misc-activity; sid:3000003; rev:99; )

# -- Inbound Exploit, Inbound: 3251 of 5868, from 01/11 to 06/18
# A run of 0x31 ('1') filler bytes inbound to 445 - the LSASS overflow pattern from the eEye advisory
# referenced below (the vector Sasser used). No flow, offset or depth, so this is the loose form; the
# stricter sid:22000032 directly below anchors a longer run at a fixed offset, and the two normally
# fire together (trigger counts above differ by one).
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "E2[rb] BotHunter EXPLOIT LSA exploit"; content:"|3131313131313131313131313131313131313131313131|";  classtype: misc-activity; reference:url,www.eeye.com/html/research/advisories/AD20040501.html; reference:url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html; sid:292000032; rev:99; )

# -- Inbound Exploit, Inbound: 3250 of 5868, from 01/11 to 06/18
# Anchored variant of the LSASS exploit check: the 0x31 run must begin at payload offset 78 and lie
# within the first 192 bytes, on an established flow to the server. Lower false-positive rate than
# sid:292000032 above; same references.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "E2[rb] BLEEDING-EDGE EXPLOIT LSA exploit"; flow: to_server,established; content:"|3131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131|"; offset: 78; depth: 192; classtype: misc-activity; reference:url,www.eeye.com/html/research/advisories/AD20040501.html; reference:url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html; sid:22000032; rev:6; )

# -- Egg Download, Inbound: 3186 of 5868, from 01/11 to 06/18
# HTTP response header 'Content-Type: application/x-exe' within the first 300 payload bytes, delivered
# to an internal listener on 1030-1040 (a backdoor port range rather than a normal client port).
# No flow keyword. McAfee reference ties it to Sasser-era payload delivery.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1030:1040 (msg: "E3[rb] BotHunter HTTP-based .exe Upload on backdoor port"; content:"Content-Type\: application/x-exe"; depth: 300; classtype: misc-activity; reference:url,vil.mcafeesecurity.com/vil/content/Print125009.htm; sid:3000000; rev:99; )

# -- Outbound Scan, Outbound: 1657 of 5868, from 01/11 to 06/18
# The banner cmd.exe prints on start-up ('Microsoft Windows', '(C) Copyright 1985-', 'Microsoft Corp.',
# in order via distance:0) leaving an internal host toward an external peer, from any source port
# except 21-23 (presumably to skip FTP/SSH/Telnet service banners). A local command shell answering a
# remote client - classtype successful-admin; high-priority triage.
alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows"; content:"|28|C|29| Copyright 1985-"; distance:0; content:"Microsoft Corp."; distance:0; reference:nessus,11633; classtype:successful-admin; sid:52123; rev:3;)

# -- Inbound, Inbound: 1464 of 5868, from 01/11 to 06/18
# Any IP protocol from address blocks that were unallocated ("bogon") when the rule was written.
# IANA's free /8 pool was exhausted in 2011, so every block listed here has since been assigned and this
# static list now flags ordinary traffic. Do not deploy as-is; replace with a currently maintained bogon
# feed. threshold: at most one alert per source address per 360 s.
alert ip [50.0.0.0/8,100.0.0.0/6,104.0.0.0/5,112.0.0.0/6,173.0.0.0/8,174.0.0.0/7,176.0.0.0/5,184.0.0.0/6] any -> $HOME_NET any (msg:"ET POLICY Reserved IP Space Traffic - Bogon Nets 2"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360; sid:2002750; rev:10;)

# -- Egg Download, Outbound: 1286 of 5868, from 01/11 to 06/18
# Outbound TFTP read request (opcode 0x0001 in the first 2 bytes) whose filename contains '.exe'
# (case-insensitive, anywhere after the opcode). Typical stage-2 fetch by a freshly exploited host.
# Overlaps sid:1444 and sid:2008120 below, which match the opcode alone.
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"E3[rb] TFTP GET .exe from external source"; content:"|00 01|"; depth:2; content:".exe"; offset:2; nocase; classtype:successful-admin; sid:3001441; rev:1;)

# -- Egg Download, Outbound: 1286 of 5868, from 01/11 to 06/18
# Any outbound TFTP read request (opcode 1, first 2 bytes). Detection is byte-for-byte the same as
# sid:2008120 directly below, so both alert on every matching packet (identical trigger counts above);
# keep one or suppress the other to avoid duplicate events.
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"E3[rb] TFTP GET from external source"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:1444; rev:3;)

# -- Egg Download, Outbound: 1286 of 5868, from 01/11 to 06/18
# Duplicate of sid:1444 above under the ET sid: outbound TFTP read request, opcode-only match.
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"E3[rb] ET POLICY Outbound TFTP Read Request"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:2008120; rev:1;)

# -- C&C Channel, Outbound: 965 of 5868, from 01/11 to 06/18
# Korgo.U HTTP check-in: normalized request URI beginning '/index.php?id=' with cnt=, &scn=, &inf= and
# &ver= parameters (all case-insensitive) on an established client flow to $HTTP_PORTS. uricontent
# requires the HTTP preprocessor; without it this rule never matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"E4[rb] ET WORM Korgo.U Reporting"; flow: to_server,established; uricontent:"/index.php?id="; nocase; uricontent:"cnt="; nocase; uricontent:"&scn="; nocase; uricontent:"&inf="; nocase; uricontent:"&ver="; nocase; reference:url,www.f-secure.com/v-descs/korgo_u.shtml; classtype: trojan-activity; sid: 2003070; rev:4;)

# -- Inbound, Inbound: 673 of 5868, from 01/11 to 06/18
# Bogon list part 1. Apart from 0.0.0.0/8 (still reserved), every block here has been allocated since
# the 2011 exhaustion of the IANA /8 pool, so this static list will flag legitimate sources; use a live
# bogon feed instead. One alert per source per 360 s.
alert ip [0.0.0.0/7,2.0.0.0/8,5.0.0.0/8,23.0.0.0/8,27.0.0.0/8,31.0.0.0/8,36.0.0.0/7,39.0.0.0/8,42.0.0.0/8,46.0.0.0/8,49.0.0.0/8] any -> $HOME_NET any (msg:"ET POLICY Reserved IP Space Traffic - Bogon Nets 1"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360; sid:2002749; rev:4;)

# -- Egg Download, Outbound: 375 of 5868, from 01/12 to 06/18
# Script-driven egg download: 'get', 'echo' and '.exe' anywhere in an outbound TCP stream, with only
# '.exe' bounded to the first 200 bytes. Very generic - no flow keyword, case-sensitive, unanchored -
# so ordinary text traffic can trip it; triage hits before acting.
alert tcp  $HOME_NET any -> $EXTERNAL_NET any (msg: "E3[rb] BotHunter Scrip-based Windows egg download .exe"; content:"get"; content: "echo"; content: ".exe"; depth: 200; classtype: misc-activity; sid:31000004; rev:99; )

# -- Local Attack Prep, Outbound: 139 of 5868, from 01/18 to 04/30
# IRC 'USERHOST ' occupying the first 9 payload bytes (offset 0, depth 9) on an established client flow
# to any external port outside 6661-6668, i.e. IRC on a non-standard port. tag:session records the rest
# of the session for 300 s so the channel traffic can be reviewed. Paired with sid:2000346 (the reply).
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port"; flow: to_server,established; content:"USERHOST "; nocase; offset: 0; depth: 9; tag: session,300,seconds; classtype: policy-violation; sid: 2000352; rev:6;)

# -- C&C Channel, Inbound: 100 of 5868, from 01/18 to 04/30
# Server-to-client IRC numeric 302 (RPL_USERHOST) from a non-standard port: payload under 128 bytes
# beginning with ':' and containing ' 302 ', '=+' and '@' (the nick=+user@host reply form). Confirms the
# peer is an IRC server; companion to sid:2000352. tag:session logs 300 s of follow-on traffic.
alert tcp $EXTERNAL_NET !6661:6668 -> $HOME_NET any (msg: "E4[rb] ET ATTACK RESPONSE IRC - Name response on non-std port"; flow: to_client,established; dsize: <128; content:"\:"; offset: 0; depth: 1; content:" 302 "; content:"=+"; content:"@"; tag: session,300,seconds; classtype: trojan-activity; sid: 2000346; rev:7;)

# -- C&C Channel, Inbound: 82 of 5868, from 01/18 to 03/10
# ircd connection notice ('NOTICE AUTH' plus 'Looking up your hostname...', the latter case-insensitive)
# inbound on any port of an established flow: a local host has just connected to an IRC server.
# Policy-level context used by the C&C-stage rules.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"E4[rb] ET POLICY IRC authorization message"; flow: established; content:"NOTICE AUTH"; content:"Looking up your hostname..."; nocase; classtype: misc-activity; sid: 2000355; rev:4;)

# -- Inbound, Inbound: 77 of 5868, from 01/12 to 06/14
# Bogon list part 3. 192.0.2.0/24 (TEST-NET-1) and 198.18.0.0/15 (benchmarking) remain permanently
# reserved and are valid to alert on; 197.0.0.0/8 and 223.0.0.0/8 have since been allocated and should
# be dropped from the list. One alert per source per 360 s.
alert ip [192.0.2.0/24,197.0.0.0/8,198.18.0.0/15,223.0.0.0/8] any -> $HOME_NET any (msg:"ET POLICY Reserved IP Space Traffic - Bogon Nets 3"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360; sid:2002751; rev:3;)

# -- Outbound Scan, Outbound: 75 of 5868, from 01/12 to 06/06
# Internal host sending 70 or more SYNs to port 445 - any destination, internal or external - within
# 60 s. flags:S,12 = SYN set, ignoring the two reserved/ECN bits. threshold 'both' alerts once when the
# count is reached and suppresses further alerts for the rest of the window. Scan or lateral-spread
# indicator; correlate with the SMB/LSASS rules in this file.
alert tcp $HOME_NET any -> any 445 (msg: "E5[rb] BLEEDING-EDGE Behavioral Unusual Port 445 traffic, Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; classtype: misc-activity; sid:2001569; rev:11; )

# -- C&C Channel, Outbound: 74 of 5868, from 01/11 to 06/15
# Virut.A IRC C&C: 'JOIN &virtu' on an established client flow to external port 65520. Both the port and
# the channel name are hard-coded to this one variant, so later samples may not match; treat a hit as
# high-confidence, a miss as uninformative.
alert tcp $HOME_NET any -> $EXTERNAL_NET 65520 (msg:"E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel"; flow:established,to_server; content:"JOIN &virtu"; classtype:trojan-activity; reference:url,www.bitcrank.net; sid:2003603; rev:2;)

# -- Inbound Exploit, Inbound: 45 of 5868, from 01/12 to 06/16
# 32-byte binary signature taken from the Sasser.B body (Symantec reference), on any established inbound
# flow, any port. Exact-byte match: low false-positive rate, but covers only this variant.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "E2[rb] BLEEDING-EDGE VIRUS W32/Sasser.worm.b -NAI-)"; flow: established; content:"|58 BC 0C FF 59 57 32 31 BD EC 34 64 6E D6 E3 8D 65 04 68 58 62 79 DF D8 2C 25 6A B5 28 BA 13 74|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html; classtype: misc-activity; sid:22001056; rev:5; )

# -- Inbound Exploit, Inbound: 45 of 5868, from 01/18 to 05/07
# 24 consecutive 'C' (0x43, the 'inc ebx' NOP-equivalent the rule is named for) from $SHELLCODE_PORTS,
# any IP protocol. The pattern is plain ASCII and also occurs in ordinary text, base64 and padding, so
# review the payload before treating a hit as shellcode. $SHELLCODE_PORTS must be defined in the sensor
# config. TCP-only sibling with a fixed port list: sid:299998 below.
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"E2[rb] REGISTERED FREE SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:21390; rev:5;)

# -- Inbound Exploit, Inbound: 43 of 5868, from 01/18 to 05/07
# TCP variant of sid:21390 restricted to RPC/NetBIOS/SMB ports 135-139, 445 and 1025: 24 x 'C' (0x43).
# Same ASCII false-positive caveat; no flow or depth constraint.
alert tcp $EXTERNAL_NET any -> $HOME_NET [135:139,445,1025] (msg:"E2[rb] SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:299998; rev:1;)

# -- Egg Download, Inbound: 41 of 5868, from 01/12 to 06/16
# Sasser second-stage transfer: the hex content spells '_up.exe', within the first 250 bytes of an
# established inbound flow to port 9996 (the worm's remote-shell port).
alert tcp $EXTERNAL_NET any -> $HOME_NET 9996 (msg:"E3[rb] ET WORM Sasser Transfer _up.exe"; flow: established,to_server; content:"|5F75702E657865|"; depth: 250; classtype: misc-activity; reference:url,vil.mcafeesecurity.com/vil/content/Print125009.htm; sid:2000047; rev:4;)

# -- Egg Download, Inbound: 23 of 5868, from 04/30 to 05/07
# 'ftp', 'echo' and '.com' on an established inbound flow to 139 - FTP-script command lines being
# pushed to a compromised host over NetBIOS. nocase binds only to the preceding '.com'; 'ftp' and 'echo'
# are case-sensitive. Twin of sid:3000006 (port 445, '.exe').
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"E3[rb]  BotHunter MALWARE executable upload"; flow:established,to_server;  content:"ftp"; content: "echo"; content: ".com"; nocase; classtype: misc-activity; sid:3000005; rev:99; )

# -- Egg Download, Inbound: 20 of 5868, from 01/18 to 01/18
# FTP banner '220 StnyFtpd' (case-insensitive) at payload offset 0 in a server reply shorter than 30
# bytes, from a source port of 1024 or above - the banner associated with bot-embedded FTP servers used
# to hand out payloads. tag:session keeps the rest of the transfer for analysis.
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"E3[rb] ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd)"; flow:established,from_server; dsize:<30; content:"220 StnyFtpd"; depth:12; offset:0; nocase; classtype:trojan-activity; tag:session; sid:2007726; rev:2;)

# -- Egg Download, Inbound: 20 of 5868, from 01/18 to 01/18
# Port-445 twin of sid:3000005: 'ftp', 'echo' and '.exe' (only '.exe' case-insensitive) on an established
# inbound SMB-port flow - scripted payload fetch after exploitation.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"E3[rb]  BotHunter MALWARE executable upload"; flow:established,to_server; content:"ftp"; content: "echo"; content: ".exe"; nocase; classtype: misc-activity; sid:3000006; rev:99; )

# -- Inbound, Inbound: 17 of 5868, from 02/16 to 04/24
# Spamhaus DROP list snapshot (rev:1146) applied as an inbound source blocklist on established TCP flows;
# one alert per external source per hour. DROP is revised continuously, so this 2012 copy is stale in
# both directions (entries removed, entries missing); regenerate from the live list or use an
# IP-reputation feed rather than editing the address list by hand.
alert tcp [66.55.160.0/19,66.78.0.0/18,67.213.128.0/20,69.50.160.0/19,69.8.176.0/20,78.95.128.0/20,79.142.144.0/21,79.142.152.0/21,81.17.16.0/20,81.29.240.0/20,81.95.144.0/20,83.223.224.0/19,83.223.240.0/22,85.255.112.0/20,86.105.230.0/24,86.111.128.0/19,86.59.128.0/17,86.59.160.0/19,88.206.0.0/17,88.206.64.0/20,88.206.8.0/21,88.206.80.0/20,89.145.128.0/20,89.187.192.0/19,89.208.122.0/23,89.233.64.0/18,89.35.0.0/23,91.146.112.0/20,91.146.64.0/18,91.193.152.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound"; flow:established; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2400003; rev:1146;)

# -- Inbound Exploit, Inbound: 16 of 5868, from 01/18 to 01/18
# SMB Session Setup AndX (command 0x73 = 's') inbound to 445 whose security blob does NOT carry an
# NTLMSSP token (negated content 27 bytes on), followed by asn1 double/bitstring overflow checks on the
# blob - the MS04-007 / CVE-2003-0818 ASN.1 library flaw. byte_test:4 checks the high bit of a 4-byte
# little-endian field 21 bytes past the command byte. The msg misspells NTLMSSP as 'NTMLSSP'; the content
# keyword itself is correct, so detection is unaffected.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "E2[rb] NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:23003; rev:4;)

# -- Inbound Exploit, Inbound: 16 of 5868, from 01/13 to 06/18
# Byte-interleaved NOP sled (0x90 0x00 repeated five times) inbound to 135-139/445/1025 - the actual
# 'unicode' form; sid:299913 above carries the same msg but matches raw 0x90 bytes. No flow or depth
# constraint. Outbound mirror: sid:599906.
alert tcp $EXTERNAL_NET any -> $HOME_NET [135:139,445,1025] (msg:"E2[rb] SHELLCODE x86 0x90 unicode NOOP"; content:"|90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:299906; rev:1;)

# -- Egg Download, Inbound: 11 of 5868, from 02/09 to 06/08
# PE download excluding FTP-data sources (src !20) and SMTP destinations (dst !25): 'MZ', at least 76
# more bytes, the alternative DOS-stub text 'This program must be ' (sid:2001683 matches the
# 'cannot be run in DOS mode' stub), at least 140 more bytes, then 'PE'. Sets flowbit BE.http.binary for
# follow-on rules that are not in this file.
alert tcp $EXTERNAL_NET !20 -> $HOME_NET !25 (msg:"E3[rb] ET POLICY PE EXE Install Windows file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program must be "; distance: 0; isdataat: 140,relative; content:"PE"; distance: 0; flowbits:set,BE.http.binary; reference:url,www.program-transformation.org/Transform/PcExeFormat; classtype: misc-activity; sid: 2000427; rev:9;)

# -- Outbound Scan, Outbound: 9 of 5868, from 02/20 to 04/10
# Outbound mirror of sid:22466: Unicode IPC$ Tree Connect from an internal host to external port 445.
# Same SMB parsing chain (Flags2 Unicode bit, 27-byte skip, byte_jump) and the same
# smb.tree.connect.ipc flowbit. Internal-to-external SMB is itself unusual on most networks; use as
# lateral-movement/propagation context alongside sid:2001569.
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"E5[rb] NETBIOS SMB-DS IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:52466; rev:7;)

# -- Outbound, Outbound: 6 of 5868, from 01/12 to 02/09
# Bot-style IRC nick: 'NICK ' followed somewhere by 'USA' and then 3+ digits (case-insensitive pcre) on
# an established client flow. Gated by flowbits:isset,is_proto_irc - the rule that sets that bit is not
# in this file, so this rule is silent unless the IRC protocol-detection rule is also loaded.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; classtype:trojan-activity; sid:2008124; rev:1;)

# -- C&C Channel, Inbound: 5 of 5868, from 01/12 to 01/18
# IRC welcome text ('Welcome to the ' then 'IRC Network', only the latter case-insensitive) inbound on
# any port of an established flow: a local host completed an IRC login. Policy context for the
# C&C-channel stage.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"E4[rb] ET POLICY IRC connection"; flow: established; content:"Welcome to the "; content:"IRC Network"; nocase; classtype: misc-activity; sid: 2000356; rev:4;)

# -- Inbound Exploit, Inbound: 5 of 5868, from 03/24 to 06/08
# Port-139 (NetBIOS session) variant of sid:22466: Unicode IPC$ Tree Connect inbound on an established
# session, same parsing chain and same smb.tree.connect.ipc flowbit. Routine on Windows networks;
# context rather than an actionable alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"E2[rb] NETBIOS SMB IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2538; rev:15;)

# -- Outbound Scan, Outbound: 4 of 5868, from 03/03 to 03/30
# Outbound mirror of sid:22000032: the anchored LSASS 0x31 run (offset 78, depth 192) sent by an internal
# host to external 445. An internal source for this payload indicates an infected host propagating;
# sids 599906 and 592000032 below fired in the same window (counts above).
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg: "E5[rb] BLEEDING-EDGE EXPLOIT LSA exploit"; flow: to_server,established; content:"|3131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131|"; offset: 78; depth: 192; classtype: misc-activity; reference:url,www.eeye.com/html/research/advisories/AD20040501.html; reference:url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html; sid:52000032; rev:6; )

# -- Outbound Scan, Outbound: 4 of 5868, from 03/03 to 03/30
# Outbound mirror of sid:299906: byte-interleaved 0x90 0x00 sled from an internal host to external
# 135-139/445/1025. No flow or depth constraint; same false-positive caveat as the inbound rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET [135:139,445,1025] (msg:"E5[rb] SHELLCODE x86 0x90 unicode NOOP"; content:"|90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:599906; rev:1;)

# -- Outbound Scan, Outbound: 4 of 5868, from 03/03 to 03/30
# Outbound mirror of sid:292000032: unanchored 0x31 run to external 445, no flow keyword. Broader than
# sid:52000032 above and normally fires together with it.
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg: "E5[rb] BotHunter EXPLOIT LSA exploit"; content:"|3131313131313131313131313131313131313131313131|";  classtype: misc-activity; reference:url,www.eeye.com/html/research/advisories/AD20040501.html; reference:url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html; sid:592000032; rev:99; )

# -- Inbound, Inbound: 3 of 5868, from 06/04 to 06/04
# Nmap SYN-scan fingerprint: bare SYN (dsize 0, ack 0, flags S ignoring the ECN bits), window 2048,
# DF bit not set. Tied to a single window value, so other scanners and other nmap releases may not match;
# absence of this alert is not evidence that no scan occurred. sid:2000545 is the fragmented (-f) variant.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS"; fragbits: !D; dsize: 0; flags: S,12; ack: 0; window: 2048; reference:arachnids,162; classtype: attempted-recon; sid: 2000537; rev:4;)

# -- Inbound, Inbound: 3 of 5868, from 06/04 to 06/04
# Same SYN/ack 0/window 2048 fingerprint as sid:2000537 but requiring the More-Fragments bit to be clear
# (fragbits !M) - the '-f' case. Same single-window-value limitation.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -f -sS"; fragbits: !M; dsize: 0; flags: S,12; ack: 0; window: 2048; reference:arachnids,162; classtype: attempted-recon; sid: 2000545; rev:4;)

# -- Inbound Exploit, Inbound: 2 of 5868, from 02/18 to 03/07
# SMB Transaction (command 0x25) inbound on 139 carrying a DCERPC request over '\PIPE\' with opnum 0x001f
# (NetrpPathCanonicalize) at a fixed distance - the MS06-040 Server-service flaw. Every field is located
# by fixed distance/within values, so only this one request layout matches.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"E2[rb] ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040)"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|25|"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00|"; within:9; distance:4; content:"|1f 00|"; distance:20; within:2; reference:url,www.microsoft.com/technet/security/bulletin/MS06-040.mspx; classtype:misc-attack; sid:2003081; rev:3;)

# -- Inbound Exploit, Inbound: 2 of 5868, from 02/08 to 03/15
# Decoder-stub bytes of the PexFnstenvMov/Sub shellcode encoder: a 10-byte prologue followed, 4 bytes on
# and within 5, by its 5-byte loop sequence. Any IP protocol from $SHELLCODE_PORTS. Exact binary match
# with a low false-positive rate; a hit means an encoded payload was seen, and should be correlated with
# the exploit-stage rules above.
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"E2[rb] BLEEDING-EDGE EXPLOIT x86 PexFnstenvMov/Sub Encoder"; content:"|D9 EE D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance: 4; within: 5; classtype:shellcode-detect; sid:22002903; rev:1;)

# -- Outbound, Outbound: 1 of 5868, from 06/15 to 06/15
# eDonkey UDP 'publicize file' message: protocol byte 0xE3 and opcode 0x0C in the first 2 bytes, payload
# longer than 15 bytes, between high ports. P2P policy rule, not malware; pairs with sid:2003317.
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File"; dsize:>15; content:"|e3 0c|"; depth:2; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; sid:2003310; rev:2;)

# -- C&C Channel, Inbound: 1 of 5868, from 01/12 to 01/12
# GTBot 'scan' command arriving from the IRC server side: 'scan' preceded by a character that is not
# alphanumeric, ':' or whitespace (the pcre), on an established flow already flagged by
# flowbits:isset,is_proto_irc. The rule that sets is_proto_irc is not in this file; without it this
# rule never fires.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"E4[rb] COMMUNITY BOT GTBot scan command"; flow: established; flowbits:isset,is_proto_irc; content:"scan"; pcre:"/[^a-zA-Z0-9\x3A\s]scan/"; classtype: trojan-activity; sid:100000274; rev:2;)

# -- Outbound, Outbound: 1 of 5868, from 05/06 to 05/06
# SYN (flags S, ECN bits ignored) from an internal host to port 3306 on any host NOT in $SQL_SERVERS -
# MySQL probing/bot behaviour. $SQL_SERVERS must be defined in the sensor config. No threshold, so a
# sweep produces one alert per SYN; add a threshold or rely on sid:2001569-style counting if that is noisy.
alert tcp $HOME_NET any -> !$SQL_SERVERS 3306 (msg: "E5[rb] BLEEDING-EDGE WORM Potential MySQL bot scanning for SQL server"; flags: S,12; reference:url,isc.sans.org/diary.php?date=2005-01-27; classtype: trojan-activity; sid:2001689; rev:5; )

# -- C&C Channel, Inbound: 1 of 5868, from 04/25 to 04/25
# Any IP traffic inbound from a hard-coded list of 'Russian Business Network' addresses (ET list part
# 18, rev:43); one alert per source per 60 s. Static reputation lists age quickly - confirm the
# addresses against a current feed before acting on a hit, and prefer a maintained IP-reputation source
# over editing this list by hand.
alert ip [67.55.81.0/24,68.178.232.100,69.20.117.228,69.20.68.36,69.22.162.0/23,69.22.168.0/21,69.22.184.0/22,69.31.128.2,69.31.40.0/21,69.31.64.0/20] any -> $HOME_NET any (msg:"E4[rb] ET rbN Known Russian Business Network Monitored Domains (18)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2406022; rev:43;)

# -- Outbound, Outbound: 1 of 5868, from 06/15 to 06/15
# eDonkey UDP search request: protocol byte 0xE3 and opcode 0x0E in the first 2 bytes, payload longer
# than 19 bytes, between high ports. P2P policy rule; pairs with sid:2003310.
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Search Request (any type file)"; dsize:>19; content:"|e3 0e|"; depth:2; classtype:policy-violation; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; sid:2003317; rev:2;)

# -- C&C Channel, Outbound: 1 of 5868, from 03/25 to 03/25
# Internal host contacting any address on a hard-coded shadowserver C&C list (group 10, rev:1142), any
# IP protocol. Because the source here is $HOME_NET, 'track by_src' means at most one alert per internal
# host per hour no matter how many listed C&C addresses it reaches; 'track by_dst' would be needed to
# see each destination. The list is a 2012 snapshot - refresh from the live feed before relying on it.
alert ip $HOME_NET any -> [64.85.162.141,64.85.162.207,64.86.133.165,64.86.25.248,64.89.27.36,65.110.62.93,65.111.168.18,65.23.153.98,65.23.154.122,65.23.154.67,65.23.156.37,65.40.27.109,66.111.35.104,66.111.36.61,66.111.37.204,66.128.48.195,66.160.135.21,66.165.177.88,66.187.148.247,66.195.252.5,66.198.80.67,66.207.164.29,66.212.28.20,66.220.1.52,66.220.1.66,66.225.200.20,66.225.200.30,66.225.200.93,66.225.223.109,66.225.223.112,66.225.223.115,66.225.223.52,66.225.223.70,66.225.225.225,66.225.225.66,66.235.214.116,66.240.234.77,66.246.149.4,66.249.137.137,66.252.1.106,66.252.1.109,66.252.1.203,66.252.1.210,66.252.1.222,66.252.10.100,66.252.10.213,66.252.10.217,66.252.10.234,66.252.11.76,66.252.11.9,66.252.12.48,66.252.12.51,66.252.12.52,66.252.12.53,66.252.12.54,66.252.12.55,66.252.13.152,66.252.13.153,66.252.13.166,66.252.13.167] any (msg:"E4[rb] ET DROP Known Bot C&C Server Traffic (group 10) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404009; rev:1142;)