1000 Recent Changes in Main Web retrieved at 11:54 (GMT)

alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Malicious JS.Nemucod to PS Dropping PE Nov 14 M2"; flow:to_server,established; content:"GET" ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Pony DLL Download"; flow:established,to_server; content:"/pm"; http_uri; pcre:"/^\d ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible ReactorBot .bin Download"; flow:established,to_server; content:"GET"; http_method; content ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil EXE download from WinHttpRequest non-exe extension"; flow:established,to_client; ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2"; flow:established,to_client; file ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2"; flow:established,to_client; file ...
alert tcp $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1"; flow:established,to_client; content ...
alert http $EXTERNAL_NET any $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible Magento Directory Traversal Attempt"; flow:established,to_server; content:"GET" ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible IE MSMXL Detection of Local SYS (Likely Malicious)"; flow:established,from_server; ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible IE MSMXL Detection of Local DLL (Likely Malicious)"; flow:established,from_server; ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Malicious wininet UA Downloading EXE"; flow:established,from_server; flowbits:isset,ET ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Download file with BITS via LNK file (Likely Malicious)"; flow:established,from_server; file ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Trojan Multi-part Macro Download M1"; flow:established,from_server; file_data; content ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious Doc Downloading EXE"; flow:established,from_server; flowbits:isset,ET.MalDocEXEPrimer ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS rechnung zip file download"; flow:established,to_server; content:"GET"; http_method; content ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPack Payload Download Oct 29"; flow:established,to_server; content:"/lofla1.php"; http ...
alert tcp $EXTERNAL_NET 445,139 $HOME_NET any (msg:"ET CURRENT_EVENTS Possible SandWorm INF Download (SMB UNICODE)"; flow:to_client,established; content:"S|00 ...
alert tcp $EXTERNAL_NET 445,139 $HOME_NET any (msg:"ET CURRENT_EVENTS Possible SandWorm INF Download (SMB)"; flow:to_client,established; content:"Software|5c ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible SandWorm INF Download (UNICODE)"; flow:to_client,established; file_data; content:"S ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible SandWorm INF Download"; flow:to_client,established; file_data; content:"Software|5c ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CryptoLocker TorComponent DL"; flow:from_server,established; flowbits:isset,FakeIEMinimal ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS ZeroLocker EXE Download"; flow:established,from_server; flowbits:isset,ET.http.binary; file ...
#alert tcp $EXTERNAL_NET 443,$HTTP_PORTS $HOME_NET any (msg:"ET CURRENT_EVENTS TorExplorer Certificate Potentially Linked To W32/Cryptowall.Ransomware"; flow ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Common Bad Actor Indicators Used in Various Targeted 0-day Attacks"; flow:from_server,established ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible FakeAV binary download (setup)"; content:"GET"; http_method; content:"index.php?key ...
#alert tcp $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS TecSystems (Possible Mask) Signed PE EXE Download"; flow:established,to_client; flowbits:isset ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible malicious zipped executable"; flow:established,from_server; file_data; content:"PK ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS ehow/livestrong Malicious Flash 10/11"; flow:established,to_server; urilen:13; content:".swf ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET EXPLOIT Metasploit 2013-3346"; flow:established,from_server; file_data; content:"5 0 R|0a|endobj|0a|5 0 obj ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Fake Codec Download"; flow:established,to_server; content:"/Setup.exe?tid "; http_uri ...
#alert tcp $HTTP_SERVERS any $EXTERNAL_NET 21 (msg:"ET CURRENT_EVENTS Fredcot campaign payload download"; flow:to_server,established; content:"PASS fredcot123|0d ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Malicious Cookie Set By Flash Malvertising"; flow:established,to_server; content:"|0d 0a|Cookie ...
#alert http $HOME_NET any $EXTERNAL_NET 80 (msg:"ET CURRENT_EVENTS Possible Sakura Jar Download Oct 22 2013"; flow:to_server,established; content:!".jar"; http ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible FortDisco POP3 Site list download"; flow:established,to_server; content:"GET"; http ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS MALVERTISING Flash URI /loading?vkn "; flow:established,to_server; content:"/loading?vkn ...
alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (2)"; flow:established,from_server; tls_cert_subject; content ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious iframe"; flow:established,from_server; file_data; content:").) ? \r\n\s name \r\n ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious iframe"; flow:established,from_server; file_data; content:").) ? \r\n\s name \r\n ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS .HTM being served from WP 1-flash-gallery Upload DIR (likely malicious)"; flow:established,to ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito Malicious PDF Requested /getfile.php"; flow:established,to_server; content:"/getfile ...
#alert tcp $EXTERNAL_NET $HTTP_PORTS $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Java Malicious Jar /eeltff.jar"; flow:to_server,established; content:"/eeltff ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown java ara Bin Download"; flow:established,to_server; content:"java ara name "; http_uri ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING Alureon Malicious IFRAME"; flow:established,to_client; file_data; content:"name ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING OpenX BrowserDetect.init Download"; flow:established,to_client; content:"OAID ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious JAR olig"; flow:established,from_server; content:"|00 00|META-INF/PK|0a|"; fast_pattern ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Excel with Embedded .emf object downloaded"; flow:established,to_client; file_data; content ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2014-6332 Sep 01 2016 (HFS Actor) M2"; flow:established,from_server; content:"Server|3a 20 ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2014-6332 Sep 01 2016 (HFS Actor) M1"; flow:established,from_server; file_data; content: ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Facebook password stealing inject Jan 04"; flow:from_server,established; file_data; content ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible vBulletin object injection vulnerability Attempt"; flow:established,to_server; content ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Evil JavaScript Injection Sep 29 2015"; flow:established,to_client; file_data; content:"|76 61 ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY EXE Embeded in Page Likely Evil M2"; flow:established,from_server; file_data; content ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY EXE Embeded in Page Likely Evil M1"; flow:established,from_server; file_data; content ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY GENERIC ShellExecute in URLENCODE"; flow:to_client,established; file_data; content:" ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY GENERIC ShellExecute in Hex No Seps"; flow:to_client,established; file_data; content ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY GENERIC CollectGarbage in Hex String No Seps"; flow:to_client,established; file_data ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2014-6332 DECS2"; flow:established,from_server; file_data; content:"102,117,110 ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2014-6332 Arrays with Offset Dec 23"; flow:established,from_server; file_data; content ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS HanJuan Landing Dec 10 2014"; flow:established,from_server; file_data; content:"|27|.replace ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS FlashPack Secondary Landing Oct 29"; flow:established,from_server; file_data; content:"Windows ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic URLENCODED CollectGarbage"; flow:established,from_server; file_data; content ...
#alert ftp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN TSPY_POCARDL.U Possible FTP Login"; flow:established,to_server; content:"USER user drupalzf"; reference ...
alert udp $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS DTLS 1.2 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 fe fd 00 00 ...
alert udp $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS DTLS 1.0 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 fe ff 00 00 ...
alert udp $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS DTLS Pre-1.0 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 01 00 00 ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin Flash Landing URI Struct March 05 2014"; flow:established,to_server; content:".php?b ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscation Technique Used in CVE-2014-0322 Attacks"; flow:established,from_server; file_data ...
#alert tcp $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS EXE Accessing Kaspersky System Driver (Possible Mask)"; flow:established,to_client; flowbits ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS StyX Landing Jan 29 2014"; flow:from_server,established; file_data; content:" ^\s )\s ? \s ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Browlock Landing Page URI Struct"; flow:to_server,established; content:"/?flow id"; http_uri ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FaceBook IM Web Driven Facebook Trojan Download"; flow:established,to_server; content:"/dlimage4 ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS W32/Caphaw DriveBy Campaign Ping.html"; flow:established,to_server; content:"/ping.html?id ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS W32/Caphaw DriveBy Campaign Statistic.js"; flow:established,to_server; content:"/statistic.js ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible FortDisco Wordpress Brute force Site list download 10 wp-login.php"; flow:established ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Trojan Dropper purporting to be missing application page landing"; flow:established,from ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing 07/22/13 4"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing 07/22/13 3"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing 07/22/13 2"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing 07/22/13"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Injection var j 0"; flow:established,to_client; file_data; content:"00 3a 00 3a 00 3b path ...
#alert http $EXTERNAL_NET 80 $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear landing with obfuscated plugindetect Apr 29 2013"; flow:established,from_server; file ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2013-0422 Jar"; flow:established,from_server; flowbits:isset,ET.http.javaclient ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Escaped Unicode Char in Location CVE-2012-4792 EIP % Hex Encode"; flow:established,from_server ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Escaped Unicode Char in Window Location CVE-2012-4792 EIP"; flow:established,from_server; file ...
#alert http $HTTP_SERVERS any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Drupal Mass Injection Campaign Outbound"; flow:established,from_server; file_data; content ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Drupal Mass Injection Campaign Inbound"; flow:established,from_server; file_data; content:"if ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO/NeoSploit possible second stage landing page"; flow:established,to_server; urilen: 25 ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit/Other Landing Page 100HexChar value and applet"; flow:established,to_client; file ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS NeoSploit Version Enumerated null"; flow:established,to_server; urilen:85; content:"/null ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS NeoSploit Version Enumerated Java"; flow:established,to_server; urilen: 85; content:"/1 ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown s 1 Landing Page 100HexChar value and applet"; flow:established,to_client; file ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown s 1 Landing Page 10HexChar Title and applet"; flow:established,to_client; file_data ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website Landing Page Obfuscated String JavaScript DGA ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Base64 Landing Page Received base64encode(GetOs()"; flow:established,to_client; content ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware Landing Page Received applet and 0px"; flow:established,to_client; content ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware Landing Page Received foxxysoftware"; flow:established,to_client; content ...
#alert http $HOME_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Nikjju Mass Injection Internal WebServer Compromised"; flow:established,from_server; file_data; ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Nikjju Mass Injection Compromised Site Served To Local Client"; flow:established,from_server ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS landing page with malicious Java applet"; flow:established,from_server; file_data; content: ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Modified Metasploit Jar"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY PDF Containing Subform with JavaScript"; flow:established,to_client; file_data; content ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Driveby Delivered Malicious PDF"; flow:established,from_server; file_data; content:"%PDF ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS User Agent used in Injection Attempts"; flow:established,to_server; content:"User-Agent|3a ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Lilupophilupop Injected Script Being Served from Local Server"; flow:established,from_server ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Lilupophilupop Injected Script Being Served to Client"; flow:established,to_client; content ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix landing page JAVASMB"; flow:established,to_client; file_data; content:"JAVASMB()"; classtype ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious 1px iframe related to Mass Wordpress Injections"; flow:established,from_server; content ...
#alert udp !$DNS_SERVERS any $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS Requests photobucket.com. "; content:"|0b|photobucket|03 ...
#alert udp !$DNS_SERVERS any $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS Requests upload.wikimedia.com. "; content:"|06|upload|09 ...
#alert udp !$DNS_SERVERS any $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS Requests img.youtube.com. "; content:"|03|img|07|youtube ...
#alert udp !$DNS_SERVERS any $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS Requests wordpress.com. "; content:"|09|wordpress|03|com ...
#alert udp !$DNS_SERVERS any $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS Requests blogger.com. "; content:"|07|blogger|03|com"; ...
#alert udp !$DNS_SERVERS any $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS Requests picasa.com. "; content:"|06|picasa|03|com"; nocase ...
#alert udp !$DNS_SERVERS any $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS Requests flickr.com. "; content:"|05|flickr|03|com"; nocase ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Known Injected Credit Card Fraud Malvertisement Script"; flow:established,to_client; content ...
#alert http $HTTP_SERVERS any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS cssminibar.js Injected Script Served by Local WebServer"; flow:established,from_server; ...
#alert http $HTTP_SERVERS any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sidename.js Injected Script Served by Local WebServer"; flow:established,from_server; content ...
#alert http $HOME_NET any $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request to malicious info.php drive by landing"; flow:established,to_server; content ...
#alert http $HTTP_SERVERS any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Internal WebServer Compromised By Lizamoon Mass SQL Injection Attacks"; flow:established ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site Landing Page"; flow:established,from_server; content:"MWL"; classtype ...
#alert http $HOME_NET any $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Neosploit Toolkit download"; flow:established,to_server; content:"GET"; nocase ...
#alert http $EXTERNAL_NET $HTTP_PORTS $HOME_NET any (msg:"ET CURRENT_EVENTS Driveby bredolab hidden div served by nginx"; flow:established,to_client; content:" ...
#alert http $EXTERNAL_NET $HTTP_PORTS $HOME_NET any (msg:"ET CURRENT_EVENTS Malvertising drive by kit encountered Loading..."; flow:established,to_client; content ...
#alert icmp $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Gimmiv Infection Ping Inbound"; icode:0; itype:8; dsize:20; content:"abcde12345fghij6789"; reference ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET EXPLOIT DSLink 260E Router DNS Changer Exploit Attempt"; flow:established,to_server; content:"/action?dns status ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET EXPLOIT AsusWRT RT-AC750GF Cross Site Request Forgery"; flow:from_server,established; file_data; content:"" ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET SCAN Acunetix scan in progress acunetix variable in http uri"; flow:established,to_server; content:"|24|acunetix ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET SCAN Acunetix scan in progress acunetix_wvs_security_test in http uri"; flow:established,to_server; content ...
alert http any any $HOME_NET any (msg:"ET EXPLOIT D-Link DSL-2740R Remote DNS Change Attempt"; flow:established,to_server; content:"GET"; http_method; content: ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS HT SWF Exploit RIP M2"; flow:established,from_server; file_data; content:""; content:"return ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS HT SWF Exploit RIP"; flow:established,from_server; file_data; content:""; content:"getEnvInfo ...
alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Elasticsearch CVE-2015-1427 Exploit Campaign SSL Certificate"; flow:established,from ...
#alert udp $HOME_NET any $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS Possible Upatre DNS Query (jamco.com.pk)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert www.eshaalfoundation.org"; flow:established,from_server; content:"|16 ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Upatre Common URI Struct Feb 12 2015"; flow:established,to_server; content:"GET"; http_method ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPack Flash Exploit Nov 20 2014"; flow:established,to_server; content:"/Main.swf"; http ...
#alert http $HOME_NET any 216.157.99.0/24,72.51.32.0/20,76.74.152.0/21 any (msg:"ET CURRENT_EVENTS Possible HanJuan Flash Exploit"; flow:to_server,established ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert www.tradeledstore.co.uk"; flow:established,from_server; content:"|55 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert Oct 24 2014"; flow:established,from_server; content:"|16|"; content ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert mypreschool.sg"; flow:established,from_server; content:"|55 04 03|" ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert glynwedasia.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert santa.my"; flow:established,from_server; content:"|55 04 03|"; content ...
#alert tls 66.147.244.132 any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert bluehost.com Aug 27 2014"; flow:established,from_server; content:" ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert chatso.com"; flow:established,from_server; content:"|55 04 03|"; content ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert paydaypedro.co.uk"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert worldbuy.biz"; flow:established,from_server; content:"|55 04 03|"; content ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert deserve.org.uk"; flow:established,from_server; content:"|55 04 03|" ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert plastics-technology.com"; flow:established,from_server; content:"|55 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert mdus-pp-wb12.webhostbox.net"; flow:established,from_server; content ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert turnaliinsaat.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert walletmix.com"; flow:established,from_server; content:"|55 04 03|"; ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert bloodsoft.com"; flow:established,from_server; content:"|55 04 03|"; ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert efind.co.il"; flow:established,from_server; content:"|55 04 03|"; content ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert udderperfection.com"; flow:established,from_server; content:"|55 04 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert itiltrainingcertworkshop.com"; flow:established,from_server; content ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert slmp-550-105.slc.westdc.net"; flow:established,from_server; content ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert technosysuk.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert vcomdesign.com"; flow:established,from_server; content:"|55 04 03|" ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert picklingtank.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert uleideargan.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert lingayasuniversity.edu.in"; flow:established,from_server; content:" ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert trainthetrainerinternational.com"; flow:established,from_server; content ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert tridayacipta.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert nbc-mail.com"; flow:established,from_server; content:"|55 04 03|"; content ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert tristacey.com"; flow:established,from_server; content:"|55 04 03|"; ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert adoraacc.com"; flow:established,from_server; content:"|55 04 03|"; content ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert sportofteniq.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert hebergement-solutions.com"; flow:established,from_server; content:" ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert delanecanada.ca"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert dominionthe.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert pejlain.se"; flow:established,from_server; content:"|55 04 03|"; content ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert eastwoodvalley.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert abarsolutions.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert jojik-international.com"; flow:established,from_server; content:"|55 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert mtnoutfitters.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert erotikturk.com"; flow:established,from_server; content:"|55 04 03|" ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert ssshosting.net"; flow:established,from_server; content:"|55 04 03|" ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert dineshuthayakumar.in"; flow:established,from_server; content:"|55 04 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert mentoringgroup.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert cyclivate.com"; flow:established,from_server; content:"|55 04 03|"; ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert tecktalk.com"; flow:established,from_server; content:"|55 04 03|"; content ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert ara-photos.net"; flow:established,from_server; content:"|55 04 03|" ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert pouyasazan.org"; flow:established,from_server; content:"|55 04 03|" ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert epr-co.ch"; flow:established,from_server; content:"|55 04 03|"; content ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert directory92.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert developmentinn.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert freeb4u.com"; flow:established,from_server; content:"|55 04 03|"; content ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert tradeledstore.co.uk"; flow:established,from_server; content:"|55 04 ...
#alert tcp $HOME_NET any $EXTERNAL_NET 25,587 (msg:"ET MOBILE_MALWARE Android/Trogle.A Possible Exfiltration of SMS via SMTP"; flow:established,to_server; content ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert power2.mschosting.com"; flow:established,from_server; content:"|55 04 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert adodis.com"; flow:established,from_server; content:"|55 04 03|"; content ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert ns7-777.777servers.com"; flow:established,from_server; content:"|55 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert chinasemservice.com"; flow:established,from_server; content:"|55 04 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert ns2.sicher.in"; flow:established,from_server; content:"|55 04 03|"; ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert www.senorwooly.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert udderperfection.com"; flow:established,from_server; content:"|55 04 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert businesswebstudios.com"; flow:established,from_server; content:"|55 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert 66h.66hosting.net"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert fxbingpanel.fareexchange.co.uk"; flow:established,from_server; content ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert host-galaxy.com"; flow:established,from_server; content:"|55 04 03 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert disenart.info"; flow:established,from_server; content:"|55 04 03|"; ...
#alert tcp $HOME_NET any $EXTERNAL_NET 25,587 (msg:"ET TROJAN KLPROXY Checkin via SMTP"; flow:to_server,established; content:"Subject|3a|"; content:"C H E G O ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert 1stopmall.us"; flow:established,from_server; content:"|55 04 03|"; content ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert server.abaphome.net"; flow:established,from_server; content:"|55 04 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert migsparkle.com"; flow:established,from_server; content:"|55 04 03|" ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert michaelswinecellar.com"; flow:established,from_server; content:"|55 ...
#alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert yellowdevilgear.com"; flow:established,from_server; content:"|55 04 ...
#alert tls $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert cactussports.com`; flow:established,from server; content:` 55 04 03 ...
#alert tls $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert thelabelnashville.com`; flow:established,from server; content:` 55 04 ...
#alert tls $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert twitterbacklinks.com`; flow:established,from server; content:` 55 04 ...
#alert tcp $HOME NET any $EXTERNAL NET 25,26,587,2525 (msg:`ET TROJAN Pain File Stealer sending wallet.dat via SMTP`; flow:to server,established; content:`Subject ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert deslematin.ca`; flow:established,from server; content:` 55 04 03 `; ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert karinejoncas.com`; flow:established,from server; content:` 55 04 03 ...
#alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Linux DDoS bot Antiq IRC`; flow:established,to server; content:`PRIVMSG 20 #`; content:`status checking ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert faithmentoringandmore.com`; flow:established,to client; content:` 55 ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert July 14 2014`; flow:established,to client; content:` 55 04 03 `; content ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert new install.privatedns.com`; flow:established,from server; content: ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert acesecureshop.com`; flow:established,to client; content:` 55 04 03 ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert 999servers.com`; flow:established,to client; content:` 55 04 03 `; content ...
#alert tcp $HOME NET any $EXTERNAL NET 1433 (msg:`ET TROJAN AMB SQL Checkin`; flow:established,to server; content:`I 00 N 00 S 00 E 00 R 00 T`; content:`I 00 N ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET TROJAN Downloader.Win32.Tesch.A Server Command (bot is ready to start receiving commands)`; flow:established ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET TROJAN Downloader.Win32.Tesch.A Server Command (Confirm C2 IP and port) 2`; flow:established,from server; flowbits ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET TROJAN Downloader.Win32.Tesch.A Server Command (Confirm C2 IP and port)`; flow:established,from server; flowbits ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET TROJAN Downloader.Win32.Tesch.A Bot Command (Proxy command)`; flow:established,from server; flowbits:isset,ET ...
#alert tcp $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Win32/Sharik C2 Incoming Crafted Request`; flow:established,from server; content:` 4d 00 02 02 00 `; ...
#alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:`ET TROJAN Dyreza RAT Checkin Response`; flow:established,to client; content:` a5 46 da 53 0a 00 68 00 65 ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert webhostingpad.com`; flow:established,from server; content:` 16 `; content ...
#alert tcp $EXTERNAL NET 443 $HOME NET any (msg:`ET CURRENT EVENTS Possible Upatre SSL Cert`; flow:established,to client; content:` 55 04 03 `; content:` 1e static ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit Various Java Exploit Common Class name"; flow:established,from_server; flowbits:isset ...
#alert tcp $EXTERNAL_NET any $SMTP_SERVERS 25,587 (msg:"ET CURRENT_EVENTS .gadget Email Attachment Possible Upatre"; flow:established,to_server; content:"Content ...
#alert tcp $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Possible Zendran ELF IRCBot Server Banner"; dsize: 14; flow:established,from_server; content:"|3a|Hell ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Possible Zendran ELF IRCBot Joining Channel 2"; flow:established,to_server; content:"PASS eYmUrmyAfG ...
#alert tcp $EXTERNAL_NET 443 $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Compromised site dfsdirect.ca"; flow:established,to_client; content:"|55 ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Possible Backdoor.Unrecom Download"; flow:established,from_server; flowbits:isset,ET.http.javaclient ...
#alert tcp $EXTERNAL_NET 443 $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Compromised site sabzevarsez.com"; flow:established,to_client; content:"| ...
#alert tcp $EXTERNAL_NET 443 $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Compromised site iclasshd.net"; flow:established,to_client; content:"|55 ...
#alert ftp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN ftpchk3.php possible upload success"; flow:to_client,established; content:"|0d 0a|150 "; content:"ftpchk3 ...
#alert http any 80 any any (msg:"ET CURRENT_EVENTS Win32.RBrute http response"; flow:to_client,established; file_data; content:"kenji oke|0d 0a|"; depth:24; flowbits ...
#alert tcp $EXTERNAL_NET 443 $HOME_NET any (msg:"ET CURRENT_EVENTS Upatre SSL Compromised site kionic"; flow:established,to_client; content:"|55 04 03|"; content ...
#alert tcp $EXTERNAL_NET 443 $HOME_NET any (msg:"ET CURRENT_EVENTS Upatre SSL Compromised site potpourriflowers"; flow:established,to_client; content:"|55 04 03 ...
#alert tcp $EXTERNAL_NET 443 $HOME_NET any (msg:"ET CURRENT_EVENTS Upatre SSL Compromised site trudeausociety"; flow:established,to_client; content:"|12|trudeausociety ...
#alert tcp $EXTERNAL_NET any $HOME_NET 443 (msg:"ET TROJAN RAT FTP File Download Command"; flow:established,to_server; dsize: 0; content:"/CD|5C 5C 5C|"; depth ...
#alert tcp $HOME_NET any $EXTERNAL_NET 37 (msg:"ET TROJAN RAT SMTP Data Exfiltration"; flow:established,to_server; content:"X-Mailer|3A| SysMon v1.0.0"; reference ...
#alert tcp $HOME_NET any $EXTERNAL_NET 1024: (msg:"ET TROJAN RAT Keep Alive Server Response"; flow:established,from_server; dsize:2; content:"/P"; depth:2; flowbits ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS DLL in jjencode"; flow:established,from_server; file_data; content:"|22 5c 5c 5c 5c 5c 5c 5c ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.joggver backdoor initialization packet"; flow:established,to_server; dsize:32; content:"|03 ...
#alert tcp $EXTERNAL_NET 1024: $HOME_NET any (msg:"ET TROJAN W32/FakeFlash.Dropper GetInformation CnC Beacon Acknowledgement"; flow:established,to_client; dsize ...
#alert tcp $HOME_NET any $EXTERNAL_NET 1024: (msg:"ET TROJAN W32/FakeFlash.Dropper PutInformation CnC Beacon"; flow:established,to_server; dsize:18; content:"PutInformation ...
#alert tcp $EXTERNAL_NET 1024: $HOME_NET any (msg:"ET TROJAN W32/FakeFlash.Dropper Initial CnC Beacon Acknowledgement"; flow:established,to_client; dsize:12; content ...
#alert tcp $HOME_NET any $EXTERNAL_NET 1024: (msg:"ET TROJAN W32/FakeFlash.Dropper Initial CnC Beacon"; flow:established,to_server; dsize:8; content:"PutToken" ...
#alert udp $HOME_NET any $EXTERNAL_NET 53 (msg:"ET TROJAN Ebury SSH Rootkit data exfiltration"; content:"|12 0b 01 00 00 01|"; depth:6; pcre:"/^\x12\x0b\x01\x00 ...
#alert tcp $HOME_NET any $EXTERNAL_NET 21 (msg:"ET TROJAN FTP File Upload BlackPOS Naming Scheme"; flow:established,to_server; content:"STOR "; depth:5; content ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN W32/FakeAlert.FT.gen.Eldorado Downloading VBS"; flow:to_server,established; content:"SIZE explore.vbs ...
#alert tcp $HOME_NET any $EXTERNAL_NET 444 (msg:"ET TROJAN W32/FakeAlert.FT.gen.Eldorado Downloading DLL"; flow:to_server,established; content:"SIZE libcurl-4.dll ...
#alert tcp any any any 445 (msg:"ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 10"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content ...
#alert tcp any any any 445 (msg:"ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 9"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content ...
#alert tcp any any any 445 (msg:"ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 8"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content ...
#alert tcp any any any 445 (msg:"ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 7"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content ...
#alert tcp any any any 445 (msg:"ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 6"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content ...
#alert tcp any any any 445 (msg:"ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 5"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content ...
#alert tcp any any any 445 (msg:"ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 4"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content ...
#alert tcp any any any 445 (msg:"ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 3"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content ...
#alert tcp any any any 445 (msg:"ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 2"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content ...
#alert tcp any any any 445 (msg:"ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 1"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN AALV checkin"; flow:to_server,established; content:"CHEGOU NOIS"; fast_pattern; content:"|20 7c 20|PLUGIN ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Hostile dsgweed.class JAR exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN WinSpy.pob Sending Data over SMTP"; flow:to_server,established; content:"filename "; content:"PC Active ...
#alert tcp $EXTERNAL_NET 443 $HOME_NET any (msg:"ET CURRENT_EVENTS Upatre SSL Compromised site appsredeeem"; flow:established,to_client; content:"|12|www.appsredeem ...
#alert tcp $HOME_NET any $EXTERNAL_NET 2012:2014 (msg:"ET TROJAN Win32.Morix.B checkin"; flow:to_server,established; content:"|00 00 42 42 43 42 43|"; offset:2 ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Trojan Downloader Win32.Genome.AV server response"; flow:to_client,established; file_data; content: ...
#alert http $EXTERNAL_NET any $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Fredcot campaign php5-cgi initial exploit"; flow:to_server,established; content:!"Accept ...
#alert tcp $HOME_NET any $EXTERNAL_NET 443 (msg:"ET TROJAN SSH Connection on 443 Mevade Banner"; flow:to_server,established; content:"SSH-2.0-PuTTY_Local|3a ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN VBS.ayr CnC command response"; flow:established,from_server; file_data; content:"send|3c 7c 3e|"; within ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Java Exploit Recieved Atomic"; flow:established,to_client; file_data; content:"PK ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Command Response (Remote Cam)"; flow:to_server,established; content:"USB Video Device ...
#alert tcp $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Command (Remote Cam)"; flow:from_server,established; content:"CAM|7c 27 7c 27 7c ...
#alert tcp $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Command (Remote Desktop)"; flow:from_server,established; content:"sc~|7c 27 7c 27 ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Command Response (File Manager)"; flow:to_server,established; content:"rn|7c 27 ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Drive DDoS Tool byte command received key okokokjjk"; flow:established,from_server; file_data; content ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Drive DDoS Tool byte command received key okokokjjk"; flow:established,from_server; file_data; content ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Drive DDoS Tool post2 command received key okokokjjk"; flow:established,from_server; file_data; content ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Drive DDoS Tool post1 command received key okokokjjk"; flow:established,from_server; file_data; content ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Drive DDoS Tool smart command received key okokokjjk"; flow:established,from_server; file_data; content ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Drive DDoS Tool long command received key okokokjjk"; flow:established,from_server; file_data; content ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Drive DDoS Tool get command received key okokokjjk"; flow:established,from_server; file_data; content ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.XGstone Keepalive to CnC"; flow:established,to_server; content:"|ed d2 c6 f2 b9 ca 1e df 5c ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.smallfish Keepalive to CnC"; flow:established,to_server; content:"|19 07 1b 24 3b 7a 9d e7 ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.xiaoxiaohuli Keepalive to CnC"; flow:established,to_server; content:"|4e c3 69 55 10 ad 3f ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.wwwst@Admin Keepalive to CnC"; flow:established,to_server; content:"|b4 7d 56 44 f3 23 e2 a2 ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.gwx@123 Keepalive to CnC"; flow:established,to_server; content:"|6c 6e d3 08 a6 26 34 c7 bf ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.key@123 Keepalive to CnC"; flow:established,to_server; content:"|ef 80 7b ec 93 e6 92 06 17 ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.happyyongzi Keepalive to CnC"; flow:established,to_server; content:"|ad 4a 6c bb a7 9c 30 3e ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.suzuki Keepalive to CnC"; flow:established,to_server; content:"|d4 77 eb ff b6 94 cc d1 25 ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.keaidestone Keepalive to CnC"; flow:established,to_server; content:"|82 ca 6f eb 66 ed 9e 86 ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.th3bug Keepalive to CnC"; flow:established,to_server; content:"|35 d1 50 14 94 b2 24 ac 9b ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.admin@388 Keepalive to CnC"; flow:established,to_server; content:"|b0 f6 8f d3 1c 2b 0e 50 ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN SpamBot CnC Server Configuration File Response"; flowbits:isset,et.stealrat.config; flow:established ...
#alert http $HTTP_SERVERS any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 4"; flow:established,to_client; file_data; content ...
#alert http $HTTP_SERVERS any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response Octal (Outbound)"; flow:established,to_client; file_data; content ...
#alert http $HTTP_SERVERS any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 2"; flow:established,to_client; file_data; content ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Rawin Java Exploit dubspace.jar"; flow:established,to_server; content:"/dubspace ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN AryaN IRC bot Botkill command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Botkill ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN AryaN IRC bot Flood command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Flood ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN AryaN IRC bot Download and Execute Scheduled file command"; flow:established,to_server; content:"PRIVMSG ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN AryaN IRC bot CnC2"; flow:established,to_server; dsize: ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN AryaN IRC bot CnC1"; flow:established,to_server; dsize: ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN KeyBoy Backdoor File Upload Response Header"; flow:to_server,established; content:"|ac 92 4b 04 ff cf ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN KeyBoy Backdoor File Download Response Header"; flow:to_server,established; content:"|ac 92 4b 04 ff ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN KeyBoy Backdoor File Manager Response Header"; flow:to_server,established; content:"|ac 92 4b 04 ff 37 ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN KeyBoy Backdoor SysInfo Response header"; flow:to_server,established; content:"|ac 09 7b 09 4b 2a 92 ...
#alert tcp $EXTERNAL_NET 443 $HOME_NET any (msg:"ET TROJAN STARSYPOUND Client Checkin"; flow:established,from_server; content:" (SY)# "; depth:7; reference:md5 ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN RevProxy ClickFraud MIDUIDEND"; flow:established,to_server; dsize:46; content:"MID"; depth:3; content ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Escaped Unicode Char in Location CVE-2012-4792 EIP (Exploit Specific replace)"; flow:established ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit Campaign SetAttribute Java Applet"; flow:established,to_client; file_data; content ...
#alert http $HOME_NET any 209.139.208.0/23 any (msg:"ET CURRENT_EVENTS Scalaxy Java Exploit 10/11/12"; flow:to_server,established; content:"/m"; http_uri; depth ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Metasploit Java Exploit"; flow:established,to_client; file_data; flowbits:isset,ET.http ...
#alert tcp $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN ProxyBox ProxyBotCommand FORCE AUTHENTICATION "; flow:established,to_client; content:"FORCE AUTHENTICATION ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN ProxyBox ProxyBotCommand CHECK ME"; flow:established,to_server; content:"CHECK ME|0D 0A|Port|3a ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito Java Exploit Requested /gotit.php by Java Client"; flow:established,to_server ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Requested 13 14Alpha.jar"; flow:established,to_server; urilen:1619 ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Generic PDF with NEW PDF EXPLOIT"; flow:established,to_client; file_data; content:"%PDF"; ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Base64 Java Exploit Requested /1Digit"; flow:established,to_server; urilen:2; content:" ...
#alert tcp $EXTERNAL_NET 443 $HOME_NET any (msg:"ET TROJAN Self Signed SSL Certificate (John Doe)"; flow:established,from_server; content:"|16 03|"; content:"|0b ...
#alert tcp $EXTERNAL_NET 443 $HOME_NET any (msg:"ET TROJAN Self Signed SSL Certificate (Reaserch)"; flow:established,from_server; content:"|16 03|"; content:"|0b ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.Es11 Keepalive to CnC"; flow:established,to_server; content:"|89 e7 52 d4 68 64 a7 73 bd 7e ...
#alert tcp $EXTERNAL_NET $HTTP_PORTS $HOME_NET any (msg:"ET CURRENT_EVENTS Java Rhino Exploit Attempt evilcode.class"; flow:established,to_client; content:"code ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Dadong Java Exploit Requested"; flow:established,to_server; content:"/Gondad.jpg"; nocase; http ...
#alert tcp $EXTERNAL_NET $HTTP_PORTS $HOME_NET any (msg:"ET TROJAN ZeuS Clickfraud List Delivered To Client"; flow:established,from_server; content:"|0d 0a 0d 0a ...
#alert tcp $EXTERNAL_NET 443 $HOME_NET any (msg:"ET TROJAN Sykipot SSL Certificate serial number detected"; flow:established,to_client; content:"|16|"; content ...
#alert tcp $EXTERNAL_NET $HTTP_PORTS $HOME_NET any (msg:"ET TROJAN W32/Mentory CnC Server Providing File Info Details"; flow:established,to_client; content:" DBINFO ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.Ehy Keepalive to CnC"; flow:established,to_server; content:"|19 07 1b 24 3b 7a 9d e7 77 1e ...
#alert tcp $HOME_NET $HTTP_PORTS $EXTERNAL_NET any (msg:"ET TROJAN Cythosia V2 DDoS WebPanel Hosted Locally"; flow:established,from_server; content:"|3C|title|3E ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.Eu6 Keepalive to CnC"; flow:established,to_server; content:"|29 a7 7b 28 9b c5 b8 b6 10 d7 ...
#alert tcp $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN PoisonIvy.Eu5 Keepalive from CnC"; flow:established,from_server; content:"|3a 62 26 fd 44 34 01 ed a1 ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.Eu5 Keepalive to CnC"; flow:established,to_server; content:"|13 cb df 56 6f f3 20 08 c2 f1 ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.Eu4 Keepalive to CnC"; flow:established,to_server; content:"|ea a2 0d a1 b4 a9 a2 18 12 34 ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.Eu3 Keepalive to CnC"; flow:established,to_server; content:"|77 1b 13 19 a2 d1 8d a1 b5 05 ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.Eu2 Keepalive to CnC"; flow:established,to_server; content:"|1c e9 a1 06 39 95 48 0d 64 1f ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.Emp Keepalive to CnC"; flow:established,to_server; content:"|7a 05 61 17 27 f5 09 f9 05 a2 ...
#alert tcp $HOME_NET any $EXTERNAL_NET 443 (msg:"ET TROJAN Possible German Governmental Backdoor/R2D2.A 2"; flow:from_client,established; content:"C3PO-r2d2-POE ...
#alert tcp $HOME_NET any $EXTERNAL_NET 443 (msg:"ET TROJAN Possible German Governmental Backdoor/R2D2.A 1"; flow:from_client,established; content:"|11 26 80 7c ...
#alert tcp $HOME_NET any $EXTERNAL_NET 3306 (msg:"ET TROJAN Win32.Parite Checkin SQL Database"; flow:established,to_server; content:"SHOW COLUMNS FROM webronaldogyn01 ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Crimepack Java exploit attempt(2)"; flow:from_server,established; file_data; content:"PK"; content ...
#alert tcp $HOME_NET 1024: $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.Fynloski.A Command Response"; flow:to_server,established; content:"#botCommand%"; ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Likely Generic Java Exploit Attempt Request for Java to decimal host"; flow:established,to_server ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix Java MIDI Exploit Received"; flow:established,to_client; flowbits:isset,ET.http.javaclient ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix Java MIDI Exploit Received By Vulnerable Client"; flow:established,to_client; flowbits ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET MOBILE_MALWARE AdSms XML File From CnC Server"; flow:established,from_server; content:""; content:""; content ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET MOBILE_MALWARE CruseWin XML Configuration File Sent From CnC Server"; flowbits:isset,ET.And.CruseWin; flow ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2011-2110 Flash Exploit Attempt Embedded in Web Page"; flow:established,to_client ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit Attempt applet via file URI setAttribute"; flow:established,from_server; content ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2011-2110 Flash Exploit Attempt"; flow:established,to_server; content:"GET /"; ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET MOBILE_MALWARE Android.Plankton/Tonclank Control Server Responding With JAR Download URL"; flow:established ...
#alert ftp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN W32.Qakbot Seclog FTP Upload"; flow:established,to_server; content:"seclog "; content:".kcb"; within ...
#alert ftp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN W32.Qakbot .cb File Extention FTP Upload"; flow:established,to_server; content:"si "; content:".cb"; ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Eleonore Exploit Pack exemple.com Request"; flow:established,to_server; content:"/exemple.com ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit Attempt applet via file URI param"; flow:established,from_server; content:"applet ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Pack Binary Load Request"; flow:established,to_server; content:".php?sex "; ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Java Exploit Attempt Request for hostile binary"; flow:established,to_server; content:"|20 ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Java Exploit Attempt Request for .id from octal host"; flow:established,to_server; content: ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Flash SWF File Embedded in XLS FILE Caution Could be Exploit"; flow:established,from ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit io.exe download served"; flow:established,from_server; content:"|3b 20|filename ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Phoenix Java Exploit Attempt Request for .class from octal host"; flow:established,to_server ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Compressed Adobe Flash File Embedded in XLS FILE Caution Could be Exploit"; flow:established ...
#alert tcp $EXTERNAL_NET $HTTP_PORTS $HOME_NET any (msg:"ET TROJAN Night Dragon Server Auth to Bot"; flow:established,from_server; dsize:29; content:"|00 00|password ...
#alert tcp $HOME_NET any $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Night Dragon CMD Shell"; flow:established,to_server; content:"|68 57 24 13 00 33|Microsoft"; ...
#alert tcp $EXTERNAL_NET $HTTP_PORTS $HOME_NET any (msg:"ET TROJAN Night Dragon CnC Traffic Inbound 2"; flow:established,from_server; dsize:16; content:"|68 57 ...
#alert tcp $EXTERNAL_NET $HTTP_PORTS $HOME_NET any (msg:"ET TROJAN Night Dragon CnC Beacon Inbound"; flow:established,from_server; dsize:16; content:"|01 50 00 ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Driveby Bredolab client exploited by acrobat"; flow:established,to_server; content:"?reader ...
#alert http $HOME_NET any $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Neosploit Exploit Pack Activity Observed"; flow:established,to_server; content:"GET ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN JAR Download From Crimepack Exploit Kit"; flow:established,from_server; flowbits:isset,ET.http.javaclient ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Knockbot Proxy Response From Controller"; flow:established,from_server; content:"|0d 0a 0d 0a|command ...
#alert tcp $EXTERNAL_NET $HTTP_PORTS $HOME_NET any (msg:"ET TROJAN Koobface C&C availability check successful"; flowbits:isset,ET.koobfacecheck; flow:established ...
#alert tcp $EXTERNAL_NET $HTTP_PORTS $HOME_NET any (msg:"ET TROJAN Koobface BLACKLABEL"; flow:established,from_server; content: "#BLACKLABEL|0d 0a|EXIT"; reference ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CHAT General MSN Chat Activity"; flow:established; content:"Content-Type|3A|"; http_header; content:"application ...
#alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Generic Banker Trojan Downloader Config to client"; flow:established,to_client; content:"|0d 0a 0d 0a ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN perlb0t/w0rmb0t Response 2"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"|3A 02 ...
#alert tcp $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN HackerDefender.HE Root Kit Control Connection Reply"; flow: established,from_server; content:"|d0 84 ...
#alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN HackerDefender.HE Root Kit Control Connection"; flow: established,to_server; content:"|d0 84 ec 77 cf ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN FTCode Stealer CnC Activity"; flow:established,to_server; content:"POST"; http_method; content:"l dj0 ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN ELF/Mirai Variant UA Outbound (Ouija x.86)"; flow:established,to_server; content:"User-Agent|3a 20|Ouija ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET WEB_CLIENT Great Cannon DDoS JS M4"; flow:established,to_client; content:"200"; http_stat_code; file_data; content ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET WEB_CLIENT Great Cannon DDoS JS M3"; flow:established,to_client; content:"200"; http_stat_code; file_data; content ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET WEB_CLIENT Great Cannon DDoS JS M2"; flow:established,to_client; content:"200"; http_stat_code; file_data; content ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET WEB_CLIENT Great Cannon DDoS JS M1"; flow:established,to_client; content:"200"; http_stat_code; file_data; content ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET MALWARE Win32/DealPly Configuration File Inbound"; flow:established,from_server; content:"200"; http_stat_code ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Amadey CnC Check In"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Godlua Backdoor Downloading Encrypted Lua"; flow:established,to_server; content:"GET"; http_method; content ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Gift Cardshark CnC Domain in DNS Lookup"; dns_query; content:"xmail-ssl.com"; nocase; isdataat:1,relative; reference ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Gift Cardshark CnC Domain in DNS Lookup"; dns_query; content:"xmail-auth.com"; nocase; isdataat:1,relative; reference ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Gift Cardshark CnC Domain in DNS Lookup"; dns_query; content:"wu-signon.com"; nocase; isdataat:1,relative; reference ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Gift Cardshark CnC Domain in DNS Lookup"; dns_query; content:"webex-ssl.com"; nocase; isdataat:1,relative; reference ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Gift Cardshark CnC Domain in DNS Lookup"; dns_query; content:"webex-cloud.net"; nocase; isdataat:1,relative; reference ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Gift Cardshark CnC Domain in DNS Lookup"; dns_query; content:"vsecuremail.com"; nocase; isdataat:1,relative; reference ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Gift Cardshark CnC Domain in DNS Lookup"; dns_query; content:"vpn-ssl.com"; nocase; isdataat:1,relative; reference ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Gift Cardshark CnC Domain in DNS Lookup"; dns_query; content:"sso-ssl.com"; nocase; isdataat:1,relative; reference ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Gift Cardshark CnC Domain in DNS Lookup"; dns_query; content:"sso-signon.com"; nocase; isdataat:1,relative; reference ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Gift Cardshark CnC Domain in DNS Lookup"; dns_query; content:"ssofiles.online"; nocase; isdataat:1,relative; reference ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Gift Cardshark CnC Domain in DNS Lookup"; dns_query; content:"ssl-upgrade.online"; nocase; isdataat:1,relative ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Gift Cardshark CnC Domain in DNS Lookup"; dns_query; content:"ssl-secure.online"; nocase; isdataat:1,relative; ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`ssl login.online`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`ssl account.online`; nocase; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`secure vpn.online`; nocase; isdataat:1,relative; ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`securessl vpn.com`; nocase; isdataat:1,relative; ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`secure ssl.online`; nocase; isdataat:1,relative; ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`securemail ssl.com`; nocase; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`secure mail.global`; nocase; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`securemail data.com`; nocase; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`secureimailonline.com`; nocase; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`secmail us.com`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`seccmail ssl.com`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`seccmail online.com`; nocase; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`seccmail.online`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`seccmail corp.com`; nocase; isdataat:1,relative; ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`searscorporategiftcard.com`; nocase; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`outlook auth.com`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`online microsoft update.com`; nocase; isdataat:1 ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`mcafee scan.com`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`mcafeeonlinescanner.com`; nocase; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`itunesrewardscode.com`; nocase; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`internal message.online`; nocase; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`imail ssl.com`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`imail secure.com`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`imail auth.com`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`ifileupload.com`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`hrsurveyservice.com`; nocase; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`hrsurveypro.com`; nocase; isdataat:1,relative; reference ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`encrypted message.online`; nocase; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`encryptedmail.online`; nocase; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`encrypted mail.global`; nocase; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET TROJAN Gift Cardshark CnC Domain in DNS Lookup`; dns query; content:`encrypted mail.center`; nocase; isdataat:1,relative ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET EXPLOIT MiCasaVerde VeraLite Remote Code Execution Inbound (CVE 2016 6255)`; flow:established,to server; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET EXPLOIT MiCasaVerde VeraLite Remote Code Execution Outbound (CVE 2016 6255)`; flow:established,to server; ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET EXPLOIT Belkin Wemo Enabled Crock Pot Unauthenticated Command Injection Outbound (CVE 2019 12780)`; flow:established ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET EXPLOIT Belkin Wemo Enabled Crock Pot Unauthenticated Command Injection Inbound (CVE 2019 12780)`; flow:established ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET EXPLOIT Attempted Remote Command Injection Inbound (CVE 2018 7841)`; flow:established,to server; content ...
alert http $HTTP SERVERS any $EXTERNAL NET any (msg:`ET EXPLOIT Attempted Remote Command Injection Outbound (CVE 2018 7841)`; flow:established,to server; content ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET MALWARE LNKR Possible Response for LNKR js file`; flow:established,from server; content:`200`; http stat code ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET MALWARE LNKR CnC Activity M3`; flow:established,to server; content:`GET`; http method; content:`/metric/?mid ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET MALWARE LNKR CnC Activity M1`; flow:established,to server; content:`GET`; http method; content:`/optout/set ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Win32/ProtonBot CnC Response`; flow:established,to client; content:`200`; http stat code; file data; ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SPECIFIC APPS Jenkins Chained Exploits CVE 2018 1000861 and CVE 2019 1003000 M1`; flow:established,to ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SPECIFIC APPS Jenkins RCE CVE 2019 1003000`; flow:established,to server; content:`POST`; http method ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET USER AGENTS ESET Installer`; flow:established,to server; content:`ESET Installer`; http user agent; depth:14 ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET WEB CLIENT Tech Support Scam Landing M1 2019 04 15`; flow:established,from server; content:`200`; http stat ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET EXPLOIT Possible Linksys WRT100/110 RCE Attempt (CVE 2013 3568)`; flow:established,to server; content:`POST ...
alert http $EXTERNAL NET any $HOME NET 9080 (msg:`ET EXPLOIT Possible LG SuperSign EZ CMS 2.5 RCE (CVE 2018 17173)`; flow:established,to server; content:`GET`; ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN MICROPSIA Sending JPG Screenshot to CnC with .his Extension`; flow:established,to server; content:`POST ...
alert http any any $HOME NET any (msg:`ET EXPLOIT NUUO OS Command Injection`; flow:to server,established; content:`/handle iscsi.php`; http uri; content:`act discover ...
alert http $HOME NET any any any (msg:`ET TROJAN PT MALWARE Hacked Mikrotik C2 Request`; flow:established, to server; content:`GET`; http method; content:`/mikrotik ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET EXPLOIT Nagios XI Remote Code Execution 3`; flow:established,to server; content:`/index.php?cmd submitcommand ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SPECIFIC APPS Apache CouchDB Remote Code Execution 1`; flow:established,to server; content:`/ users ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Bank of America Phishing Landing`; flow:established,to client; content:`200`; http stat code ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN eSentire Cobalt Strike Beacon`; flow:established,to server; content:`GET`; http method; content:` 43 ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN InfoBot Sending LAN Details`; flow:established,to server; content:`POST`; http method; content:`.php ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Win32/DanijBot User Agent`; flow:established,to server; content:`Botnet by Danij`; http user agent; fast ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Arkei Stealer Config Download Request`; flow:established,to server; content:`POST`; http method; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Arkei Stealer IP Lookup`; flow:established,to server; content:`POST`; http method; content:`Arkei/` ...
alert tls $EXTERNAL NET 1024: $HOME NET any (msg:`ET TROJAN PTsecurity Fake SSL Certificate Observed (Oracle canada)`; tls cert issuer; content:`C canada`; content ...
alert tls $EXTERNAL NET 1024: $HOME NET any (msg:`ET TROJAN PTsecurity Fake SSL Certificate Observed (Google)`; tls cert issuer; content:`C US`; content:`ST Florida ...
alert tls $EXTERNAL NET 1024: $HOME NET any (msg:`ET TROJAN PTsecurity Fake SSL Certificate Observed (Oracle America)`; tls cert issuer; content:`C US`; content ...
alert tls $EXTERNAL NET 1024: $HOME NET any (msg:`ET TROJAN PTsecurity Fake SSL Certificate Observed (Yahoo)`; tls cert issuer; content:`C US`; content:`ST Arizona ...
alert http $HOME NET any $EXTERNAL NET 1024: (msg:`ET TROJAN Win32/Backdoor.Small.ao CnC Checkin`; flow:established,to server; content:`POST`; http method; urilen ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PTsecurity Kuriyama Loader Checkin`; flow: established, to server; content:`?hwid `; http uri; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN MedusaHTTP CnC Checkin`; flow:established,to server; content:`POST`; http method; content:`.php`; http ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Win32/Backdoor.Agent.qweydh CnC Checkin M2`; flow:established,to server; content:`POST`; http method ...
alert dns $HOME NET any any any (msg:`ET INFO DNS Query for Suspicious .gdn Domain`; dns query; content:`.gdn`; nocase; isdataat:1,relative; classtype:bad unknown ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Win32/Scarsi Variant CnC Activity`; flow:to server,established; content:`/WP`; http uri; content:`.php ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET INFO Suspicious HTML Decimal Obfuscated Title Possible Phishing Landing Apr 19 2017`; flow:from server,established ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE 2017 0199)`; flow:established,from server; flowbits:isset ...
#alert http any any $HOME NET any (msg:`ET EXPLOIT Unknown Router Remote DNS Change Attempt`; flow:established,to server; urilen:10; content:`POST`; http method ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Possible Malicious Macro DL EXE Feb 2016 (WinHTTPRequest)`; flow:established,to server; content:`GET ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Suspicious Accept in HTTP POST Possible Alphacrypt/TeslaCrypt`; flow:established,to server; content ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Evil Redirect Compromised WP Feb 01 2016`; flow:established,from server; file data; content: ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Mokes CnC Keep Alive`; flow:established,to server; urilen:3; content:`GET`; http method; content:`/v1 ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET MOBILE MALWARE Trojan Spy.AndroidOS.SmForw/SlemBunk/SLocker Checkin`; flow:to server,established; content:`POST ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Evil Redirector from iframe Sep 29 2015`; flow:established,to server; content:`GET`; http method ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Evil Redirector Sep 29 2015`; flow:established,to server; content:`GET`; http method; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN LokiBot User Agent (Charon/Inferno)`; flow:established,to server; content:`(Charon 3b 20 Inferno)`; http ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Sharik/Smoke CnC Beacon 3`; flow:established,to server; urilen:1; pcre:`/^ \x20 \x7e\r\n {0,20} ^\x20 ...
alert http $HOME NET any $EXTERNAL NET 443 (msg:`ET TROJAN APT Lurker POST CnC Beacon`; flow:established,to server; content:`POST`; http method; content:`.php` ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Possible Malicious Redirect 8x8 script tag URI struct`; flow:established,to server; content: ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN KeyBase Keylogger Uploading Screenshots`; flow:established,to server; content:`POST`; http method; content ...
alert http $HOME NET any $EXTERNAL NET 80 (msg:`ET TROJAN BHQtr Dropper CnC Beacon 2`; flow:established,to server; content:`GET`; http method; content:`/do.asp ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Trojan.Bayrob Keepalive`; flow:established,to server; content:`GET`; http method; urilen:9; content: ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Unknown Mailer CnC Beacon 2`; flow:established,to server; content:`GET`; http method; content:`/action ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Upatre Redirector Jan 23 2015`; flow:established,to server; content:`GET`; http method; content ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Upatre Redirector IE Requesting Payload Jan 19 2015`; flow:established,to server; content:`GET ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Upatre Firefox/Chrome Redirector Receiving Payload Jan 9 2015`; flow:established,from server ...
#alert http $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:`ET CURRENT EVENTS Upatre IE Redirector Receiving Payload Jan 9 2015`; flow:established,from server; content ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Upatre Redirector Jan 9 2015`; flow:established,to server; content:`GET`; http method; content ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Cushion Redirection URI Struct Mon Jan 05 2015`; flow:established,to server; urilen:13; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Andromeda Checkin Dec 29 2014`; flow:established,to server; content:`POST`; nocase; http method; content ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Upatre Download Redirection Dec 18 2014`; flow:established,from server; file data; content: ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Upatre Redirector Dec 16 2014`; flow:established,from server; file data; content:`PK 03 04 ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Upatre Redirector Dec 16 2014 set`; flow:established,to server; content:`GET`; http method; ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SPECIFIC APPS Wordpress Slideshow Gallery 1.4.6 Shell Upload`; flow:established,to server; content ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Ransom.Win32.Blocker.fwlm Checkin`; flow:established,to server; urilen:497; content:`GET`; http method ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Cryptolocker Checkin`; flow:established,to server; content:`POST`; http method; urilen:11; content:` ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Upatre redirector 29 Sept 2014 POST`; flow:established,to server; content:`POST`; http method ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Upatre redirector GET Sept 29 2014`; flow:established,to server; content:`.php?h `; http uri ...
alert http any any $HTTP SERVERS any (msg:`ET WEB SERVER Possible CVE 2014 6271 Attempt in Client Body`; flow:established,to server; content:` 28 29 20 7b `; http ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Flashpack Redirect Method 2`; flow:established,to server; content:`POST`; http method; content ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Turla/SPL EK Java Exploit Requested /spl/`; flow:established,to server; content:`/spl/`; http ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Turla/SPL EK Java Exploit`; flow:established,from server; flowbits:isset,ET.http.javaclient ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Turla/SPL EK Java Exploit`; flow:established,from server; flowbits:isset,ET.http.javaclient ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Turla/SPL EK Java Applet`; flow:established,from server; file data; content:`/x java applet ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Dyreza RAT Checkin 3`; flow:established,to server; content:`GET`; http method; content:` W`; http uri ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Possible Malvertising Redirect URI Struct Jul 16 2014`; flow:established,to server; content ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Trojan Banker.JS.Banker fraudulent redirect boleto payment code`; flow:to server,established ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS CottonCastle EK URI Struct`; flow:established,to server; content:`/3/`; http uri; fast pattern ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Possible Malicious Injected Redirect June 02 2014`; flow:established,to client; file data; content ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Possible Malvertising Redirect URI Struct`; flow:established,to server; content:`/assets/js ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS EvilTDS Redirection`; flow:established,to server; content:`/zyso.cgi?`; http uri; fast pattern ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Malicious Spam Redirection Feb 28 2014`; flow:established,from server; file data; content:`Connecting ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Malicious Redirect Evernote Spam Campaign Feb 19 2014`; flow:to server,established; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET MALWARE W32/InstallMonetizer.Adware Beacon 1`; flow:established,to server; content:`POST`; http method; content ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Malicious Redirect 8x8 script tag`; flow:established,from server; file data; content:`.php?id ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS DRIVEBY Redirection Injection Modified Edwards Packer Script`; flow:established,to client ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET EXPLOIT Zollard PHP Exploit UA Outbound`; flow:established,to server; content:`Zollard`; nocase; fast pattern ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Nuclear EK PDF URI Struct`; flow:established,to server; content:`.pdf`; http uri; fast pattern ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Fake MS Security Update EK (Payload Download)`; flow:established,to server; content:`/winddl32 ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Unknown EK Landing`; flow:established,from server; file data; content: ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Cushion Redirection`; flow:established,to server; content:`.php?message `; http uri; fast pattern ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Win32/Kelihos.F Checkin`; flow:established,to server; content:`GET`; http method; urilen: ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS DRIVEBY Redirection phpBB Injection`; flow:established,to server; content:`.js?`; http uri ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS DRIVEBY Redirection Wordpress Injection`; flow:established,to client; file data; content:`15 ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Malicious Redirect June 18 2013`; flow:established,to client; file data; content:`,53,154,170 ...
alert dns $HOME NET any any any (msg:`ET DNS Query to a .pw domain Likely Hostile`; dns query; content:`.pw`; nocase; isdataat:1,relative; content:!`.u.pw`; ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET MOBILE MALWARE Android/Ksapp.A Checkin`; flow:to server,established; content:`/kspp/do?imei `; fast pattern ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET EXPLOIT Metasploit CVE 2012 4792 EIP in URI IE 8`; flow:established,to server; content:`/ACE08C`; http raw ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS MALVERTISING FlashPost Redirection IFRAME`; flow:established,to client; file data; content ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Malicious Redirect n.php h s `; flow:to server,established; content:`/n.php?h `; fast pattern ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Obfuscated Javascript redirecting to badness August 6 2012`; flow:established,from server; content ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Fake AV Conditional Redirect (Blackmuscats)`; flow:established,to server; content:`/blackmuscats ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Obfuscated Javascript redirecting to badness 21 June 2012`; flow:established,from server; file ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SPECIFIC APPS PHP Volunteer Management id parameter Cross Site Scripting Attempt`; flow:established ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Win32/Usteal.B Checkin`; flow:to server,established; content:`/ufr.php`; http uri; fast pattern; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Suspicious User Agent Post`; flow:established,to server; content:`User Agent 3A 20 Post 0d 0a `; http ...
#alert tcp $EXTERNAL NET $HTTP PORTS $HOME NET any (msg:`ET CURRENT EVENTS Clickpayz redirection to .clickpayz.com`; flow:established,from server; content:`HTTP ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET MALWARE Adware Win32/EoRezo Reporting`; flow:established,to server; content:`/advert/get`; nocase; http uri ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SERVER Weevely PHP backdoor detected (passthru() function used) M1`; flow:to server,established; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Win32.Glupteba/ClIEcker CnC Checkin`; flow:established,to server; content:` downlink `; http uri; content ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Malicious PHP 302 redirect response with avtor URI and cookie`; flow:established,from server ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Unknown .ru Exploit Redirect Page`; flow:established,to server; content:`people/?`; http uri ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Likely Redirector to Exploit Page /in/rdrct/rckt/?`; flow:established,to server; content:`/in ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS MALVERTISING Alureon JavaScript IFRAME Redirect`; flow:established,to client; file data; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET POLICY Vulnerable Java Version 1.4.x Detected`; flow:established,to server; content:`Java/1.4.`; http user agent ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET ATTACK RESPONSE Matahari client`; flow:to server,established; content:`Accept 2d Encoding 3a 20 identity 0d ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CHAT Facebook Chat (settings)`; flow:established,to server; content:`POST`; http method; content:`/ajax/chat ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET POLICY Netviewer.com Remote Control Proxy Test`; flow:established,to server; content:`POST`; http method; content ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SPECIFIC APPS Minerva mod SQL Injection Attempt forum.php c ASCII`; flow:established,to server; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET MALWARE MySearch Products Spyware User Agent (MySearch)`; flow:established,to server; content:` MySearch`; http ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Inbound JS with Possible 1px 1px Exfiltration Image`; flow:established,from server; content: ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Possible Injected JS Form Stealer Checking Page Contents M2`; flow:established,from server; content ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Possible Injected JS Form Stealer Checking Page Contents M1`; flow:established,from server; content ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Possible FFSniff Inject Observed`; flow:established,from server; content:`200`; http stat code ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET EXPLOIT IE Scripting Engine Memory Corruption Vulnerability (CVE 2019 0752)`; flow:established,from server; ...
alert http $HTTP SERVERS any $EXTERNAL NET any (msg:`ET WEB SERVER BlackSquid JSP Webshell Outbound`; flow:established,from server; content:`200`; http stat code ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Unknown VBScript Loader with Encoded PowerShell Execution Inbound`; flow:established,from server ...
alert http $HTTP SERVERS any $EXTERNAL NET any (msg:`ET WEB SERVER China Chopper WebShell Observed Outbound`; flow:established,from server; content:`200`; http ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET POLICY Inbound PowerShell Capable of Enumerating Internal Network via WMI`; flow:established,from server; content ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS CSharp SMB Scanner Assembly in PowerShell Inbound M2`; flow:established,from server; content ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS CSharp SMB Scanner Assembly in PowerShell Inbound M1`; flow:established,from server; content ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Wide HTA with PowerShell Execution Inbound`; flow:established,from server; content:`200`; http ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET MALWARE OSX ADWARE/AD Injector`; flow:established,to server; content:`GET`; http method; content:`Python urllib ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Suspicious Zipped Filename in Outbound POST Request (Mozilla Firefox Cookies) M2`; flow:established,to ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Suspicious Zipped Filename in Outbound POST Request (google chrome default ) M2`; flow:established,to ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Suspicious Zipped Filename in Outbound POST Request (ccdata.txt) M2"; flow:established,to_server; content ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Suspicious Zipped Filename in Outbound POST Request (cookie.txt) M2"; flow:established,to_server; content ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Suspicious Zipped Filename in Outbound POST Request (wallet.dat) M2"; flow:established,to_server; content ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2"; flow:established,to_server; content ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2"; flow:established,to_server; ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Suspicious Zipped Filename in Outbound POST Request (cookies.txt) M2"; flow:established,to_server; content ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET EXPLOIT Possible Linksys E1500/E2500 apply.cgi RCE Attempt"; flow:established,to_server; content:"POST"; http ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN OSX/LamePyre Screenshot Upload"; flow:established,to_server; content:"POST"; http_method; content:".php ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Inbound PowerShell Executing Base64 Decoded VBE from Temp 2018-11-29"; flow:established,from ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN MSIL/KeyRedirEx Banker Receiving Redirect/Inject List"; flow:established,from_server; content:"200"; ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET INFO Possibly Malicious VBS Writing to Persistence Registry Location"; flow:established,from_server; content ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN PTsecurity Win32/Ramnit Stage 0 Communicating with CnC"; flow:established,to_client; content:"200" ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Fake 404 With Hidden Login Form"; flow:established,from_server; content:"200"; http_stat_code ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/AutoIt.NU Miner Dropper CnC Checkin"; flow:established,to_server; content:"POST"; http_method; ...
alert dns $HOME_NET any any any (msg:"ET TROJAN JS Skimmer Domain in DNS Lookup"; dns_query; content:"tivents.de"; nocase; depth:10; isdataat:1,relative; reference ...
alert dns $HOME_NET any any any (msg:"ET TROJAN JS Skimmer Domain in DNS Lookup"; dns_query; content:"clipbutton.com.br"; nocase; depth:17; isdataat:1,relative ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Facebook Phish 2020-01-10"; flow:established,to_server; content:"POST"; http_method ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Facebook Phish 2019-08-29"; flow:established,to_server; content:"POST"; http_method ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Facebook Phish 2019-04-26"; flow:established,to_server; content:"POST"; http_method ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Facebook Phish 2019-04-12"; flow:established,to_server; content:"POST"; http_method ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Facebook Phish 2018-01-26"; flow:established,to_server; flowbits:isset,ET.genericphish ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Facebook Mobile Phish 2017-08-15"; flow:to_server,established; content:"POST"; http ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 11.0.x Detected"; flow:established,to_server; content:"Java/11.0."; http_user ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Magecart CnC Domain Observed in DNS Query"; dns_query; content:"cdnapis.com"; nocase; isdataat:1,relative; depth ...
alert http any any $HOME_NET any (msg:"ET EXPLOIT Tomcat File Upload Payload Request (CVE-2017-12615)"; flow:to_server,established; content:"GET"; http_method; ...
alert http $HOME_NET any 92.63.0.0/16,91.218.114.0/24,149.56.245.196 any (msg:"ET TROJAN Maze/ID Ransomware Activity"; flow:established,to_server; urilen: 1; ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish to .icu Domain 2019-02-06"; flow:established,to_server; flowbits ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish to .gqn Domain 2018-10-23"; flow:established,to_server; flowbits ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish to .gq Domain 2018-10-23"; flow:established,to_server; flowbits ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish to .ga Domain 2018-10-23"; flow:established,to_server; flowbits ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish to .cf Domain 2018-10-23"; flow:established,to_server; flowbits ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish to .ml Domain 2018-10-23"; flow:established,to_server; flowbits ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/Bisonal CnC Checkin"; flow:established,to_server; content:".txt"; http_uri; content:"User-Agent ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Bank of America Phishing Landing Aug 19 2015"; flow:to_client,established; content:!"X-BOA-RequestID ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing Jun 28 2017"; flow:from_server,established; content:"200"; http_stat ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Phish 2018-06-27 (set)"; flow:established,to_server; flowbits:set,ET.genericphish ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Wells Fargo Phishing Landing Title over non-SSL"; flow:established,to_client; content ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS LinkedIn Phishing Landing 2018-02-09 M2"; flow:established,to_client; content:!"X-LI-UUID|3a ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Wells Fargo Phishing Landing 2018-02-02 M4"; flow:established,to_client; content:!".wellsfargo ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing 2018-01-18 M1"; flow:established,to_client; content:!"https:// .paypal ...
alert dns $HOME_NET any any any (msg:"ET TROJAN GratefulPOS Covert DNS CnC Initial Checkin"; dns_query; content:".grp"; within:12; content:"ping.adm."; distance ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Facebook Phishing Landing Title over non-SSL"; flow:established,to_client; content ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Paypal Phishing Landing Title over non-SSL"; flow:established,to_client; content: ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Facebook Phishing Landing Title over non-SSL"; flow:established,to_client; content ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CIBC Phishing Landing Title over non-SSL"; flow:established,to_client; content:!"Server ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Apple Phishing Landing Title over non-SSL"; flow:established,to_client; content:! ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Facebook Phishing Landing Title over non-SSL"; flow:established,to_client; content ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dropbox Phishing Landing Title over non-SSL"; flow:established,to_client; content ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Facebook Phishing Landing Title over non-SSL"; flow:established,to_client; content ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Paypal Phishing Landing Title over non-SSL"; flow:established,to_client; content: ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Possible iCloud Phishing Landing Title over non-SSL"; flow:established,to_client; content: ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET POLICY Outdated Flash Version M2"; flow:established,to_server; content:"X-Requested-With|3a 20|ShockwaveFlash ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing Feb 24 2017"; flow:from_server,established; content:"! .paypal.com"; ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Known Sinkhole Response Header CERT.PL"; flow:established,from_server; content:"Content-Length|3a 24 ...
#alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/Emotet.C Variant Checkin"; flow:to_server,established; content:"POST"; http_method; content:" ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN OHT AnunakAPT HTTP Checkin 1"; flow:established,to_server; content:"GET"; http_method; urilen: 100 ...
alert http $HOME_NET any $EXTERNAL_NET 8080 (msg:"ET TROJAN Win32/Cridex Checkin"; flow:to_server,established; content:"POST"; http_method; pcre:"/^\/([a-z0-9 ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Possible Drive DDoS Check-in"; flow:established,to_server; content:"k "; fast_pattern; http_client_body ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN VBS/Wimmie.A Set"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/count.php ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Generic Downloader HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content ...
alert dns $HOME_NET any any any (msg:"ET INFO Observed DNS Query for FurNIC TLD (.fur)"; dns_query; content:".fur"; nocase; isdataat:1,relative; reference:url,wiki ...
alert dns $HOME_NET any any any (msg:"ET INFO Observed DNS Query for EmerDNS TLD (.bazar)"; dns_query; content:".bazar"; nocase; isdataat:1,relative; reference ...
alert dns $HOME_NET any any any (msg:"ET INFO Observed DNS Query for EmerDNS TLD (.emc)"; dns_query; content:".emc"; nocase; isdataat:1,relative; reference:url ...
alert dns $HOME_NET any any any (msg:"ET INFO Observed DNS Query for EmerDNS TLD (.coin)"; dns_query; content:".coin"; nocase; isdataat:1,relative; reference:url ...
alert dns $HOME_NET any any any (msg:"ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD (.gopher)"; dns_query; content:".gopher"; nocase; isdataat:1,relative ...
alert dns $HOME_NET any any any (msg:"ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD (.indy)"; dns_query; content:".indy"; nocase; isdataat:1,relative ...
alert dns $HOME_NET any any any (msg:"ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD (.epic)"; dns_query; content:".epic"; nocase; isdataat:1,relative ...
alert dns $HOME_NET any any any (msg:"ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD (.oss)"; dns_query; content:".oss"; nocase; isdataat:1,relative ...
alert dns $HOME_NET any any any (msg:"ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD (.pirate)"; dns_query; content:".pirate"; nocase; isdataat:1,relative ...
alert dns $HOME_NET any any any (msg:"ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD (.null)"; dns_query; content:".null"; nocase; isdataat:1,relative ...
alert dns $HOME_NET any any any (msg:"ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD (.bbs)"; dns_query; content:".bbs"; nocase; isdataat:1,relative ...
alert dns $HOME_NET any any any (msg:"ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD (.libre)"; dns_query; content:".libre"; nocase; isdataat:1,relative ...
alert dns $HOME_NET any any any (msg:"ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD (.parody)"; dns_query; content:".parody"; nocase; isdataat:1,relative ...
alert tls $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (FIN7/JSSLoader CnC)"; flow:from_server,established; tls_cert_subject; content ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Observed DNS Query to Redkeeper Ransomware Domain"; dns_query; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwex ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN AAIB Variant CnC"; flow:established,to_server; content:"GET"; http_method; content:".jpg"; isdataat:1 ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Possible DACLS RAT CnC (Log Server Reporting)"; flow:established,to_server; content:"POST"; http_method ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN KPOT Stealer Initial CnC Activity M4"; flow:established,to_server; content:"GET"; http_method; content ...
alert dns $HOME_NET any any any (msg:"ET CURRENT_EVENTS Observed DNS Query to Knowb4 Simulated Phish Domain"; dns_query; content:".microransom.us"; nocase; isdataat ...
alert dns $HOME_NET any any any (msg:"ET CURRENT_EVENTS Observed DNS Query to Knowb4 Simulated Phish Domain"; dns_query; content:".comano.us"; nocase; isdataat ...
#alert dns $HOME_NET any any any (msg:"ET CURRENT_EVENTS Observed DNS Query to Knowb4 Simulated Phish Domain"; dns_query; content:".authentication.directory"; nocase ...
alert dns $HOME_NET any any any (msg:"ET CURRENT_EVENTS Observed DNS Query to Knowb4 Simulated Phish Domain"; dns_query; content:".strongencryption.org"; nocase ...
alert dns $HOME_NET any any any (msg:"ET CURRENT_EVENTS Observed DNS Query to Knowb4 Simulated Phish Domain"; dns_query; content:".phishing.guru"; nocase; isdataat ...
alert dns $HOME_NET any any any (msg:"ET CURRENT_EVENTS Observed DNS Query to Knowb4 Simulated Phish Domain"; dns_query; content:".phish.farm"; nocase; isdataat ...
alert dns $HOME_NET any any any (msg:"ET CURRENT_EVENTS Observed DNS Query to Knowb4 Simulated Phish Domain"; dns_query; content:".phishtrain.org"; nocase; isdataat ...
alert dns $HOME_NET any any any (msg:"ET CURRENT_EVENTS Observed DNS Query to Knowb4 Simulated Phish Domain"; dns_query; content:".password.land"; nocase; isdataat ...
alert dns $HOME_NET any any any (msg:"ET POLICY Observed DNS Query to .burpcollector .net Domain"; dns_query; content:".burpcollector.net"; nocase; isdataat:1,relative ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET MALWARE Win32/Adware.Adposhel.A Checkin M6"; flow:established,to_server; content:"GET"; http_method; urilen ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET USER_AGENTS AnyDesk Remote Desktop Software User-Agent"; flow:established,to_server; content:"AnyDesk"; http ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS PTsecurity Possible Malicious (HTA VBS PowerShell) obfuscated command"; flow: established,to ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN PTsecurity Trojan.JS.Agent.dwz Checkin 2"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/GandCrab Ransomware CnC Activity M2"; flow:established,to_server; content:"POST"; http_method; ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Zbot downloader Installing Zeus"; flow:to_server,established; content:".exe"; http_uri; fast_pattern ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET INFO Java .jar request to dotted quad domain"; flow:established,to_server; content:".jar"; http_uri; fast_pattern ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET EXPLOIT Netlink GPON Remote Code Execution Attempt (Inbound)"; flow:established,to_server; content:"POST"; http ...
alert tcp $HOME_NET any $EXTERNAL_NET 443 (msg:"ET TROJAN Suspected SPECULOOS Backdoor CnC Init Packet Masquerading as SNI Request to live .com"; dsize:186; content ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS GOV UK Possible COVID-19 Phish 2020-04-06"; flow:established,to_server; content:"POST"; http ...
alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN ELF Linux/Dnsamp.AB Variant CnC"; flow:established,to_server; dsize:84; content:"|54|"; depth:1; content ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN THCCABO CoinMiner CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"|7c ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN FTCode Stealer Init Activity"; flow:established,to_server; content:"POST"; http_method; content:"guid ...
alert tcp $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN MSIL/Modi RAT CnC Command Inbound (aw)"; flow:established,from_server; dsize: Added 2020 11 12 18:23:19 ...
alert tcp $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN MSIL/Modi RAT CnC Command Inbound (info)"; flow:established,from_server; dsize: Added 2020 11 12 18:23 ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN PTsecurity MZRevenge Ransomware Server Response"; flow: established,to_client; http_content_type; content ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible CVE-2020-8518 (Horde Groupware RCE)"; flow:established,to_server; content:"POST" ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft SQL RCE Attempt (CVE-2020-0618)"; flow:established,to_server; urilen:37; content ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN MoleRAT/Pierogi CnC Response (Screenshot)"; flow:established,to_client; file_data; content:"62c92ba585f74ecdbef4c4498a438984 ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN MoleRAT/Pierogi CnC Response (Download)"; flow:established,to_client; file_data; content:"51a7a76a7dd5d9e4651fe3d4c74d16d6 ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN MoleRAT/Pierogi CnC Response (Command)"; flow:established,to_client; file_data; content:"dfff0a7fa1a55c8c1a4966c19f6da452 ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Possible Satan Cryptor GeoIP Lookup"; flow:established,to_server; content:"GET /json/ HTTP/1.1|0d 0a ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Cobalt Strike Malleable C2 Request (Stackoverflow Profile)"; flow:established,to_server; content:"GET ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN APT29 Implant8 MAL REFERER"; flow:established,to_server; content:"GET"; http_method; content:" bvm ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Possible Dridex Download URI Struct with no referer"; flow:established,to_server; content:"GET"; http ...
#alert tcp any any any 502 (msg:"ET SCAN Modbus Scanning detected"; content:"|00 00 00 00 00 02|"; flow:established,to_server; depth:6; threshold: type both, track ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Observed DNS Query to Stitch C2 Domain"; dns_query; content:"sys-andriod20-designer.dynamic-dns.net"; nocase; depth ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Observed DNS Query to Stitch C2 Domain"; content:"system0-update04driver-roots.dynamic-dns.net"; nocase; depth:44 ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET INFO Suspicious POST Request with Possible COVID-19 URI M2"; content:"POST"; http_method; content:"corona"; ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET INFO Suspicious POST Request with Possible COVID-19 URI M1"; content:"POST"; http_method; content:"covid"; nocase ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET INFO Suspicious GET Request with Possible COVID-19 URI M2"; content:"GET"; http_method; content:"corona"; http ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET INFO Suspicious GET Request with Possible COVID-19 URI M1"; content:"GET"; http_method; content:"covid"; http ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN DADJOKE/Rail Tycoon Payload Extraction"; flow:to_server,established; content:"GET"; http_method; content ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/CryptInject.BEMTB Stealer CnC Checkin"; flow:established,to_server; content:"POST"; http_method ...
alert http $HOME_NET any any any (msg:"ET TROJAN Suspected Tunna Proxy M2 (Outbound)"; flow:established,to_server; content:"POST"; http_method; content:"?proxy ...
alert http any any $HOME_NET any (msg:"ET TROJAN Suspected Tunna Proxy M2"; flow:established,to_server; content:"POST"; http_method; content:"?proxy file upload ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/Eris Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $EXTERNAL_NET any any any (msg:"ET EXPLOIT Possible Palo Alto SSL VPN sslmgr Format String Vulnerability (Inbound)"; flow:to_server,established; content ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Possible APT Sarhurst/Husar/Hussarini/Hassar CnC Check Response"; flow:from_server,established; content ...
alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/Plurox Backdoor CnC Checkin"; flow:established,to_server; content:"|aa 95 82 71|"; depth:4; content ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET EXPLOIT Possible ZyXEL P660HN-T v1 RCE"; flow:established,to_server; content:"POST"; http_method; content:" ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET EXPLOIT Possible WePresent WIPG1000 OS Command Injection"; flow:established,to_server; content:"GET"; http_method ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN Win32/Retadup Success Response from CnC"; flow:established,from_server; content:"200"; http_stat_code ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET INFO Wget Request for Executable"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http ...
alert http $EXTERNAL_NET any any any (msg:"ET EXPLOIT Possible Telerik UI CVE-2019-18935 File Upload Attempt M2"; content:"GET"; http_method; content:"/Telerik ...
alert http $EXTERNAL_NET any any any (msg:"ET EXPLOIT Possible Telerik UI CVE-2019-18935 File Upload Attempt M1"; flow:to_server,established; content:"POST"; http ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful COVID-19 Related Phish M2"; flowbits:isset,ET.genericphish; content:"POST ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful COVID-19 Related Phish M1"; flowbits:isset,ET.genericphish; content:"POST ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET POLICY File Uploaded to ge.tt Filesharing Service"; flow:established,to_server; content:"POST"; http_method ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET POLICY File Downloaded via ge.tt Filesharing Service"; content:"GET"; http_method; content:"/gett/"; http_uri ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Cobalt Strike Malleable C2 (Adobe RTMP)"; flow:established,to_server; content:"GET"; http_method; content ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Cobalt Strike Malleable C2 (OneDrive)"; flow:established,to_server; content:"GET"; http_method; content ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Cobalt Strike Malleable C2 (Meterpreter)"; flow:established,to_server; urilen:175; content:"/ucD"; http ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN MSIL/n2019cov (COVID-19) Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; http_method ...
alert http any any $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) M2"; flow ...
alert smb any any $HOME_NET any (msg:"ET POLICY Possible winexe over SMB Possible Lateral Movement"; flow:to_server,established; content:"|ff|SMB"; offset:4; ...
alert tcp $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN JavaRAT Requesting Screen Size"; flow:established,to_client; dsize:13; content:"SC.OP packet "; depth ...
alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN JavaRAT Keep Alive (outbound)"; flow:established,to_server; dsize:11; content:"PNG packet "; depth:11 ...
alert tcp $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN JavaRAT Keep Alive (inbound)"; flow:established,to_client; dsize:11; content:"PNG packet "; depth:11; ...
alert tcp $EXTERNAL_NET any $HOME_NET any (msg:"ET TROJAN JavaRAT CnC Init Activity"; flow:established,to_client; dsize:11; content:"AUT packet "; depth:11; isdataat ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET INFO GET to Puu.sh for TXT File with Minimal Headers"; flow:to_server,established; content:"GET"; http_method ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS eSentire Successful 163 Webmail Phish 2018-07-25"; flow:from_server,established; flowbits:isset ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN eSentire VBS Retrieving Malicious Payload"; flow:established,to_server; content:"HEAD"; http_method ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Malicious Windows SCT Download MSXMLHTTP M3"; flow:established,from_server; flowbits:isset ...
alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Windows TaskList Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Linkup Ransomware check-in"; flow:established,to_server; content:"POST"; http_method; content:"/uplink ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"id6589.com"; nocase; isdataat:1,relative; classtype ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"0xf4a5.tk"; nocase; isdataat:1,relative; classtype ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"yahoo-change-password.com"; nocase; isdataat:1 ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"id451295.com"; nocase; isdataat:1,relative; classtype ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"id24556.tk"; nocase; isdataat:1,relative; classtype ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"change-password.ml"; nocase; isdataat:1,relative ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"0x4fc271.tk"; nocase; isdataat:1,relative; classtype ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"0xf4a54cf56.tk"; nocase; isdataat:1,relative; ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Possible APT28 Phishing Domain in DNS Query"; dns_query; content:"546874.tk"; nocase; isdataat:1,relative; classtype ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful DHL Phish 2019-10-18"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Successful DHL Phish (Meta HTTP-Equiv Refresh) 2017-02-08"; flow:from_server,established; content ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Office Phishing Landing 2016-12-18"; flow:to_client,established; content:"200"; http ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful DHL Account Phish 2015-11-03"; flow:to_server,established; content:"POST"; http_method ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish Aug 31 2015"; flow:to_server,established; content:"POST"; http ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN MZRevenge Ransomware CnC"; flow:established,to_server; content:"POST"; http_method; content:".php"; isdataat ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/Unk.Joia CnC Activity"; flow:established,to_server; content:".php|20|HTTP/1.0|0d 0a|Host|3a 20| ...
alert dns $HOME_NET any any any (msg:"ET POLICY DNS Query to DynDNS .dyn-ip24 .de Domain"; dns_query; content:".dyn-ip24.de"; nocase; isdataat:1,relative; classtype ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Observed DNS Query to Vicious Panda CnC Domain"; dns_query; content:"wind.windmilldrops.com"; nocase; depth:22; ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Observed DNS Query to Vicious Panda CnC Domain"; dns_query; content:"bur.vueleslie.com"; nocase; depth:17; isdataat ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Observed DNS Query to Vicious Panda CnC Domain"; dns_query; content:"bmy.hqoohoa.com"; nocase; depth:15; isdataat ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Observed DNS Query to Vicious Panda CnC Domain"; dns_query; content:"jocoly.esvnpe.com"; nocase; depth:17; isdataat ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Observed DNS Query to Vicious Panda CnC Domain"; dns_query; content:"compdate.my03.com"; nocase; depth:17; isdataat ...
alert dns $HOME_NET any any any (msg:"ET TROJAN Observed DNS Query to Vicious Panda CnC Domain"; dns_query; content:"feb.kkooppt.com"; nocase; depth:15; isdataat ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Mirai Variant User-Agent (Outbound)"; flow:established,to_server; content:"User-Agent|3a 20|APEP"; http ...
alert http $EXTERNAL_NET any any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; content:"User-Agent|3a 20|APEP"; http_header ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Spelevo VBS Payload Downloaded"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN HAWKBALL CnC Activity"; flow:established,to_server; content:"GET"; http_method; content:"/?e "; depth ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN HAWKBALL CnC Initial Request"; flow:established,to_server; content:"GET"; http_method; content:"/?t ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN W32/Patchwork.Backdoor CnC Check-in M2"; flow:established,to_server; content:"POST"; http_method; content ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN W32/Patchwork.Backdoor Communicating with CnC"; flow:established,to_server; content:"POST"; http_method ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET CURRENT_EVENTS Successful EDU Phish 2017-12-04"; flow:established,to_client; flowbits:isset,ET.eduphish; content ...
alert http $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN ConstructorWin32/Agent.V"; flow:to_server,established; content:"|0d 0a|Pragma|3a 20|no-catch|0d 0a|" ...
alert http $EXTERNAL_NET any $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability"; flow:established,to_server; ...
alert http $EXTERNAL_NET any $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability"; flow:established,to_server; ...
alert http $EXTERNAL_NET any $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_banners banners.class.php Remote File inclusion Attempt"; flow:to ...
alert http $EXTERNAL_NET any $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SiteloomCMS mailform 1 variable Cross Site Scripting Attempt"; flow:established,to_server ...
alert http $EXTERNAL_NET any $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter DELETE FROM SQL Injection Attempt"; flow ...
alert http $EXTERNAL_NET any $HTTP_SERVERS any (msg:"ET WEB_SERVER SHOW CHARACTER SET SQL Injection Attempt in URI"; flow:established,to_server; content:"SHOW" ...
alert http $EXTERNAL_NET any $HTTP_SERVERS any (msg:"ET WEB_SERVER LANDesk Command Injection Attempt"; flow:established,to_server; content:"POST"; http_method; ...
alert http $EXTERNAL_NET any $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress wp-admin/admin.php Module Configuration Security Bypass Attempt"; flow:established ...
alert http $EXTERNAL_NET any $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible HP OpenView Network Node Manager ovalarm.exe CGI Buffer Overflow Attempt"; flow:established ...
alert http $EXTERNAL_NET any $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application UNTION SELECT SQL Injection Attempt"; flow ...
alert http $EXTERNAL_NET any $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application INSERT INTO SQL Injection Attempt"; flow ...
alert http $EXTERNAL_NET any $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application SELECT FROM SQL Injection Attempt"; flow ...
alert http $EXTERNAL_NET any $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application INTO OUTFILE SQL Injection Attempt"; flow ...
alert http $EXTERNAL_NET any $HOME_NET any (msg:"ET WEB_SERVER Possible Cisco Adaptive Security Appliance Web VPN FTP or CIFS Authentication Form Phishing Attempt ...
alert http $EXTERNAL_NET any $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid Variable DELETE FROM SQL Injection Attempt"; flow:established ...
alert http $EXTERNAL_NET any $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid Variable INSERT INTO SQL Injection Attempt"; flow:established ...
alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 109"; flow:established,to_server; content:"|5b bc 1f 13 45 60 61 fd 0d 43 7f ...
alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 84"; flow:established,to_server; content:"|d5 c2 f9 4e 0a 7b 1c 62 a1 49 05 ...
alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 68"; flow:established,to_server; content:"|62 8d 57 43 81 41 32 36 55 5e 26 ...
alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 67"; flow:established,to_server; content:"|0b 7e 42 80 62 68 98 84 a8 66 28 ...
alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 66"; flow:established,to_server; content:"|12 37 57 b2 1e 20 12 3d f1 8a 24 ...
alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 65"; flow:established,to_server; content:"|ba e7 11 d6 b7 9f b5 c9 1d 10 58 ...
alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 64"; flow:established,to_server; content:"|d7 9e f0 38 3f f1 9a ab d6 74 00 ...
alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 63"; flow:established,to_server; content:"|d1 ef 79 30 f1 d3 16 52 6d e9 f3 ...
alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 62"; flow:established,to_server; content:"|46 4f 3e 16 69 12 4c e2 9a c2 28 ...
alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 61"; flow:established,to_server; content:"|f3 85 1c e5 6c 10 d9 78 fa 64 de ...
alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 60"; flow:established,to_server; content:"|30 d0 52 71 74 3c 46 41 ac f3 4e ...
alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 59"; flow:established,to_server; content:"|ed d1 72 f7 67 72 6f 57 ec 23 3c ...
alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 58"; flow:established,to_server; content:"|05 3b 09 6a f6 9e f9 65 e5 38 b3 ...
alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 57"; flow:established,to_server; content:"|56 1e 2c fa 6e cc e4 74 40 48 df ...
alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 56"; flow:established,to_server; content:"|7d b5 14 83 61 23 20 d9 44 8a a7 ...
alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 55"; flow:established,to_server; content:"|2f 81 e4 ab 65 ab 1c 0d b9 8c e8 ...
alert tcp $HOME_NET any $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 54"; flow:established,to_server; content:"|bc f5 5e 86 40 fa 48 95 a8 9e 28 ...
alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Win32/Remcos RAT Checkin 30`; flow:established,to server; content:` 81 29 6b 48 7f c7 22 ec 9b 9e b6 ...
alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Win32/Remcos RAT Checkin 29`; flow:established,to server; content:` 5e 0d 10 db 92 bf 73 6c 7d 6f 5d ...
alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Win32/Remcos RAT Checkin 28`; flow:established,to server; content:` ea 7f 70 7a 80 7c 4a a9 1b 68 8e ...
alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Win32/Remcos RAT Checkin 27`; flow:established,to server; content:` bf 9b b2 d8 b7 a9 86 78 26 d6 10 ...
alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Win32/Remcos RAT Checkin 26`; flow:established,to server; content:` 24 8a 91 18 92 bb 4b 55 39 bc ed ...
alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN eSentire Remcos RAT Checkin 25`; flow:established,to server; content:` 38 b6 1d 2b 3b 5c 11 b4 d8 75 ...
alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN eSentire Remcos RAT Checkin 24`; flow:established,to server; content:` e8 ee 51 c7 05 29 cd 17 31 7b ...
alert tcp $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Remcos RAT Checkin 23`; flow:established,to server; content:` 1b 84 d5 b0 5d f4 c4 93 c5 30 c2 `; depth ...
#alert tcp $HOME NET any $EXTERNAL NET !$HTTP PORTS (msg:`ET TROJAN PTsecurity Backdoor.Win32/Remcos RAT pkt checker 4`; flow:established, to server; dsize:8193 ...
alert tcp $HOME NET any $EXTERNAL NET 5938,1935,3265,2394 (msg:`ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 106`; flow:to server,established ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET DOS High Orbit Ion Cannon (HOIC) Attack Inbound Generic Detection Double Spaced UA`; flow:established,to server ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SPECIFIC APPS Mambo Zorder zorder Parameter INSERT INTO SQL Injection Vulnerability`; flow:established ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SPECIFIC APPS Zabbix popup.php SELECT FROM SQL Injection Vulnerability`; flow:established,to server ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SPECIFIC APPS Joomla component Simple File Lister sflDir Parameter directory traversal attempt`; flow ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET SCAN Apache mod proxy Reverse Proxy Exposure 2`; flow:established,to server; content:` 3a @`; http uri; ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SPECIFIC APPS iBrowser Plugin dir Parameter Cross Site Scripting Attempt 1`; flow:established,to server ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET SCAN libwww perl GET to // with specific HTTP header ordering without libwww perl User Agent`; flow:established ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Possible FakeAV Binary Download (Security)`; flow:established,to client; content:`filename 22 `; nocase ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET WEB SPECIFIC APPS Possible ZOHO ManageEngine ADSelfService Captcha Bypass Attempt`; flow:established,to server ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SPECIFIC APPS eyeOS file Parameter Local File Inclusion Attempt`; flow:established,to server; content ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Observed Malicious SSL Cert (ServHelper CnC)`; flow:from server,established; tls cert subject; content ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Observed Malicious SSL Cert (ServHelper CnC)`; flow:from server,established; tls cert subject; content ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Observed Malicious SSL Cert (ServHelper CnC)`; flow:from server,established; tls cert subject; content ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Observed Malicious SSL Cert (ServHelper CnC)`; flow:from server,established; tls cert subject; content ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Observed Malicious SSL Cert (ServHelper CnC)`; flow:from server,established; tls cert subject; content ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Generic 8Char.JAR Naming Algorithm`; flow:established,to client; content:` Disposition 3a 20 inline ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Cridex Post to CnC`; flow:established,to server; content:`POST`; http method; content:` 0d 0a 0d 0a de ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS TDS Sutra cookie is set RULEZ`; flow:established,to server; content:`sutraRULEZcookiessupport ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS TDS Sutra cookie set RULEZ`; flow:established,from server; content:`sutraRULEZcookiessupport ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Observed Malicious SSL Cert (ServHelper CnC)`; flow:from server,established; tls cert subject; content ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Observed Malicious SSL Cert (ServHelper CnC)`; flow:from server,established; tls cert subject; content ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Observed Malicious SSL Cert (ServHelper CnC)`; flow:from server,established; tls cert subject; content ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Observed Malicious SSL Cert (ServHelper CnC)`; flow:from server,established; tls cert subject; content ...
alert dns $HOME NET any any any (msg:`ET TROJAN Observed JS/Skimmer (likely Magecart) CnC Domain in DNS Lookup`; dns query; content:`imprintcenter.com`; nocase ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Observed Malicious SSL Cert (MonetizUs/LNKR)`; flow:from server,established; tls cert subject; content ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Observed Malicious SSL Cert (MonetizUs/LNKR)`; flow:from server,established; tls cert subject; content ...
alert dns $HOME NET any any any (msg:`ET TROJAN BlackTech ELF/TSCookie CnC Observed in DNS Query`; dns query; content:`cybermon.fortigatecloud.com`; nocase; depth ...
alert dns $HOME NET any any any (msg:`ET TROJAN Magniber Ransomware CnC Domain in DNS Lookup`; dns query; content:`.byteson.space`; nocase; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET TROJAN Magniber Ransomware CnC Domain in DNS Lookup`; dns query; content:`.boyput.site`; nocase; isdataat:1,relative; reference ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SPECIFIC APPS Possible CVE 2013 2618 Attempt (PHP Weathermap Persistent XSS)`; flow:established,to server ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN PTsecurity Win32/SocStealer.Socelars C2 Response`; flow:established,to client; content:`200`; http ...
alert http any any $HOME NET 5984 (msg:`ET EXPLOIT Apache CouchDB JSON Remote Privesc Attempt (CVE 2017 12635)`; flow:established,to server,only stream; content ...
alert http any any $HOME NET 5984 (msg:`ET EXPLOIT Apache CouchDB JSON Remote Privesc Attempt (CVE 2017 12636)`; flow: established,to server,only stream; urilen ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Trojan Dropper.Delf Checkin`; flow:established,to server; content:`/autoupdate/versaoatual.txt`; http ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET POLICY IP Check (rl. ammyy. com)`; flow:to server,established; urilen:1; content:`rl.ammyy.com`; http host; ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Powershell commands sent when remote host claims to send an image `; flow:established,from server; content ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET WEB CLIENT Google Chrome XSS (CVE 2017 5124)`; flow:from server,established; content:`Content Type 3a 20 multipart ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Trickbot Payload Request`; flow:to server,established; content:`GET`; http method; pcre:`/^\/(?:kas ser ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET MOBILE MALWARE Trojan Banker.AndroidOS.RedAlert CnC Beacon`; flow:to server,established; content:`POST`; http ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Lucifer Loader Requesting Payload`; flow:established,to server; urilen:15; content:`/demonsgate.php ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET MALWARE Win32/LoadMoney Adware Activity`; flow:to server,established; content:`POST`; http method; content: ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Possible Locky VB/JS Loader Download Sep 08 2017`; flow:established,from server; file data; content ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Hancitor/Tordal Document Inbound`; flow:established,from server; content:`200`; http stat code ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Hancitor/Tordal Document Request`; flow:established,to server; content:`GET`; http method; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Possible Maldoc Downloader Aug 18 2017`; flow:established,to server; content:`/s.php?id `; http uri; ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Nemucod JS Downloader Aug 01 2017`; flow:established,to server; pcre:`/\/ A Za z0 9 {5,9}\? ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Win32/Bitshifter Ransomware CnC Checkin`; flow:established,to server; content:`GET`; http method; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Quant Loader Download Request`; flow:to server,established; content:`GET`; http method; content:`.php ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS SUSPICIOUS Possible CVE 2017 0199 IE7/NoCookie/Referer HTA dl`; flow:to server,established; content ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET ATTACK RESPONSE Possible BeEF HTTP Headers Inbound`; flow:established,from server; content:`Content Type 3a ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS RIG EK URI Struct Jun 13 2017`; flow:established,to server; urilen: 90; content:`/?`; http uri ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Nemucod JS Downloader June 12 2017`; flow:established,to server; pcre:`/\/ A Za z0 9 {5,7}\? ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Bingo EK Payload Download`; flow:established,to server; urilen:116; content:`/?`; depth:2; http ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Jaff Ransomware Checkin M1`; flow:to server,established; urilen:4; http header names; content:` 0d 0a ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN MSIL/OzazaLocker Ransomware CnC Checkin`; flow:established,to server; content:`GET`; http method; content ...
#alert http $HOME NET any $EXTERNAL NET 443,7080,8080 (msg:`ET TROJAN W32/Emotet CnC Beacon 2`; flow:established,to server; urilen:1; content:`GET`; http method ...
alert http $HOME NET any $EXTERNAL NET 443,7080,8080 (msg:`ET TROJAN W32/Emotet CnC Beacon 1`; flow:established,to server; urilen:1; content:`GET`; http method ...
alert http $HOME NET any $EXTERNAL NET 7080,8080,443 (msg:`ET TROJAN W32.Geodo/Emotet Checkin`; flow:established,to server; content:`GET`; http method; urilen ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN MSIL/Runsome Ransomware CnC Checkin`; flow:established,to server; content:`.php?name `; http uri; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Possible Turla Carbon Paper CnC Beacon (Fake User Agent)`; flow:established,to server; content:`GET` ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Red Leaves HTTP CnC Beacon (APT10 implant)`; flow:established,to server; content:`POST`; http method ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET MOBILE MALWARE Android Trojan Pegasus CnC Beacon`; flow:to server,established; content:`POST`; http method ...
alert http any any $HOME NET any (msg:`ET EXPLOIT NETGEAR WNR2000v5 hidden lang avi Stack Overflow (CVE 2016 10174)`; flow:to server,established; content:`/lang ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Known Malicious Doc Downloading Payload Dec 06 2016`; flow:to server,established; urilen: Added 2020 ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Quant Loader Download Request`; flow:to server,established; content:`GET`; http method; content:`/index ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Suspicious Proxifier DL (non browser observed in maldoc campaigns)`; flow:established,to server ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET EXPLOIT Equation Group EGREGIOUSBLUNDER Fortigate Exploit Attempt`; flow:established,to server; urilen:6; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Win32/Pottieq.A Check in`; flow:established,to server; content:`POST`; http method; content:`pc `; http ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (dll generic custom headers)`; flow:established,to ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (userdir dotted quad)`; flow:established,to server ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN FOX SRT ShimRat check in (Yuok)`; flow:established,to server; content:`POST`; http method; content:` ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN FOX SRT ShimRat check in (Data)`; flow:established,to server; content:`POST`; http method; content:` ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS SUSPICIOUS Firesale gTLD IE Flash request to set non standard filename (some overlap with 2021752 ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET MALWARE Win32/Adware.Adposhel.A Checkin 4`; flow:established,to server; content:`a `; depth:2; http client body ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET WEB CLIENT Fake AV Phone Scam Landing Apr 4`; flow:to client,established; content:`200`; http stat code; http ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN IrcBot Downloading .old`; flow:established,to server; http start; content:`.old 20 HTTP/1.1 0d 0a Host ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET EXPLOIT FireEye Detection Evasion attempt Inbound`; flow:to server,established; content:`%`; http raw uri ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Possible Keitaro TDS Redirect`; flow:established,from server; content:`302`; http stat code; ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Linux/Torte Downloading Binary`; flow:established,to server; urilen:8; content:`/crond`; http uri; fast ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET WEB SERVER WeBaCoo Web Backdoor Detected`; flow:to server,established; content:`GET`; http method; content: ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Win32/Nivdort Posting Data 2`; flow:established,to server; content:`POST`; http method; content:`.php ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET INFO Possible MSXMLHTTP Request (no .exe)`; flow:to server,established; content:!`.exe`; nocase; http uri; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN MWI Maldoc Stats Callout Oct 28`; flow:established,to server; content:`/pict.`; http uri; fast pattern ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PSEmpire Checkin via POST`; flow:to server,established; urilen:14; content:`POST`; http method; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Possible APT30 or Win32/Nuclear HTTP Framework POST`; flow:established,to server; content:`POST`; http ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Win32.Chroject.B Retrieving encoded payload`; flow:to server,established; content:`GET`; http method ...
alert http $HOME NET any $EXTERNAL NET 80 (msg:`ET TROJAN Common Upatre URI/Headers Struct`; flow:established,to server; urilen: Added 2020 11 05 18:35:56 UTC ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET POLICY Onion2Web Tor Proxy Cookie`; flow:established,to server; content:`onion2web confirmed `; http cookie ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Dridex POST CnC Beacon 2`; flow:established,to server; urilen:1; content:`POST`; http method; pcre:` ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET WEB SERVER FOX SRT Backdoor CryptoPHP Shell C2 POST`; flow:established,to server; content:`POST`; http method ...
#alert http $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Cohhoc RAT CnC Response`; flow:established,from server; content:`Content Length 3a 20 64 0d 0a `; http ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Win32/Ursnif Checkin`; flow:established,to server; content:`POST`; http method; content:` 0d 0a Content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Stobox Connectivity Check`; flow:established,to server; content:`/windowsupdate/v6/thanks.aspx?ln en ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Snake rootkit usermode centric client request`; flow:to server,established; content:`/1/6b 558694705129b01c0 ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Banking Trojan HTTP Cookie`; flow:established,to server; content:`tcpopunder`; http cookie; fast pattern ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET MALWARE Potentially Unwanted Application AirInstaller`; flow:to server,established; urilen: 31; content:`GET ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Zbot Generic URI/Header Struct .bin`; flow:established,to server; content:`GET`; http method ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SPECIFIC APPS Possible JBoss/JMX EJBInvokerServlet RCE Using Marshalled Object`; flow:established,to ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SPECIFIC APPS Possible JBoss/JMX InvokerServlet RCE Using Marshalled Object`; flow:established,to server ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN SmokeLoader Checkin`; flow:established,to server; content:`POST`; http method; content:`.php`; http uri ...
#alert http $HOME NET any $EXTERNAL NET any (msg:`ET EXPLOIT Potential Internet Explorer Use After Free CVE 2013 3163 Exploit URI Struct 1`; flow:established,to ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SPECIFIC APPS MoinMoin twikidraw Action Traversal File Upload`; flow:to server,established; content ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Alina Server Response Code`; flow: established,from server; http response line; content:` 666 OK`; fast ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Variant.Kazy.174106 Checkin`; flow:established,to server; content:`GET`; http method; content:`.php?T ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS FlimKit Post Exploit Payload Download`; flow:to server,established; urilen:17; content:`POST ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS GrandSoft PDF Payload Download`; flow:established,to server; content:`GET`; http method; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Win32/Redyms.A Checkin`; flow:to server,established; content:`POST`; http method; content:`.php`; http ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN APT NGO wuaclt`; flow:to server,established; content:`/pics/`; http uri; content:`.asp?id `; http uri ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Win32/COOKIEBAG Cookie APT1 Related`; flow:established,to server; http start; content:` 0a Cookie 3a ...
alert http any any $HTTP SERVERS any (msg:`ET EXPLOIT Possible CVE 2013 0156 Ruby On Rails XML POST to Disallowed Type SYMBOL`; flow:established,to server; content ...
alert http any any $HTTP SERVERS any (msg:`ET EXPLOIT Possible CVE 2013 0156 Ruby On Rails XML POST to Disallowed Type YAML`; flow:established,to server; content ...
alert http any any $HTTP SERVERS any (msg:`ET WEB SERVER Magento XMLRPC Exploit Attempt`; flow:established,to server; content:`POST`; nocase; http method; content ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SPECIFIC APPS joomla com edir controller parameter Local File Inclusion vulnerability`; flow:established ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Observed Malicious SSL Cert (MageCart)`; flow:from server,established; tls cert subject; content:`CN reportgns ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Observed Malicious SSL Cert (MageCart)`; flow:from server,established; tls cert subject; content:`CN sucuritester ...
alert http $EXTERNAL NET any any any (msg:`ET INFO Generic IOT Downloader Malware in POST (Inbound)`; flow:established,to server; content:`POST`; http method; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET INFO Generic IOT Downloader Malware in POST (Outbound)`; flow:established,to server; content:`POST`; http method ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Possible Router EK Landing Page Inbound 2019 05 24`; flow:established,from server; content:`200 ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Baldr Stealer Checkin M2`; flow:established,to server; content:`POST`; http method; content:`.php`; http ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS Spelevo EK Post Compromise Data Dump`; flow:to server,established; content:`POST`; http method ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET POLICY Observed External IP Lookup SSL Cert`; flow:from server,established; tls cert subject; content:`.iplocation ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Locky CnC Checkin`; flow:to server,established; urilen:14; content:`POST`; http method; content:`/imageload ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN YordanyanActiveAgent CnC Reporting`; flow:established,to server; content:`GET`; http method; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PTsecurity Tinba (Banking Trojan) Check in`; flow:established,to server; content:`Mozilla/5.0 (compatible ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SPECIFIC APPS GitList Argument Injection`; flow:established,to server; content:`query open files in ...
alert http $EXTERNAL NET any $HTTP SERVERS any (msg:`ET WEB SPECIFIC APPS WordPress Plugin Pie Register SQL Injection`; flow:established,to server; content:`/wp ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET CURRENT EVENTS Suspicious Wordpress Redirect Possible Phishing Landing Jan 7 2016`; flow:to client,established ...
alert http any any $HTTP SERVERS any (msg:`ET WEB SPECIFIC APPS DNN DNNPersonalization Cookie RCE Attempt (CVE 2017 9822)`; flow:established,to server; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN OSX/OceanLotus.D Requesting Commands from CnC`; flow:established,to server; content:`GET`; http method ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET MOBILE MALWARE C2P.Qdc Ransomware CnC Beacon`; flow:established,to server; content:`POST`; http method; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS RIG EK URI Struct Mar 13 2017 M2`; flow:established,to server; urilen: 90; content:`QMvXcJ`; ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS RIG EK URI Struct Mar 13 2017`; flow:established,to server; urilen: 90; content:`oq `; http uri ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Spora Ransomware Checkin`; flow:to server,established; content:`POST`; http method; content:` XDATABASE64ENCRYPTED ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN FETCH CnC Beacon`; flow:established,to server; content:`GET`; http method; content:`.aspx?n `; http uri ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN APT28 Uploader Variant CnC Beacon`; flow:established,to server; content:`POST`; http method; content ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN WSF/JS Downloader Jan 30 2017 M1`; flow:to server,established; urilen: 65; content:`/counter/?`; fast ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Possible Pony Payload DL`; flow:established,to server; content:`/inst.exe`; http uri; fast pattern; isdataat ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET INFO IE7UA No Cookie No Referer`; flow:to server,established; content:`User Agent 3a 20 Mozilla/4.0 (compatible ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Trojan.Kwampirs Outbound GET request`; flow:to server,established; urilen: 21; content:`GET`; http method ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Locky CnC Checkin Dec 5 M1`; flow:to server,established; urilen:12; content:`POST`; http method; content ...
alert dns $HOME NET any any any (msg:`ET TROJAN Magecart CnC Domain in DNS Lookup`; dns query; content:`webscriptly.com`; nocase; depth:15; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET TROJAN BlackTech ELF/TSCookie CnC Observed in DNS Query`; dns query; content:`home.mwbsys.org`; nocase; isdataat:1,relative ...
alert dns $HOME NET any any any (msg:`ET TROJAN BlackTech ELF/TSCookie CnC Observed in DNS Query`; dns query; content:`app.dynamicrosoft.com`; nocase; isdataat ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Observed Malicious SSL Cert (SmokeLoader CnC)`; flow:from server,established; tls cert subject; content ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Observed Malicious SSL Cert (SmokeLoader CnC)`; flow:from server,established; tls cert subject; content ...
alert tls $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Observed Malicious SSL Cert (SmokeLoader CnC)`; flow:from server,established; tls cert subject; content ...
alert http $EXTERNAL NET any $HOME NET any (msg:`ET TROJAN Win32/Onliner Receiving Commands from CnC`; flow:established,from server; content:`200`; http stat code ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Possible APT28 Xtunnel Activity`; flow:established,to server; content:`GET`; http method; content:`Mozilla ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN PTsecurity MSIL/Biskvit.A Check in`; flow:established,to server; urilen:15; content:`POST`; http method ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Jaff Ransomware Checkin`; flow:to server,established; content:`GET`; http method; content:`fkksjobnn43 ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN WS/JS Downloader Mar 07 2017 M2`; flow:established,to server; content:`/counter/?`; http uri; fast pattern ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET CURRENT EVENTS RIG EK URI Struct Feb 26 2017`; flow:established,to server; urilen: 90; content:`oq `; http uri ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN JS/Nemucod requesting EXE payload 2016 02 06`; flow:established,to server; content:`.vbn`; http uri; ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET MOBILE MALWARE Trojan Banker.AndroidOS.Marcher.a Checkin`; flow:to server,established; content:`POST`; http ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Moose CnC Request M2`; flow:to server,established; urilen:1; content:`GET`; http method; content:`PHPSESSID ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET TROJAN Enigma Locker Checkin`; flow:to server,established; urilen:8; content:`GET`; http method; content:`/get ...
alert http $HOME NET any $EXTERNAL NET any (msg:`ET POLICY Possible Psiphon Proxy Tool traffic`; flow:established,to server; urilen:1; content:`POST`; http method ...
alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Possible Darkleech C2"; flow:established,to_server; content:"/blog/?"; http_uri; depth:7; fast ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ponmocup HTTP Request (generic) M9"; flow:established,to_server; content:" "; http_cookie; pcre:"/^ a ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ponmocup HTTP Request (generic) M8"; flow:established,to_server; content:" "; http_cookie; pcre:"/^ a ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ponmocup HTTP Request (generic) M7"; flow:established,to_server; content:" "; http_cookie; pcre:"/^ a ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ponmocup HTTP Request (generic) M6"; flow:established,to_server; content:" "; http_cookie; pcre:"/^ a ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ponmocup HTTP Request (generic) M5"; flow:established,to_server; content:" "; http_cookie; pcre:"/^ a ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ponmocup HTTP Request (generic) M4"; flow:established,to_server; content:" "; http_cookie; pcre:"/^ a ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ponmocup HTTP Request (generic) M3"; flow:established,to_server; content:" "; http_cookie; pcre:"/^ a ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ponmocup HTTP Request (generic) M2"; flow:established,to_server; content:" "; http_cookie; pcre:"/^ a ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ponmocup HTTP Request (generic) M1"; flow:established,to_server; content:" "; http_cookie; pcre:"/^ a ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN abdullkarem Wordpress PHP Scanner"; flow:established,to_server; content:"GET"; http_method; content:".php ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Elise CnC Beacon 3 M2"; flow:to_server,established; content:"GET"; http_method; content:".html ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dridex Post Check in Activity"; flow:established,to_server; content:"POST"; http_method; content:"Mozilla ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FOX-SRT Backdoor CryptoPHP Shell C2 POST (fsockopen)"; flow:established,to_server; content:"POST ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Tinba Checkin"; flow:established,to_server; content:"POST"; http_method; content:"|0d 0a 0d 0a|"; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Zbot POST Request to C2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32/Dervec.gen Connectivity Check to Google"; flow:established,to_server; content:"HOST|3a ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1"; flow:established,to_server; content:"POST ...
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET TROJAN China Chopper Command Struct"; flow:to_server,established; content:"POST"; nocase; http_method; content ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Observed Adwind RAT CnC DNS Query"; dns_query; content:"21736.xyz"; nocase; isdataat:1,relative; pcre:"/(?:^|\. ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Observed Adwind RAT CnC DNS Query"; dns_query; content:"12724.xyz"; nocase; isdataat:1,relative; pcre:"/(?:^|\. ...
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Observed Adwind RAT CnC DNS Query"; dns_query; content:"15438.xyz"; nocase; isdataat:1,relative; pcre:"/(?:^|\. ...
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls_cert_subject; content ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful My ADP Phish (set) 2017-02-16"; flow:to_server,established; content:"POST"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY OnePlus phone data leakage"; flow:to_server,established; content:"POST"; http_method; content:"/cloud ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible WinHttpRequest (no .exe)"; flow:to_server,established; content:"Mozilla/4.0 (compatible|3b 20 ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN jFect HTTP CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/ping"; http ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK Nov 09 2015 M2"; flow:to_server,established; content: ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK Nov 09 2015 M1"; flow:to_server,established; content: ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Hacking Team Implant Exfiltration"; flow:established, to_server; content:"POST"; http_method; pcre:" ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Hacking Team Android Implant Exfiltration"; flow:established, to_server; content:"POST"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Hacking Team Scout Windows Implant Exfiltration"; flow:established,to_server; content:"POST"; http_method ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Hacking Team Elite Windows Implant Exfiltration"; flow:established,to_server; content:"POST"; http_method ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HanJuan EK Current Campaign Landing URI Struct Jul 10 2015"; flow:established,to_server; urilen ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS KaiXin Secondary Landing Page"; flow:to_server,established; content:"/win.html"; http_uri; fast ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WVW CnC Beacon 3"; flow:to_server,established; urilen:4; content:"Empty|0d 0a|"; http_header; http_request ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Duqu 2.0 Request"; flow:established,to_server; pcre:"/^COUNTRY [a-z0-9]{26}$/C"; http_header ...
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Linksys WRT54GL Router DNS Change POST Request"; flow:to_server,established; content:"POST"; http_method; urilen ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious User Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.8.x Detected"; flow:established,to_server; content:" Java/1.8.0_"; http_user ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile"; flow:established ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Outdated Flash Version M1"; flow:established,to_server; content:"x-flash-version|3a 20|"; http_header ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Metasploit Java Payload"; flow:established,to_client; flowbits:isset,ET.http.javaclient ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FakeAV.dfze/FakeAVIK Checkin"; flow:established,to_server; urilen: 150; content:"GET"; http_method; content ...
#alert tcp any any -> any $SSH_PORTS (msg:"ET TROJAN Linux/Kimodin SSH backdoor activity"; flow:established,to_server; content:"SSH-2.0-"; depth:8; isdataat:22,relative ...
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Zero Day Trojan.666 Payload libarext32.dll Second Stage Download POST"; flow:established ...
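The rule lines above all share the same Suricata/Snort structure: a header (action, protocol, source, port, direction, destination, port) and a parenthesised option body in which legacy modifiers such as http_uri or http_header attach to the content that precedes them, while sticky buffers such as dns_query or tls_cert_subject apply to the contents that follow. The following parser is an added example written for this page, not code from Emerging Threats or from the Suricata project. It turns one rule line into header fields, ordered options and decoded content bytes (including |hex| blocks), and summarises the fields an analyst triages first. The sample rules inside it are constructed in the style of the listing, with placeholder sids in the 9000000 range; they are not ET signatures.

```python
"""Added example: parse Suricata/Snort rule lines like those in the ET listing.
Not ET or Suricata code. Sample rules below are CONSTRUCTED with placeholder sids."""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(
    r"^\s*(?P<disabled>#)?\s*(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*\((?P<body>.*)\)\s*$")
# Legacy modifiers follow the content they qualify ("content:..; http_uri;").
LEGACY_MODIFIERS = {"http_uri", "http_raw_uri", "http_method", "http_cookie", "http_header",
                    "http_raw_header", "http_user_agent", "http_host", "http_client_body",
                    "http_server_body", "http_stat_code"}
# Sticky buffers precede their contents ("dns_query; content:..;"); any dotted keyword
# without a value (http.uri, tls.sni) is treated the same way.
STICKY_BUFFERS = {"dns_query", "tls_cert_subject", "tls_cert_issuer", "tls_sni",
                  "http_request_line", "file_data"}


@dataclass
class Content:
    pattern: bytes
    buffer: str = "payload"          # buffer the match is evaluated against
    negated: bool = False
    nocase: bool = False
    fast_pattern: bool = False
    params: dict = field(default_factory=dict)   # depth/offset/distance/within


@dataclass
class Rule:
    header: dict
    options: list                    # ordered (keyword, value or None) pairs
    contents: list = field(default_factory=list)

    def opt(self, key):
        return next((v for k, v in self.options if k == key), None)


def split_options(body):
    """Split on ';' outside double quotes, leaving backslash escapes intact."""
    opts, cur, quoted, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":
            cur.append(body[i:i + 2]); i += 2; continue
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append("".join(cur).strip()); cur = []
        else:
            cur.append(ch)
        i += 1
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    return [(k.strip(), v.strip() if sep else None)
            for k, sep, v in (o.partition(":") for o in opts)]


def decode_content(value):
    """'"User-Agent|3a 20 0d 0a|"' -> (False, b'User-Agent: \\r\\n'); a leading '!' negates."""
    value = value.strip()
    negated = value.startswith("!")
    value = value.lstrip("!").strip().strip('"')
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "|":                         # |hex bytes| block
            end = value.index("|", i + 1)
            out += bytes.fromhex(value[i + 1:end]); i = end + 1
        elif value[i] == "\\" and i + 1 < len(value):   # \" \; \\ \: escapes
            out.append(ord(value[i + 1])); i += 2
        else:
            out += value[i].encode("latin-1"); i += 1
    return negated, bytes(out)


def parse_rule(line):
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not a rule: {line[:60]!r}")
    rule = Rule({k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")},
                split_options(m.group("body")))
    rule.header["disabled"] = bool(m.group("disabled"))
    sticky, cur = "payload", None
    for k, v in rule.options:
        if k == "content":
            neg, pat = decode_content(v)
            cur = Content(pat, sticky, neg); rule.contents.append(cur)
        elif k in STICKY_BUFFERS or ("." in k and v is None):
            sticky, cur = k, None                   # applies to the following contents
        elif cur is None:
            continue
        elif k in LEGACY_MODIFIERS:
            cur.buffer = k                          # applies to the preceding content
        elif k in ("nocase", "fast_pattern"):
            setattr(cur, k, True)
        elif k in ("depth", "offset", "distance", "within"):
            cur.params[k] = v
    return rule


def triage_summary(rule):
    """Category, direction, buffers and the likely fast-pattern content (explicit, else the
    longest: a simplification of Suricata's selection, which also weighs buffer type)."""
    msg = (rule.opt("msg") or "").strip('"').split()
    flow = {p.strip() for p in (rule.opt("flow") or "").split(",")}
    fp = ([c for c in rule.contents if c.fast_pattern]
          or sorted(rule.contents, key=lambda c: len(c.pattern), reverse=True)[:1])
    return {"category": msg[1] if len(msg) > 1 and msg[0] == "ET" else None,
            "to_server": "to_server" in flow,
            "buffers": sorted({c.buffer for c in rule.contents}),
            "fast_pattern": fp[0].pattern if fp else None,
            "disabled": rule.header["disabled"]}


SAMPLE_RULES = [  # constructed examples in the listing's style; sids are placeholders
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious User Agent (1 space)"; '
    'flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; fast_pattern; '
    'classtype:bad-unknown; sid:9000001; rev:1;)',
    'alert dns $HOME_NET any -> any any (msg:"ET TROJAN Observed Example CnC DNS Query"; dns_query; '
    'content:"example.invalid"; nocase; isdataat:1,relative; pcre:"/(?:^|\\.)example\\.invalid$/"; '
    'classtype:trojan-activity; sid:9000002; rev:1;)',
    '#alert tcp any any -> any $SSH_PORTS (msg:"ET TROJAN Example SSH backdoor banner"; '
    'flow:established,to_server; content:"SSH-2.0-"; depth:8; sid:9000003; rev:1;)',
]

if __name__ == "__main__":
    for line in SAMPLE_RULES:
        print(triage_summary(parse_rule(line)))
```

The distinction between legacy modifiers and sticky buffers is what makes a listing like this readable: in "content:"/win.html"; http_uri;" the buffer keyword comes after the content, but in "dns_query; content:"21736.xyz";" it comes before, and a parser that treats both the same way will attribute matches to the wrong buffer. Disabled rules (leading #) are parsed rather than dropped so that they can still be reviewed and re-enabled.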
Number of topics: 1000

Topic revision: r4 - 2006-11-15 - TWikiContributor
Copyright © Emerging Threats