alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (agent)"; flow: to_server,established; content:"|0d 0a|User-Agent\: agent ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (fireworks.exe)"; flow:established,to_server; content ...
SandnetAnalystsGroup Member list (comma separated list): Set GROUP MattJonkman, DeapeshMisra, BlakeHartstein, JamesMcQuaid, AndreDiMino, DavidBianco, TeresaGarner ...
alert tcp any 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send Javascript"; flow: established; content:"|0d 0a ...
alert tcp any 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send an image"; flow: established; content:"Content ...
alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send image, Win32"; flow: established; content:"Content ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 82 (msg:"ET TROJAN LD Pinch Checkin (HTTP POST on port 82)"; flow:established,to_server; content:"POST "; depth:5; content ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32 Cloaker Related Post Infection Checkin"; flow:established,to_server; uricontent:"/log/proc ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Playtech Downloader)"; flow:to_server,established; content:"|0d 0a|User ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (ISMYIE)"; flow:to_server,established; content:"|0d 0a|User-Agent\: ISMYIE ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm URL Request (mylove.exe)"; flow:established,to_server; content:"GET ...
Emerging Bro Signatures Bro is an Open Source IDS similar to Snort, but with a different philosophy. Bro is not primarily intended to do byte-wise signature matching ...
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN bsqlbf Brute Force SQL Injection"; flow:established,to_server; content:"|0d 0a|User-Agent\: bsqlbf ...
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP CONNECT Tunnel Attempt Outbound"; flow: to_server,established; content:"CONNECT "; nocase; content ...
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY HTTP CONNECT Tunnel Attempt Inbound"; flow: to_server,established; content:"CONNECT "; nocase; content ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Vipdataend C C Traffic Checkin"; flow:established,to_server; dsize: Added 2008 06 24 23:26:43 UTC ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Accessing)"; flow:to_server,established; content:"|0d 0a|User-Agent\: ...
alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net connection reset (possible IP Ban)"; flags:R,12; classtype: policy-violation; sid:2002117; ...
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Small.wpx or Related Downloader Posting Data"; flow:to_server,established; content:"POST "; depth ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 82 (msg:"ET TROJAN LDPinch Checkin on Port 82"; flow:established,to_server; uricontent:".php"; nocase; content:"a "; content ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (angel)"; flow:to_server,established; content:"|0d 0a|User-Agent\: angel ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Seekmo.com Spyware Data Upload"; flow:established,to_server; uricontent:".aspx?"; uricontent ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winquickupdates.com/Mycashloads.com Related Trojan Install Report"; flow:established,to_server ...
Spamhaus.org DROP List This ruleset takes a daily list of known spammers and spam networks as researched by Spamhaus and converts them into Snort signatures, Bro Signatures ...
Dshield Top Attackers This ruleset takes a daily list of the top attackers reported to Dshield and converts them into Snort signatures, Bro Signatures, and Firewall ...
Shadowserver.org Known Command and Control Rules This ruleset takes a daily list of the known CnC Servers as researched by Shadowserver.org and converts them into ...
Using the Emerging Threats Firewall Rules The firewall rulesets are versions of the IP Block lists in a format easily imported into IPF, IPTables, PF, and PIX firewalls ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS CoreFlooder.Q Data Posting"; flow:established,to_server; content:"POST"; depth:4; uricontent:" ...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET Google Search Appliance browsing the Internet"; flow:to_server,established; content:"GET "; depth:4; ...