RuleChanges (revision 4)

Last 50 Rule Changes

Results from Main web retrieved at 22:02 (GMT)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"vtoras ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (PHPs Labyrinth Stage1 CnC)"; flow:established,to_client; tls_cert_subject ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"piasuna ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"medsource ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"devata ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"tretas ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"piastas ...
alert dns $HOME_NET any -> any any (msg:"ET MALWARE Fake ProtonVPN/AZORult CnC Domain Query"; dns_query; content:"accounts.protonvpn.store"; nocase; depth:24; isdataat ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"pervas ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls_cert_subject; content ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"dolodos ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"tdreg ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"vosmas ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"semasa ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"tdreg ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls_cert_subject; content ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPNuke general SQL injection attempt"; flow: to_server,established; content:"/modules ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls_cert_subject; content: ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls_cert_subject; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 180solutions Spyware Keywords Download"; flow: to_server,established; content:"GET"; http_method; content ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls_cert_subject; content ...
alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query for Suspicious TLD (.management)"; dns_query; content:".management"; nocase; isdataat:1,relative ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SurfSidekick Download"; flow: established,to_server; content:"/requestimpression.aspx?ver="; nocase ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls_cert_subject; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kimsuky Related CnC"; flow:established,to_server; content:"GET"; http_method; content:".php?WORD com ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls_cert_subject; content ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls_cert_subject; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Webhancer Data Post"; flow: to_server,established; content:"POST"; nocase; http_method; content:"http ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls_cert_subject; content ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN VBScript Redirect Style Exe File Download"; flow:to_client,established; flowbits:isset,ET.Locky; file ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Mermaid Ransomware Variant CnC Activity M4"; flow:established,to_server; content:"GET"; http_method; ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Charming Kitten Backdoor CnC Activity"; flow:established,to_server; content:"POST"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PHPs Labyrinth Backdoor Stage2 CnC Activity M2"; flow:established,to_server; content:"GET"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PHPs Labyrinth Backdoor Stage2 CnC Activity M1"; flow:established,to_server; content:"GET"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PHPs Labyrinth Backdoor Stage1 CnC Activity"; flow:established,to_server; content:"GET"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspected Gamaredon Downloader Activity"; flow:established,to_server; content:"GET"; http_method; content ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Spark Backdoor CnC Domain Query"; dns_query; content:"nysura.com"; nocase; depth:10; isdataat:1,relative; metadata ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE LNKR landing page (possible compromised site) M2"; flow:established,from_server; content:"200"; http ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Powershell Download Command Observed within Flash File Probable EK Activity"; flow:established ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BadPatch CnC Activity"; flow:established,to_server; content:"python-requests/"; http_user_agent; depth ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MICROPSIA CnC Domain)"; flow:from_server,established; tls_cert_subject; content ...
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:established,from_server; content:"traderserviceinfo ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN GanDownloader CnC Checkin"; flow:established,to_server; content:"|2f 00 00 00|"; depth:4; http_client ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Charming Kitten Backdoor Checkin"; flow:established,to_server; content:"POST"; http_method; ...
alert http $EXTERNAL_NET any -> $HOME_NET 9080 (msg:"ET EXPLOIT Possible LG SuperSign EZ CMS 2.5 RCE (CVE-2018-17173)"; flow:established,to_server; content:"GET"; ...
alert dns $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Possible Glitch.me Phishing Domain"; dns_query; content:".glitch.me"; nocase; isdataat:1,relative; pcre ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (OilRig QUADAGENT CnC)"; flow:from_server,established; tls_cert_subject; content ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE LNKR landing page (possible compromised site) M3"; flow:established,from_server; content:"200"; http ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE LNKR Possible Response for LNKR js file"; flow:established,from_server; content:"200"; http_stat_code ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE LNKR landing page (possible compromised site) M1"; flow:established,from_server; content:"200"; http ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Locky JS Downloading Payload"; flow:to_server,established; urilen: Added 2020-02-19 18:51:50 ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE LNKR landing page (possible compromised site) M5"; flow:established,from_server; content:"200"; http ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET GAMES Wolfteam HileYapak Server Response"; flow:established,from_server; content:"200"; http_stat_code; file ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Xwo CnC Activity"; flow:established,to_server; content:"POST"; http_method; content:"Accept-Charset|3a ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Onliner Mailer Module Communicating with CnC"; flow:established,to_server; content:"POST"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Nexus Stealer CnC Data Exfil"; flow:established,to_server; content:"POST"; http_method; content:".php ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dridex AlphaNum DL Feb 10 2016"; flow:established,to_server; urilen:1550; content:"MSIE 7.0|3b 20|Windows ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.3 Client Checkin M18"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.2 Client Checkin M19"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.2 Client Checkin M21"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.3 Client Checkin M16"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.3 Client Checkin M17"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.3 Client Checkin M19"; flow:established,to_server; content:"POST"; http_method; content ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Malicious SSL Certificate detected (Cobalt Strike CnC)"; flow:established,to_client; tls_cert_subject ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.2 Client Checkin M18"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.2 Client Checkin M17"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.3 Client Checkin M20"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.3 Client Checkin M21"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.2 Client Checkin M20"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 11.0.x Detected"; flow:established,to_server; content:"Java/11.0."; http_user ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Jaff Ransomware Checkin"; flow:to_server,established; content:"GET"; http_method; content:"Host|3a 20 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Flowbit set for POST to Quicken Updater"; flow:established,to_server; content:"POST"; http_method; content ...
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)"; flow:established,to_server ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Orderlink (IN) Phish Feb 24 2017"; flow:to_server,established; urilen:7; content: ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MWI Maldoc Posting Host Data"; flow:established,to_server; content:"POST"; http_method; content:"?id ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed GET Request to Jaff Domain (orhangazitur . com)"; flow:to_server,established; content:"GET" ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.2 Client Checkin M16"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft SQL RCE Attempt (CVE-2020-0618)"; flow:established,to_server; urilen:37; content ...
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Netwire RAT Check-in (set)"; flow:established,to_server; dsize:65; content:"|41 00 00 00 99|"; depth ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible ReactorBot .bin Download"; flow:established,to_server; content:"GET"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MWI Maldoc Load Payload"; flow:established,to_server; content:"?id="; http_uri; content:"&act="; http ...
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible NK APT SLICKSHOES Host Checkin"; flow:established,to_server; content:"|41 00 70 00 6f 00 6c 00 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Outdated Flash Version M2"; flow:established,to_server; content:"X-Requested-With|3a 20|ShockwaveFlash ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CozyCar V2 CnC Beacon"; flow:established,to_server; content:"|12|"; http_header; content:" 2"; distance ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware Locky CnC Beacon 21 May"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 13.0.x Detected"; flow:established,to_server; content:"Java/13.0."; http_user ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Sarwent Initial Checkin CnC Response"; flow:established,from_server; flowbits:isset,ET.sarwent ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ELF/Mirai User Agent Observed (Outbound)"; flow:established,to_server; content:"User-Agent|3a 20|Ankit ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Sarwent Variant CnC Activity"; flow:established,to_server; content:"GET"; http_method; content ...
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai User Agent Observed (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|Ankit|0d 0a ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Vidar/Arkei/Megumin/Oski Stealer Data Exfil"; flow:established,to_server; content:"POST"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Sarwent Initial Checkin"; flow:established,to_server; flowbits:set,ET.sarwent.1; content:"GET" ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY DRIVEBY Generic EXE Download by Java"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.3 Client Checkin M14"; flow:established,to_server; content:"POST"; http_method; content ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (AgentTesla CnC)"; flow:established,to_client; tls_cert_subject; content: ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.2 Client Checkin M12"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.3 Client Checkin M15"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.3 Client Checkin M13"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.2 Client Checkin M14"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.3 Client Checkin M10"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.2 Client Checkin M13"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.3 Client Checkin M11"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/YTDDownloader.F Activity"; flow:established,to_server; content:"NSISDL/1.2 (Mozilla)"; http_user ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.3 Client Checkin M12"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.2 Client Checkin M15"; flow:established,to_server; content:"POST"; http_method; content ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Malicious SSL Certificate detected (Patchwork CnC)"; flow:established,to_client; tls_cert_subject; content ...
#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET DELETED Yoyo DDoS Bot Command from CnC Server"; flow:established,from_server; dsize:124; content:"|C1 00 00 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN X2000M.Agent Checkin Jan 24 2017"; flow:established,to_server; content:"v7v7v7v7v7v7v7v7v7v7v7v7"; http ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (TinyNuke Variant CnC) 2020-02-09"; flow:established,to_client; tls_cert_subject ...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Parallax CnC Response Activity M7"; flow:established,to_client; content:"|5e 52 4a 3b|"; depth:4; fast ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Parallax RAT CnC Domain Observed in DNS Query"; dns_query; content:"vahlallha.duckdns.org"; nocase; depth:21; isdataat ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.2 Client Checkin M11"; flow:established,to_server; content:"POST"; http_method; content ...
alert dns $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Facebook Phishing Domain in DNS Lookup"; dns_query; content:"www.oitunmy.com"; nocase; depth:15; isdataat ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kimsuky Related CnC"; flow:established,to_server; content:"GET"; http_method; content:"indox.php?v=" ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Kimsuky Related Exfil"; flow:established,to_server; urilen:25; content:"POST"; http_method; ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Kimsuky Related Download"; flow:established,to_server; urilen:21; content:"GET"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.2 Client Checkin M10"; flow:established,to_server; content:"POST"; http_method; content ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (ServHelper CnC)"; flow:established,to_client; tls_cert_subject; content: ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (jssLoader CnC)"; flow:established,to_client; tls_cert_subject; content:"CN ...
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Parallax CnC Activity M7 (set)"; flow:established,to_server; content:"|5e 52 4a 3b|"; depth:4; fast_pattern ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN POWERTON CnC Domain in DNS Lookup"; dns_query; content:"dailystudy.org"; nocase; depth:14; isdataat:1,relative; ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN MoleRAT/Pierogi CnC Response (Screenshot)"; flow:established,to_client; file_data; content:"62c92ba585f74ecdbef4c4498a438984 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.3 Client Checkin M9"; flow:established,to_server; content:"POST"; http_method; content ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN DNS Query to MINEBRIDGE CnC Domain (creatorz123 .top)"; dns_query; content:"creatorz123.top"; nocase; depth:15; ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN MoleRAT/Pierogi CnC Response (Download)"; flow:established,to_client; file_data; content:"51a7a76a7dd5d9e4651fe3d4c74d16d6 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.3 Client Checkin M7"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.3 Client Checkin M6"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.2 Client Checkin M5"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MoleRAT/Pierogi CnC Activity (Upload)"; flow:established,to_server; content:"POST"; http_method; content ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN DNS Query to MINEBRIDGE CnC Domain (fatoftheland .top)"; dns_query; content:"fatoftheland.top"; nocase; depth:16 ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (FIN7/GRIFFON CnC)"; flow:established,to_client; tls_cert_subject; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.2 Client Checkin M7"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.2 Client Checkin M6"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.2 Client Checkin M8"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN MoleRAT/Pierogi CnC Response (Command)"; flow:established,to_client; file_data; content:"dfff0a7fa1a55c8c1a4966c19f6da452 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.3 Client Checkin M5"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.3 Client Checkin M8"; flow:established,to_server; content:"POST"; http_method; content ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN DNS Query to MINEBRIDGE CnC Domain (compilator333 .top)"; dns_query; content:"compilator333.top"; nocase; depth ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.3 Client Checkin M4"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.2 Client Checkin M4"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.2 Client Checkin M9"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MoleRAT/Pierogi Backdoor Activity"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Websocket Credential Phish Sep 15 2017"; flow:to_server,established; content ...
alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|Hello, World"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Phish 2020-01-29 (set)"; flow:established,to_server; flowbits:set,ET.genericphish ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Mirai Variant User Agent (Outbound)"; flow:established,to_server; content:"User-Agent|3a 20|Hello, World ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN DNS Query to MINEBRIDGE CnC Domain (conversia91 .top)"; dns_query; content:"conversia91.top"; nocase; depth:15; ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DownloaderExchanger/Cbeplay Variant Checkin"; flow:to_server,established; content:"POST"; http_method ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN DNS Query to MINEBRIDGE CnC Domain (123faster .top)"; dns_query; content:"123faster.top"; nocase; depth:13; isdataat ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jun 15 2016"; flow:established,from_server; content:"Set-Cookie ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Jul 28 2016"; flow:established,to_client; http_start; content:"Set ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious EXE requested with Java UA"; flow:established,to_server; content:"GET"; http_method; content ...
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET POLICY ABBCCoin Checkin"; flow:to_server,established; content:" version"; within:14; content:"ABBCCoin"; within ...
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO TGI Possible Cobalt Strike Extra Whitespace HTTP Response"; flow:established,to_client; content:!"WEBrick ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO TGI Entrust Entelligence Security Provider (Flowbits Set)"; flow:established,to_server; content:"Entrust ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS ABBCCoin Activity Observed"; flow:established,to_server; content:"User-Agent|3a 20|ABBCCoin"; fast ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN VaultCrypt Uploading Files"; flow:to_server,established; content:"POST"; http_method; urilen:6; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CenterPOS CnC"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; isdataat ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Potao CnC"; flow:to_server,established; content:"POST"; http_method; content:""; depth:21; http_client ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Infostealer.Bancos ProxyChanger Checkin"; flow:established,to_server; content:"GET"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Elise CnC Beacon 1 M2"; flow:to_server,established; content:"GET"; http_method; content:"/" ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan Generic POST To gate.php with no accept headers"; flow:established,to_server; content:"POST ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CenterPOS CnC 2"; flow:established,to_server; content:"POST"; content:".php"; http_uri; isdataat:1,relative ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ArcDoor Intial Checkin"; flow:established,to_server; urilen:1; content:"POST"; http_method; content: ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sage Ransomware Checkin Primer"; flow:established,to_server; urilen:1; pcre:"/^.{0,15} \x00 \x09\x80 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible APT40/Dadstache Stage 2 Payload Beacon"; flow:to_server,established; content:"POST"; http_method ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN APT40/Dadstache Related DNS Lookup"; dns_query; content:"thestar.serveblog.net"; nocase; isdataat:1,relative; metadata ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN APT40/Dadstache Related DNS Lookup"; dns_query; content:"capitana.onthewifi.com"; nocase; isdataat:1,relative; metadata ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Mozart Loader Command Request (reporttask)"; flow:to_server; content:"|0a|reporttask|00 00 10 00 01|"; fast_pattern ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN APT40/Dadstache Related DNS Lookup"; dns_query; content:"kulkarni.bounceme.net"; nocase; isdataat:1,relative; metadata ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN APT40/Dadstache Related DNS Lookup"; dns_query; content:"invoke.ml"; nocase; isdataat:1,relative; metadata: former ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN VBS.ayr CnC command (/iam ready)"; flow:established,to_server; content:"POST"; http_method; content ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN APT40/Dadstache Related DNS Lookup"; dns_query; content:"byfleur.myftp.org"; nocase; isdataat:1,relative; metadata ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN APT40/Dadstache Related DNS Lookup"; dns_query; content:"accountsx.bounceme.net"; nocase; isdataat:1,relative; metadata ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Mozart Loader Command Request (gettasks)"; flow:to_server; threshold:type both, track by_src, count 30, seconds ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Sundown EK Payload Struct T1 Apr 24 2015"; flow:established,to_server; content:".exe ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN APT40/Dadstache Related DNS Lookup"; dns_query; content:"dynamics.ddnsking.com"; nocase; isdataat:1,relative; metadata ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN APT40/Dadstache Related DNS Lookup"; dns_query; content:"vvavesltd.servebeer.com"; nocase; isdataat:1,relative; ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Mozart Loader Command Request (getupdates)"; flow:to_server; threshold:type both, track by_src, count 30, seconds ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Mozart Loader Command Request (reportupdates)"; flow:to_server; content:"|08|reportupdates|00 00 10 00 01|"; fast ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Mozart Loader CnC Checkin (getid)"; flow:to_server; content:"$"; content:" S "; distance:0; nocase; content:"|05 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux.Mumblehard Initial Checkin"; flow:to_server,established; content:"GET"; http_method; urilen:1; ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux.Mumblehard Command Status CnC"; flow:to_server,established; content:"GET"; http_method; urilen ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BePush/Kilim CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".php?type ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Chthonic CnC Beacon 6"; flow:established,to_server; content:"POST"; http_method; content:!"Accept "; ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Scanbox Sending Host Data"; flow:to_server,established; content:"GET"; http_method; content:".jpg"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DNSChanger EK Landing URI Struct May 22 2015"; flow:to_server,established; content:"/stat/load ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Chthonic CnC Beacon 5"; flow:established,to_server; content:"POST"; http_method; content:!"Accept "; ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN VBS.ayr CnC command (is enum folder)"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET TROJAN Wordpress Errorcontent CnC Beacon"; flow:to_server,established; content:"GET"; http_method; content ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Banker Boleto Fraud JS BROBAN.SM Checkin 2"; flow:to_server,established; content:"/rico.php"; fast_pattern ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.2 Client Checkin M2"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.2 Client Checkin M1"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.2 Client Checkin M3"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JavaScriptBackdoor HTTP POST CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dyre Downloading Mailer 2"; flow:established,to_server; content:"GET"; http_method; content:".tar"; ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DADJOKE/Rail Tycoon Initial Macro Execution"; flow:to_server,established; content:"GET"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.3 Client Checkin M2"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.3 Client Checkin M1"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AZORult V3.3 Client Checkin M3"; flow:established,to_server; content:"POST"; http_method; content ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss Setup"; flow:established,to_server; content:".php?setup d s "; http_uri; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gamut Spambot Checkin 2"; flow:established,to_server; urilen:6; content:"POST"; http_method; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Liftoh.Downloader Final.html Payload Request"; flow:established,to_server; content:"GET"; http_method ...
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BlackRev Botnet Login Request CnC Beacon"; flow:established,to_server; content:"POST"; http_method; ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Backdoor.Win32.Popwin Checkin`; flow:to server,established; content:`/soft/xiaomi`; fast pattern; http ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET MOBILE MALWARE Android.Adware.Wapsx.A`; flow:established, to server; content:`/fengmian/`; fast pattern; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Unknown Trojan with Fake Java User Agent`; flow:established,to server; content:`Java/`; http user agent ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS g01pack Exploit Kit .homelinux. Landing Page`; flow:established,to server; urilen: 2; content ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS g01pack Exploit Kit .homeip. Landing Page`; flow:established,to server; urilen: 2; content: ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN BTQP Checkin 2`; flow:established,to server; content:`GET`; http method; content:`.asp?IDPC `; fast pattern ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET MALWARE W32/BettrExperience.Adware Update Checkin`; flow:established,to server; content:`/Check.ashx?`; depth ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN EUPUDS.A Requests for Boleto replacement `; flow:established,to server; urilen:10; pcre:`/^ a f0 9 {8 ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Dyreza RAT Fake Server Header`; flow:established,to client; content:`Server 3a 20 Stalin`; http header ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET MALWARE W32/BettrExperience.Adware POST Checkin`; flow:established,to server; content:`POST`; http method; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN FortDisco Reporting Status`; flow:established,to server; content:`POST`; http method; content:`/cmd.php ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS CrimeBoss Recent Jar (3)`; flow:established,to server; content:`/m1`; http uri; nocase; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS CoolEK Payload Download (9)`; flow:established,to server; content:`.txt?f `; fast pattern; http ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Banker Boleto Fraud JS BROBAN.SM Checkin 1`; flow:to server,established; content:`/rico.php`; fast pattern ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Win32/Almanahe.B Checkin`; flow:to server,established; urilen:1; content:`GET`; http method; content ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS g01pack Exploit Kit .blogsite. Landing Page`; flow:established,to server; urilen: 2; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Gamut Spambot Checkin`; flow:established,to server; content:`file SenderClient.conf`; http uri; nocase ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET MOBILE MALWARE KorBanker Fake Banking App Install CnC Beacon`; flow:established,to server; content:`POST`; http ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Dridex POST Retrieving Second Stage`; flow:established,to server; content:`Host 3a 20 `; http header ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Request to malicious SutraTDS lonly in cookie`; flow:established,to server; content:` lonly ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET SCAN Tomcat upload from external source`; flow:to server,established; flowbits:isset,ET.Tomcat.login.attempt ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SERVER Nagios statuswml.cgi Remote Arbitrary Shell Command Injection attempt`; flow:to server,established ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET WEB SPECIFIC APPS Possible OSSIM uniqueid Parameter Remote Command Execution Attempt`; flow:established,to server ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SPECIFIC APPS MODx CMS Thumbnail.php base path Remote File Inclusion`; flow:to server,established; content ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SERVER JBOSS/JMX REMOTE WAR deployment attempt (GET)`; flow:established,to server; content:`GET`; http ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SERVER JBOSS/JMX REMOTE WAR deployment attempt (POST)`; flow:established,to server; content:`POST`; ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET WEB SPECIFIC APPS Webmin Pre 1.290 Compromise Attempt`; flow:established,to server; content:`POST`; http method ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET DOS HOIC with booster outbound`; flow:to server,established; content:`GET`; http method; content:`If Modified ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Andromeda Checkin Dec 29 2014`; flow:established,to server; content:`POST`; nocase; http method; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Stobox Connectivity Check`; flow:established,to server; content:!`Cookie 3a `; content:`/windowsupdate ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Possible Satan Cryptor GeoIP Lookup`; flow:established,to server; content:`GET /json/ HTTP/1.1 0d 0a ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS DRIVEBY Nuclear EK SWF`; flow:established,from server; flowbits:isset,et.Nuclear.SWF; content ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET DOS HOIC with booster inbound`; flow:to server,established; content:`GET`; http method; content:`If Modified ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN possible OneLouder header structure`; flow:to server,established; content:`Mozilla/4.0 (compatible 3b ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN HB Banker16 Get`; flow:to server,established; content:`GET`; http method; content:`Content Type 3a 20 ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Emotet Wifi Bruter Module Checkin`; flow:established,to server; urilen:43; content:`POST`; http method ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS DRIVEBY Nuclear EK SWF`; flow:established,from server; flowbits:isset,et.Nuclear.SWF; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Dirt Jumper/Russkill3 Checkin`; flow:established,to server; content:`POST`; nocase; http method; content ...
#alert http $HOME NET any any any (msg:`ET CURRENT EVENTS Win32.RBrute Scan (Outgoing)`; flow:to server,established; urilen:1; content:`/`; http uri; content:`Microsoft ...
#alert http $EXTERNAL NET any any any (msg:`ET CURRENT EVENTS Win32.RBrute Scan (incoming)`; flow:to server,established; urilen:1; content:`/`; http uri; content ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Win32/CazinoSilver Checkin`; flow:established,to server; content:`.php?key `; http uri; content:`DMFR ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET POLICY hide my ip.com POST version check`; flow:to server,established; content:`POST`; nocase; http method ...
#alert http $HOME NET any $EXTERNAL NET 110 (msg:`ET TROJAN Gh0st Apple Checkin`; flow:to server,established; content:`GET`; http method; content:`.gif?pid`; fast ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Patchwork Backdoor Requesting Task`; flow:established,to server; content:`POST`; http method; content ...
alert http $HOME NET any $EXTERNAL NET 443 (msg:`ET TROJAN MINEBRIDGE/MINEDOOR CnC Checkin`; flow:established,to server; content:`POST`; http method; content:` ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Win32.Riberow.A (touch)`; flow:to server,established; content:`/touch.php?dir `; http uri; content: ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN MNR BitCoin Miner Retrieving Server IP Addresses`; flow:established,to server; content:`/distrib serv ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Koobface fetch C C command detected`; flow:established, to server; content:`.php`; nocase; http uri ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN MNR BitCoin Miner Retrieving New IP Addresses From Server`; flow:established,to server; content:`/search ...
alert tcp $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Parallax CnC Response Activity M6`; flow:established,to client; content:` eb 7d df 9f `; depth:4; fast ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET POLICY IP geo location service response`; flow:established,from server; flowbits:isset,ETPRO.IP.geo.loc; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Win32.Riberow.A (mkdir)`; flow:to server,established; content:`GET`; http method; content:`/mkdir.php ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET SCAN Apache mod proxy Reverse Proxy Exposure 1`; flow:established,to server; http request line; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN MNR BitCoin Miner Server Checkin`; flow:established,to server; content:`knock.php?ver `; http uri; fast ...
alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Parallax CnC Activity M6 (set)`; flow:established,to server; content:` eb 7d df 9f `; depth:4; fast pattern ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Win32.Riberow.A (listdir)`; flow:to server,established; content:`GET`; http method; content:`/listdir ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN MNR BitCoin Miner Retrieving New Malware From Server`; flow:established,to server; content:`/search ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET MOBILE MALWARE Android.Zitmo Forwarding SMS Message to CnC Server`; flow:established,to server; content:`POST ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET MALWARE GreatArcadeHits CnC Activity`; flow:established,to server; content:`GET`; http method; content:`/reports ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Generic Bot Checkin`; flow:established,to server; content:`POST`; nocase; http method; content:`/gateway ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS TDS Sutra redirect received`; flow:established,to client; content:`302`; http stat code; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET POLICY IncrediMail Install Callback`; flow:established,to server; content:`POST`; http method; content:`s PFNCIHhtbG5zPSJTdGF0aXN0aWNzTlMiPjxBIGlkPSIxIj4 ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Backdoor.Win32.RShot HTTP Checkin`; flow:established,to server; content:`POST`; http method; content ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS TDS Sutra cookie set`; flow:established,to client; content:!`302`; http stat code; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN CryptoPatronum Ransomware CnC Checkin`; flow:established,to server; content:`POST`; http method; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Possible TDS Exploit Kit /flow redirect at .ru domain`; flow:established,to server; urilen: Added ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN FakeAV FakeAlert.Rena or similar Checkin Flowbit Set 2`; flow:established,to server; content:`.php?id ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN W32/Lici Initial Checkin`; flow:established,to server; content:`.php?email `; http uri; content:` lici ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Kelihos/Hlux GET jucheck.exe from CnC`; flow:established,to server; content:`/jucheck.exe`; http uri ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET MALWARE NPP CnC Activity`; flow:established,to server; content:`NSISDL/1.2 (Mozilla)`; http user agent; depth ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Incognito/RedKit Exploit Kit vulnerable Java payload request to /1digit.html`; flowbits:isset ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN ProxyBox HTTP CnC POST 1 letter.php`; flow:established,to server; urilen:6; content:`POST`; http ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Zeus Bot GET to Bing checking Internet connectivity`; flow:established,to server; content:`www.bing.com ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Win32 Dynamer.dtc Reporting`; flow:established,to server; content:`GET`; nocase; http method; content ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS TDS Sutra redirect received`; flow:established,to client; content:`302`; http stat code; content ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET SCAN libwww perl GET to // with specific HTTP header ordering without libwww perl User Agent`; flow:established ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Storm/Waledac 3.0 Checkin 2`; flow:established,to server; content:`GET`; http method; pcre:`/^(?:\d{1 ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Generic Win32.Autorun HTTP Post`; flow:established,to server; content:`POST`; nocase; http method; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN DonBot Checkin`; flow:established,to server; content:`POST`; nocase; http method; content:`/gateway/index ...
alert dns $HOME NET any any any (msg:`ET MALWARE DonotGroup CnC Observed in DNS Query`; dns query; content:`mangasiso.top`; nocase; isdataat:1,relative; metadata ...
alert dns $HOME NET any any any (msg:`ET TROJAN Possible Winnti DNS Lookup`; dns query; content:`.livehost.live`; nocase; isdataat:1,relative; metadata: former ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Possible Winnti TLS Certificate Observed`; flow:established,to client; tls cert subject; content:`.dnslookup ...
alert dns $HOME NET any any any (msg:`ET TROJAN Possible Winnti DNS Lookup`; dns query; content:`.dnslookup.services`; nocase; isdataat:1,relative; metadata: former ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Amadey Stealer CnC BotKiller Module Checkin`; flow:established,to server; content:`POST`; http method ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET INFO Powershell Downloader with Start Process Inbound M1`; flow:established,to client; content:`200`; http stat ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Possible Winnti TLS Certificate Observed`; flow:established,to client; tls cert subject; content:`.livehost ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET INFO TLS Handshake Failure`; flow:established,to client; dsize:7; content:` 15 `; depth:1; content:` 00 02 02 ...
#alert dns $HOME NET any any any (msg:`ET TROJAN Magecart CnC Domain Observed in DNS Query`; dns query; content:`jqueryextplugin.com`; nocase; isdataat:1,relative ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET MALWARE AdWare.iBryte.C Install `; flow:established,to server; content:`/config/`; http uri; depth:8; content ...
alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:`ET TROJAN Mimikatz x86 Mimidrv.sys Download Over HTTP`; flow:established,to client; file data; content: ...
alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:`ET TROJAN Mimikatz x86 Executable Download Over HTTP`; flow:established,to client; flowbits:isset,ET.http ...
alert tcp any any $HOME NET 445 (msg:`ET TROJAN Mimikatz x64 Mimidrv.sys File Transfer Over SMB`; flow:established,to server; flowbits:isset,ET.smb.binary; content ...
alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:`ET TROJAN Mimikatz x64 Executable Download Over HTTP`; flow:established,to client; flowbits:isset,ET.http ...
alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:`ET TROJAN Mimikatz x64 Mimidrv.sys Download Over HTTP`; flow:established,to client; file data; content: ...
alert tcp any any $HOME NET 445 (msg:`ET TROJAN Mimikatz x86 Executable Transfer Over SMB`; flow:established,to server; flowbits:isset,ET.smb.binary; content:` ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET WEB CLIENT Possible Embedded NTLM Hash Theft Code`; flow:established,to client; file data; content:`src `; nocase ...
alert dns $HOME NET any any any (msg:`ET TROJAN Hisoka CnC Domain Observed in DNS Query`; dns query; content:`google update.com`; depth:17; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET TROJAN Diezen/Sakabota CnC Domain Observed in DNS Query`; dns query; content:`antivirus update.top`; nocase; isdataat:1 ...
alert tcp any any $HOME NET 445 (msg:`ET TROJAN Mimikatz x64 Executable Transfer Over SMB`; flow:established,to server; flowbits:isset,ET.smb.binary; content:` ...
alert tcp any any $HOME NET 445 (msg:`ET TROJAN Mimikatz x86 Mimidrv.sys File Transfer Over SMB`; flow:established,to server; flowbits:isset,ET.smb.binary; content ...
alert tls $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Observed PowerShell Loader CnC Domain in TLS SNI`; flow:established,to server; tls sni; content:`internationalrule ...
alert dns $HOME NET any any any (msg:`ET TROJAN Diezen/Sakabota CnC Domain Observed in DNS Query`; dns query; content:`6google.com`; nocase; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET POLICY DNS Query to a Reverse Proxy Service Observed`; dns query; content:`.portmap.`; nocase; pcre:`/^(?:com io host) ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET POLICY GeoIP Lookup (nydus.battle.net)`; flow:established,to server; content:`GET`; http method; content:`/geoip ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Possible Generic RAT over Telegram API`; flow:established,to server; content:`GET`; http method; content ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET POLICY Telegram API Cerficate Observed`; flow:established,to client; tls cert subject; content:`CN api.telegram ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Mermaid Ransomware Variant CnC Activity M3`; flow:established,to server; content:`GET`; http method; ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Mermaid Ransomware Variant CnC Activity M2`; flow:established,to server; urilen: 50; content:`GET`; http ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Mermaid Ransomware Variant CnC Activity M1`; flow:established,to server; content:`GET`; http method; ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Observed Malicious SSL Cert (BrushaLoader CnC)`; flow:from server,established; tls cert subject; content ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Observed Malicious SSL Cert (BrushaLoader CnC)`; flow:from server,established; tls cert subject; content ...
alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN ELF/Muhstik IRC CnC Checkin`; flow:established,to server; dsize: Added 2020 01 23 19:24:37 UTC
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Observed Malicious SSL Cert (BrushaLoader CnC)`; flow:from server,established; tls cert subject; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PPI User Agent (InstallCapital)`; flow:to server,established; content:`User Agent 3a 20 InstallCapital ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Observed Malicious SSL Cert (BrushaLoader CnC)`; flow:from server,established; tls cert subject; content ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Observed Malicious SSL Cert (BrushaLoader CnC)`; flow:from server,established; tls cert subject; content ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gamaredon CnC Observed in DNS Query`; dns query; content:`masseffect.space`; nocase; isdataat:1,relative; metadata ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Observed Malicious SSL Cert (BrushaLoader CnC)`; flow:from server,established; tls cert subject; content ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET SCAN Tomato Router Default Credentials (admin:admin)`; flow:to server,established; content:`GET`; http method ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET SCAN Tomato Router Default Credentials (root:admin)`; flow:to server,established; content:`GET`; http method ...
alert tls $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Observed Magecart CnC Domain in TLS SNI`; flow:established,to server; tls sni; content:`jquerysmartstack ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Malicious SSL Cert (Magecart)`; flow:from server,established; tls cert subject; content:`CN jqueryextplugin ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Observed Thanatos Ransomware Variant Pico User Agent`; flow:established,to server; content:`Mozilla/5 ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Malicious SSL Cert (Magecart)`; flow:from server,established; tls cert subject; content:`CN jquerysmartstack ...
alert dns $HOME NET any any any (msg:`ET TROJAN Magecart CnC Domain Observed in DNS Query`; dns query; content:`jquerysmartstack.com`; nocase; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET POLICY Website Hosting Service Observed in DNS Query`; dns query; content:`dynapps.be`; nocase; isdataat:1,relative; metadata ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET POLICY HTTP Request to IP Logging Service (2no .co)`; flow:established,to server; content:`2no.co`; depth:6 ...
alert dns $HOME NET any any any (msg:`ET TROJAN ELF/Rekoobe CnC Observed in DNS Query`; dns query; content:`huawel.site`; nocase; isdataat:1,relative; metadata ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Satan/5ss5c Ransomware CnC Activity`; flow:established,to server; content:`GET`; http method; content ...
alert tls $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Observed Magecart CnC Domain in TLS SNI`; flow:established,to server; tls sni; content:`jqueryextplugin ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Observed Malicious SSL Cert (ELF/Rekoobe CnC)`; flow:from server,established; content:` 16 `; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN DADJOKE/Rail Tycoon Payload Extraction`; flow:to server,established; content:`GET`; http method; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN DADJOKE/Rail Tycoon Payload Execution`; flow:to server,established; content:`GET`; http method; content ...
alert dns $HOME NET any any any (msg:`ET TROJAN MageCart CnC Domain Observed in DNS Query`; dns query; content:`jqueryextplugin.com`; nocase; isdataat:1,relative ...
alert http any any $HTTP SERVERS any (msg:`ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE 2019 19781)`; flow:established ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Observed Malicious SSL Cert (AZORult CnC)`; flow:established,to client; tls cert subject; content:`CN ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Observed Malicious SSL Cert (AZORult CnC)`; flow:established,to client; tls cert subject; content:`CN ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Nemty Ransomware CnC Checkin`; flow:established,to server; content:`GET`; http method; content:`.php ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Observed Nemty Ransomware Payment Page`; flow:established,to client; content:`200`; http stat code; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Nemty Ransomware Payment Page ID File Upload`; flow:established,to server; content:`POST`; http method ...
alert dns $HOME NET any any any (msg:`ET TROJAN Group 21 CnC Domain Observed in DNS Query`; dns query; content:`quwa paf.servehttp.com`; nocase; isdataat:1,relative ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN CrownAdPro CnC Activity M5`; flow:established,to server; urilen: Added 2020 01 16 19:12:06 UTC
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN CrownAdPro CnC Activity M4`; flow:established,to server; urilen:10; content:`GET`; http method; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN CrownAdPro CnC Activity M3`; flow:established,to server; urilen:13; content:`GET`; http method; content ...
alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Win32/MillionLoader CnC Activity (Outbound)`; flow:established,to server; content:`ggin 0b 00 00 00 ` ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN CrownAdPro CnC Activity M2`; flow:established,to server; urilen:11; content:`GET`; http method; content ...
alert tcp $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Win32/MillionLoader CnC Activity (Inbound)`; flow:established,from server; content:`ggin 00 00 00 00 00 ...
alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Win32/MillionLoader CnC Init Activity`; flow:established,to server; dsize:16; content:`ggin 00 00 00 00 ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Observed Certificate Base64 Encoded Executable Inbound`; flow:established,to client; file data; content ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Generic Miarroba Phishing Landing`; flow:established,to client; content:`200`; http stat code ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN SMS Bomber Activity`; flow:to server,established; content:`POST`; http method; content:` v `; http client ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Observed Certificate Containing Possible Base64 Encoded Powershell Inbound`; flow:established,to client ...
alert smtp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PowerSploit/PowerView SMTP Data Exfil`; flow:established,to server; content:`Subject 3a 20 DC 3a `; content ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Observed Possible PowerSploit/PowerView .ps1 Inbound`; flow:established,to client; content:`200`; http ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Observed Certificate Containing Double Base64 Encoded Executable Inbound`; flow:established,to client ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PowerTrick download ver2 bot`; flow:established,to server; content:`GET`; http method; content:`?a irs ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PowerTrick Known Key 1`; flow:established,to server; content:`POST`; http method; content:`p1 P4YCVQER8UWpfzxVFmVSDyBLzKL3yV6c ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PowerTrick Known Key 2`; flow:established,to server; content:`POST`; http method; content:`p1 ybEsTxhqPuN4uVkemt6WjxaJN8jBdAGLxKeY9a4CnMTLSSq2 ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PowerTrick download bot known key`; flow:established,to server; content:`GET`; http method; content: ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PowerTrick download ver1 bot`; flow:established,to server; content:`GET`; http method; content:`?x UDRZQ1ZRRVI4VVdwZnp4VkZtVlNEeUJMektMM3lWNmM ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN TROJ NAIKON.A SSL Cert`; flow:established,from server; content:` 55 04 03 `; content:` 04 donc`; fast ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN TROJ NAIKON.A SSL Cert`; flow:established,from server; content:` 55 04 03 `; content:` 04 donc`; fast ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN TROJ NAIKON.A SSL Cert`; flow:established,from server; content:` 55 04 03 `; content:` 04 donc`; fast ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN TROJ NAIKON.A SSL Cert`; flow:established,from server; content:` 55 04 03 `; content:` 04 donc`; fast ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN TROJ NAIKON.A SSL Cert`; flow:established,from server; content:` 55 04 03 `; content:` 04 donc`; fast ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Italian Spam Campaign ZIP with EXE Containing Many Underscores`; flow:from server,established ...
alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN TROJ_NAIKON.A SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|04|donc"; fast ...
alert dns $HOME_NET any any any (msg:"ET WEB_CLIENT Observed DNS Query to Malicious Cookie Monster Roulette JS Cookie Stealer Exfil Domain"; dns_query; content ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PowerTrick Task Checkin M2"; flow:established,to_server; content:"POST"; http_method; content:"p3="; ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PowerTrick Task Checkin M1"; flow:established,to_server; content:"POST"; http_method; content:"p3=Qzpc ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN OilRig APT PowDesk Powershell Check"; flow:established,to_server; content:"GET"; http_method; content ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PowerTrick Task Request"; flow:established,to_server; content:"POST"; http_method; content:"p=t&p1=" ...
alert dns $HOME_NET any any any (msg:"ET POLICY GG Url Shortener Observed in DNS Query"; dns_query; content:"gg.gg"; nocase; depth:5; isdataat:1,relative; metadata ...
alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Observed Malicious SSL Cert (Office365 Phish Landing Page 2020-01-09)"; flow:established,to_client ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PowerTrick Task Answer"; flow:established,to_server; content:"POST"; http_method; content:"p3="; http ...
alert http any any $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) M2"; flow ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Observed DNS Query to Ursnif SAIGON Variant CnC Domain"; dns_query; content:"cdn-digicert-i31.com"; nocase; depth ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN 401TRG PS/PowDesk Checkin (APT34)"; flow:to_server,established; content:".php?devicename="; http_uri ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Observed DNS Query to Ursnif SAIGON Variant CnC Domain"; dns_query; content:"mozilla-yahoo.com"; nocase; depth:17 ...
alert dns $HOME_NET any any any (msg:"ET TROJAN DonotGroup CnC Domain Observed in DNS Query"; dns_query; content:"mimestyle.xyz"; nocase; isdataat:1,relative; metadata ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Observed DNS Query to Ursnif SAIGON Variant CnC Domain"; dns_query; content:"cdn-gmail-us.com"; nocase; depth:16 ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Observed DNS Query to Ursnif SAIGON Variant CnC Domain"; dns_query; content:"google-download.com"; nocase; depth ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Observed DNS Query to Ursnif SAIGON Variant CnC Domain"; dns_query; content:"securecloudbase.com"; nocase; depth ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Observed DNS Query to Ursnif SAIGON Variant CnC Domain"; dns_query; content:"cdn-google-eu.com"; nocase; depth:17 ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Observed DNS Query to Ursnif SAIGON Variant CnC Domain"; dns_query; content:"cdn-mozilla-sn45.com"; nocase; depth ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN OZV Variant Checkin"; flow:established,to_server; content:"/cpa"; http_uri; content:".asp?mac="; http ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN APT/TransparentTribe Style Request"; flow:established,to_server; content:"|2f 50 30 75 72 57 61 31 74 ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN NZK Variant"; flow:established,to_server; content:"GET"; http_method; content:".php?info=ID: "; http ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN APT/TransparentTribe CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content: ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (whois.pconline.com.cn)"; flow:established,to_server; content:"GET"; http_method ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Magician/M461c14n Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content ...
alert dns $HOME_NET any any any (msg:"ET TROJAN DonotGroup Staging Domain Observed in DNS Query"; dns_query; content:"comodo.world"; nocase; isdataat:1,relative ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed"; flow:established,to_server; content:"User-Agent|3a 20|pussy"; http ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/Rarog Stealer CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:" ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/Rarog Stealer CnC Keep Alive"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN AstroBot CnC Activity"; flow:established,to_server; content:"POST"; http_method; content:"/gate.php" ...
alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Malicious SSL Cert (Magecart)"; flow:from_server,established; tls_cert_subject; content:"CN=googlc-analytics ...
alert tls $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Observed Magecart CnC Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"googlc-analytics ...
alert dns $HOME_NET any any any (msg:"ET TROJAN DonotGroup CnC Domain Observed in DNS Query"; dns_query; content:"bestbuy.zapto.org"; nocase; isdataat:1,relative ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (DxD)"; flow:established,to_server; content:"DxD"; http_user_agent; fast ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Zeoticus Ransomware CnC Activity"; flow:established,to_server; content:"GET"; http_method; content:"supersecretstring ...
alert tls $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Observed Magecart CnC Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"googlo-analytics ...
alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Malicious SSL Cert (Magecart)"; flow:from_server,established; tls_cert_subject; content:"CN=googlo-analytics ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Magecart CnC Domain Observed in DNS Query"; dns_query; content:"googlo-analytics.com"; nocase; isdataat:1,relative ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Magecart CnC Domain Observed in DNS Query"; dns_query; content:"googlc-analytics.net"; nocase; isdataat:1,relative ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Legion Loader Activity Observed (carlos castaneda)"; flow:established,to_server; content:"User-Agent ...
alert tcp $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Arechclient2 Backdoor CnC Init"; flow:established,from_server; dsize: Added 2020-01-02 20:45:23 UTC
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Lampion CnC Activity"; flow:established,to_server; content:"POST"; http_method; content:".php"; http ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Kimsuky Operation Blue Estimate CnC Activity"; flow:established,to_server; content:"POST"; http_method ...
alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Arechclient2 Backdoor CnC Checkin"; flow:established,to_server; content:"|7b 22 54 79 70 65 22 3a 22 43 ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Observed Buran Ransomware UA"; flow:established,to_server; content:"User-Agent|3a 20|fuck u|0d 0a|"; ...
alert tcp $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Arechclient2 Backdoor CnC Keep Alive"; flow:established,from_server; dsize: Added 2020-01-02 20:45:23 ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Observed Buran Ransomware UA"; flow:established,to_server; content:"User-Agent|3a 20 63 6f 63 6b 0d 0a ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Observed Buran Ransomware UA"; flow:established,to_server; content:"User-Agent|3a 20|autizm|0d 0a|"; ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET DELETED Netgear DGN1000/DGN2200 Unauthenticated Command Execution Inbound"; flow:established,to_server; content ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Observed Buran Ransomware UA"; flow:established,to_server; content:"User-Agent|3a 20|get you|0d 0a|" ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound"; flow:established,to_server; content ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN ELF/Mirai Variant UA Outbound (Ouija x.86)"; flow:established,to_server; content:"User-Agent|3a 20|Ouija ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/ViSystem CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php?hwid ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Inbound (CVE-2019-7256)"; flow:established,to_server ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN GENERIC Likely Malicious Fake IE Downloading .exe"; flow:established,to_server; content:".exe"; http ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET INFO Suspicious Chmod Usage in URI (Outbound)"; flow:to_server,established; content:"chmod"; fast_pattern; nocase ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Outbound (CVE-2019-7256)"; flow:established,to_server ...
alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Malicious SSL Cert (Magecart)"; flow:from_server,established; tls_cert_subject; content:"CN=magento-statistics ...
alert tls $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Observed Magecart CnC Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"magesource.su ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET MALWARE Win32/DownloadAssistant.G Variant Error Report"; flow:established,to_server; content:"POST"; http_method ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET MALWARE Win32/DownloadAssistant.Q Variant Checkin"; flow:established,to_server; content:"POST"; http_method ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Magecart CnC Domain Observed in DNS Query"; dns_query; content:"magesource.su"; nocase; isdataat:1,relative; classtype ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Dark Nexus IoT Variant User Agent (Outbound)"; flow:established,to_server; content:"User-Agent|3a 20| ...
alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Malicious SSL Cert (Magecart)"; flow:from_server,established; tls_cert_subject; content:"CN=magesource ...
alert http $EXTERNAL_NET any any any (msg:"ET SCAN Dark Nexus IoT Variant User Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|dark_NeXus ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/BlackNET CnC Requesting Command"; flow:established,to_server; content:"GET"; http_method; content ...
alert tls $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Observed Upatre CnC Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"poweruphosting.com ...
alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Upatre CnC)"; flow:established,to_client; tls_cert_subject; content:"CN=vcomdesign ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/BlackNET CnC Keep Alive"; flow:established,to_server; content:"GET"; http_method; content:".php ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/BlackNET CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?vicID ...
alert dns $HOME_NET any any any (msg:"ET POLICY Suspicious ToTok Mobile Application DNS Request"; dns_query; content:"capi.im.totok.ai"; nocase; isdataat:1,relative ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Win32/Valak Checkin Server Response"; flow:established,to_client; content:"200"; http_stat_code; file ...
#alert tcp $EXTERNAL_NET any $HOME_NET 25667,47000 (msg:"ET TROJAN XServer Backdoor Communication Setup Initiate"; flow:established,to_server; flowbits:isset ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/Valak Plugin Data Exfil"; flow:established,to_server; content:"POST"; http_method; urilen: 60 ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Win32/Valak Stage 2 Response Plugin"; flow:established,to_client; content:"200"; http_stat_code ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/Valak Checkin"; flow:established,to_server; content:"GET"; http_method; urilen: 60; content:" bm9uY2U9 ...
#alert tcp $EXTERNAL_NET any $HOME_NET 25667,47000 (msg:"ET TROJAN XServer Backdoor Communication Setup Request"; flow:established,to_server; flowbits:set,ET ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Win32/Valak Stage 2 Response Task"; flow:established,to_client; content:"200"; http_stat_code; ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/Valak Stage 2 Request"; flow:established,to_server; content:"GET"; http_method; urilen: 60 ...
alert tcp $EXTERNAL_NET any $HOME_NET 1024: (msg:"ET TROJAN Possible XServer Backdoor Certificate Observed"; flow:established,to_server; content:"|16|"; depth:1 ...
alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (DonotGroup CnC)"; flow:established,to_client; tls_cert_subject; content: ...
alert smtp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/Unknown SMTP Checkin"; flow:established,to_server; content:"Subject: PCInfo:"; fast_pattern; content ...
#alert http $EXTERNAL_NET any $HTTP_SERVERS any (msg:"ET DELETED Possible OptionsBleed (CVE-2017-9798)"; flow:established,to_server; content:"OPTIONS"; http_method ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup free.ipwhois.io"; flow:established,to_server; content:"GET"; http_method; content ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/TinyNuke CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:!" "; http ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET SCAN Watchfire AppScan Web App Vulnerability Scanner"; flow:established,to_server; content:"/appscan_fingerprint ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN DiamondFox HTTP Post CnC Checkin M3"; flow:established,to_server; content:"POST"; http_method; content ...
alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Sidewinder APT CnC)"; flow:established,to_client; tls_cert_subject; content ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/MailerBot CnC Activity"; flow:established,to_server; content:"POST"; http_method; content:".php ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET EXPLOIT TP-LINK Archer C5 v4 (CVE-2019-7405)"; flow:established,to_server; content:"/cgi/setPwd?pwd="; http ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Possible Gamaredon HEAD Request for .dot file on ddns.net"; content:"HEAD"; http_method; content:".dot ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN ShivaGood Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content: ...
alert http $EXTERNAL_NET any any any (msg:"ET EXPLOIT NetGain Systems Enterprise Manager CVE-2017-16602 (Inbound)"; flow:established,to_server; content:"POST"; ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET EXPLOIT Citrix NetScaler SD-WAN 9.1.2.26.561201 Devices CVE-2017-6316 (Outbound)"; flow:established,to_server ...
alert http $EXTERNAL_NET any any any (msg:"ET EXPLOIT Possible Sar2HTML plotting tool for Linux servers v3.2.1 (Inbound)"; flow:established,to_server; content: ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Sar2HTML plotting tool for Linux servers v3.2.1 (Outbound)"; flow:established,to_server; content ...
alert http $EXTERNAL_NET any any any (msg:"ET EXPLOIT Citrix NetScaler SD-WAN 9.1.2.26.561201 Devices CVE-2017-6316 (Inbound)"; flow:established,to_server; urilen ...
alert http $EXTERNAL_NET any any any (msg:"ET EXPLOIT 3Com Office Connect Remote Code Execution (Inbound)"; flow:established,to_server; content:"GET"; http_method ...
alert http $EXTERNAL_NET any any any (msg:"ET EXPLOIT Thomson Reuters Velocity Analytics Vhayu Analytic Servers 6.94 build 2995 CVE-2013-5912 (Inbound)"; flow:established ...
alert http $EXTERNAL_NET any any any (msg:"ET EXPLOIT Barracuda Spam Firewall 3.3.x RCE 2006-4000 (Inbound)"; flow:established,to_server; content:"GET"; http_method ...
alert http $EXTERNAL_NET any any any (msg:"ET EXPLOIT CCBill Online Payment Systems RCE (Inbound)"; flow:established,to_server; content:"GET"; http_method; content ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET EXPLOIT NetGain Systems Enterprise Manager CVE-2017-16602 (Outbound)"; flow:established,to_server; content: ...
alert http $EXTERNAL_NET any any any (msg:"ET EXPLOIT ACTi ASOC 2200 Web Configurators versions Added 2019-12-16 19:02:20 UTC
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET EXPLOIT 3Com Office Connect Remote Code Execution (Outbound)"; flow:established,to_server; content:"GET"; http ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET EXPLOIT Thomson Reuters Velocity Analytics Vhayu Analytic Servers 6.94 build 2995 CVE-2013-5912 (Outbound)" ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET EXPLOIT CCBill Online Payment Systems RCE (Outbound)"; flow:established,to_server; content:"GET"; http_method ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET EXPLOIT Barracuda Spam Firewall 3.3.x RCE 2006-4000 (Outbound)"; flow:established,to_server; content:"GET"; ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET EXPLOIT ACTi ASOC 2200 Web Configurators versions Added 2019-12-16 19:02:20 UTC
alert http $EXTERNAL_NET any any any (msg:"ET EXPLOIT Yachtcontrol Webservers RCE CVE-2019-17270 (Inbound)"; flow:established,to_server; content:"GET"; http_method ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET EXPLOIT Possible AVCON6 Video Conferencing System RCE (Outbound)"; flow:established,to_server; content:"POST ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET EXPLOIT Technicolor TD5130v2/TD5336 Router RCE CVE-2019-118396/CVE-2017-14127 (Outbound)"; flow:established ...
alert http $EXTERNAL_NET any any any (msg:"ET EXPLOIT Technicolor TD5130v2/TD5336 Router RCE CVE-2019-118396/CVE-2017-14127 (Inbound)"; flow:established,to_server ...
alert http $EXTERNAL_NET any any any (msg:"ET EXPLOIT Possible AVCON6 Video Conferencing System RCE (Inbound)"; flow:established,to_server; content:"POST"; http ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET EXPLOIT Enigma Network Management Systems v65.0.0 CVE-2019-16072 (Outbound)"; flow:established,to_server; content ...
alert http $EXTERNAL_NET any any any (msg:"ET EXPLOIT Enigma Network Management Systems v65.0.0 CVE-2019-16072 (Inbound)"; flow:established,to_server; content: ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Observed DNS Query for APT40 Possible DADSTACHE CnC Domain"; dns_query; content:"nethosting.viewdns.net"; depth ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET EXPLOIT Yachtcontrol Webservers RCE CVE-2019-17270 (Outbound)"; flow:established,to_server; content:"GET"; http ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN BrowserStealer Data Exfil M3"; flow:established,to_server; content:"POST"; http_method; content:".php ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN BrowserStealer CnC Keep Alive"; flow:established,to_server; content:"POST"; http_method; content:".php ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN BrowserStealer Data Exfil M2"; flow:established,to_server; content:"POST"; http_method; content:".php ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN BrowserStealer Data Exfil M1"; flow:established,to_server; content:"POST"; http_method; content:".php ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN BrowserStealer CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php? ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN AZORult v3.2 Server Response M3"; flow:established,to_client; content:"200"; http_stat_code; file_data ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN MalDoc Exfil (2019-12-12)"; flow:established,to_server; content:"GET"; http_method; content:"/info1.php ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN CrownAdPro CnC Activity M1"; flow:established,to_server; content:"/ixset.php?ip="; http_uri; depth:14 ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN AZORult v3.2 Server Response M2"; flow:established,to_client; content:"200"; http_stat_code; file_data ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN AZORult v3.2 Server Response M1"; flow:established,to_client; content:"200"; http_stat_code; file_data ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN AZORult v3.3 Server Response M3"; flow:established,to_client; content:"200"; http_stat_code; file_data ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN AZORult v3.3 Server Response M2"; flow:established,to_client; content:"200"; http_stat_code; file_data ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BottleEK Plugin Check Response"; flow:established,to_server; content:"GET"; http_method; content ...
Number of topics: 500
Topic revision: r4 - 2014-01-10 - JinsuNa