Mirrors/APT_CyberCriminal_Campagin_Collections
6
0
Fork 0
mirror of https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections synced 2024-06-25 00:10:26 +00:00
Code Issues Projects Releases Wiki Activity

2018.03.08.hidden-cobra-targets-turkish-financial

Browse Source
This commit is contained in:
CyberMonitor 2018-06-05 16:43:05 +08:00
parent 7986ba1ab0
commit ca061e92f3
2 changed files with 85 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
2018/2018.03.08.hidden-cobra-targets-turkish-financial/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant.pdf Normal file
View File

Binary file not shown.

85
2018/2018.05.23.New_VPNFilter/snort.rules Normal file
View File

@ -0,0 +1,85 @@
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"M-SEARCH "; depth:9; content:"|3A|device|3A|"; isdataat:180,relative; content:!"|3A|"; within:180; metadata:policy security-ips drop, ruleset community, service ssdp; reference:cve,2012-5958; reference:cve,2012-5962; classtype:attempted-admin; sid:25589; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E1500/E2500 apply.cgi multiple vulnerabilities attempt"; flow:to_server,established; content:"/apply.cgi"; fast_pattern:only; http_uri; content:"action=gozila"; nocase; http_client_body; pcre:"/&?(ping(%5f|_)size=(%26|&)[^&\r\n]+?(%26&|&&)?|next_page=[^&\r\n]+?\.\.\/|submit_button=[^&\r\n]+?(?:%0[ad])?|wait_time=[^&\x2e\d\r\n]+?)/Pi"; metadata:ruleset community, service http; classtype:attempted-admin; sid:26276; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E1500/E2500 apply.cgi multiple vulnerabilities attempt"; flow:to_server,established; content:"/apply.cgi"; fast_pattern:only; http_uri; content:"action=gozila"; nocase; http_uri; pcre:"/&?(ping(%5f|_)size=(%26|&)[^&\r\n]+?(%26&|&&)?|next_page=[^&\r\n]+?\.\.\/|submit_button=[^&\r\n]+?(?:%0[ad])?|wait_time=[^&\x2e\d\r\n]+?)/Ui"; metadata:ruleset community, service http; classtype:attempted-admin; sid:26277; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt"; flow:to_server,established; content:"/apply.cgi"; fast_pattern:only; http_uri; content:!"Authorization:"; nocase; http_header; content:"action=Apply"; nocase; http_client_body; content:"PasswdModify=1"; nocase; http_client_body; content:"http_passwd="; nocase; http_client_body; content:"http_passwdConfirm="; nocase; http_client_body; metadata:ruleset community, service http; reference:bugtraq,57760; reference:url,www.s3cur1ty.de/m1adv2013-004; classtype:attempted-admin; sid:26278; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt"; flow:to_server,established; content:"/apply.cgi"; fast_pattern:only; http_uri; content:!"Authorization:"; nocase; http_header; content:"action=Apply"; nocase; http_uri; content:"PasswdModify=1"; nocase; http_uri; content:"http_passwd="; nocase; http_uri; content:"http_passwdConfirm="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,57760; reference:url,www.s3cur1ty.de/m1adv2013-004; classtype:attempted-admin; sid:26279; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt"; flow:established,to_server; content:"/tmUnblock.cgi"; fast_pattern:only; http_uri; content:"%74%74%63%70%5f%69%70"; http_client_body; pcre:"/%74%74%63%70%5f%69%70%3d.*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,isc.sans.edu/diary/Linksys+Worm+%28%22TheMoon%22%29+Captured/17630; classtype:attempted-admin; sid:29830; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt"; flow:established,to_server; content:"/tmUnblock.cgi"; fast_pattern:only; http_uri; content:"ttcp_ip"; http_client_body; pcre:"/ttcp_ip=.*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,isc.sans.edu/diary/Linksys+Worm+%28%22TheMoon%22%29+Captured/17630; classtype:attempted-admin; sid:29831; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"NOTIFY "; depth:7; content:"|3A|device|3A|"; isdataat:180,relative; content:!"|3A|"; within:180; metadata:policy security-ips drop, ruleset community, service ssdp; reference:cve,2012-5958; reference:cve,2012-5962; classtype:attempted-admin; sid:44743; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"wait_time="; nocase; http_uri; pcre:"/[?&]wait_time=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:ruleset community, service http; reference:url,s3cur1ty.de/m1adv2013-004; classtype:attempted-user; sid:46080; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"wait_time="; nocase; http_client_body; pcre:"/wait_time=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Pim"; metadata:ruleset community, service http; reference:url,s3cur1ty.de/m1adv2013-004; classtype:attempted-user; sid:46081; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"ping"; nocase; http_client_body; pcre:"/(^|&)ping(\x5f|%5f)(ip|size|times)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:ruleset community, service http; reference:cve,2013-3307; classtype:web-application-attack; sid:46082; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"next_page="; nocase; http_client_body; pcre:"/(^|&)next_page=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:ruleset community, service http; reference:url,s3cur1ty.de/m1adv2013-004; classtype:web-application-attack; sid:46083; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Eldorado variant outbound connection"; flow:to_server,established; urilen:12; content:"/pid/pid.txt"; fast_pattern:only; http_uri; content:"(compatible|3B 20|Indy Library)|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/46b01e093493ff14a4f1a43905d4943f5559fb518c04edde46084d9672d0f20f/analysis/1363359002/; classtype:trojan-activity; sid:26211; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"next_page="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]next_page=[^&]*?\x2e\x2e\x2f/Ui"; metadata:ruleset community, service http; reference:url,s3cur1ty.de/m1adv2013-004; classtype:web-application-attack; sid:46084; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"ping_"; nocase; http_uri; pcre:"/[?&]ping_(ip|size|times)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:ruleset community, service http; reference:cve,2013-3307; classtype:web-application-attack; sid:46085; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"ping_"; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]ping(\x5f|%5f)(ip|size|times)=[^&]*?%26/Ii"; metadata:ruleset community, service http; reference:cve,2013-3307; classtype:web-application-attack; sid:46086; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E series denial of service attempt"; flow:to_server,established; content:"mfgtst.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:denial-of-service; sid:46287; rev:2;)
# alert tcp $EXTERNAL_NET 32764 -> $HOME_NET any (msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_client,established; isdataat:6; content:"MMcS"; depth:4; metadata:ruleset community; reference:cve,2014-0659; classtype:misc-activity; sid:46121; rev:2;)
# alert tcp $EXTERNAL_NET 32764 -> $HOME_NET any (msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_client,established; isdataat:6; content:"ScMM"; depth:4; metadata:ruleset community; reference:cve,2014-0659; classtype:misc-activity; sid:46122; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32764 (msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_server,established; isdataat:6; content:"MMcS"; depth:4; metadata:ruleset community; reference:cve,2014-0659; classtype:misc-activity; sid:46123; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32764 (msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_server,established; isdataat:6; content:"ScMM"; depth:4; metadata:ruleset community; reference:cve,2014-0659; classtype:misc-activity; sid:46124; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER QNAP remote buffer overflow attempt"; flow:to_server,established; content:"/cgi-bin/cgi.cgi"; fast_pattern:only; http_uri; content:"u="; http_uri; content:"p="; http_uri; isdataat:263,relative; content:!"&"; within:263; http_uri; content:!"|0D 0A|"; within:263; http_uri; metadata:ruleset community, service http; reference:url,seclists.org/bugtraq/2017/Jan/5; classtype:attempted-admin; sid:41445; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9251 (msg:"SERVER-OTHER QNAP transcode server command injection attempt"; flow:to_server,established; content:"|01 00 00 00|"; depth:4; content:"|7C|"; distance:0; content:"|09|"; within:50; metadata:ruleset community; reference:url,www.qnap.com/en-us/; classtype:attempted-admin; sid:44971; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt"; flow:to_server,established; content:"/cgi-bin/pingping.cgi"; fast_pattern:only; http_uri; content:"ping_ip="; nocase; http_uri; pcre:"/[?&]ping_ip=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:ruleset community, service http; reference:cve,2013-0143; classtype:web-application-attack; sid:46297; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt"; flow:to_server,established; content:"/cgi-bin/pingping.cgi"; fast_pattern:only; http_uri; content:"ping_ip="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]ping(\x5f|%5f)ip=[^&]*?%26/Ii"; metadata:ruleset community, service http; reference:cve,2013-0143; classtype:web-application-attack; sid:46298; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt"; flow:to_server,established; content:"/cgi-bin/pingping.cgi"; fast_pattern:only; http_uri; content:"ping"; nocase; http_client_body; pcre:"/(^|&)ping(\x5f|%5f)ip=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:ruleset community, service http; reference:cve,2013-0143; classtype:web-application-attack; sid:46299; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt"; flow:to_server,established; content:"/cgi-bin/pingping.cgi"; fast_pattern:only; http_uri; content:"ping_ip"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?ping_ip((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:ruleset community, service http; reference:cve,2013-0143; classtype:web-application-attack; sid:46300; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER QNAP QTS X-Forwarded-For buffer overflow"; flow:to_server,established; content:"/cgi-bin/filemanager/wfm2Login.cgi"; fast_pattern:only; http_uri; content:"X-Forwarded-For"; nocase; http_raw_header; isdataat:90,relative; pcre:"/X-Forwarded-For:[^\n\r]{90}/Hsmi"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.qnap.com/en/security-advisory/nas-201712-15; classtype:web-application-attack; sid:46301; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt"; flow:to_server,established; content:"/cgi-bin/wizReq.cgi"; fast_pattern:only; http_uri; content:"SMB_"; nocase; http_uri; pcre:"/[?&]SMB_(LOCATION|USERNAME)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:web-application-attack; sid:46305; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt"; flow:to_server,established; content:"/cgi-bin/wizReq.cgi"; fast_pattern:only; http_uri; content:"SMB_"; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]SMB(\x5f|%5f)(LOCATION|USERNAME)=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:web-application-attack; sid:46306; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt"; flow:to_server,established; content:"/cgi-bin/wizReq.cgi"; fast_pattern:only; http_uri; content:"SMB"; nocase; http_client_body; pcre:"/(^|&)SMB(\x5f|%5f)(LOCATION|USERNAME)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:web-application-attack; sid:46307; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt"; flow:to_server,established; content:"/cgi-bin/wizReq.cgi"; fast_pattern:only; http_uri; content:"SMB_"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?SMB_(LOCATION|USERNAME)((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:web-application-attack; sid:46308; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger outbound connection"; flow:to_server,established; content:"/News/gate.php"; fast_pattern:only; http_uri; content:"Connection|3A 20|Keep-Alive"; http_header; content:!"Accept"; http_header; content:!"Content-Type"; http_header; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38557; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger outbound connection"; flow:to_server,established; content:"/News/gate.php"; fast_pattern:only; http_uri; content:"="; depth:4; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38558; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - keystorkes"; flow:to_server,established; content:"/News/gate.php?"; fast_pattern:only; http_uri; content:"<br><br><b><big>"; http_client_body; pcre:"/\/News\/gate\.php\x3f[a-f0-9]{32}\x3d\d/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38559; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - screenshot"; flow:to_server,established; content:"/News/gate.php?"; fast_pattern:only; http_uri; content:"JFIF"; http_client_body; pcre:"/\/News\/gate\.php\x3f[a-f0-9]{32}\x3d\d/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38560; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger plugins download attempt"; flow:to_server,established; content:".p HTTP/1.1"; fast_pattern:only; content:"/plugins/"; http_uri; pcre:"/\/plugins\/[a-z]{3,10}\.p/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38561; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; content:"pc="; nocase; http_client_body; content:"&admin="; distance:0; nocase; http_client_body; content:"&os="; distance:0; nocase; http_client_body; content:"&hid="; distance:0; nocase; http_client_body; content:"&arc="; distance:0; nocase; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38562; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response"; flow:to_client,established; file_data; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:">404 Not Found<"; fast_pattern:only; content:" requested URL / was not found "; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38563; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger keylog exfiltration attempt"; flow:to_server,established; content:"/post.php?"; fast_pattern:only; http_uri; content:"pl="; http_uri; content:"&education="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38564; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt"; flow:to_server,established; content:"/cgi-bin/cgi.cgi"; fast_pattern:only; http_uri; content:"u="; nocase; http_uri; content:"p="; nocase; http_uri; isdataat:260,relative; pcre:"/[?&]p=[^&\s]{260}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:attempted-admin; sid:46309; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt"; flow:to_server,established; content:"/cgi-bin/cgi.cgi"; fast_pattern:only; http_uri; content:"u="; nocase; http_uri; isdataat:35,relative; pcre:"/[?&]u=[^&\s]{35}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:attempted-admin; sid:46310; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla restore.php PHP object injection attempt"; flow:to_server,established; content:"/administrator/components/com_joomlaupdate/restore.php"; fast_pattern:only; http_uri; content:"factory="; nocase; http_uri; content:"OjI2OiJraWNrc3RhcnQuc2V0dXAuc291cmNlZmlsZSI7"; content:"aHR0cDovL"; metadata:ruleset community, service http; reference:cve,2014-7228; classtype:web-application-attack; sid:46315; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"SERVER-OTHER QNAP QTS hard coded credential access attempt"; flow:to_server,established; content:"PASS joxu06wj/|0D 0A|"; fast_pattern:only; metadata:ruleset community, service ftp; reference:cve,2015-7261; classtype:default-login-attempt; sid:46335; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Akeeba Kickstart restoration.php reconnaissance attempt"; flow:to_server,established; content:"administrator/components/com_joomlaupdate/restoration.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2014-7229; classtype:web-application-attack; sid:46340; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Akeeba Kickstart cross site request forgery attempt"; flow:to_client,established; file_data; content:"administrator/index.php"; fast_pattern:only; content:"option=com_joomlaupdate"; nocase; content:"task=update.install"; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2014-7229; classtype:web-application-attack; sid:46341; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER QNAP QTS cross site request forgery attempt"; flow:to_client,established; file_data; content:"cgi-bin/create_user.cgi"; fast_pattern:only; content:"function="; nocase; content:"subfun="; nocase; content:"NAME="; nocase; content:"PASSWD="; nocase; content:"VERIFY="; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0144; classtype:attempted-admin; sid:46342; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER libgd heap-overflow attempt"; flow:to_server,established; content:"gd2|00 00 02|"; fast_pattern; content:"|02|"; within:1; distance:7; byte_test:1,>,128,16,relative; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-3074; classtype:web-application-attack; sid:46376; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER libgd heap-overflow attempt"; flow:to_server,established; content:"gd2|00 00 02|"; fast_pattern; content:"|02|"; within:1; distance:7; byte_test:1,>,128,8,relative; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-3074; classtype:web-application-attack; sid:46377; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE malicious file download attempt"; flow:to_server,established; content:"|2F 70 6F 63|"; http_uri; pcre:"/\x2f\x70\x6f\x63(\d*|\x5f[\x61-\x7a]+)\x2e(\x68\x74\x6d\x6c|\x78(\x6c\x73|\x73\x6c|\x6d\x6c)|\x6a(\x73|\x61\x76a)|\x61\x73\x70|\x70(\x64f|\x70\x74|\x48\x70|\x73\x64)|\x66\x6c\x76|\x73\x77\x66|\x64\x6fc|\x74\x74\x66|\x62\x6d\x70|\x6d(\x70\x33|\x33\x75))/Ui"; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:misc-activity; sid:37963; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MikroTik RouterOS jsproxy readPostData memory corruption attempt"; flow:to_server,established; content:"/jsproxy"; depth:8; fast_pattern; nocase; http_uri; content:"|0D 0A|Content-Length: "; nocase; byte_test:10,>,0x20000,0,relative,string,dec; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,forum.mikrotik.com/viewtopic.php?t=119308; classtype:attempted-admin; sid:45555; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS MikroTik RouterOS buffer overflow attempt"; flow:to_server,established; content:"|81 00|"; depth:2; byte_test:2,>,75,0,relative; byte_extract:2,0,len,relative; isdataat:!len,relative; isdataat:len; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:bugtraq,103427; reference:cve,2018-7445; classtype:attempted-user; sid:46076; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rpc-nlog.pl access"; flow:to_server,established; content:"/rpc-nlog.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1278; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=91470326629357&w=2; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=91471400632145&w=2; classtype:web-application-activity; sid:1931; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux Kernel Challenge ACK provocation attempt"; flow:to_server,no_stream; flags:R; detection_filter:track by_src, count 200, seconds 1; metadata:ruleset community; reference:bugtraq,91704; reference:cve,2016-5696; reference:cve,2017-7285; classtype:attempted-admin; sid:40063; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8291 (msg:"SERVER-OTHER Mikrotik RouterOS denial of service attempt"; flow:to_server,established; content:"|12 02|"; depth:2; content:"|FF ED 00 00 00 00|"; distance:0; metadata:ruleset community; reference:cve,2012-6050; classtype:denial-of-service; sid:44643; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MikroTik RouterOS cross site request forgery attempt"; flow:to_server,established; content:"/cfg"; fast_pattern:only; http_uri; content:"process=password"; nocase; http_uri; content:"password1="; nocase; http_uri; content:"password2="; nocase; http_uri; content:"button="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,73013; reference:cve,2015-2350; classtype:policy-violation; sid:44790; rev:2;)
# alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DD-WRT httpd cgi-bin remote command execution attempt"; flow:to_server,established; content:"/cgi-bin/|3B|"; nocase; http_uri; content:"$"; distance:0; http_uri; content:"IFS"; within:4; http_uri; metadata:ruleset community, service http; reference:bugtraq,35742; reference:bugtraq,94819; reference:cve,2009-2765; reference:cve,2016-6277; classtype:attempted-admin; sid:26275; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNDR4700 and R6200 admin interface authentication bypass attempt"; flow:to_server,established; content:"/BRS_03B_haveBackupFile_fileRestore.html"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,59406; reference:cve,2013-3071; reference:url,osvdb.org/show/osvdb/92555; classtype:attempted-admin; sid:35734; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNR2000 authentication bypass attempt"; flow:to_server,established; content:"/apply_noauth.cgi"; depth:17; nocase; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-10176; reference:url,seclists.org/fulldisclosure/2016/Dec/72; classtype:attempted-admin; sid:41095; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNR2000 hidden_lang_avi stack buffer overflow attempt"; flow:to_server,established; content:"/lang_check"; nocase; http_uri; content:"hidden_lang_avi="; nocase; http_client_body; isdataat:36,relative; content:!"&"; within:36; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-10174; reference:url,seclists.org/fulldisclosure/2016/Dec/72; classtype:attempted-admin; sid:41096; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear passwordrecovered.cgi insecure admin password disclosure attempt"; flow:to_server,established; content:"/passwordrecovered.cgi"; fast_pattern:only; http_uri; content:"id="; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:bugtraq,95457; reference:cve,2017-5521; reference:url,kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability; classtype:attempted-recon; sid:41504; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt"; flow:to_server,established; content:"/ping.cgi"; nocase; http_uri; content:"ping_IPAddr="; fast_pattern:only; http_client_body; pcre:"/(^|&)ping_IPAddr=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-6077; reference:url,seclists.org/fulldisclosure/2017/Feb/50; classtype:web-application-attack; sid:41698; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt"; flow:to_server,established; content:"/ping.cgi"; nocase; http_uri; content:"ping_IPAddr="; fast_pattern:only; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]ping_IPAddr=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-6077; reference:url,seclists.org/fulldisclosure/2017/Feb/50; classtype:web-application-attack; sid:41699; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt"; flow:to_server,established; content:"/ping.cgi"; nocase; http_uri; content:"ping_IPAddr="; fast_pattern:only; http_uri; pcre:"/[?&]ping_IPAddr=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-6077; reference:url,seclists.org/fulldisclosure/2017/Feb/50; classtype:web-application-attack; sid:41700; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt"; flow:to_server,established; content:"/dnslookup.cgi"; fast_pattern:only; http_uri; content:"host_name"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?host_name((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-6334; classtype:web-application-attack; sid:41748; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt"; flow:to_server,established; content:"/dnslookup.cgi"; fast_pattern:only; http_uri; content:"host_name="; nocase; http_client_body; pcre:"/(^|&)host_name=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-6334; classtype:web-application-attack; sid:41749; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt"; flow:to_server,established; content:"/dnslookup.cgi"; fast_pattern:only; http_uri; content:"host_name="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]host_name=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-6334; classtype:web-application-attack; sid:41750; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt"; flow:to_server,established; content:"/dnslookup.cgi"; fast_pattern:only; http_uri; content:"host_name="; nocase; http_uri; pcre:"/[?&]host_name=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-6334; classtype:web-application-attack; sid:41751; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN1000 series routers authentication bypass attempt"; flow:to_server,established; content:"/setup.cgi"; nocase; http_uri; content:"currentsetting.htm"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:bugtraq,60281; reference:url,www.exploit-db.com/exploits/25978/; classtype:attempted-admin; sid:44687; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN1000 series routers arbitrary command execution attempt"; flow:to_server,established; content:"/setup.cgi"; nocase; http_uri; content:"todo=syscmd"; fast_pattern:only; content:"cmd="; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:bugtraq,60281; reference:url,www.exploit-db.com/exploits/25978/; classtype:attempted-admin; sid:44688; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Internal field separator use in HTTP URI attempt"; flow:to_server,established; content:"$IFS"; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:44698; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Internal field separator use in HTTP URI attempt"; flow:to_server,established; content:"${IFS}"; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:44699; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNR2000 information leak attempt"; flow:to_server,established; content:"/BRS_netgear_success.html"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-10175; reference:url,seclists.org/fulldisclosure/2016/Dec/72; classtype:attempted-recon; sid:45001; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNR2000 information disclosure attempt"; flow:to_server,established; content:"/cgi-bin/NETGEAR_WNR2000.cfg"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.netgear.com/home/products/networking/wifi-routers/WNR2000.aspx; classtype:attempted-recon; sid:46312; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNR2000 information disclosure attempt"; flow:to_server,established; content:"/cgi-bin/upg_restore.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.netgear.com/home/products/networking/wifi-routers/WNR2000.aspx; classtype:attempted-recon; sid:46313; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNR2000 information disclosure attempt"; flow:to_server,established; content:"/router-info.htm"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.netgear.com/home/products/networking/wifi-routers/WNR2000.aspx; classtype:attempted-recon; sid:46314; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"SERVER-OTHER NETGEAR TelnetEnable attempt"; flow:to_server,established; content:"|C0 F3 AC 2A 40 79 49 0C A3 6E 89 64 73 66 0F 0B|"; content:"|5D FC 67 3A 16 DC 00 56 A3 6E 89 64 73 66 0F 0B|"; metadata:ruleset community; classtype:attempted-admin; sid:46317; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cryptowall variant outbound connection"; flow:to_server,established; urilen:27; content:"/blog-trabajos/n65dj17i1836"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f75b9ed535c3b33ead4da28854f3e8d6e805135679a2352463184acb06ffcaf0/analysis/; classtype:trojan-activity; sid:32225; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"SERVER-OTHER NETGEAR TelnetEnable attempt"; flow:to_server; content:"|59 0D B1 E7 67 23 51 BA 5B 5D 52 33 91 0D 09 7F|"; content:"|09 44 80 0E DE B6 FA 3B 5B 5D 52 33 91 0D 09 7F|"; metadata:ruleset community; classtype:attempted-admin; sid:46318; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt"; flow:to_server,established; content:"/wlg_sec_profile_main.cgi"; fast_pattern:only; http_uri; content:"ssid="; nocase; http_client_body; pcre:"/ssid=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.netgear.com/home/products/networking/dsl-modems-routers/dgn2200.aspx; classtype:attempted-user; sid:46322; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt"; flow:to_server,established; content:"/fw_serv_add.cgi"; fast_pattern:only; http_uri; content:"userdefined="; nocase; http_client_body; pcre:"/userdefined=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.netgear.com/home/products/networking/dsl-modems-routers/dgn2200.aspx; classtype:attempted-user; sid:46323; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1040 (msg:"PROTOCOL-OTHER TP-Link TDDP SET_CONFIG type buffer overflow attempt"; flow:to_server; dsize:>336; content:"|01 01 00|"; depth:3; byte_test:4,>=,0x0264,4,big; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.coresecurity.com/advisories/tp-link-tddp-multiple-vulnerabilities; classtype:attempted-user; sid:40866; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Buterat variant outbound connection"; flow:to_server,established; content:"From|3A|"; http_header; content:"Via|3A|"; http_header; urilen:13; pcre:"/^\x2f\d{3}\x2f\d{3}\x2ehtml$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/90fb793d1fd7245b841ca4b195e3944a991d97d854090729062d700fe74553e5/analysis/; classtype:trojan-activity; sid:25269; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1040 (msg:"PROTOCOL-OTHER TP-Link TDDP Get_config configuration leak attempt"; flow:to_server; content:"|01 02 00|"; depth:3; content:"|00 00|"; within:2; distance:7; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.coresecurity.com/advisories/tp-link-tddp-multiple-vulnerabilities; classtype:attempted-recon; sid:40907; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER SSDP M-SEARCH ssdp-all potential amplified distributed denial-of-service attempt"; flow:to_server,no_stream; content:"M-SEARCH"; depth:9; content:"ssdp:all"; fast_pattern:only; detection_filter:track by_src,count 50,seconds 1; metadata:ruleset community, service ssdp; reference:cve,2013-5211; reference:url,www.us-cert.gov/ncas/alerts/TA14-017A; classtype:attempted-dos; sid:45157; rev:3;)