#Samples:
b8ec727d4f97edaaa8ddeeac3673a1aed94ee95aacde5f93e66fc0db30c3dec8
770113543f9c189d306ea2984482ee445c9c4723a6e415cf7614b0a448f38b66
f33aaa2360e89fc9015cb14d9441b87f169a5ca0451aa9d9adfd440946212668

#Rules:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"FlashPoint DMSniff UserAgent"; flow:established,to_server; content:"DSNF_"; http_user_agent; classtype:trojan-activity; sid:9000030; rev:1; metadata:author Jason Reaves;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"FlashPoint DMSniff Checkin Response"; flow:established,to_client; content:"200"; http_stat_code; content:"Error"; content:"This Account Has Been Suspended"; http_server_body; classtype:trojan-activity; sid:9000031; rev:1; metadata:author Jason Reaves;)