##################################################################
## Malware Threat Center (mtc.sri.com) - Sun Sep  7 08:36:28 2008
## SRI International
## The data on this website is the product of ongoing research
## and is for your personal use only.  It is supplied AS IS,
## WITHOUT WARRANTY OF ANY KIND.  Use or reliance on this data
## is at your own risk.  
##################################################################


# -- Inbound Exploit, Inbound: 9694 of 20807, from 03/31 to 08/12
alert tcp $EXTERNAL_NET any -> $HOME_NET [135:139,445,1025] (msg:"E2[rb] SHELLCODE x86 0x90 unicode NOOP"; content:"|90 90 90 90 90 90 90 90 90 90|"; classtype:shellcode-detect; sid:299913; rev:1;)

# -- Egg Download, Inbound: 9432 of 20807, from 03/31 to 08/12
alert tcp $EXTERNAL_NET !20 -> $HOME_NET any (msg:"E3[rb] BotHunter Malware Windows executable (PE) sent from remote host";  content: "MZ"; content: "PE|00 00|"; within:250; flow: established; sid:5001684; rev:99;)

# -- Inbound Exploit, Inbound: 8620 of 20807, from 03/31 to 08/12
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"E2[rb] NETBIOS SMB-DS IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:22466; rev:7;)

# -- Outbound Scan, Outbound: 7563 of 20807, from 03/31 to 08/12
alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows"; content:"|28|C|29| Copyright 1985-"; distance:0; content:"Microsoft Corp."; distance:0; reference:nessus,11633; classtype:successful-admin; sid:52123; rev:3;)

# -- Inbound Exploit, Inbound: 7422 of 20807, from 03/31 to 08/12
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "E2[rb] BotHunter EXPLOIT LSA exploit"; content:"|3131313131313131313131313131313131313131313131|";  classtype: misc-activity; reference:url,www.eeye.com/html/research/advisories/AD20040501.html; reference:url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html; sid:292000032; rev:99; )

# -- Inbound Exploit, Inbound: 7398 of 20807, from 03/31 to 08/12
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "E2[rb] BLEEDING-EDGE EXPLOIT LSA exploit"; flow: to_server,established; content:"|3131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131|"; offset: 78; depth: 192; classtype: misc-activity; reference:url,www.eeye.com/html/research/advisories/AD20040501.html; reference:url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html; sid:22000032; rev:6; )

# -- Egg Download, Inbound: 6747 of 20807, from 03/31 to 08/12
alert tcp $EXTERNAL_NET !20 -> $HOME_NET any (msg:"E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host";  content: "MZ"; content: "This program cannot be run in DOS mode"; flow: established; sid:2001683; rev:3;)

# -- Inbound Exploit, Inbound: 5239 of 20807, from 03/31 to 08/12
alert tcp $EXTERNAL_NET any -> $HOME_NET [135:139,445,1025] (msg:"E2[rb] SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:299998; rev:1;)

# -- Inbound Exploit, Inbound: 5239 of 20807, from 03/31 to 08/12
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"E2[rb] REGISTERED FREE SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:21390; rev:5;)

# -- Egg Download, Inbound: 3865 of 20807, from 04/02 to 08/12
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"E3[rb]  BotHunter MALWARE executable upload"; flow:established,to_server; content:"ftp"; content: "echo"; content: ".exe"; nocase; classtype: misc-activity; sid:3000006; rev:99; )

# -- Egg Download, Outbound: 3406 of 20807, from 03/31 to 08/12
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"E3[rb] TFTP GET .exe from external source"; content:"|00 01|"; depth:2; content:".exe"; offset:2; nocase; classtype:successful-admin; sid:3001441; rev:1;)

# -- Egg Download, Outbound: 3406 of 20807, from 03/31 to 08/12
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"E3[rb] TFTP GET from external source"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:1444; rev:3;)

# -- Egg Download, Outbound: 3406 of 20807, from 03/31 to 08/12
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"E3[rb] ET POLICY Outbound TFTP Read Request"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:2008120; rev:1;)

# -- Egg Download, Outbound: 3398 of 20807, from 03/31 to 08/12
alert tcp  $HOME_NET 1028:1040 -> $EXTERNAL_NET any (msg: "E3[rb] BotHunter HTTP-based .exe Upload on backdoor port"; content:"GET"; content: "HTTP"; content: ".exe"; depth: 300; classtype: misc-activity; sid:3000003; rev:99; )

# -- Egg Download, Inbound: 3016 of 20807, from 04/03 to 08/11
alert tcp $EXTERNAL_NET !20 -> $HOME_NET !25 (msg:"E3[rb] ET POLICY PE EXE Install Windows file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program must be "; distance: 0; isdataat: 140,relative; content:"PE"; distance: 0; flowbits:set,BE.http.binary; reference:url,www.program-transformation.org/Transform/PcExeFormat; classtype: misc-activity; sid: 2000427; rev:9;)

# -- Egg Download, Inbound: 2765 of 20807, from 03/31 to 08/12
alert tcp $EXTERNAL_NET any -> $HOME_NET 1030:1040 (msg: "E3[rb] BotHunter HTTP-based .exe Upload on backdoor port"; content:"Content-Type\: application/x-exe"; depth: 300; classtype: misc-activity; reference:url,vil.mcafeesecurity.com/vil/content/Print125009.htm; sid:3000000; rev:99; )

# -- Inbound Exploit, Inbound: 2595 of 20807, from 03/31 to 08/12
alert tcp $EXTERNAL_NET any -> $HOME_NET [135:139,445,1025] (msg:"E2[rb] SHELLCODE x86 0x90 unicode NOOP"; content:"|90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:299906; rev:1;)

# -- Egg Download, Outbound: 2493 of 20807, from 03/31 to 08/12
alert tcp  $HOME_NET any -> $EXTERNAL_NET any (msg: "E3[rb] BotHunter Scrip-based Windows egg download .exe"; content:"get"; content: "echo"; content: ".exe"; depth: 200; classtype: misc-activity; sid:31000004; rev:99; )

# -- Local Attack Prep, Outbound: 1984 of 20807, from 03/31 to 08/12
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port"; flow: to_server,established; content:"USERHOST "; nocase; offset: 0; depth: 9; threshold: type limit, track by_src, seconds 120, count 1; tag: session,300,seconds; classtype: policy-violation; sid: 2000352; rev:6;)

# -- C&C Channel, Outbound: 1657 of 20807, from 04/27 to 05/12
alert ip $HOME_NET any -> [211.172.225.77,211.236.177.219,211.38.195.154,211.95.79.246,211.96.97.44,212.101.123.10,212.101.123.11,212.101.123.12,212.101.123.4,212.101.123.5,212.101.123.6,212.101.123.7,212.101.123.8,212.101.123.9,212.105.98.2,212.116.66.12,212.160.132.51,212.178.133.174,212.36.0.70,212.40.5.191,212.6.106.76,212.69.128.38,212.71.19.100,212.73.209.227,212.91.161.18,213.113.61.173,213.114.43.86,213.131.156.50,213.131.156.51,213.146.63.33,213.180.86.97,213.195.77.224,213.198.106.64,213.201.226.5,213.202.224.142,213.202.245.12,213.202.245.127,213.202.247.105,213.206.94.195,213.215.31.19,213.219.225.1,213.228.140.7,213.236.208.178,213.239.131.28,213.244.180.180,213.247.51.21,213.247.61.130,213.248.53.3,213.248.60.142,213.251.160.26,213.48.150.3,213.48.150.5,213.53.107.38,213.92.85.209,216.12.208.217,216.129.110.6,216.147.161.118,216.150.78.210,216.151.159.42,216.152.66.62] any (msg:"E8[rb] ET DROP Known Bot C&C Server Traffic (group 6) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 120, count 1; classtype:trojan-activity; sid:2404005; rev:1142;)

# -- Inbound Exploit, Inbound: 1359 of 20807, from 03/31 to 08/12
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "E2[rb] NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:23003; rev:4;)

# -- C&C Channel, Inbound: 987 of 20807, from 03/31 to 08/12
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"E4[rb] ET TROJAN BOT - channel topic scan/exploit command"; flowbits:isset,is_proto_irc; flow: to_client,established; content:"|3a|"; offset: 0; content:"|20|332|20|"; within: 50; content:"|2023|"; within: 20; content:"|203a|"; nocase; within: 40; tag: host,300,seconds,dst; pcre:"/(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|scan ([0-9]{1,3}\.[0-9]{1,3})|(advscan|asc|xscan|xploit|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|wks1|mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup|asn1))/i"; classtype: trojan-activity; sid: 2002029; rev:7;)

# -- Egg Download, Inbound: 611 of 20807, from 03/31 to 08/11
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"E3[rb]  BotHunter MALWARE executable upload"; flow:established,to_server; content:"ftp"; content: "echo"; content: ".com"; nocase; classtype: misc-activity; sid:3000007; rev:99; )

# -- Egg Download, Inbound: 609 of 20807, from 03/31 to 08/12
alert tcp $EXTERNAL_NET any -> $HOME_NET 9996 (msg:"E3[rb] ET WORM Sasser Transfer _up.exe"; flow: established,to_server; content:"|5F75702E657865|"; depth: 250; classtype: misc-activity; reference:url,vil.mcafeesecurity.com/vil/content/Print125009.htm; sid:2000047; rev:4;)

# -- Inbound Exploit, Inbound: 604 of 20807, from 03/31 to 08/12
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "E2[rb] BLEEDING-EDGE VIRUS W32/Sasser.worm.b -NAI-)"; flow: established; content:"|58 BC 0C FF 59 57 32 31 BD EC 34 64 6E D6 E3 8D 65 04 68 58 62 79 DF D8 2C 25 6A B5 28 BA 13 74|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html; classtype: misc-activity; sid:22001056; rev:5; )

# -- C&C Channel, Inbound: 563 of 20807, from 03/31 to 08/11
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"E4[rb] ET POLICY IRC authorization message"; flow: established; content:"NOTICE AUTH"; content:"Looking up your hostname..."; nocase; classtype: misc-activity; sid: 2000355; rev:4;)

# -- C&C Channel, Inbound: 556 of 20807, from 03/31 to 08/12
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"E4[rb] ET POLICY IRC connection"; flow: established; content:"Welcome to the "; content:"IRC Network"; nocase; classtype: misc-activity; sid: 2000356; rev:4;)

# -- C&C Channel, Outbound: 497 of 20807, from 03/31 to 08/11
alert ip $HOME_NET any -> [69.145.2.88,69.16.172.2,69.16.172.40,69.18.206.194,69.20.226.82,69.20.231.81,69.213.57.174,69.28.194.5,69.30.232.148,69.31.131.54,69.36.111.69,69.39.226.10,69.39.226.38,69.39.226.69,69.42.209.227,69.42.209.228,69.42.209.229,69.42.209.230,69.42.209.231,69.42.209.232,69.42.209.233,69.42.211.121,69.42.211.5,69.42.211.84,69.42.213.82,69.42.214.111,69.42.215.116,69.42.215.35,69.42.215.45,69.42.215.46,69.42.215.50,69.42.215.66,69.42.215.7,69.42.215.81,69.42.215.90,69.42.215.96,69.42.216.120,69.42.216.123,69.42.216.125,69.42.216.126,69.42.216.90,69.42.219.194,69.42.219.44,69.42.219.49,69.42.221.115,69.42.223.148,69.42.69.186,69.42.74.177,69.46.228.170,69.46.228.172,69.46.228.174,69.46.228.179,69.46.228.183,69.46.228.189,69.50.185.182,69.50.185.184,69.50.185.186,69.50.185.238,69.50.208.3,69.50.209.31] any (msg:"E8[rb] ET DROP Known Bot C&C Server Traffic (group 13) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 120, count 1; classtype:trojan-activity; sid:2404012; rev:1142;)

# -- Egg Download, Inbound: 483 of 20807, from 05/06 to 08/02
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"E3[rb]  BotHunter MALWARE executable upload"; flow:established,to_server;  content:"ftp"; content: "echo"; content: ".exe"; nocase; classtype: misc-activity; sid:32000004; rev:99; )

# -- C&C Channel, Outbound: 417 of 20807, from 03/31 to 08/12
alert tcp $HOME_NET any -> $EXTERNAL_NET 65520 (msg:"E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel"; flow:established,to_server; content:"JOIN &virtu"; classtype:trojan-activity; reference:url,www.bitcrank.net; sid:2003603; rev:2;)

# -- C&C Channel, Outbound: 389 of 20807, from 04/01 to 06/03
alert ip $HOME_NET any -> [83.170.81.9,83.170.82.215,83.176.253.194,83.2.83.1,83.216.238.10,83.217.192.243,83.227.140.135,83.228.101.106,83.23.81.101,83.239.161.45,83.243.46.2,83.246.72.49,83.25.219.246,83.3.229.206,84.16.231.52,84.16.234.164,84.16.240.155,84.19.172.222,84.19.172.226,84.19.172.229,84.19.172.235,84.19.178.116,84.19.179.116,84.19.180.62,84.200.225.101,84.200.225.80,84.200.32.209,84.200.32.23,84.238.163.129,84.244.1.59,84.244.17.171,84.244.19.254,84.244.9.126,84.250.52.226,84.33.33.33,84.36.34.210,84.40.155.152,85.10.203.211,85.114.132.94,85.114.137.60,85.119.158.77,85.12.25.160,85.12.25.161,85.12.32.144,85.12.32.145,85.13.255.172,85.14.216.215,85.14.218.3,85.14.218.4,85.14.221.189,85.17.141.80,85.17.52.66,85.17.6.30,85.18.250.2,85.187.125.75,85.194.148.35,85.196.81.211,85.204.80.3,85.21.79.12,85.21.82.50] any (msg:"E8[rb] ET DROP Known Bot C&C Server Traffic (group 18) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 120, count 1; classtype:trojan-activity; sid:2404017; rev:1142;)

# -- Egg Download, Inbound: 380 of 20807, from 04/02 to 08/11
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"E3[rb] ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd)"; flow:established,from_server; dsize:<30; content:"220 StnyFtpd"; depth:12; offset:0; nocase; classtype:trojan-activity; tag:session; sid:2007726; rev:2;)

# -- C&C Channel, Outbound: 379 of 20807, from 04/01 to 08/12
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"E4[rb] ET WORM Korgo.U Reporting"; flow: to_server,established; uricontent:"/index.php?id="; nocase; uricontent:"cnt="; nocase; uricontent:"&scn="; nocase; uricontent:"&inf="; nocase; uricontent:"&ver="; nocase; reference:url,www.f-secure.com/v-descs/korgo_u.shtml; classtype: trojan-activity; sid: 2003070; rev:4;)

# -- C&C Channel, Inbound: 306 of 20807, from 04/01 to 08/12
alert tcp $EXTERNAL_NET !6661:6668 -> $HOME_NET any (msg: "E4[rb] ET ATTACK RESPONSE IRC - Name response on non-std port"; flow: to_client,established; dsize: <128; content:"\:"; offset: 0; depth: 1; content:" 302 "; content:"=+"; content:"@"; tag: session,300,seconds; classtype: trojan-activity; sid: 2000346; rev:7;)

# -- Outbound Scan, Outbound: 247 of 20807, from 04/01 to 08/12
alert tcp $HOME_NET any -> any 445 (msg: "E5[rb] BLEEDING-EDGE Behavioral Unusual Port 445 traffic, Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; classtype: misc-activity; sid:2001569; rev:11; )

# -- C&C Channel, Inbound: 224 of 20807, from 03/31 to 07/26
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Vulnerability Scan"; flow: established; flowbits:isset,is_proto_irc; content:"|2E|advscan|20|"; nocase; reference:url,www.nitroguard.com/rxbot.html; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_rbOT.GL; reference:url,www.muzzleflash.org/readarticle.php?article_id=5#scanning; classtype: trojan-activity; sid:2001184; rev:5; )

# -- Egg Download, Inbound: 166 of 20807, from 04/21 to 08/03
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"E3[rb]  BotHunter MALWARE executable upload"; flow:established,to_server;  content:"ftp"; content: "echo"; content: ".com"; nocase; classtype: misc-activity; sid:3000005; rev:99; )

# -- C&C Channel, Outbound: 161 of 20807, from 06/27 to 08/12
alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !80 (msg: "E4[rb] BLEEDING-EDGE VIRUS Bot Reporting Scan/Exploit"; flow: to_server,established; content:"PRIVMSG"; nocase; within: 80; tag: session, 20, packets; pcre:"/(webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc)/i"; reference:url,cert.uni-stuttgart.de/doc/netsec/bots.php; reference:url,www.nitroguard.com/rxbot.html; classtype: trojan-activity; sid:2001584; rev:6; )

# -- C&C Channel, Outbound: 155 of 20807, from 06/25 to 08/03
alert ip $HOME_NET any -> [63.173.172.98,63.243.153.235,63.243.153.237,63.243.153.238,63.243.153.239,63.245.208.159,64.12.165.56,64.124.16.118,64.124.16.119,64.124.16.122,64.127.41.29,64.127.41.30,64.13.222.135,64.13.230.162,64.132.62.107,64.16.210.102,64.161.254.20,64.161.255.2,64.179.90.55,64.179.90.59,64.18.128.86,64.18.131.116,64.18.138.115,64.18.139.82,64.18.140.158,64.18.143.113,64.18.145.206,64.18.145.215,64.18.151.101,64.18.151.106,64.18.151.71,64.18.151.73,64.18.151.86,64.18.151.94,64.191.136.108,64.22.109.78,64.237.34.150,64.251.15.82,64.32.13.142,64.32.13.171,64.32.14.2,64.32.14.20,64.32.14.48,64.32.14.83,64.32.16.249,64.32.29.103,64.32.31.225,64.32.31.239,64.32.8.70,64.34.166.236,64.34.193.234,64.34.203.207,64.40.146.188,64.62.194.62,64.62.231.240,64.72.117.181,64.72.126.222,64.74.125.21,64.85.160.108,64.85.160.30] any (msg:"E8[rb] ET DROP Known Bot C&C Server Traffic (group 9) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 120, count 1; classtype:trojan-activity; sid:2404008; rev:1142;)

# -- Outbound, Outbound: 152 of 20807, from 05/30 to 08/12
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"E4[rb] ET MALWARE Suspicious User Agent - Likely Webhancer Related Spyware (TEST)"; flow:to_server,established; content:"User-Agent\: TEST|0d 0a|"; classtype:trojan-activity; sid:2006357; rev:2;)

# -- C&C Channel, Outbound: 118 of 20807, from 03/31 to 08/12
alert ip $HOME_NET any -> [69.60.110.195,69.61.67.10,69.63.215.163,69.64.35.127,69.64.39.194,69.64.39.201,69.64.39.202,69.64.40.83,69.64.47.44,69.64.48.105,69.64.48.65,69.64.51.176,69.64.51.225,69.64.59.238,69.65.97.206,69.93.184.186,69.93.229.206,69.93.9.12,70.101.149.111,70.168.231.17,70.84.72.111,70.84.72.115,70.85.129.195,70.85.129.223,70.85.174.226,70.85.222.107,70.85.31.213,70.87.44.114,71.114.216.227,71.216.87.193,71.6.216.17,71.6.216.18,71.6.216.26,71.6.216.33,71.6.216.6,71.6.216.66,71.6.216.67,71.6.216.75,71.87.221.229,71.98.250.72,72.10.163.130,72.10.163.194,72.10.163.252,72.10.172.210,72.10.172.211,72.10.172.212,72.10.172.213,72.10.172.214,72.10.172.218,72.11.142.40,72.131.59.27,72.174.8.243,72.20.1.162,72.20.14.161,72.20.14.162,72.20.15.196,72.20.15.208,72.20.15.219,72.20.15.222,72.20.15.224] any (msg:"E8[rb] ET DROP Known Bot C&C Server Traffic (group 14) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 120, count 1; classtype:trojan-activity; sid:2404013; rev:1142;)

# -- Egg Download, Outbound: 113 of 20807, from 04/03 to 08/12
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"E3[rb] ET TROJAN General Downloader Checkin URL (GUID+)"; flow:established,to_server; uricontent:"&version="; nocase; uricontent:"&configversion="; nocase; uricontent:"GUID="; nocase; uricontent:"&cmd="; nocase; uricontent:"&p="; nocase; uricontent:"&i="; nocase; uricontent:"&x="; nocase; classtype:trojan-activity; sid:2007577; rev:2;)

# -- Outbound, Outbound: 86 of 20807, from 07/06 to 08/12
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"E4[rb] ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; classtype:trojan-activity; sid:2008124; rev:1;)

# -- C&C Channel, Outbound: 73 of 20807, from 04/06 to 08/10
alert ip $HOME_NET any -> [66.45.234.200,66.54.153.162,66.63.172.154,66.7.192.11,66.90.99.148,66.96.240.201,67.106.205.73,67.109.160.112,67.118.192.228,67.132.247.119,67.159.0.243,67.159.0.251,67.159.0.254,67.159.17.231,67.159.24.190,67.159.26.180,67.18.136.5,67.18.176.176,67.18.176.40,67.18.208.91,67.18.208.96,67.19.130.66,67.19.147.202,67.19.184.20,67.19.238.44,67.19.246.130,67.19.50.66,67.19.93.226,67.205.77.231,67.210.225.202,67.220.66.105,67.225.131.201,67.228.103.248,67.228.162.65,67.228.42.241,67.228.99.245,67.43.226.186,67.43.229.46,67.43.232.34,67.43.232.35,67.43.232.36,67.43.232.37,67.43.232.38,67.43.233.64,67.43.235.214,67.43.236.106,67.43.236.66,67.43.236.67,67.43.236.68,67.43.236.69,67.43.237.230,67.80.40.117,68.186.222.72,68.43.158.36,68.44.4.190,68.75.207.189,68.84.56.61,69.107.7.194,69.14.233.99,69.142.26.223] any (msg:"E8[rb] ET DROP Known Bot C&C Server Traffic (group 12) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 120, count 1; classtype:trojan-activity; sid:2404011; rev:1142;)

# -- C&C Channel, Inbound: 37 of 20807, from 04/12 to 08/11
alert ip $HOME_NET any -> [67.19.24.172,67.19.24.173,67.19.24.174,67.19.24.175,67.19.51.0/24,67.19.72.202,67.19.72.205,67.19.72.206,67.43.236.0/24,67.55.64.0/19] any (msg:"E8[rb] ET rbN Known Russian Business Network Monitored Domains (17)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 120, count 1; classtype:misc-attack; sid:2406021; rev:43;)

# -- Outbound, Outbound: 31 of 20807, from 06/28 to 08/12
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Speed-runner.com Fake Speed Test User-Agent (SpeedRunner)"; flow:to_server,established; content:"|0d 0a|User-Agent\: SpeedRunner|0d 0a|"; classtype:trojan-activity; sid:2008146; rev:1;)

# -- Inbound Scan, Inbound: 30 of 20807, from 04/07 to 05/23
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"E1[rb] ET WORM Allaple ICMP Sweep Ping Inbound"; icode:0; itype:8; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; sid:2003294; rev:5;)

# -- Inbound, Inbound: 22 of 20807, from 07/23 to 08/11
alert ip [50.0.0.0/8,100.0.0.0/6,104.0.0.0/5,112.0.0.0/6,173.0.0.0/8,174.0.0.0/7,176.0.0.0/5,184.0.0.0/6] any -> $HOME_NET any (msg:"ET POLICY Reserved IP Space Traffic - Bogon Nets 2"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360; sid:2002750; rev:10;)

# -- Inbound Scan, Inbound: 19 of 20807, from 04/07 to 05/01
alert tcp $EXTERNAL_NET any -> $HOME_NET 5900:5920 (msg:"E1[rb] ET SCAN Potential VNC Scan 5900-5920"; flags:S; threshold: type threshold, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:2002911; rev:2;)

# -- C&C Channel, Inbound: 16 of 20807, from 04/22 to 07/19
alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"E4[rb] ET ATTACK RESPONSE Hostile FTP Server Banner (StnyFtpd)"; flow:established,from_server; content:"220 StnyFtpd 0wns j0"; offset:0; nocase; classtype:trojan-activity; sid:2002809; rev:3;)

# -- Inbound Exploit, Inbound: 15 of 20807, from 05/21 to 07/29
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"E2[rb] ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040)"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|25|"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00|"; within:9; distance:4; content:"|1f 00|"; distance:20; within:2; reference:url,www.microsoft.com/technet/security/bulletin/MS06-040.mspx; classtype:misc-attack; sid:2003081; rev:3;)

# -- Outbound, Outbound: 15 of 20807, from 05/30 to 08/08
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Downloader or Virut C&C Ack"; flow:established,to_server; uricontent:"uid="; nocase; uricontent:"&version="; nocase; uricontent:"&actionname="; nocase; uricontent:"&action="; nocase; uricontent:"&success="; nocase; uricontent:"&debug="; nocase; uricontent:"&nocache="; nocase; classtype:trojan-activity; sid:2007587; rev:2;)

# -- C&C Channel, Outbound: 14 of 20807, from 05/02 to 08/04
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"E4[rb] ET MALWARE Debelizombi.com Spyware User Agent (blahrx)"; flow:established,to_server; content:"User-Agent\: blahrx"; classtype:trojan-activity; sid:2006778; rev:2;)

# -- Outbound Scan, Outbound: 14 of 20807, from 04/12 to 08/12
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"E5[rb] NETBIOS SMB-DS IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:52466; rev:7;)

# -- C&C Channel, Inbound: 14 of 20807, from 04/12 to 06/14
alert ip $HOME_NET any -> [81.95.149.171,81.95.149.178,81.95.149.181,81.95.149.27,81.95.153.243,81.95.154.41,81.95.156.0/22,82.114.64.251,82.146.56.140,82.98.86.170] any (msg:"E8[rb] ET rbN Known Russian Business Network Monitored Domains (28)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 120, count 1; classtype:misc-attack; sid:2406032; rev:43;)

# -- Outbound Scan, Outbound: 13 of 20807, from 04/12 to 08/12
alert tcp $HOME_NET any -> $EXTERNAL_NET [135:139,445,1025] (msg:"E5[rb] SHELLCODE x86 0x90 unicode NOOP"; content:"|90 90 90 90 90 90 90 90 90 90|"; classtype:shellcode-detect; sid:599913; rev:1;)

# -- Outbound Scan, Outbound: 13 of 20807, from 04/12 to 08/12
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg: "E5[rb] BotHunter EXPLOIT LSA exploit"; content:"|3131313131313131313131313131313131313131313131|";  classtype: misc-activity; reference:url,www.eeye.com/html/research/advisories/AD20040501.html; reference:url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html; sid:592000032; rev:99; )

# -- Outbound Scan, Outbound: 12 of 20807, from 04/12 to 08/12
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg: "E5[rb] BLEEDING-EDGE EXPLOIT LSA exploit"; flow: to_server,established; content:"|3131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131|"; offset: 78; depth: 192; classtype: misc-activity; reference:url,www.eeye.com/html/research/advisories/AD20040501.html; reference:url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html; sid:52000032; rev:6; )

# -- C&C Channel, Outbound: 10 of 20807, from 06/14 to 08/05
alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !80 (msg: "E4[rb] BLEEDING-EDGE WORM perlb0t Bot Reporting Scan/Exploit"; flow: to_server,established; content:"PRIVMSG|20|"; nocase; within: 80; pcre:"/(GOOGLE|HTTP|TCP|SCAN|UDP|VERSION)/i"; within:16; pcre:"/(Exploiting|Exploited|Attacking|Scanning|perlb0t)/i"; classtype: trojan-activity; sid:2002930; rev:1;)

# -- Inbound Exploit, Inbound: 10 of 20807, from 06/26 to 08/04
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"E2[rb] BLEEDING-EDGE EXPLOIT x86 PexFnstenvMov/Sub Encoder"; content:"|D9 EE D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance: 4; within: 5; classtype:shellcode-detect; sid:22002903; rev:1;)

# -- C&C Channel, Outbound: 9 of 20807, from 04/12 to 05/23
alert ip $HOME_NET any -> [72.8.130.117,72.8.131.236,72.8.134.164,72.8.134.178,72.8.137.250,72.9.151.125,74.0.229.221,74.200.209.34,74.208.66.154,74.32.100.91,74.38.121.164,74.41.18.106,74.52.31.26,74.52.7.109,74.53.228.243,74.53.228.245,74.53.228.246,74.53.70.115,74.7.18.109,74.86.54.247,75.12.103.70,75.125.196.222,75.125.46.153,75.126.8.199,75.126.8.202,75.126.8.203,75.126.8.205,75.126.8.206,75.126.8.207,75.127.96.88,75.127.97.117,75.148.42.227,75.40.105.97,76.101.29.57,76.114.148.132,76.191.102.169,76.76.11.208,76.76.4.185,76.76.9.134,77.239.185.205,77.30.127.211,77.74.195.195,77.78.193.50,78.109.23.168,78.111.98.51,78.111.98.52,78.111.98.53,78.111.98.54,78.111.98.55,78.111.98.56,78.111.98.57,78.29.0.253,78.31.71.67,78.85.33.175,79.135.185.106,79.135.185.108,79.135.185.75,8.12.40.109,8.17.85.123,8.7.233.233] any (msg:"E8[rb] ET DROP Known Bot C&C Server Traffic (group 16) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 120, count 1; classtype:trojan-activity; sid:2404015; rev:1142;)

# -- Inbound Exploit, Inbound: 9 of 20807, from 04/15 to 07/21
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"E2[rb] ET EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040)"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|25|"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00|"; within:9; distance:4; content:"|1f 00|"; distance:20; within:2; reference:url,www.microsoft.com/technet/security/bulletin/MS06-040.mspx; classtype:misc-attack; sid:2003082; rev:3;)

# -- Egg Download, Outbound: 8 of 20807, from 05/20 to 07/23
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"E3[rb] ET POLICY ICQ Install Direct download - Not normal mode of install"; flow:established,to_server; uricontent:"/pub/ICQ_Win95_98_NT4/"; nocase; classtype: policy-violation; sid:2002986; rev:2;)

# -- Outbound, Outbound: 8 of 20807, from 06/28 to 08/08
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Target Saver Spyware User Agent"; flow: established,to_server; content:"|0d 0a|User-Agent\: TSA/"; classtype: trojan-activity; sid: 2001871; rev:17;)

# -- C&C Channel, Inbound: 7 of 20807, from 04/17 to 08/12
alert ip $HOME_NET any -> [58.65.233.0/24,58.65.239.66/31,65.99.192.0/20,65.254.48.0/20,66.232.96.0/19,66.252.0.0/19,69.50.160.0/19,81.94.16.0/20,81.95.128.0/19,85.249.23.0/24,85.255.112.0/24,85.255.116.0/24,85.255.121.0/24,88.201.208.0/20,194.146.204.0/22,194.226.64.0/20,194.226.96.0/24,195.114.16.0/23,195.64.140.0/23,195.64.162.0/23,208.72.160.0/20] any (msg:"E8[rb] ET rbN Known Russian Business Network Traffic - Hosting Nets"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold:type limit, track by_src, seconds 120, count 1; sid:2406000; rev:7;)

# -- Outbound Scan, Outbound: 7 of 20807, from 04/18 to 07/16
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"E5[rb] ET VIRUS OUTBOUND Suspicious Email Attachment"; flow: to_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[x])|c(rt|[ho]m|li|pl|md|pp)|d(iz|ll)|e(m[fl]|xe|bs)|h(lp|sq|ta)|jse?|m(d[abzew]|s[tcgip]|htm|ht)|p(cd|if|l[xsc]|[lm]|ot)|r(eg|ar)|s(cr|ct|[hy]s|wf)|v(b[es]?|xd)|w(m[dfsz]|p[msz]|s[cfh])|xl[tw]|folder|fol|ba[st]|i(sp|n[sif])|lnk|nws|ocx|zip|url)[\x27\x22\n\r\s]/iR"; classtype: suspicious-filename-detect; sid: 2000562; rev:10;)

# -- Outbound Scan, Outbound: 6 of 20807, from 04/30 to 07/29
alert ip $HOME_NET $SHELLCODE_PORTS -> $EXTERNAL_NET any (msg:"E5[rb] REGISTERED FREE SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:51390; rev:5;)

# -- Outbound Scan, Outbound: 6 of 20807, from 04/30 to 07/29
alert tcp $HOME_NET any -> $EXTERNAL_NET [135:139,445,1025] (msg:"E5[rb] SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:599998; rev:1;)

# -- Outbound, Outbound: 6 of 20807, from 06/28 to 08/12
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Speed-runner.com Fake Speed Test User-Agent (SRInstaller)"; flow:to_server,established; content:"|0d 0a|User-Agent\: SRInstaller|0d 0a|"; classtype:trojan-activity; sid:2008145; rev:1;)

# -- C&C Channel, Inbound: 4 of 20807, from 04/05 to 08/07
# IRC PRIVMSG carrying a scan/exploit command keyword. Gated on flowbits:isset,is_proto_irc, which
# is set by an IRC protocol-detection rule not included in this excerpt — if that rule is not
# loaded this one never fires. On a hit, tag: host,300,seconds,dst records 300 s of the
# destination (bot) host's traffic for follow-up.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"E4[rb] ET TROJAN BOT - potential scan/exploit command"; flowbits:isset,is_proto_irc; flow: established; content:"PRIVMSG|20|"; nocase; content:"|3a|"; within:30; tag: host,300,seconds,dst; pcre:"/(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|scan ([0-9]{1,3}\.[0-9]{1,3})|(advscan|exploited|asc|xscan|xploit|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|wks1|mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup|asn1))/i"; classtype: trojan-activity; sid: 2002030; rev:10;)

# -- Inbound, Inbound: 4 of 20807, from 05/09 to 05/13
# Inbound SOCKSv4 CONNECT: first two payload bytes 04 01 (version 4, command 1) in a 10-17 byte
# packet (dsize:9<>18 is exclusive on both ends). "Windows Source" is inferred only from the
# 1024:5000 source-port range, which is a weak signal — it matches the classic Windows
# ephemeral range but other stacks can use those ports as well.
# threshold type both, count 1, seconds 900: at most one alert per source IP per 15 minutes.
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Inbound Connect Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01|"; offset:0; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; sid:2003282; rev:3;)

# -- C&C Channel, Outbound: 4 of 20807, from 07/06 to 08/03
alert ip $HOME_NET any -> [193.86.233.135,194.1.163.1,194.109.129.220,194.109.129.222,194.109.20.90,194.109.206.107,194.109.64.131,194.110.67.193,194.12.253.152,194.124.229.58,194.124.229.59,194.126.174.202,194.126.32.111,194.145.152.20,194.146.224.152,194.149.73.154,194.149.73.161,194.149.73.55,194.149.73.80,194.159.164.195,194.159.164.211,194.169.192.101,194.169.192.238,194.169.192.55,194.19.26.178,194.204.19.34,194.218.216.14,194.24.174.60,194.24.188.141,194.54.90.10,194.68.45.50,194.72.80.153,195.111.64.195,195.12.59.195,195.12.59.196,195.137.213.67,195.14.47.164,195.144.12.5,195.149.115.135,195.149.21.43,195.149.74.40,195.149.74.67,195.169.138.124,195.170.173.50,195.2.117.33,195.20.207.107,195.22.23.171,195.222.5.209,195.225.204.134,195.23.135.14,195.28.165.201,195.28.165.211,195.28.165.48,195.47.220.2,195.50.191.12,195.50.191.14,195.54.159.109,195.58.33.236,195.68.206.250,195.78.50.54] any (msg:"E8[rb] ET DROP Known Bot C&C Server Traffic (group 2) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 120, count 1; classtype:trojan-activity; sid:2404001; rev:1142;)

# -- Inbound Exploit, Inbound: 4 of 20807, from 04/30 to 08/10
# Inbound PE whose DOS header has been overwritten with the bytes "MZKERNEL32.DLL\0\0" (the hex
# content decodes to exactly that), a trait of WinUpack-packed binaries. No offset/depth, so the
# 16-byte pattern is searched through the whole payload of every established inbound TCP stream
# on any port; consider adding a depth if the header is always at the start of the transfer.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"E2[rb] ET VIRUS WinUpack Modified PE Header Inbound"; flow:established; content:"|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00|"; classtype:bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; sid:2003614; rev:3;)

# -- C&C Channel, Inbound: 4 of 20807, from 06/07 to 08/07
# GTBot-style command: the word "scan" immediately preceded by a character that is not
# alphanumeric, ':' or whitespace (i.e. a command prefix). Only the is_proto_irc flowbit gates
# it, and "scan" is a common word, so expect false positives on chatty IRC channels; the sibling
# sid:100000273 ("info") has the same weakness.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"E4[rb] COMMUNITY BOT GTBot scan command"; flow: established; flowbits:isset,is_proto_irc; content:"scan"; pcre:"/[^a-zA-Z0-9\x3A\s]scan/"; classtype: trojan-activity; sid:100000274; rev:2;)

# -- Outbound, Outbound: 4 of 20807, from 07/01 to 08/08
# Outbound HTTP with "iDownloadAgent" within 150 bytes after a User-Agent header; the pcre
# then requires both on the same header line. The content matches are case-insensitive but the
# pcre is not — the regex would miss a differently cased "iDownloadAgent" that the content
# check accepted. Add /i to the pcre if case variants are seen.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"E3[rb] ET MALWARE iDownloadAgent Spyware User Agent"; flow:to_server,established; content:"User-Agent\:"; nocase; content:"iDownloadAgent"; within:150; pcre:"/User-Agent\:[^\n]+iDownloadAgent/"; classtype:trojan-activity; sid:2002739; rev:5;)

# -- C&C Channel, Inbound: 3 of 20807, from 05/08 to 05/09
# RBN monitored group 20. Direction: $HOME_NET is the *source*, so despite the "Inbound" label in
# the section header this alerts on internal hosts contacting the listed addresses (outbound).
# One alert per internal source per 120 s. Static snapshot — refresh from the referenced page.
# Note: 69.50.176.x and 69.50.188.x are also covered by 69.50.160.0/19 in sid:2406000 and
# sid:2406023, so these hits will duplicate.
alert ip $HOME_NET any -> [69.50.176.227,69.50.176.228,69.50.176.229,69.50.188.3,69.50.188.4,69.64.155.110,69.64.155.132,72.10.164.69,72.20.0.0/19,72.20.110.8] any (msg:"E8[rb] ET RBN Known Russian Business Network Monitored Domains (20)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 120, count 1; classtype:misc-attack; sid:2406024; rev:43;)

# -- C&C Channel, Outbound: 3 of 20807, from 07/13 to 08/03
alert ip $HOME_NET any -> [12.120.5.241,121.119.172.49,121.186.24.175,124.217.246.67,124.217.248.112,124.244.17.148,124.246.24.204,125.113.170.72,125.240.182.140,128.121.20.113,128.241.236.105,128.39.2.28,130.239.18.172,130.240.22.201,130.83.160.207,131.247.1.101,140.138.148.205,140.186.181.106,140.211.166.3,141.213.238.252,142.179.155.242,142.179.159.58,145.89.150.59,146.155.201.41,146.83.111.35,147.127.160.120,149.9.1.16,150.254.6.206,151.189.0.165,154.35.200.44,155.230.18.48,158.38.8.251,161.53.178.240,168.187.115.136,189.154.2.248,190.138.100.239,190.188.39.224,190.4.20.155,190.54.27.163,190.76.81.207,193.109.122.67,193.109.122.77,193.110.121.212,193.138.229.11,193.138.229.18,193.163.220.3,193.200.193.4,193.202.83.129,193.23.141.114,193.23.141.242,193.23.143.103,193.27.200.189,193.27.229.245,193.28.153.27,193.34.71.27,193.34.88.17,193.37.152.230,193.47.75.6,193.68.150.140,193.71.199.6] any (msg:"E8[rb] ET DROP Known Bot C&C Server Traffic (group 1) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 120, count 1; classtype:trojan-activity; sid:2404000; rev:1142;)

# -- C&C Channel, Outbound: 3 of 20807, from 05/02 to 07/28
# Outbound HTTP update fetch identified by three hex-looking fragments in the normalised URI
# ("40e800", "30303", "c00000"); the fragments are order-independent, so unrelated URIs that
# happen to contain all three will also match. "Cutwall" in the message is probably a misspelling
# of the Cutwail family name; leave the msg text as-is if downstream tooling keys on it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"E4[rb] ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"40e800"; nocase; uricontent:"30303"; uricontent:"c00000"; nocase; classtype:trojan-activity; sid:2007773; rev:4;)

# -- C&C Channel, Inbound: 3 of 20807, from 04/05 to 07/13
# Bot status reply in an IRC PRIVMSG (scan/flood/transfer progress strings). Counterpart of
# sid:2002030: here tag: host,300,seconds,src captures the *source* host, since the reply
# originates from the bot. Also gated on the is_proto_irc flowbit set elsewhere in the ruleset.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"E4[rb] ET TROJAN BOT - potential response"; flowbits:isset,is_proto_irc; flow: established; content:"PRIVMSG|20|"; nocase; content:"|3a|"; within:30; tag: host,300,seconds,src; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; classtype: trojan-activity; sid: 2002033; rev:12;)

# -- C&C Channel, Inbound: 3 of 20807, from 05/16 to 06/14
# RBN monitored group 15; alerts on $HOME_NET hosts contacting the listed addresses (outbound
# direction, one alert per source per 120 s). 66.252.1.255 is already inside 66.252.0.0/19, and
# 65.99.192.0/20, 66.232.96.0/19 and 66.252.0.0/19 are repeated from sid:2406000 — duplicate
# alerts for those ranges.
alert ip $HOME_NET any -> [65.254.54.178,65.99.192.0/20,66.152.85.101,66.152.85.110,66.152.85.116,66.152.85.123,66.232.96.0/19,66.244.254.0/24,66.252.0.0/19,66.252.1.255] any (msg:"E8[rb] ET RBN Known Russian Business Network Monitored Domains (15)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 120, count 1; classtype:misc-attack; sid:2406019; rev:43;)

# -- C&C Channel, Inbound: 3 of 20807, from 04/17 to 08/12
# RBN monitored group 5; outbound direction ($HOME_NET as source), one alert per source per
# 120 s. 208.72.168.0/21 lies entirely within 208.72.160.0/20, and that /20 is also listed in
# sid:2406000, so those addresses alert twice.
alert ip $HOME_NET any -> [207.226.173.114,207.226.173.67,207.44.185.10,207.44.185.100,208.109.78.58,208.48.15.11,208.48.15.13,208.48.15.62,208.72.160.0/20,208.72.168.0/21] any (msg:"E8[rb] ET rbN Known Russian Business Network Monitored Domains (5)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 120, count 1; classtype:misc-attack; sid:2406009; rev:43;)

# -- C&C Channel, Inbound: 3 of 20807, from 05/05 to 05/07
# RBN monitored group 29; outbound direction ($HOME_NET as source), one alert per source per
# 120 s. 85.255.112.0/20 here covers the three 85.255.x.0/24 entries and 85.249.23.0/24 is
# repeated from sid:2406000 — expect paired alerts for those.
alert ip $HOME_NET any -> [83.222.0.0/19,84.45.24.53,84.45.47.130,84.45.90.141,85.12.60.11,85.12.60.22,85.133.4.138,85.17.173.219,85.249.23.0/24,85.255.112.0/20] any (msg:"E8[rb] ET rbN Known Russian Business Network Monitored Domains (29)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 120, count 1; classtype:misc-attack; sid:2406033; rev:43;)

# -- C&C Channel, Outbound: 2 of 20807, from 07/29 to 07/29
alert ip $HOME_NET any -> [208.98.14.10,208.98.14.11,208.98.14.12,208.98.14.13,208.98.14.14,208.98.19.100,208.98.19.12,208.98.19.2,208.98.19.7,208.98.21.200,208.98.22.117,208.98.3.16,208.98.30.69,208.98.32.130,208.98.34.10,208.98.34.138,208.98.42.78,208.98.42.81,208.98.42.87,208.98.47.50,208.98.54.207,208.98.8.66,208.99.193.130,208.99.193.134,208.99.194.68,209.11.242.36,209.11.244.124,209.11.244.82,209.133.11.161,209.133.11.165,209.133.11.185,209.133.11.197,209.133.11.212,209.133.8.83,209.133.9.109,209.133.9.43,209.133.9.50,209.133.9.61,209.177.146.34,209.200.7.211,209.249.249.126,209.250.225.144,209.250.225.55,209.250.225.62,209.250.239.6,209.40.203.122,209.40.205.85,209.61.182.250,209.67.60.191,209.8.255.52,209.9.226.187,209.9.227.164,210.135.96.98,210.150.125.131,210.217.196.132,210.218.224.45,210.226.64.74,210.240.41.199,211.139.120.72,211.144.134.151] any (msg:"E8[rb] ET DROP Known Bot C&C Server Traffic (group 5) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 120, count 1; classtype:trojan-activity; sid:2404004; rev:1142;)

# -- Inbound Exploit, Inbound: 2 of 20807, from 06/27 to 07/26
# Duplicate of sid:2001057 (same 32-byte content, same reference, different sid and message);
# with both loaded every match produces two alerts — keep one, presumably the newer ET-named
# sid:2001057 (rev:6). No port, depth or offset constraint, so the 32-byte pattern is searched
# across the full payload of all established inbound TCP streams.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "E2[rb] BLEEDING-EDGE VIRUS W32/Sasser.worm.a -NAI-)"; flow: established; content:"|BC 3B 74 0B 50 8B 3D E8 46 A7 3D 09 85 B8 F8 CD 76 40 DE 7C 5B 5C D7 2A A8 E8 58 75 62 96 25 24|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html; classtype: misc-activity; sid:22001057; rev:5; )

# -- Outbound, Outbound: 2 of 20807, from 08/11 to 08/11
# Tibs check-in: normalised URI contains "/cntr.php?b=" plus "&c=" and "&d=" parameters (all
# case-insensitive, no ordering constraint between the last two). Generic parameter names
# mean other applications with a cntr.php endpoint could match; verify the host before acting.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tibs Checkin"; flow:established,to_server; uricontent:"/cntr.php?b="; nocase; uricontent:"&c="; nocase; uricontent:"&d="; nocase; classtype:trojan-activity; sid:2002959; rev:3;)

# -- Outbound Scan, Outbound: 2 of 20807, from 04/18 to 05/03
# Outbound SMTP carrying a base64-encoded Windows executable: "RE9TIG1v" is the base64 of
# "DOS mo" and "GUuDQ0KJ" (one byte further on) continues "de.\r\r\n$" — i.e. the PE stub's
# "...DOS mode." text. This is alignment-dependent (only one of the three base64 phases
# matches) and is a generic PE-in-mail indicator rather than anything Nugache-specific, so treat
# hits as "executable attachment sent", not as a family attribution.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"E5[rb] ET VIRUS W32.Nugache SMTP Outbound"; flow:to_server,established; content:"RE9TIG1v"; content:"GUuDQ0KJ"; distance:1; within:9; reference:url,www.symantec.com/avcenter/venc/data/w32.nugache.a@mm.html; classtype:trojan-activity; sid:2002895; rev:3;)

# -- Inbound Exploit, Inbound: 2 of 20807, from 06/27 to 07/26
# Sasser.A payload signature (32-byte content). sid:22001057 in this set is a byte-identical
# duplicate of this rule; disable one of the pair to avoid double alerts. As above, no port or
# depth constraint — full-payload search on every established inbound TCP stream.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"E2[rb] ET WORM W32/Sasser.worm.a"; flow: established; content:"|BC 3B 74 0B 50 8B 3D E8 46 A7 3D 09 85 B8 F8 CD 76 40 DE 7C 5B 5C D7 2A A8 E8 58 75 62 96 25 24|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html; classtype: misc-activity; sid: 2001057; rev:6;)

# -- C&C Channel, Inbound: 1 of 20807, from 08/11 to 08/11
# RBN monitored group 19; outbound direction ($HOME_NET as source), one alert per source per
# 120 s. 69.50.160.0/19 already covers the 69.50.166/168/170 hosts listed after it and is also
# present in sid:2406000; the per-host entries add nothing and the range double-alerts.
alert ip $HOME_NET any -> [69.39.224.27,69.42.216.122,69.46.224.0/20,69.50.160.0/19,69.50.166.196,69.50.168.102,69.50.168.98,69.50.168.99,69.50.170.174,69.50.170.82] any (msg:"E8[rb] ET rbN Known Russian Business Network Monitored Domains (19)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 120, count 1; classtype:misc-attack; sid:2406023; rev:43;)

# -- Outbound, Outbound: 1 of 20807, from 08/12 to 08/12
# Prg Trojan v1 beacon: HTTP POST whose URI carries the ".php?2=" parameter plus &n=, &v=, &i=,
# &sp= and &lcp= (unordered). The server side of this exchange is covered by sid:2003183 and the
# v2 client format by sid:2007724; correlate the three on the same host for confidence.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Prg Trojan HTTP POST v1"; flow:established,to_server; content:"POST "; depth:5; uricontent:".php?2="; uricontent:"&n="; uricontent:"&v="; uricontent:"&i="; uricontent:"&sp="; uricontent:"&lcp="; reference:url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf; classtype:trojan-activity; sid:2007688; rev:4;)

# -- C&C Channel, Inbound: 1 of 20807, from 05/01 to 05/01
# RBN monitored group 21; outbound direction ($HOME_NET as source), one alert per source per
# 120 s. 77.91.224.0/21 already covers every 77.91.225.x host listed after it, and 72.20.14.3 /
# 72.20.25.134 fall inside 72.20.0.0/19 from sid:2406024 — duplicated coverage.
alert ip $HOME_NET any -> [72.20.14.3,72.20.25.134,72.232.197.83,74.54.31.196,77.91.224.0/21,77.91.225.14,77.91.225.18,77.91.225.2,77.91.225.20,77.91.225.3] any (msg:"E8[rb] ET rbN Known Russian Business Network Monitored Domains (21)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 120, count 1; classtype:misc-attack; sid:2406025; rev:43;)

# -- Inbound, Inbound: 1 of 20807, from 08/12 to 08/12
# Srizbi template request: HTTP-style GET to port 4099 with custom X-Flags, X-TM and X-BI
# headers in sequence. The header is "any any -> any 4099" with no flow keyword, so it is
# evaluated on both directions and on unestablished segments; constraining it to
# $HOME_NET -> $EXTERNAL_NET with flow:established,to_server would cut cost without losing hits.
alert tcp any any -> any 4099 (msg:"ET TROJAN Srizbi requesting template"; content:"GET|20|/"; depth:5; content:"|0d0a|X-Flags|3a20|";  within:200; content:"|0d0a|X-TM|3a20|"; within:20;  content:"|0d0a|X-BI|3a20|"; within:20; reference:url,www.secureworks.com/research/threats/ronpaul/; classtype:trojan-activity; sid:2007712; rev:3;)

# -- Outbound, Outbound: 1 of 20807, from 08/02 to 08/02
# Policy rule, header-only: any UDP datagram from an internal ephemeral port to external port
# 33033, with no payload check. It identifies the destination port used by Skype bootstrap
# nodes (see reference); anything else on that port will also match, so it is an inventory
# signal, not a compromise indicator.
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 33033 (msg:"ET POLICY Skype Bootstrap Node (udp)"; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; classtype:policy-violation; sid:2003022; rev:3;)

# -- C&C Channel, Inbound: 1 of 20807, from 07/29 to 07/29
# GTBot "info" command: same shape as sid:100000274, matching "info" directly after a
# non-alphanumeric, non-':' , non-space prefix character. "info" is a very common IRC token;
# only the is_proto_irc flowbit gates it, so expect false positives.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"E4[rb] COMMUNITY BOT GTBot info command"; flow: established; flowbits:isset,is_proto_irc; content:"info"; pcre:"/[^a-zA-Z0-9\x3A\s]info/"; classtype: trojan-activity; sid:100000273; rev:2;)

# -- C&C Channel, Outbound: 1 of 20807, from 06/11 to 06/11
# Sality user agent "KUKU" (case-insensitive) in outbound HTTP. sid:2003088 matches a strict
# subset of the same traffic ("KUKU " followed by "KUKU\sv"), so a "KUKU v3.09" request raises
# both alerts; if one is enough, keep this broader rule and disable the other.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"E4[rb] ET VIRUS Sality Virus User Agent Detected (KUKU v3.09)"; flow:established,to_server; content:"User-Agent\: KUKU"; nocase; classtype:trojan-activity; sid:2003636; rev:3;)

# -- Inbound Exploit, Inbound: 1 of 20807, from 06/20 to 06/20
# SMB TreeConnectAndX (0x75) for a Unicode "IPC$" share on port 139 (NetBIOS session service).
# The byte_test checks the Unicode flag in the SMB header, byte_jump skips to the path, and the
# rule then sets flowbits smb.tree.connect.ipc so later SMB rules can require an IPC$ connect.
# Legitimate Windows file/printer clients do this constantly; it is a protocol decode aid
# (classtype protocol-command-decode), not an alert to page on by itself.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"E2[rb] NETBIOS SMB IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2538; rev:15;)

# -- C&C Channel, Outbound: 1 of 20807, from 06/11 to 06/11
# Sality "KUKU v<version>" user agent; stricter variant of sid:2003636 (adds the trailing space
# and a regex requiring "KUKU" followed by whitespace and "v"). Every hit here is also a hit
# for sid:2003636 — expect paired alerts unless one of the two is disabled.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"E4[rb] ET VIRUS Sality Trojan User-Agent (KUKU v3.09 exp)"; flow:to_server,established; content:"User-Agent\: KUKU "; nocase; pcre:"/User-Agent\:[^\n]+KUKU\sv/i"; classtype:trojan-activity; reference:url,www.sophos.com/security/analyses/w32salityu.html; sid:2003088; rev:3;)

# -- Inbound, Inbound: 1 of 20807, from 08/04 to 08/04
# DShield block list: unlike the RBN rules, the address list is the *source* and $HOME_NET the
# destination, so this flags inbound traffic from listed /24s; one alert per external source
# per hour. The list is a point-in-time copy (rev:1121) of feeds.dshield.org/block.txt and
# goes stale quickly — regenerate it rather than hand-editing entries.
alert ip [222.32.49.0/24,150.140.168.0/24,84.48.187.0/24,62.193.245.0/24,202.97.238.0/24,59.46.74.0/24,24.80.112.0/24,193.226.177.0/24,196.35.44.0/24,221.208.208.0/24,91.121.123.0/24,139.55.103.0/24,91.190.17.0/24,139.55.73.0/24,202.104.187.0/24,222.189.237.0/24,221.209.110.0/24,58.221.246.0/24,125.65.112.0/24,88.35.36.0/24] any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source"; reference:url,feeds.dshield.org/block.txt; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2402000; rev:1121;)

# -- Inbound, Inbound: 1 of 20807, from 05/12 to 05/12
# SSH scan heuristic: counts SYN-only segments (flags: S) to port 22 and alerts once a single
# external source sends 5 or more within 120 s. It counts connection attempts, not failed
# logins, so automated clients (scp loops, monitoring) from one IP will trip it; suppress
# known sources. Sets flowbits ssh.brute.attempt for rules that correlate on it.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flags: S; flowbits: set,ssh.brute.attempt; threshold: type threshold, track by_src, count 5, seconds 120; classtype: attempted-recon; reference:url,en.wikipedia.org/wiki/Brute_force_attack; sid: 2001219; rev:15;)

# -- Inbound, Inbound: 1 of 20807, from 06/08 to 06/08
# IRC bot update/download command followed by an http:// or ftp:// URL. The rule has no content
# keyword, only a pcre, so there is no fast-pattern pre-filter: every packet on an is_proto_irc
# flow is run through the regex. Header is any/any in both directions; narrowing it to
# $EXTERNAL_NET -> $HOME_NET (commands arrive at the bot) would match the sibling bot rules.
alert tcp any any -> any any (msg:"ET TROJAN BOT - potential update/download"; flowbits:isset,is_proto_irc; flow: established; tag: host,300,seconds,dst; pcre:"/\.(upda|getfile|dl\dx|dl|download|execute)\w*\s+(http|ftp)\x3a\x2f\x2f/i"; classtype: trojan-activity; sid: 2002031; rev:13;)

# -- Outbound, Outbound: 1 of 20807, from 07/16 to 07/16
# Outbound mail with an attachment named body/message/email/... with a double-extension
# (.scr, .txt.scr, .html.scr, .outlook.scr, .txt.exe). The pcre uses the m/.../ delimiter
# form; the regex is case-sensitive, so "Body.SCR" would not match — add the i flag if such
# variants appear. Overlaps with sid:2000562, which already flags .scr/.exe filenames.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET WORM Possible Evaman Worm Outbound"; flow: to_server,established; content:"filename="; pcre:"m/(body|message|email|returned|text|document)\.(scr|txt\.scr|html\.scr|outlook\.scr|txt\.exe)/"; reference:url,secunia.com/virus_information/10429/evaman; classtype: trojan-activity; sid: 2000343; rev:10;)

# -- Inbound, Inbound: 1 of 20807, from 08/12 to 08/12
# Srizbi controller registration: exactly 20-byte UDP datagram to port 4099 with '-' at byte
# offset 6 and again at offset 13 (offset 6, then distance 6 / within 1 from the first match).
# Structural match only — two dashes in a 20-byte datagram is a thin signature, so confirm
# with the TCP template request (sid:2007712) from the same host before escalating.
alert udp any 1024: -> any 4099 (msg:"ET TROJAN Srizbi registering with controller"; dsize:20;  content:"|2d|"; offset:6; content:"|2d|"; distance:6;  within:1; classtype:trojan-activity;  reference:url,www.secureworks.com/research/threats/ronpaul/; sid:2007711; rev:2;)

# -- Inbound Exploit, Inbound: 1 of 20807, from 06/08 to 06/08
# Agobot/SDBot command vocabulary (cvar.set, http.update, spam.*, sniffer.*, scan*, clone*,
# c_* IRC primitives) on an is_proto_irc flow. pcre only, no content keyword, so no
# fast-pattern pre-filter — the regex runs on every packet of every flagged IRC flow. Note the
# section header labels this "Inbound Exploit" although it is a C&C command signature.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"E2[rb] ET TROJAN Agobot-SDBot Commands"; flowbits:isset,is_proto_irc; flow:established; pcre:"/((cvar\.set)|(http\.(execute|update))|((aol)spam\.(setlist|settemplate|start|stop|setuser|setpass))|sniffer\.(addstring|delstring)|pingstop|udpstop|scan(all|stats|del|stop)|clone(stop|start)|c_(raw|mode|nick|join|part|privmsg|action))/i"; classtype: trojan-activity; sid:2003157; rev:3;)

# -- Inbound, Inbound: 1 of 20807, from 06/08 to 06/08
# Bot commands delivered via an IRC channel topic (numeric 332 reply, then "#channel :" and a
# dotted command). Header is any/any, so it is evaluated in both directions.
# NOTE(review): `dl\x` in the regex has no hex digits after \x, which PCRE treats as a NUL
# byte — almost certainly not intended (compare `dl\dx` in sid:2002031). Confirm against the
# upstream rule; as written that alternative will not match the "dlx"-style command.
alert tcp any any -> any any (msg:"ET TROJAN BOT - channel topic reptile commands"; flowbits:isset,is_proto_irc; flow:established; content:"|3a|"; offset: 0; content:"|20|332|20|"; within: 50; content:"|2023|"; within: 20; content:"|203a|"; pcre:"/\.((testdlls|threads|netstatp|nsp|speed|uptime|installed|secure|sec|unsecure|unsec|process|ps|rand|exploitftpd|eftpd|flusharp|farp|flushdns|fdns|resolve|dns|pstore|pst|sysinfo|si|netinfo|ni|driveinfo|di|stats|currentip)\s*[\r\n]|(iestart|ies|login|l|mirccmd|system|file\s+(cat|exists|e|del|rm|rmdir|move|copy|attrib)|down|dl\x|update|reg\s+(query|delete|write))\s+\w+|(banner|ban|advscan|asc|scanall|sa|ntscan|nts)\s*[\n\r])/i"; classtype: trojan-activity; sid:2002385; rev:9;)

# -- Outbound, Outbound: 1 of 20807, from 07/08 to 07/08
# Ransky keep-alive: any outbound UDP datagram to port 20192 with fewer than 6 payload bytes.
# There is no content check, so this is effectively a port + size heuristic; short UDP probes to
# that port from other software will also match. Use as a weak corroborating signal only.
alert udp $HOME_NET any -> $EXTERNAL_NET 20192 (msg:"ET TROJAN Ransky or variant backdoor communication ping"; dsize:<6; reference:url,www.sophos.com/virusinfo/analyses/trojranckcx.html; classtype:trojan-activity; sid:2002728; rev:2;)

# -- Inbound, Inbound: 1 of 20807, from 08/12 to 08/12
# Prg Trojan controller response: HTTP reply containing a non-standard "Hall:" header within the
# first 512 bytes. Server side of sid:2007688 / sid:2007724; note the header is pinned to source
# port 80 rather than $HTTP_PORTS, so replies on other HTTP ports are not covered.
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET TROJAN Prg Trojan Server Reply"; flow:to_client,established; content:"HTTP"; depth:4; content:"|0d0a|Hall|3a|"; within:512; reference:url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf; classtype:trojan-activity; sid:2003183; rev:2;)

# -- Outbound, Outbound: 1 of 20807, from 08/04 to 08/04
# Virtumonde report: URI parameter ?sid= followed by at least 180 upper-case hex characters
# (the pcre has no /i flag and no upper bound, so lower-case hex or shorter values do not
# match). Specific enough to be low-noise; the host contacted is the useful pivot.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"E4[rb] ET TROJAN Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; uricontent:"?sid="; pcre:"/\?sid=[0-9A-F]{180}/U"; classtype:trojan-activity; sid:2007142; rev:2;)

# -- Outbound, Outbound: 1 of 20807, from 08/12 to 08/12
# Prg Trojan v2 beacon: HTTP POST whose URI matches ".php?1=<token>_<token>&i=" (the pcre
# enforces the underscore-separated shape, case-insensitively). Companion to the v1 client rule
# sid:2007688 and the server reply sid:2003183.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Prg Trojan HTTP POST version 2"; flow:established,to_server; content:"POST "; depth:5; uricontent:".php?1="; uricontent:"&i="; pcre:"/\.php\?1=[a-z0-9]+_[a-z0-9_]+&i=/Ui"; reference:url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf; classtype:trojan-activity; sid:2007724; rev:5;)