alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (agent)"; flow: to_server,established; content:"|0d 0a|User-Agent\: agent ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (fireworks.exe)"; flow:established,to_server; content ...
SandnetAnalystsGroup Member list (comma separated list): Set GROUP MattJonkman, DeapeshMisra, BlakeHartstein, JamesMcQuaid, AndreDiMino, DavidBianco, TeresaGarner ...
alert tcp any 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send Javascript"; flow: established; content:"|0d 0a ...
alert tcp any 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send an image"; flow: established; content:"Content ...
alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send image, Win32"; flow: established; content:"Content ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 82 (msg:"ET TROJAN LD Pinch Checkin (HTTP POST on port 82)"; flow:established,to_server; content:"POST "; depth:5; content ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32 Cloaker Related Post Infection Checkin"; flow:established,to_server; uricontent:"/log/proc ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Playtech Downloader)"; flow:to_server,established; content:"|0d 0a|User ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (ISMYIE)"; flow:to_server,established; content:"|0d 0a|User-Agent\: ISMYIE ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm URL Request (mylove.exe)"; flow:established,to_server; content:"GET ...
Emerging Bro Signatures Bro is an Open Source IDS similar to Snort, but with a different philosophy. Bro is not primarily intended to do byte-wise signature matching ...
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN bsqlbf Brute Force SQL Injection"; flow:established,to_server; content:"|0d 0a|User-Agent\: bsqlbf ...
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP CONNECT Tunnel Attempt Outbound"; flow: to_server,established; content:"CONNECT "; nocase; content ...
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY HTTP CONNECT Tunnel Attempt Inbound"; flow: to_server,established; content:"CONNECT "; nocase; content ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Vipdataend C&C Traffic Checkin"; flow:established,to_server; dsize: Added 2008-06-24 23:26:43 UTC ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Accessing)"; flow:to_server,established; content:"|0d 0a|User-Agent\: ...
alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net connection reset (possible IP Ban)"; flags:R,12; classtype: policy-violation; sid:2002117; ...
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Small.wpx or Related Downloader Posting Data"; flow:to_server,established; content:"POST "; depth ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 82 (msg:"ET TROJAN LDPinch Checkin on Port 82"; flow:established,to_server; uricontent:".php"; nocase; content:"a "; content ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (angel)"; flow:to_server,established; content:"|0d 0a|User-Agent\: angel ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Seekmo.com Spyware Data Upload"; flow:established,to_server; uricontent:".aspx?"; uricontent ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winquickupdates.com/Mycashloads.com Related Trojan Install Report"; flow:established,to_server ...
Spamhaus.org DROP List This ruleset takes a daily list of known spammers and spam networks as researched by Spamhaus and converts them into Snort signatures, Bro Signatures ...
Dshield Top Attackers This ruleset takes a daily list of the top attackers reported to Dshield and converts them into Snort signatures, Bro Signatures, and Firewall ...
Shadowserver.org Known Command and Control Rules This ruleset takes a daily list of the known CnC Servers as researched by Shadowserver.org and converts them into ...
Using the Emerging Threats Firewall Rules The firewall rulesets are versions of the IP Block lists in a format easily imported into IPF, IPTables, PF, and PIX firewalls ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS CoreFlooder.Q Data Posting"; flow:established,to_server; content:"POST"; depth:4; uricontent:" ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Google Search Appliance browsing the Internet"; flow:to_server,established; content:"GET "; depth:4; ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN User agent DownloadNetFile Win32.small.hsh downloader"; flow:established,to_server; content:"GET ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET BOTNET IP Discovery via whatismyip.com"; flow:to_server,established; content:"GET "; depth:4; content ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS CoreFlooder.Q C&C Checkin"; flow:established,to_server; content:"POST"; depth:4; uricontent:"/a ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY ICP Email Send via HTTP Often Trojan Install Reports"; flow:established,to_server; uricontent ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Autoit Windows Automation tool User Agent in HTTP Request Possibly Hostile"; flow:established ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dialer.Trojan Activity"; flow: to_server,established; uricontent:"/dialer min/getnum.asp?nip" ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (123)"; flow:to_server,established; content:"|0d 0a|User-Agent\: 123|0d ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (DownloadNetFile)"; flow:to_server,established; content:"|0d 0a|User-Agent ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lost Door Checkin"; flow:established,to_server; content:"GET"; depth:4; uricontent:"subject Lost ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Keypack.co.kr Related Trojan User Agent Detected"; flow:established,to_server; content:"|0d 0a ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Small.dvs or Related DDOS Checkin"; flow:established,to_server; content:"GET ?ddos x"; depth ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Eurobarre.us Setup User Agent"; flow:established,to_server; content:"|0d 0a|User-Agent\: eurobarre ...
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Steam Pass Stealer FTP Upload"; flow:established,to_server; dsize:33; content:"STEAM nicht eingespeichert ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker/Banbra Variant POST via x-www-form-urlencoded"; flow:established,to_server; content:"POST ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Hupigon CnC Data Post (variant abb)"; flow:established,to_server; dsize: 200; flowbits:isset,ET.hupa ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandok phoning home (xor by 0xe9 to decode)"; flow:established,to_server; content:"|CF 8F 80 9B ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.brg C&C Reporting Version"; flow:established,to_server; content:"Version 28 2a "; ...
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Win32.Onlinegames.ajok CnC Packet from Server"; flow:established,from_server; flowbits:isset,ET.onlinegames ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Vipdataend/Ceckno C&C Traffic Checkin"; flow:established,to_server; dsize: Added 2008-06-24 23:26 ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Dorf/Win32.Inject.adt C&C Communication Outbound"; flow:established,to_server; dsize:16; content:"1SCD ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Ceckno Reporting to Controller"; flow:established,to_server; dsize: Added 2008-06-24 23:26:43 UTC ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Turkojan C&C Keepalive (BAGLANTI)"; flow:established,to_server; dsize:9; content:"BAGLANTI?"; classtype ...