From 5d82ab0460210c502103be8456860dad6b79f56d Mon Sep 17 00:00:00 2001 From: kev Date: Mon, 8 Jun 2020 14:16:46 +0800 Subject: [PATCH] update snort --- snort/Dockerfile | 3 + snort/README.md | 7 +- snort/data/rules/community.rules | 2191 ++++++++++++++++-------------- snort/data/snort.conf | 4 +- snort/data/u2json.conf | 7 + snort/docker-compose.yml | 3 +- 6 files changed, 1199 insertions(+), 1016 deletions(-) create mode 100644 snort/data/u2json.conf diff --git a/snort/Dockerfile b/snort/Dockerfile index 6217b0d..f1fc6de 100644 --- a/snort/Dockerfile +++ b/snort/Dockerfile @@ -22,9 +22,12 @@ RUN set -xe \ /etc/snort/preproc_rules \ /usr/local/lib/snort_dynamicrules \ && ln -s /usr/lib64/libdnet.so.1 /usr/local/lib/libdnet.1 \ + && curl -sSL https://bootstrap.pypa.io/get-pip.py | python \ + && pip install idstools \ && yum clean all COPY data/snort.conf /etc/snort/snort.conf +COPY data/u2json.conf /etc/snort/u2json.conf ENTRYPOINT ["snort"] CMD ["--help"] diff --git a/snort/README.md b/snort/README.md index fd97599..5896298 100644 --- a/snort/README.md +++ b/snort/README.md @@ -9,9 +9,10 @@ traffic analysis and packet logging. ```yaml snort: image: vimagick/snort - command: -q -c /etc/snort/snort.conf -A fast -y -i eth0 + command: -q -c /etc/snort/snort.conf -y -i eth0 volumes: - ./data/snort.conf:/etc/snort/snort.conf + - ./data/u2json.conf:/etc/snort/u2json.conf - ./data/rules:/etc/snort/rules - ./data/log:/var/log/snort cap_add: @@ -29,6 +30,8 @@ alert icmp any any -> any any (msg:"ICMP Echo Reply"; itype:0; sid:10001;) ```bash $ docker-compose up -d +$ docker-compose exec snort idstools-u2json @/etc/snort/u2json.conf --stdout + $ tail -f data/log/alert snort_1 | 08/26/18-06:47:35.460754 [**] [1:10000:0] ICMP Echo Request [**] [Priority: 0] {ICMP} x.x.x.x -> y.y.y.y snort_1 | 08/26/18-06:47:35.460835 [**] [1:10001:0] ICMP Echo Reply [**] [Priority: 0] {ICMP} y.y.y.y -> x.x.x.x 
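Review bot: The new `&& curl -sSL https://bootstrap.pypa.io/get-pip.py | python \` line executes a remote script with no integrity check, and the following `&& pip install idstools \` is unpinned, so two build-time dependencies of the image are whatever those hosts serve on the day of the build. Pinning makes the image reproducible and lets a changed or compromised upstream be noticed rather than silently baked in: `&& pip install idstools==<PINNED_VERSION> \` (substitute the version you tested against), and either install pip from the base image's package repository or download get-pip.py to a file and compare its sha256 against a value recorded in the repository before running it. It is also worth confirming which Python the base image's `python` is, since the unversioned get-pip.py URL no longer serves an installer compatible with Python 2.x and the build would then fail at this step. The RUN instruction this hunk modifies starts above the hunk.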
@@ -37,7 +40,7 @@ $ tcpdump -n -r data/log/snort.log.xxx 06:47:35.460754 IP x.x.x.x > y.y.y.y: ICMP echo request, id 17767, seq 933, length 12 06:47:35.460835 IP y.y.y.y > x.x.x.x: ICMP echo reply, id 17767, seq 933, length 12 -$ while :; do inotifywait -q -e modify data/log/alert && play -q alert.wav; done +$ while :; do inotifywait -q -e modify data/log/alert.json && play -q alert.wav; done ``` [1]: https://snort.org/ diff --git a/snort/data/rules/community.rules b/snort/data/rules/community.rules index ed11893..85a57c7 100644 --- a/snort/data/rules/community.rules +++ b/snort/data/rules/community.rules @@ -1,4 +1,4 @@ -# Copyright 2001-2018 Sourcefire, Inc. All Rights Reserved. +# Copyright 2001-2020 Sourcefire, Inc. All Rights Reserved. # # This file contains rules that were created by Sourcefire, Inc. and other third parties # (the "GPL Rules") that are distributed under the GNU General Public License (GPL), 
@@ -26,7 +26,7 @@
 # alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR HackAttack 1.20 Connect"; flow:established,to_client; content:"host"; metadata:ruleset community; classtype:misc-activity; sid:141; rev:10;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:"w0rm"; distance:1; nocase; pcre:"/^USER\s+w0rm/smi"; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:144; rev:16;)
 # alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR NetSphere access"; flow:established,to_client; content:"NetSphere"; metadata:ruleset community; classtype:trojan-activity; sid:146; rev:13;)
-# alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR GateCrasher"; flow:established,to_client; content:"GateCrasher"; depth:11; nocase; content:"Server"; distance:0; nocase; content:"On-Line..."; distance:0; nocase; pcre:"/^GateCrasher\s+v\d+\x2E\d+\x2C\s+Server\s+On-Line\x2E\x2E\x2E/smi"; metadata:ruleset community; reference:url,www.spywareguide.com/product_show.php?id=973; classtype:trojan-activity; sid:147; rev:11;)
+# alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR GateCrasher"; flow:established,to_client; content:"GateCrasher"; depth:11; nocase; content:"Server"; distance:0; nocase; content:"On-Line..."; distance:0; nocase; pcre:"/^GateCrasher\s+v\d+\x2E\d+\x2C\s+Server\s+On-Line\x2E\x2E\x2E/smi"; metadata:policy max-detect-ips drop, ruleset community; reference:url,www.spywareguide.com/product_show.php?id=973; classtype:trojan-activity; sid:147; rev:12;)
 # alert tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR BackConstruction 2.1 Connection"; flow:established,to_client; content:"c|3A 5C|"; metadata:ruleset community; classtype:misc-activity; sid:152; rev:11;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"MALWARE-BACKDOOR BackConstruction 2.1 Client FTP Open Request"; flow:to_server,established; content:"FTPON"; metadata:ruleset community; classtype:misc-activity; sid:157; rev:9;)
 # alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR BackConstruction 2.1 Server FTP Open Reply"; flow:to_client,established; content:"FTP Port open"; metadata:ruleset community; classtype:misc-activity; sid:158; rev:10;)
@@ -35,15 +35,15 @@
 # alert tcp $HOME_NET 5714 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR WinCrash 1.0 Server Active"; flow:stateless; flags:SA,12; content:"|B4 B4|"; metadata:ruleset community; classtype:misc-activity; sid:163; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"MALWARE-BACKDOOR CDK"; flow:to_server,established; content:"ypi0ca"; depth:15; nocase; metadata:ruleset community; classtype:misc-activity; sid:185; rev:10;)
 # alert udp $HOME_NET 2140 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Server Response"; flow:to_client; content:"Ahhhh My Mouth Is Open"; metadata:ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:195; rev:14;)
-# alert tcp $HOME_NET 555 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR PhaseZero Server Active on Network"; flow:established,to_client; content:"phAse zero server"; depth:17; nocase; metadata:ruleset community; reference:url,www.megasecurity.org/trojans/p/phasezero/PhaseZero1.0b.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4539; classtype:trojan-activity; sid:208; rev:12;)
+# alert tcp $HOME_NET 555 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR PhaseZero Server Active on Network"; flow:established,to_client; content:"phAse zero server"; depth:17; nocase; metadata:policy max-detect-ips drop, ruleset community; reference:url,www.megasecurity.org/trojans/p/phasezero/PhaseZero1.0b.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4539; classtype:trojan-activity; sid:208; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR w00w00 attempt"; flow:to_server,established; content:"w00w00"; metadata:ruleset community; classtype:attempted-admin; sid:209; rev:9;)
 # alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR attempt"; flow:to_server,established; content:"backdoor"; nocase; metadata:ruleset community; classtype:attempted-admin; sid:210; rev:7;)
 # alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC r00t attempt"; flow:to_server,established; content:"r00t"; metadata:ruleset community; classtype:attempted-admin; sid:211; rev:7;)
 # alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC rewt attempt"; flow:to_server,established; content:"rewt"; metadata:ruleset community; classtype:attempted-admin; sid:212; rev:7;)
-# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"wh00t!"; metadata:ruleset community; classtype:attempted-admin; sid:213; rev:8;)
-# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Linux rootkit attempt lrkr0x"; flow:to_server,established; content:"lrkr0x"; metadata:ruleset community; classtype:attempted-admin; sid:214; rev:8;)
-# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"d13hh["; nocase; metadata:ruleset community; classtype:attempted-admin; sid:215; rev:8;)
-# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Linux rootkit satori attempt"; flow:to_server,established; content:"satori"; metadata:ruleset community; classtype:attempted-admin; sid:216; rev:11;)
+# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"wh00t!"; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1014; classtype:attempted-admin; sid:213; rev:9;)
+# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Linux rootkit attempt lrkr0x"; flow:to_server,established; content:"lrkr0x"; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1014; classtype:attempted-admin; sid:214; rev:9;)
+# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"d13hh["; nocase; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1014; classtype:attempted-admin; sid:215; rev:9;)
+# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Linux rootkit satori attempt"; flow:to_server,established; content:"satori"; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1014; classtype:attempted-admin; sid:216; rev:12;)
 # alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC sm4ck attempt"; flow:to_server,established; content:"hax0r"; metadata:ruleset community; classtype:attempted-admin; sid:217; rev:7;)
 # alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Solaris 2.5 attempt"; flow:to_server,established; content:"friday"; metadata:ruleset community; classtype:attempted-user; sid:218; rev:8;)
 # alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR HidePak backdoor attempt"; flow:to_server,established; content:"StoogR"; metadata:ruleset community; classtype:misc-activity; sid:219; rev:10;)
@@ -60,11 +60,11 @@
 # alert tcp $HOME_NET 20432 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER shaft client login to handler"; flow:to_client,established; content:"login|3A|"; fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138; reference:url,security.royans.net/info/posts/bugtraq_ddos3.shtml; classtype:attempted-dos; sid:230; rev:13;)
 # alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"MALWARE-OTHER Trin00 Daemon to Master message detected"; flow:to_server; content:"l44"; fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:231; rev:11;)
 # alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"MALWARE-OTHER Trin00 Daemon to Master *HELLO* message detected"; flow:to_server; content:"*HELLO*"; metadata:ruleset community; reference:cve,2000-0138; reference:url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm; classtype:attempted-dos; sid:232; rev:13;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"MALWARE-OTHER Trin00 Attacker to Master default startup password"; flow:established,to_server; content:"betaalmostdone"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:233; rev:10;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"MALWARE-OTHER Trin00 Attacker to Master default password"; flow:established,to_server; content:"gOrave"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:234; rev:8;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"MALWARE-OTHER Trin00 Attacker to Master default mdie password"; flow:established,to_server; content:"killme"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:235; rev:8;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"MALWARE-OTHER Trin00 Attacker to Master default startup password"; flow:established,to_server; content:"betaalmostdone"; metadata:ruleset community; reference:cve,2000-0138; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-dos; sid:233; rev:11;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"MALWARE-OTHER Trin00 Attacker to Master default password"; flow:established,to_server; content:"gOrave"; metadata:ruleset community; reference:cve,2000-0138; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-dos; sid:234; rev:9;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"MALWARE-OTHER Trin00 Attacker to Master default mdie password"; flow:established,to_server; content:"killme"; metadata:ruleset community; reference:cve,2000-0138; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-dos; sid:235; rev:9;)
 # alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht client check gag"; icmp_id:668; itype:0; content:"gesundheit!"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:236; rev:13;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (msg:"MALWARE-OTHER Trin00 Master to Daemon default password attempt"; flow:to_server; content:"l44adsl"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:237; rev:10;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (msg:"MALWARE-OTHER Trin00 Master to Daemon default password attempt"; flow:to_server; content:"l44adsl"; metadata:ruleset community; reference:cve,2000-0138; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-dos; sid:237; rev:11;)
 # alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP TFN server response"; icmp_id:123; itype:0; content:"shell bound"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:238; rev:14;)
 # alert udp $EXTERNAL_NET any -> $HOME_NET 18753 (msg:"MALWARE-OTHER shaft handler to agent"; flow:to_server; content:"alive tijgu"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:239; rev:10;)
 # alert udp $EXTERNAL_NET any -> $HOME_NET 20433 (msg:"MALWARE-OTHER shaft agent to handler"; flow:to_server; content:"alive"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:240; rev:10;)
@@ -76,11 +76,11 @@
 # alert tcp $HOME_NET 12754 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER mstream handler to client"; flow:to_client,established; content:">"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:248; rev:8;)
 # alert tcp $HOME_NET 15104 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER mstream handler to client"; flow:to_client,established; content:">"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:250; rev:10;)
 # alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP - TFN client command LE"; icmp_id:51201; icmp_seq:0; itype:0; pcre:"/^[0-9]{1,5}\x00/"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:251; rev:11;)
-# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS SPOOF query response PTR with TTL of 1 min. and no authority"; flow:to_client; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; fast_pattern:only; metadata:ruleset community, service dns; classtype:bad-unknown; sid:253; rev:14;)
-# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority"; flow:to_client; content:"|81 80|"; depth:4; offset:2; fast_pattern; byte_test:2,>,0,0,relative,big; byte_test:2,>,0,2,relative,big; content:"|00 00 00 00|"; within:4; distance:4; content:"|C0 0C 00 01 00 01|"; distance:0; byte_test:4,<,61,0,relative,big; byte_test:4,>,0,0,relative,big; metadata:ruleset community, service dns; classtype:bad-unknown; sid:254; rev:15;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dns zone transfer via TCP detected"; flow:to_server,established; content:"|00 01 00 00 00 00 00|"; depth:8; offset:6; byte_test:1,!&,0xF8,4; content:"|00 00 FC 00 01|"; fast_pattern; isdataat:!1,relative; metadata:ruleset community, service dns; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:255; rev:23;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named authors attempt"; flow:to_server; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:ruleset community, service dns; reference:nessus,10728; classtype:attempted-recon; sid:256; rev:15;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:ruleset community, service dns; reference:nessus,10028; classtype:attempted-recon; sid:257; rev:17;)
+# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS SPOOF query response PTR with TTL of 1 min. and no authority"; flow:to_client; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service dns; classtype:bad-unknown; sid:253; rev:15;)
+# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority"; flow:to_client; content:"|81 80|"; depth:4; offset:2; fast_pattern; byte_test:2,>,0,0,relative,big; byte_test:2,>,0,2,relative,big; content:"|00 00 00 00|"; within:4; distance:4; content:"|C0 0C 00 01 00 01|"; distance:0; byte_test:4,<,61,0,relative,big; byte_test:4,>,0,0,relative,big; metadata:policy max-detect-ips drop, ruleset community, service dns; classtype:bad-unknown; sid:254; rev:16;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dns zone transfer via TCP detected"; flow:to_server,established; content:"|00 01 00 00 00 00 00|"; depth:8; offset:6; byte_test:1,!&,0xF8,4; content:"|00 00 FC 00 01|"; fast_pattern; isdataat:!1,relative; metadata:policy max-detect-ips drop, ruleset community, service dns; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:255; rev:24;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named authors attempt"; flow:to_server; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:policy max-detect-ips drop, ruleset community, service dns; reference:nessus,10728; classtype:attempted-recon; sid:256; rev:16;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:policy max-detect-ips drop, ruleset community, service dns; reference:nessus,10028; classtype:attempted-recon; sid:257; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer Overflow via NXT records"; flow:to_server,established; content:"../../../"; fast_pattern:only; metadata:ruleset community, service dns; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:258; rev:17;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer Overflow via NXT records named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; fast_pattern:only; metadata:ruleset community, service dns; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:259; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer Overflow via NXT records named overflow ADMROCKS"; flow:to_server,established; content:"ADMROCKS"; metadata:ruleset community, service dns; reference:bugtraq,788; reference:cve,1999-0833; reference:url,www.cert.org/advisories/CA-1999-14.html; classtype:attempted-admin; sid:260; rev:19;)
@@ -90,14 +90,14 @@
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-LINUX x86 Linux overflow attempt ADMv2"; flow:to_server,established; content:"|89 F7 29 C7 89 F3 89 F9 89 F2 AC|<|FE|"; fast_pattern:only; metadata:ruleset community, service dns; classtype:attempted-admin; sid:265; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-OTHER x86 FreeBSD overflow attempt"; flow:to_server,established; content:"|EB|n^|C6 06 9A|1|C9 89|N|01 C6|F|05|"; metadata:ruleset community, service dns; classtype:attempted-admin; sid:266; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-SOLARIS EXPLOIT sparc overflow attempt"; flow:to_server,established; content:"|90 1A C0 0F 90 02| |08 92 02| |0F D0 23 BF F8|"; fast_pattern:only; metadata:ruleset community, service dns; classtype:attempted-admin; sid:267; rev:13;)
-# alert udp any 19 <> any 7 (msg:"SERVER-OTHER UDP echo+chargen bomb"; flow:to_server; metadata:ruleset community; reference:cve,1999-0103; reference:cve,1999-0635; classtype:attempted-dos; sid:271; rev:11;)
+# alert udp any 19 <> any 7 (msg:"SERVER-OTHER UDP echo+chargen bomb"; flow:to_server; metadata:policy max-detect-ips drop, ruleset community; reference:cve,1999-0103; reference:cve,1999-0635; classtype:attempted-dos; sid:271; rev:12;)
 # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS Microsoft WIndows IGMP dos attack"; fragbits:M+; ip_proto:2; metadata:ruleset community; reference:bugtraq,514; reference:cve,1999-0918; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-034; classtype:attempted-dos; sid:272; rev:16;)
 # alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP ath"; itype:8; content:"+++ath"; fast_pattern:only; metadata:ruleset community; reference:cve,1999-1228; classtype:attempted-dos; sid:274; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"SERVER-OTHER RealNetworks Audio Server denial of service attempt"; flow:to_server,established; content:"|FF F4 FF FD 06|"; fast_pattern:only; metadata:ruleset community; reference:cve,1999-0271; reference:nessus,10183; classtype:attempted-dos; sid:276; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"SERVER-OTHER RealNetworks Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,1288; reference:cve,2000-0474; reference:nessus,10461; classtype:attempted-dos; sid:277; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-OTHER RealNetworks Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:278; rev:13;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SERVER-OTHER Bay/Nortel Nautica Marlin"; flow:to_server; dsize:0; metadata:ruleset community; reference:bugtraq,1009; reference:cve,2000-0221; classtype:attempted-dos; sid:279; rev:10;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 9 (msg:"SERVER-OTHER Ascend Route"; flow:to_server; content:"NAMENAME"; depth:50; offset:25; metadata:ruleset community; reference:bugtraq,714; reference:cve,1999-0060; classtype:attempted-dos; sid:281; rev:12;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SERVER-OTHER Bay/Nortel Nautica Marlin"; flow:to_server; dsize:0; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,1009; reference:cve,2000-0221; classtype:attempted-dos; sid:279; rev:11;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 9 (msg:"SERVER-OTHER Ascend Route"; flow:to_server; content:"NAMENAME"; depth:50; offset:25; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,714; reference:cve,1999-0060; classtype:attempted-dos; sid:281; rev:13;)
 # alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"BROWSER-OTHER Netscape 4.7 client overflow"; flow:to_client,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; metadata:ruleset community; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:attempted-user; sid:283; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"^|0E|1|C0 B0 3B 8D|~|0E 89 FA 89 F9|"; fast_pattern:only; metadata:ruleset community, service pop3; reference:bugtraq,133; reference:cve,1999-0006; reference:nessus,10196; classtype:attempted-admin; sid:286; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"h]^|FF D5 FF D4 FF F5 8B F5 90|f1"; fast_pattern:only; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:287; rev:12;)
@@ -108,20 +108,20 @@
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 2766 (msg:"OS-SOLARIS Oracle Solaris npls x86 overflow"; flow:to_server,established; content:"|EB 23|^3|C0 88|F|FA 89|F|F5 89|6"; metadata:ruleset community; reference:bugtraq,2319; reference:cve,1999-1588; classtype:attempted-admin; sid:300; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER LPRng overflow"; flow:to_server,established; content:"C|07 89|[|08 8D|K|08 89|C|0C B0 0B CD 80|1|C0 FE C0 CD 80 E8 94 FF FF FF|/bin/sh|0A|"; metadata:ruleset community; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:301; rev:12;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-LINUX Redhat 7.0 lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300|24|n"; metadata:ruleset community; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:302; rev:14;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt"; flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01| |02|a"; metadata:ruleset community, service dns; reference:bugtraq,2302; reference:cve,2001-0010; reference:nessus,10605; classtype:attempted-admin; sid:303; rev:23;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt"; flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01| |02|a"; metadata:policy max-detect-ips drop, ruleset community, service dns; reference:bugtraq,2302; reference:cve,2001-0010; reference:nessus,10605; classtype:attempted-admin; sid:303; rev:24;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"SERVER-OTHER SCO calserver overflow"; flow:to_server,established; content:"|EB 7F|]U|FE|M|98 FE|M|9B|"; metadata:ruleset community; reference:bugtraq,2353; reference:cve,2000-0306; classtype:attempted-admin; sid:304; rev:12;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-OTHER delegate proxy overflow"; flow:to_server,established; isdataat:1000; content:"whois|3A|//"; nocase; metadata:ruleset community; reference:bugtraq,808; reference:cve,2000-0165; classtype:attempted-admin; sid:305; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-OTHER VQServer admin"; flow:to_server,established; content:"GET / HTTP/1.1"; nocase; metadata:ruleset community; reference:bugtraq,1610; reference:cve,2000-0766; reference:nessus,10354; reference:url,www.vqsoft.com/vq/server/docs/other/control.html; classtype:attempted-admin; sid:306; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 6666:7000 (msg:"SERVER-OTHER CHAT IRC topic overflow"; flow:to_client,established; content:"|EB|K[S2|E4 83 C3 0B|K|88 23 B8|Pw"; metadata:ruleset community; reference:bugtraq,573; reference:cve,1999-0672; classtype:attempted-user; sid:307; rev:12;)
 # alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"SERVER-OTHER NextFTP client overflow"; flow:to_client,established; content:"|B4| |B4|!|8B CC 83 E9 04 8B 19|3|C9|f|B9 10|"; metadata:ruleset community, service ftp; reference:bugtraq,572; reference:cve,1999-0671; classtype:attempted-user; sid:308; rev:14;)
-# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL sniffit overflow"; flow:to_server,established; dsize:>512; flags:A+; content:"from|3A 90 90 90 90 90 90 90 90 90 90 90|"; nocase; metadata:ruleset community, service smtp; reference:bugtraq,1158; reference:cve,2000-0343; classtype:attempted-admin; sid:309; rev:16;)
+# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL sniffit overflow"; flow:to_server,established; isdataat:512; flags:A+; content:"from|3A 90 90 90 90 90 90 90 90 90 90 90|"; nocase; metadata:ruleset community, service smtp; reference:bugtraq,1158; reference:cve,2000-0343; classtype:attempted-admin; sid:309; rev:17;)
 # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL x86 windows MailMax overflow"; flow:to_server,established; content:"|EB|E|EB| [|FC|3|C9 B1 82 8B F3 80|+"; fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2312; reference:cve,1999-0404; classtype:attempted-admin; sid:310; rev:13;)
 # alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BROWSER-OTHER Netscape 4.7 unsucessful overflow"; flow:to_server,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; metadata:ruleset community; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:unsuccessful-user; sid:311; rev:15;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 518 (msg:"OS-LINUX ntalkd x86 Linux overflow"; flow:to_server; content:"|01 03 00 00 00 00 00 01 00 02 02 E8|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,210; classtype:attempted-admin; sid:313; rev:9;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt"; flow:to_server; content:"|80 00 07 00 00 00 00 00 01|?|00 01 02|"; fast_pattern:only; metadata:ruleset community, service dns; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-admin; sid:314; rev:22;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"OS-LINUX x86 Linux mountd overflow"; flow:to_server; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; metadata:ruleset community; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:315; rev:10;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"OS-LINUX x86 Linux mountd overflow"; flow:to_server; content:"|EB|V^VVV1|D2 88|V|0B 88|V|1E|"; metadata:ruleset community; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:316; rev:10;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"OS-LINUX x86 Linux mountd overflow"; flow:to_server; content:"|EB|@^1|C0|@|89|F|04 89 C3|@|89 06|"; metadata:ruleset community; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:317; rev:10;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 518 (msg:"OS-LINUX ntalkd x86 Linux overflow"; flow:to_server; content:"|01 03 00 00 00 00 00 01 00 02 02 E8|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,210; classtype:attempted-admin; sid:313; rev:10;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt"; flow:to_server; content:"|80 00 07 00 00 00 00 00 01|?|00 01 02|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service dns; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-admin; sid:314; rev:23;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"OS-LINUX x86 Linux mountd overflow"; flow:to_server; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:315; rev:11;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"OS-LINUX x86 Linux mountd overflow"; flow:to_server; content:"|EB|V^VVV1|D2 88|V|0B 88|V|1E|"; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:316; rev:11;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"OS-LINUX x86 Linux mountd overflow"; flow:to_server; content:"|EB|@^1|C0|@|89|F|04 89 C3|@|89 06|"; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:317; rev:11;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER cmd_rootsh backdoor attempt"; flow:to_server,established; content:"cmd_rootsh"; metadata:ruleset community; reference:nessus,10070; reference:url,www.sans.org/y2k/TFN_toolkit.htm; reference:url,www.sans.org/y2k/fingerd.htm; classtype:attempted-admin; sid:320; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER account enumeration attempt"; flow:to_server,established; content:"a b c d e f"; nocase; metadata:ruleset community; reference:nessus,10788; classtype:attempted-recon; sid:321; rev:10;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER search query"; flow:to_server,established; content:"search"; metadata:ruleset community; reference:cve,1999-0259; classtype:attempted-recon; sid:322; rev:16;)
@@ -256,9 +256,9 @@ # alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"PROTOCOL-FTP Bad login"; flow:to_client,established; content:"530 "; fast_pattern:only; pcre:"/^530\s+(Login|User)/smi"; metadata:ruleset community, service ftp; classtype:bad-unknown; sid:491; rev:15;) # alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET login failed"; flow:to_client,established; content:"Login failed"; nocase; metadata:ruleset community, service telnet; classtype:bad-unknown; sid:492; rev:15;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT psyBNC access"; flow:to_client,established; content:"Welcome!psyBNC@lam3rz.de"; fast_pattern:only; metadata:ruleset community; classtype:bad-unknown; sid:493; rev:11;) -# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE command completed"; flow:established; content:"Command completed"; fast_pattern:only; pcre:"/^Command\s+?completed\b/sm"; metadata:ruleset community, service http; reference:bugtraq,1806; reference:cve,2000-0884; reference:url,osvdb.org/show/osvdb/436; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-078; classtype:bad-unknown; sid:494; rev:19;) +# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE command completed"; flow:established; content:"Command completed"; fast_pattern:only; pcre:"/^Command\s+?completed\b/sm"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1806; reference:cve,2000-0884; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-078; classtype:bad-unknown; sid:494; rev:21;) # alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE command error"; flow:established; content:"Bad command or filename"; nocase; metadata:ruleset community, service http; classtype:bad-unknown; sid:495; rev:14;) -# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE file copied ok"; 
flow:to_client,established; file_data; content:"1 file|28|s|29| copied"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,1806; reference:cve,2000-0884; classtype:bad-unknown; sid:497; rev:20;) +# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE file copied ok"; flow:to_client,established; file_data; content:"1 file|28|s|29| copied"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1806; reference:cve,2000-0884; classtype:bad-unknown; sid:497; rev:21;) # alert ip any any -> any any (msg:"INDICATOR-COMPROMISE id check returned root"; content:"uid=0|28|root|29|"; metadata:ruleset community; classtype:bad-unknown; sid:498; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1417 (msg:"SERVER-OTHER Insecure TIMBUKTU Password"; flow:to_server,established; content:"|05 00|>"; depth:16; metadata:ruleset community; classtype:bad-unknown; sid:505; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"PUA-OTHER PCAnywhere Attempted Administrator Login"; flow:to_server,established; content:"ADMINISTRATOR"; metadata:ruleset community; classtype:attempted-admin; sid:507; rev:7;) 
@@ -267,18 +267,18 @@ # alert tcp $EXTERNAL_NET any -> $HOME_NET 9000:9002 (msg:"POLICY-OTHER HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; metadata:ruleset community; reference:bugtraq,2245; classtype:misc-activity; sid:510; rev:12;) # alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (msg:"PUA-OTHER PCAnywhere Failed Login"; flow:to_client,established; content:"Invalid login"; depth:16; metadata:ruleset community; classtype:unsuccessful-user; sid:512; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 (msg:"SERVER-OTHER ramen worm"; flow:to_server,established; content:"GET "; depth:8; nocase; metadata:ruleset community; classtype:bad-unknown; sid:514; rev:9;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP NT UserList"; flow:to_server; content:"+|06 10|@|14 D1 02 19|"; fast_pattern:only; metadata:ruleset community, service snmp; reference:nessus,10546; classtype:attempted-recon; sid:516; rev:12;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP NT UserList"; flow:to_server; content:"+|06 10|@|14 D1 02 19|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:nessus,10546; classtype:attempted-recon; sid:516; rev:13;) # alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"X11 xdmcp query"; flow:to_server; content:"|00 01 00 03 00 01 00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-recon; sid:517; rev:7;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP Put"; flow:to_server; content:"|00 02|"; depth:2; metadata:ruleset community; reference:cve,1999-0183; reference:url,github.com/rapid7/metasploit-framework/blob/unstable/unstable-modules/auxiliary/d20tftpbd.rb; classtype:bad-unknown; sid:518; rev:15;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP parent directory"; flow:to_server; content:".."; offset:2; metadata:ruleset community; reference:cve,1999-0183; 
reference:cve,2002-1209; reference:cve,2011-4722; classtype:bad-unknown; sid:519; rev:14;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP root directory"; flow:to_server; content:"|00 01|/"; depth:3; metadata:ruleset community; reference:cve,1999-0183; classtype:bad-unknown; sid:520; rev:12;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP Put"; flow:to_server; content:"|00 02|"; depth:2; metadata:policy max-detect-ips drop, ruleset community; reference:cve,1999-0183; reference:url,github.com/rapid7/metasploit-framework/blob/unstable/unstable-modules/auxiliary/d20tftpbd.rb; classtype:bad-unknown; sid:518; rev:16;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP parent directory"; flow:to_server; content:".."; offset:2; metadata:policy max-detect-ips drop, ruleset community; reference:cve,1999-0183; reference:cve,2002-1209; reference:cve,2011-4722; classtype:bad-unknown; sid:519; rev:15;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP root directory"; flow:to_server; content:"|00 01|/"; depth:3; metadata:policy max-detect-ips drop, ruleset community; reference:cve,1999-0183; classtype:bad-unknown; sid:520; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrShareEnum null policy handle attempt"; flow:established,to_server; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:15; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,align,dce; content:"|00 00 00 00|"; within:4; distance:8; metadata:ruleset community; classtype:protocol-command-decode; sid:529; rev:16;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS NT NULL session"; flow:to_server,established; content:"|00 00 00 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|N|00|T|00| |00|1|00|3|00|8|00|1"; metadata:ruleset community; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:530; rev:14;) # 
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD.."; flow:to_server,established; content:"|5C|../|00 00 00|"; metadata:ruleset community; classtype:attempted-recon; sid:534; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD..."; flow:to_server,established; content:"|5C|...|00 00 00|"; metadata:ruleset community; classtype:attempted-recon; sid:535; rev:9;) # alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"POLICY-SOCIAL Microsoft MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; metadata:ruleset community; classtype:policy-violation; sid:540; rev:17;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY-SOCIAL ICQ access"; flow:to_server,established; content:"User-Agent|3A|ICQ"; fast_pattern:only; metadata:ruleset community; classtype:policy-violation; sid:541; rev:15;) -# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC nick change"; flow:to_server,established; dsize:<140; content:"NICK "; fast_pattern:only; metadata:ruleset community; classtype:policy-violation; sid:542; rev:20;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC nick change"; flow:to_server,established; isdataat:!139; content:"NICK "; fast_pattern:only; metadata:ruleset community; classtype:policy-violation; sid:542; rev:21;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'STOR 1MB' possible warez site"; flow:to_server,established; content:"STOR"; nocase; content:"1MB"; distance:1; nocase; metadata:ruleset community, service ftp; classtype:misc-activity; sid:543; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'RETR 1MB' possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"1MB"; distance:1; nocase; metadata:ruleset community, service ftp; classtype:misc-activity; sid:544; rev:10;) # alert tcp $EXTERNAL_NET any -> 
$HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'CWD / ' possible warez site"; flow:to_server,established; content:"CWD"; nocase; content:"/ "; distance:1; metadata:ruleset community, service ftp; classtype:misc-activity; sid:545; rev:9;) 
@@ -297,53 +297,53 @@ # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|"; depth:4; offset:16; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569; rev:25;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"PROTOCOL-RPC DOS ttdbserv Solaris"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; depth:32; offset:16; metadata:ruleset community; reference:bugtraq,122; reference:cve,1999-0003; classtype:attempted-dos; sid:572; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP export request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:attempted-recon; sid:574; rev:14;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap admind request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:575; rev:16;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap amountd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; 
byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,205; reference:bugtraq,235; reference:bugtraq,450; reference:bugtraq,614; reference:cve,1999-0088; reference:cve,1999-0210; reference:cve,1999-0493; reference:cve,1999-0704; classtype:rpc-portmap-decode; sid:576; rev:16;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap bootparam request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:577; rev:22;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap cmsd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:578; rev:16;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap mountd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:579; rev:16;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap nisd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; 
content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:cve,1999-0008; classtype:rpc-portmap-decode; sid:580; rev:20;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap pcnfsd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,205; reference:bugtraq,4816; reference:cve,1999-0078; reference:cve,1999-0353; reference:cve,2002-0910; classtype:rpc-portmap-decode; sid:581; rev:17;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rexd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:582; rev:16;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rstatd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:583; rev:17;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rusers request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:cve,1999-0626; 
classtype:rpc-portmap-decode; sid:584; rev:19;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap sadmind request UDP attempt"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:585; rev:16;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap selection_svc request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,8; reference:cve,1999-0209; classtype:rpc-portmap-decode; sid:586; rev:17;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap status request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:587; rev:16;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; 
classtype:rpc-portmap-decode; sid:588; rev:26;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap yppasswd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:589; rev:15;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ypserv request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:590; rev:21;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap admind request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:575; rev:17;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap amountd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,205; reference:bugtraq,235; reference:bugtraq,450; reference:bugtraq,614; 
reference:cve,1999-0088; reference:cve,1999-0210; reference:cve,1999-0493; reference:cve,1999-0704; classtype:rpc-portmap-decode; sid:576; rev:17;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap bootparam request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:577; rev:23;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap cmsd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:578; rev:17;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap mountd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:579; rev:17;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap nisd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:cve,1999-0008; 
classtype:rpc-portmap-decode; sid:580; rev:21;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap pcnfsd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,205; reference:bugtraq,4816; reference:cve,1999-0078; reference:cve,1999-0353; reference:cve,2002-0910; classtype:rpc-portmap-decode; sid:581; rev:18;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rexd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:582; rev:17;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rstatd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:583; rev:18;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rusers request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:cve,1999-0626; 
classtype:rpc-portmap-decode; sid:584; rev:20;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC Solaris UDP portmap sadmin port query request attempt"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,8615; reference:cve,2003-0722; classtype:rpc-portmap-decode; sid:585; rev:18;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap selection_svc request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,8; reference:cve,1999-0209; classtype:rpc-portmap-decode; sid:586; rev:18;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap status request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:587; rev:17;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,122; 
reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:588; rev:27;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap yppasswd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:589; rev:16;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ypserv request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:590; rev:22;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,1749; reference:cve,1999-0208; classtype:rpc-portmap-decode; sid:591; rev:21;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; 
distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:593; rev:31;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap espd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:595; rev:22;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:598; rev:23;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"PROTOCOL-RPC portmap listing TCP 32771"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:rpc-portmap-decode; sid:599; rev:17;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin LinuxNIS"; flow:to_server,established; content:"|3A 3A 3A 3A 3A 3A 3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A|"; fast_pattern:only; metadata:ruleset community; classtype:bad-unknown; sid:601; rev:10;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin bin"; flow:to_server,established; 
content:"bin|00|bin|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:602; rev:10;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin echo++"; flow:to_server,established; content:"echo |22| + + |22|"; fast_pattern:only; metadata:ruleset community; classtype:bad-unknown; sid:603; rev:10;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt"; flow:to_server,established; content:"-froot|00|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,458; reference:cve,1999-0113; reference:url,osvdb.org/show/osvdb/1007; classtype:attempted-admin; sid:604; rev:12;) -# alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"PROTOCOL-SERVICES rlogin login failure"; flow:to_client,established; content:"login incorrect"; fast_pattern:only; metadata:ruleset community; classtype:unsuccessful-user; sid:605; rev:12;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin root"; flow:to_server,established; content:"root|00|root|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-admin; sid:606; rev:10;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin LinuxNIS"; flow:to_server,established; content:"|3A 3A 3A 3A 3A 3A 3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:bad-unknown; sid:601; rev:11;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin bin"; flow:to_server,established; content:"bin|00|bin|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:attempted-user; sid:602; rev:11;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin echo++"; flow:to_server,established; content:"echo |22| + + |22|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:bad-unknown; sid:603; rev:11;) 
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt"; flow:to_server,established; content:"-froot|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,458; reference:cve,1999-0113; classtype:attempted-admin; sid:604; rev:14;) +# alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"PROTOCOL-SERVICES rlogin login failure"; flow:to_client,established; content:"login incorrect"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:unsuccessful-user; sid:605; rev:13;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin root"; flow:to_server,established; content:"root|00|root|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:attempted-admin; sid:606; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh bin"; flow:to_server,established; content:"bin|00|bin|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:607; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh echo + +"; flow:to_server,established; content:"echo |22|+ +|22|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:608; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh froot"; flow:to_server,established; content:"-froot|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-admin; sid:609; rev:10;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh root"; flow:to_server,established; content:"|00|root|00|"; fast_pattern:only; pcre:"/^(\d{1,5})?\x00?[^\x00]+?\x00root\x00/i"; metadata:policy max-detect-ips drop, ruleset community; classtype:attempted-admin; sid:610; rev:15;) -# alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"PROTOCOL-SERVICES rlogin login failure"; flow:to_client,established; 
content:"|01|rlogind|3A| Permission denied."; fast_pattern:only; metadata:ruleset community; classtype:unsuccessful-user; sid:611; rev:13;) -# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC rusers query UDP"; content:"|00 01 86 A2|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:cve,1999-0626; classtype:attempted-recon; sid:612; rev:11;) -# alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"INDICATOR-SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; metadata:ruleset community; classtype:attempted-recon; sid:613; rev:10;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh root"; flow:to_server,established; content:"|00|root|00|"; fast_pattern:only; pcre:"/^(\d{1,5})?\x00?[^\x00]+?\x00root\x00/i"; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,57221; reference:cve,2012-6392; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130109-lms; classtype:attempted-admin; sid:610; rev:16;) +# alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"PROTOCOL-SERVICES rlogin login failure"; flow:to_client,established; content:"|01|rlogind|3A| Permission denied."; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:unsuccessful-user; sid:611; rev:14;) +# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC rusers query UDP"; content:"|00 01 86 A2|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:cve,1999-0626; classtype:attempted-recon; sid:612; rev:12;) +# alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"INDICATOR-SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; 
reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:613; rev:11;) # alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 (msg:"MALWARE-BACKDOOR hack-a-tack attempt"; flow:stateless; flags:A+; content:"A"; depth:1; metadata:ruleset community; classtype:attempted-recon; sid:614; rev:13;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"INDICATOR-SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; metadata:ruleset community; classtype:attempted-recon; sid:616; rev:8;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"INDICATOR-SCAN cybercop os probe"; flow:stateless; dsize:0; flags:SF12; metadata:ruleset community; classtype:attempted-recon; sid:619; rev:10;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN ipEye SYN scan"; flow:stateless; flags:S; seq:1958810375; metadata:ruleset community; classtype:attempted-recon; sid:622; rev:11;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN cybercop os PA12 attempt"; flow:stateless; flags:PA12; content:"AAAAAAAAAAAAAAAA"; depth:16; metadata:ruleset community; classtype:attempted-recon; sid:626; rev:12;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN cybercop os SFU12 probe"; flow:stateless; ack:0; flags:SFU12; content:"AAAAAAAAAAAAAAAA"; depth:16; metadata:ruleset community; classtype:attempted-recon; sid:627; rev:12;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN synscan portscan"; flow:stateless; flags:SF; id:39426; metadata:ruleset community; classtype:attempted-recon; sid:630; rev:10;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"INDICATOR-SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:616; rev:9;) +# alert tcp 
$EXTERNAL_NET any -> $HOME_NET 80 (msg:"INDICATOR-SCAN cybercop os probe"; flow:stateless; isdataat:!0; flags:SF12; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:619; rev:12;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN ipEye SYN scan"; flow:stateless; flags:S; seq:1958810375; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:622; rev:12;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN cybercop os PA12 attempt"; flow:stateless; flags:PA12; content:"AAAAAAAAAAAAAAAA"; depth:16; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:626; rev:13;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN cybercop os SFU12 probe"; flow:stateless; ack:0; flags:SFU12; content:"AAAAAAAAAAAAAAAA"; depth:16; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:627; rev:13;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN synscan portscan"; flow:stateless; flags:SF; id:39426; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:630; rev:11;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL ehlo cybercop attempt"; flow:to_server,established; content:"ehlo cybercop|0A|quit|0A|"; fast_pattern:only; metadata:ruleset 
community, service smtp; classtype:protocol-command-decode; sid:631; rev:16;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL expn cybercop attempt"; flow:to_server,established; content:"expn cybercop"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:protocol-command-decode; sid:632; rev:15;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (msg:"INDICATOR-SCAN Amanda client-version request"; flow:to_server; content:"Amanda"; fast_pattern:only; metadata:ruleset community; classtype:attempted-recon; sid:634; rev:8;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"INDICATOR-SCAN XTACACS logout"; flow:to_server; content:"|80 07 00 00 07 00 00 04 00 00 00 00 00|"; fast_pattern:only; metadata:ruleset community; classtype:bad-unknown; sid:635; rev:9;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 7 (msg:"INDICATOR-SCAN cybercop udp bomb"; flow:to_server; content:"cybercop"; fast_pattern:only; metadata:ruleset community; classtype:bad-unknown; sid:636; rev:7;) -# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN Webtrends Scanner UDP Probe"; flow:to_server; content:"|0A|help|0A|quite|0A|"; fast_pattern:only; metadata:ruleset community; reference:url,www.netiq.com/products/vsm/default.asp; classtype:attempted-recon; sid:637; rev:11;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (msg:"INDICATOR-SCAN Amanda client-version request"; flow:to_server; content:"Amanda"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:634; rev:10;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"INDICATOR-SCAN XTACACS logout"; flow:to_server; content:"|80 07 00 00 07 00 00 04 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; 
reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:bad-unknown; sid:635; rev:11;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 7 (msg:"INDICATOR-SCAN cybercop udp bomb"; flow:to_server; content:"cybercop"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:bad-unknown; sid:636; rev:9;) +# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN Webtrends Scanner UDP Probe"; flow:to_server; content:"|0A|help|0A|quite|0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,www.netiq.com/products/vsm/default.asp; classtype:attempted-recon; sid:637; rev:13;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:638; rev:11;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:639; rev:11;) # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE AIX NOOP"; content:"O|FF FB 82|O|FF FB 82|O|FF FB 82|O|FF FB 82|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:640; rev:11;) 
@@ -355,8 +355,8 @@
 # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:646; rev:11;)
 # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Oracle sparc setuid 0"; content:"|82 10| |17 91 D0| |08|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:system-call-detect; sid:647; rev:15;)
 # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:shellcode-detect; sid:648; rev:18;)
-# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|"; fast_pattern:only; metadata:ruleset community; classtype:system-call-detect; sid:649; rev:14;)
-# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|"; fast_pattern:only; metadata:ruleset community; classtype:system-call-detect; sid:650; rev:14;)
+# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:system-call-detect; sid:649; rev:15;)
+# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:system-call-detect; sid:650; rev:15;)
 # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:652; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3A|"; nocase; isdataat:256,relative; pcre:"/^RCPT TO\x3a\s*\x3c?[^\n\x3e]{256}/im"; metadata:policy max-detect-ips drop, ruleset community, service smtp; reference:bugtraq,2283; reference:bugtraq,43182; reference:bugtraq,9696; reference:cve,2001-0260; reference:cve,2003-0694; reference:cve,2008-0394; reference:cve,2009-0410; reference:cve,2010-2580; classtype:attempted-admin; sid:654; rev:28;)
 # alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|D/"; metadata:ruleset community, service smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:655; rev:16;)
@@ -386,7 +386,7 @@
 # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL sp_adduser - database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:685; rev:9;)
 # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_reg* - registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-034; classtype:attempted-user; sid:686; rev:17;)
 # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL xp_cmdshell - program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,5309; classtype:attempted-user; sid:687; rev:10;)
-alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flow:to_client,established; content:"Login failed for user 'sa'"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:688; rev:16;)
+# alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flow:to_client,established; content:"Login failed for user 'sa'"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:688; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL xp_reg* registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; depth:32; offset:32; nocase; metadata:ruleset community; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-034; classtype:attempted-user; sid:689; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; metadata:ruleset community; classtype:shellcode-detect; sid:691; rev:9;)
 # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; metadata:ruleset community; classtype:shellcode-detect; sid:692; rev:10;)
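Review bot: The one rule in this hunk that was actually enabled, sid 688 (`alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; …`), comes back from the upstream refresh commented out and tagged `policy max-detect-ips drop` only, so failed 'sa' logins seen on the MSSQL port stop producing alerts after this update. Since the file is a vendored upstream ruleset this is presumably upstream's decision rather than the committer's, but the detection loss is silent and deserves a sentence in the commit description or README. If that alert is still wanted, re-enable it by copying the rule uncommented into a locally maintained rules file rather than editing community.rules, so the next refresh does not drop it again.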
@@ -410,7 +410,7 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP yabb directory traversal attempt"; flow:to_server,established; content:"/YaBB"; fast_pattern; nocase; http_uri; content:"../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,1668; reference:cve,2000-0853; reference:nessus,10512; classtype:attempted-recon; sid:806; rev:24;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /wwwboard/passwd.txt access"; flow:to_server,established; content:"/wwwboard/passwd.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,649; reference:cve,1999-0953; reference:cve,1999-0954; reference:nessus,10321; classtype:attempted-recon; sid:807; rev:24;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webdriver access"; flow:to_server,established; content:"/webdriver"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2166; reference:nessus,10592; classtype:attempted-recon; sid:808; rev:21;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP whois_raw.cgi arbitrary command execution attempt"; flow:to_server,established; content:"/whois_raw.cgi?"; http_uri; content:"|0A|"; metadata:ruleset community, service http; reference:bugtraq,304; reference:cve,1999-1063; reference:nessus,10306; classtype:web-application-attack; sid:809; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP whois_raw.cgi arbitrary command execution attempt"; flow:to_server,established; content:"/whois_raw.cgi?"; http_uri; content:"|0A|"; metadata:ruleset community, service http; reference:bugtraq,304; reference:cve,1999-1063; reference:nessus,10306; reference:url,attack.mitre.org/techniques/T1065; classtype:web-application-attack; sid:809; rev:20;) # alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP whois_raw.cgi access"; flow:to_server,established; content:"/whois_raw.cgi"; http_uri; metadata:ruleset community, service http; reference:bugtraq,304; reference:cve,1999-1063; reference:nessus,10306; classtype:attempted-recon; sid:810; rev:19;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP websitepro path access"; flow:to_server,established; content:" /HTTP/1."; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,932; reference:cve,2000-0066; reference:nessus,10303; classtype:attempted-recon; sid:811; rev:18;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webplus version access"; flow:to_server,established; content:"/webplus?about"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1102; reference:cve,2000-0282; classtype:attempted-recon; sid:812; rev:22;) 
@@ -428,7 +428,7 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP info2www access"; flow:to_server,established; content:"/info2www"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1995; reference:cve,1999-0266; reference:nessus,10127; classtype:attempted-recon; sid:827; rev:21;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP maillist.pl access"; flow:to_server,established; content:"/maillist.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:828; rev:17;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nph-test-cgi access"; flow:to_server,established; content:"/nph-test-cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,686; reference:cve,1999-0045; reference:nessus,10165; classtype:attempted-recon; sid:829; rev:24;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP perl.exe access"; flow:to_server,established; content:"/perl.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:832; rev:24;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP perl.exe access"; flow:to_server,established; content:"/perl.exe"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:832; rev:25;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rguest.exe access"; flow:to_server,established; content:"/rguest.exe"; fast_pattern:only; http_uri; 
metadata:ruleset community, service http; reference:bugtraq,2024; reference:cve,1999-0287; classtype:attempted-recon; sid:833; rev:23;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rwwwshell.pl access"; flow:to_server,established; content:"/rwwwshell.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.itsecurity.com/papers/p37.htm; classtype:attempted-recon; sid:834; rev:19;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP test-cgi access"; flow:to_server,established; content:"/test-cgi"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2003; reference:cve,1999-0070; reference:nessus,10282; classtype:attempted-recon; sid:835; rev:26;) 
@@ -456,26 +456,26 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP man.sh access"; flow:to_server,established; content:"/man.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2276; reference:cve,1999-1179; classtype:attempted-recon; sid:859; rev:21;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP snork.bat access"; flow:to_server,established; content:"/snork.bat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2023; reference:cve,1999-0233; classtype:attempted-recon; sid:860; rev:22;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP w3-msql access"; flow:to_server,established; content:"/w3-msql/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,591; reference:bugtraq,898; reference:cve,1999-0276; reference:cve,1999-0753; reference:cve,2000-0012; reference:nessus,10296; classtype:attempted-recon; sid:861; rev:25;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP csh access"; flow:to_server,established; content:"/csh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:862; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP csh access"; flow:to_server,established; content:"/csh"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:862; rev:21;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP day5datacopier.cgi access"; flow:to_server,established; content:"/day5datacopier.cgi"; 
fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1232; classtype:attempted-recon; sid:863; rev:19;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP day5datanotifier.cgi access"; flow:to_server,established; content:"/day5datanotifier.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1232; classtype:attempted-recon; sid:864; rev:19;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ksh access"; flow:to_server,established; content:"/ksh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:865; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ksh access"; flow:to_server,established; content:"/ksh"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:865; rev:20;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP post-query access"; flow:to_server,established; content:"/post-query"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6752; reference:cve,2001-0291; classtype:attempted-recon; sid:866; rev:20;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP visadmin.exe access"; flow:to_server,established; content:"/visadmin.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1808; reference:cve,1999-0970; reference:nessus,10295; classtype:attempted-recon; sid:867; rev:22;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rsh access"; flow:to_server,established; content:"/rsh"; fast_pattern:only; http_uri; metadata:ruleset community, 
service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:868; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rsh access"; flow:to_server,established; content:"/rsh"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:868; rev:21;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dumpenv.pl access"; flow:to_server,established; content:"/dumpenv.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1178; reference:nessus,10060; classtype:attempted-recon; sid:869; rev:20;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP snorkerz.cmd access"; flow:to_server,established; content:"/snorkerz.cmd"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:870; rev:17;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP survey.cgi access"; flow:to_server,established; content:"/survey.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1817; reference:cve,1999-0936; classtype:attempted-recon; sid:871; rev:19;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP tcsh access"; flow:to_server,established; content:"/tcsh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:872; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP tcsh access"; flow:to_server,established; content:"/tcsh"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,1999-0509; 
reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:872; rev:21;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP win-c-sample.exe access"; flow:to_server,established; content:"/win-c-sample.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2078; reference:cve,1999-0178; reference:nessus,10008; classtype:attempted-recon; sid:875; rev:22;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rksh access"; flow:to_server,established; content:"/rksh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:877; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rksh access"; flow:to_server,established; content:"/rksh"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:877; rev:20;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP w3tvars.pm access"; flow:to_server,established; content:"/w3tvars.pm"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:878; rev:18;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP admin.pl access"; flow:to_server,established; content:"/admin.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3839; reference:cve,2002-1748; reference:url,online.securityfocus.com/archive/1/249355; classtype:attempted-recon; sid:879; rev:20;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP LWGate access"; flow:to_server,established; content:"/LWGate"; fast_pattern:only; http_uri; metadata:ruleset community, service http; 
reference:url,www.netspace.org/~dwb/lwgate/lwgate-history.html; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:880; rev:20;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP archie access"; flow:to_server,established; content:"/archie"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:881; rev:17;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calendar access"; flow:to_server,established; content:"/calendar"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:882; rev:17;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP flexform access"; flow:to_server,established; content:"/flexform"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:883; rev:17;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bash access"; flow:to_server,established; content:"/bash"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:web-application-activity; sid:885; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bash access"; flow:to_server,established; content:"/bash"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:web-application-activity; sid:885; rev:21;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phf access"; flow:to_server,established; content:"/phf"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,629; 
reference:cve,1999-0067; classtype:web-application-activity; sid:886; rev:28;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP www-sql access"; flow:to_server,established; content:"/www-sql"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=88704258804054&w=2; classtype:attempted-recon; sid:887; rev:18;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wwwadmin.pl access"; flow:to_server,established; content:"/wwwadmin.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:888; rev:17;) 
@@ -492,86 +492,86 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webspirs.cgi directory traversal attempt"; flow:to_server,established; content:"/webspirs.cgi"; fast_pattern; nocase; http_uri; content:"../../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:web-application-attack; sid:900; rev:22;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webspirs.cgi access"; flow:to_server,established; content:"/webspirs.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:attempted-recon; sid:901; rev:22;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP tstisapi.dll access"; flow:to_server,established; content:"tstisapi.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2381; reference:cve,2001-0302; classtype:attempted-recon; sid:902; rev:21;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion cfcache.map access"; flow:to_server,established; content:"/cfcache.map"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,917; reference:cve,2000-0057; classtype:attempted-recon; sid:903; rev:18;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion exampleapp application.cfm"; flow:to_server,established; content:"/cfdocs/exampleapp/email/application.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1021; reference:cve,2000-0189; reference:cve,2001-0535; classtype:attempted-recon; sid:904; rev:21;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion application.cfm access"; 
flow:to_server,established; content:"/cfdocs/exampleapp/publish/admin/application.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1021; reference:cve,2000-0189; reference:cve,2001-0535; classtype:attempted-recon; sid:905; rev:21;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion getfile.cfm access"; flow:to_server,established; content:"/cfdocs/exampleapp/email/getfile.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,229; reference:cve,1999-0800; reference:cve,2001-0535; classtype:attempted-recon; sid:906; rev:21;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion addcontent.cfm access"; flow:to_server,established; content:"/cfdocs/exampleapp/publish/admin/addcontent.cfm"; fast_pattern; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2001-0535; classtype:attempted-recon; sid:907; rev:16;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion administrator access"; flow:to_server,established; content:"/cfide/administrator/index.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1314; reference:cve,2000-0538; reference:nessus,10581; classtype:attempted-recon; sid:908; rev:20;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:909; rev:14;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion fileexists.cfm access"; flow:to_server,established; content:"/cfdocs/snippets/fileexists.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; 
reference:cve,1999-0760; classtype:attempted-recon; sid:910; rev:17;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion exprcalc access"; flow:to_server,established; content:"/cfdocs/expeval/exprcalc.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,115; reference:bugtraq,550; reference:cve,1999-0455; reference:cve,1999-0760; classtype:attempted-recon; sid:911; rev:19;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion parks access"; flow:to_server,established; content:"/cfdocs/examples/parks/detail.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:912; rev:17;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion cfappman access"; flow:to_server,established; content:"/cfappman/index.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:913; rev:17;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion beaninfo access"; flow:to_server,established; content:"/cfdocs/examples/cvbeans/beaninfo.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:914; rev:17;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion evaluate.cfm access"; flow:to_server,established; content:"/cfdocs/snippets/evaluate.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:915; rev:18;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion getodbcdsn access"; flow:to_server,established; content:"CFUSION_GETODBCDSN|28 29|"; fast_pattern:only; 
metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:916; rev:15;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion db connections flush attempt"; flow:to_server,established; content:"CFUSION_DBCONNECTIONS_FLUSH|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:917; rev:15;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion expeval access"; flow:to_server,established; content:"/cfdocs/expeval/"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0477; reference:cve,1999-0760; classtype:attempted-user; sid:918; rev:18;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion datasource passwordattempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:919; rev:15;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:920; rev:15;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion admin encrypt attempt"; flow:to_server,established; content:"CFUSION_ENCRYPT|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:921; rev:15;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion 
displayfile access"; flow:to_server,established; content:"/cfdocs/expeval/displayopenedfile.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:922; rev:18;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:923; rev:15;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion admin decrypt attempt"; flow:to_server,established; content:"CFUSION_DECRYPT|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:924; rev:15;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion mainframeset access"; flow:to_server,established; content:"/cfdocs/examples/mainframeset.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:925; rev:17;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion set odbc ini attempt"; flow:to_server,established; content:"CFUSION_SETODBCINI|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:926; rev:15;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion settings refresh attempt"; flow:to_server,established; content:"CFUSION_SETTINGS_REFRESH|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:927; rev:15;) -# alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion exampleapp access"; flow:to_server,established; content:"/cfdocs/exampleapp/"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2001-0535; classtype:attempted-recon; sid:928; rev:17;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion CFUSION_VERIFYMAIL access"; flow:to_server,established; content:"CFUSION_VERIFYMAIL|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-user; sid:929; rev:15;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion snippets attempt"; flow:to_server,established; content:"/cfdocs/snippets/"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:930; rev:17;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion cfmlsyntaxcheck.cfm access"; flow:to_server,established; content:"/cfdocs/cfmlsyntaxcheck.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:931; rev:18;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion application.cfm access"; flow:to_server,established; content:"/application.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; reference:cve,2000-0189; classtype:attempted-recon; sid:932; rev:20;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion onrequestend.cfm access"; flow:to_server,established; content:"/onrequestend.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; reference:cve,2000-0189; classtype:attempted-recon; 
sid:933; rev:20;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion startstop DOS access"; flow:to_server,established; content:"/cfide/administrator/startstop.html"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,247; reference:cve,1999-0756; classtype:web-application-attack; sid:935; rev:18;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion gettempdirectory.cfm access "; flow:to_server,established; content:"/cfdocs/snippets/gettempdirectory.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:936; rev:17;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage _vti_rpc access"; flow:to_server,established; content:"/_vti_rpc"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; classtype:web-application-activity; sid:937; rev:21;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage posting"; flow:to_server,established; content:"POST"; content:"/author.dll"; fast_pattern; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-100; classtype:web-application-activity; sid:939; rev:22;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage shtml.dll access"; flow:to_server,established; content:"/_vti_bin/shtml.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1174; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0413; reference:cve,2000-0746; reference:nessus,11395; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-060; 
classtype:web-application-activity; sid:940; rev:28;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage contents.htm access"; flow:to_server,established; content:"/admcgi/contents.htm"; fast_pattern; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:941; rev:16;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage orders.htm access"; flow:to_server,established; content:"/_private/orders.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:942; rev:17;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpsrvadm.exe access"; flow:to_server,established; content:"/fpsrvadm.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:943; rev:17;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpremadm.exe access"; flow:to_server,established; content:"/fpremadm.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:944; rev:17;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpadmin.htm access"; flow:to_server,established; content:"/admisapi/fpadmin.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:945; rev:17;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpadmcgi.exe access"; flow:to_server,established; content:"/scripts/Fpadmcgi.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:946; rev:17;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage orders.txt access"; flow:to_server,established; 
content:"/_private/orders.txt"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:947; rev:17;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage form_results access"; flow:to_server,established; content:"/_private/form_results.txt"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-1052; classtype:web-application-activity; sid:948; rev:19;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage registrations.htm access"; flow:to_server,established; content:"/_private/registrations.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:949; rev:17;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage cfgwiz.exe access"; flow:to_server,established; content:"/cfgwiz.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:950; rev:18;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage authors.pwd access"; flow:to_server,established; content:"/authors.pwd"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,989; reference:cve,1999-0386; reference:nessus,10078; classtype:web-application-activity; sid:951; rev:21;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage author.exe access"; flow:to_server,established; content:"/_vti_bin/_vti_aut/author.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:952; rev:17;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage administrators.pwd access"; flow:to_server,established; content:"/administrators.pwd"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1205; 
classtype:web-application-activity; sid:953; rev:18;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage form_results.htm access"; flow:to_server,established; content:"/_private/form_results.htm"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-1052; classtype:web-application-activity; sid:954; rev:19;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage access.cnf access"; flow:to_server,established; content:"/_vti_pvt/access.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:955; rev:22;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage register.txt access"; flow:to_server,established; content:"/_private/register.txt"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:956; rev:17;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage registrations.txt access"; flow:to_server,established; content:"/_private/registrations.txt"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:957; rev:17;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage service.cnf access"; flow:to_server,established; content:"/_vti_pvt/service.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:958; rev:21;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage service.pwd"; flow:to_server,established; content:"/service.pwd"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1205; 
classtype:web-application-activity; sid:959; rev:17;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage service.stp access"; flow:to_server,established; content:"/_vti_pvt/service.stp"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:960; rev:17;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage services.cnf access"; flow:to_server,established; content:"/_vti_pvt/services.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:961; rev:21;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage shtml.exe access"; flow:to_server,established; content:"/_vti_bin/shtml.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1174; reference:bugtraq,1608; reference:bugtraq,5804; reference:cve,2000-0413; reference:cve,2000-0709; reference:cve,2002-0692; reference:nessus,10405; reference:nessus,11311; classtype:web-application-activity; sid:962; rev:24;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage svcacl.cnf access"; flow:to_server,established; content:"/_vti_pvt/svcacl.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:963; rev:21;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage users.pwd access"; flow:to_server,established; content:"/users.pwd"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:964; rev:17;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage writeto.cnf access"; 
flow:to_server,established; content:"/_vti_pvt/writeto.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:965; rev:21;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage .... request"; flow:to_server,established; content:"..../"; http_uri; metadata:ruleset community, service http; reference:bugtraq,989; reference:cve,1999-0386; reference:cve,2000-0153; reference:nessus,10142; classtype:web-application-attack; sid:966; rev:24;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage dvwssr.dll access"; flow:to_server,established; content:"/dvwssr.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1108; reference:bugtraq,1109; reference:cve,2000-0260; reference:nessus,10369; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-025; classtype:web-application-activity; sid:967; rev:25;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage register.htm access"; flow:to_server,established; content:"/_private/register.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:968; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion cfcache.map access"; flow:to_server,established; content:"/cfcache.map"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,917; reference:cve,2000-0057; classtype:attempted-recon; sid:903; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion exampleapp application.cfm"; flow:to_server,established; content:"/cfdocs/exampleapp/email/application.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset 
community, service http; reference:bugtraq,1021; reference:cve,2000-0189; reference:cve,2001-0535; classtype:attempted-recon; sid:904; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion application.cfm access"; flow:to_server,established; content:"/cfdocs/exampleapp/publish/admin/application.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1021; reference:cve,2000-0189; reference:cve,2001-0535; classtype:attempted-recon; sid:905; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion getfile.cfm access"; flow:to_server,established; content:"/cfdocs/exampleapp/email/getfile.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,229; reference:cve,1999-0800; reference:cve,2001-0535; classtype:attempted-recon; sid:906; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion addcontent.cfm access"; flow:to_server,established; content:"/cfdocs/exampleapp/publish/admin/addcontent.cfm"; fast_pattern; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2001-0535; classtype:attempted-recon; sid:907; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion administrator access"; flow:to_server,established; content:"/cfide/administrator/index.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1314; reference:cve,2000-0538; reference:nessus,10581; classtype:attempted-recon; sid:908; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 29|"; fast_pattern:only; metadata:policy 
max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:909; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion fileexists.cfm access"; flow:to_server,established; content:"/cfdocs/snippets/fileexists.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:910; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion exprcalc access"; flow:to_server,established; content:"/cfdocs/expeval/exprcalc.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,115; reference:bugtraq,550; reference:cve,1999-0455; reference:cve,1999-0760; classtype:attempted-recon; sid:911; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion parks access"; flow:to_server,established; content:"/cfdocs/examples/parks/detail.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:912; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion cfappman access"; flow:to_server,established; content:"/cfappman/index.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:913; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion beaninfo access"; flow:to_server,established; content:"/cfdocs/examples/cvbeans/beaninfo.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; 
reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:914; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion evaluate.cfm access"; flow:to_server,established; content:"/cfdocs/snippets/evaluate.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:915; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion getodbcdsn access"; flow:to_server,established; content:"CFUSION_GETODBCDSN|28 29|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:916; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion db connections flush attempt"; flow:to_server,established; content:"CFUSION_DBCONNECTIONS_FLUSH|28 29|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:917; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion expeval access"; flow:to_server,established; content:"/cfdocs/expeval/"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0477; reference:cve,1999-0760; classtype:attempted-user; sid:918; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion datasource passwordattempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD|28 29|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:919; 
rev:16;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE|28 29|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:920; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion admin encrypt attempt"; flow:to_server,established; content:"CFUSION_ENCRYPT|28 29|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:921; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion displayfile access"; flow:to_server,established; content:"/cfdocs/expeval/displayopenedfile.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:922; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI|28 29|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:923; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion admin decrypt attempt"; flow:to_server,established; content:"CFUSION_DECRYPT|28 29|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:924; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion 
mainframeset access"; flow:to_server,established; content:"/cfdocs/examples/mainframeset.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:925; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion set odbc ini attempt"; flow:to_server,established; content:"CFUSION_SETODBCINI|28 29|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:926; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion settings refresh attempt"; flow:to_server,established; content:"CFUSION_SETTINGS_REFRESH|28 29|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:927; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion exampleapp access"; flow:to_server,established; content:"/cfdocs/exampleapp/"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2001-0535; classtype:attempted-recon; sid:928; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion CFUSION_VERIFYMAIL access"; flow:to_server,established; content:"CFUSION_VERIFYMAIL|28 29|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-user; sid:929; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion snippets attempt"; flow:to_server,established; content:"/cfdocs/snippets/"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, 
ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:930; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion cfmlsyntaxcheck.cfm access"; flow:to_server,established; content:"/cfdocs/cfmlsyntaxcheck.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:931; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion application.cfm access"; flow:to_server,established; content:"/application.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; reference:cve,2000-0189; classtype:attempted-recon; sid:932; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion onrequestend.cfm access"; flow:to_server,established; content:"/onrequestend.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; reference:cve,2000-0189; classtype:attempted-recon; sid:933; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion startstop DOS access"; flow:to_server,established; content:"/cfide/administrator/startstop.html"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,247; reference:cve,1999-0756; classtype:web-application-attack; sid:935; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion gettempdirectory.cfm access "; flow:to_server,established; content:"/cfdocs/snippets/gettempdirectory.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; 
reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:936; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage _vti_rpc access"; flow:to_server,established; content:"/_vti_rpc"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; classtype:web-application-activity; sid:937; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage posting"; flow:to_server,established; content:"POST"; content:"/author.dll"; fast_pattern; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-100; classtype:web-application-activity; sid:939; rev:23;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage shtml.dll access"; flow:to_server,established; content:"/_vti_bin/shtml.dll"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1174; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0413; reference:cve,2000-0746; reference:nessus,11395; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-060; classtype:web-application-activity; sid:940; rev:29;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage contents.htm access"; flow:to_server,established; content:"/admcgi/contents.htm"; fast_pattern; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; classtype:web-application-activity; sid:941; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage orders.htm access"; flow:to_server,established; 
content:"/_private/orders.htm"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; classtype:web-application-activity; sid:942; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpsrvadm.exe access"; flow:to_server,established; content:"/fpsrvadm.exe"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; classtype:web-application-activity; sid:943; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpremadm.exe access"; flow:to_server,established; content:"/fpremadm.exe"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; classtype:web-application-activity; sid:944; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpadmin.htm access"; flow:to_server,established; content:"/admisapi/fpadmin.htm"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; classtype:web-application-activity; sid:945; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpadmcgi.exe access"; flow:to_server,established; content:"/scripts/Fpadmcgi.exe"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; classtype:web-application-activity; sid:946; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage orders.txt access"; flow:to_server,established; content:"/_private/orders.txt"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; classtype:web-application-activity; sid:947; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"SERVER-OTHER Microsoft Frontpage form_results access"; flow:to_server,established; content:"/_private/form_results.txt"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,1999-1052; classtype:web-application-activity; sid:948; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage registrations.htm access"; flow:to_server,established; content:"/_private/registrations.htm"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; classtype:web-application-activity; sid:949; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage cfgwiz.exe access"; flow:to_server,established; content:"/cfgwiz.exe"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; classtype:web-application-activity; sid:950; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage authors.pwd access"; flow:to_server,established; content:"/authors.pwd"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,989; reference:cve,1999-0386; reference:nessus,10078; classtype:web-application-activity; sid:951; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage author.exe access"; flow:to_server,established; content:"/_vti_bin/_vti_aut/author.exe"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; classtype:web-application-activity; sid:952; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage administrators.pwd access"; flow:to_server,established; content:"/administrators.pwd"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service 
http; reference:bugtraq,1205; reference:cve,2002-1717; classtype:web-application-activity; sid:953; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage form_results.htm access"; flow:to_server,established; content:"/_private/form_results.htm"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,1999-1052; classtype:web-application-activity; sid:954; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage access.cnf access"; flow:to_server,established; content:"/_vti_pvt/access.cnf"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:955; rev:23;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage register.txt access"; flow:to_server,established; content:"/_private/register.txt"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; classtype:web-application-activity; sid:956; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage registrations.txt access"; flow:to_server,established; content:"/_private/registrations.txt"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; classtype:web-application-activity; sid:957; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage service.cnf access"; flow:to_server,established; content:"/_vti_pvt/service.cnf"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:958; rev:22;) +# alert tcp $EXTERNAL_NET any 
-> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage service.pwd"; flow:to_server,established; content:"/service.pwd"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1205; classtype:web-application-activity; sid:959; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage service.stp access"; flow:to_server,established; content:"/_vti_pvt/service.stp"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; classtype:web-application-activity; sid:960; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage services.cnf access"; flow:to_server,established; content:"/_vti_pvt/services.cnf"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:961; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage shtml.exe access"; flow:to_server,established; content:"/_vti_bin/shtml.exe"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1174; reference:bugtraq,1608; reference:bugtraq,5804; reference:cve,2000-0413; reference:cve,2000-0709; reference:cve,2002-0692; reference:nessus,10405; reference:nessus,11311; classtype:web-application-activity; sid:962; rev:25;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage svcacl.cnf access"; flow:to_server,established; content:"/_vti_pvt/svcacl.cnf"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:963; rev:22;) +# alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage users.pwd access"; flow:to_server,established; content:"/users.pwd"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; classtype:web-application-activity; sid:964; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage writeto.cnf access"; flow:to_server,established; content:"/_vti_pvt/writeto.cnf"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:965; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage .... request"; flow:to_server,established; content:"..../"; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,989; reference:cve,1999-0386; reference:cve,2000-0153; reference:nessus,10142; classtype:web-application-attack; sid:966; rev:25;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage dvwssr.dll access"; flow:to_server,established; content:"/dvwssr.dll"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1108; reference:bugtraq,1109; reference:cve,2000-0260; reference:nessus,10369; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-025; classtype:web-application-activity; sid:967; rev:26;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage register.htm access"; flow:to_server,established; content:"/_private/register.htm"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; classtype:web-application-activity; sid:968; rev:18;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS WebDAV 
file lock attempt"; flow:to_server,established; content:"LOCK "; depth:5; metadata:ruleset community, service http; reference:bugtraq,2736; reference:nessus,10732; classtype:web-application-activity; sid:969; rev:13;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .printer access"; flow:to_server,established; content:".printer"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2674; reference:cve,2001-0241; reference:nessus,10661; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-023; classtype:web-application-activity; sid:971; rev:28;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS *.idc attempt"; flow:to_server,established; content:"/*.idc"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1448; reference:cve,1999-0874; reference:cve,2000-0661; classtype:web-application-attack; sid:973; rev:24;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS directory traversal attempt"; flow:to_server,established; content:"..|5C|.."; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2218; reference:cve,1999-0229; classtype:web-application-attack; sid:974; rev:23;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Alternate Data streams ASP file access attempt"; flow:to_server,established; content:".asp|3A 3A 24|DATA"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q188806; classtype:web-application-attack; sid:975; rev:26;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .bat? 
access"; flow:to_server,established; content:".bat?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2023; reference:bugtraq,4335; reference:cve,1999-0233; reference:cve,2002-0061; reference:url,support.microsoft.com/support/kb/articles/Q148/1/88.asp; reference:url,support.microsoft.com/support/kb/articles/Q155/0/56.asp; classtype:web-application-activity; sid:976; rev:20;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .cnf access"; flow:to_server,established; content:".cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:977; rev:24;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .bat? access"; flow:to_server,established; content:".bat?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2023; reference:bugtraq,4335; reference:cve,1999-0233; reference:cve,2002-0061; reference:cve,2019-0232; reference:url,support.microsoft.com/support/kb/articles/Q148/1/88.asp; reference:url,support.microsoft.com/support/kb/articles/Q155/0/56.asp; classtype:web-application-activity; sid:976; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .cnf access"; flow:to_server,established; content:".cnf"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:977; rev:25;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ASP contents view"; flow:to_server,established; content:"%20"; content:"&CiRestriction=none"; nocase; content:"&CiHiliteType=Full"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,1084; reference:cve,2000-0302; reference:nessus,10356; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-006; classtype:web-application-attack; sid:978; rev:21;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ASP contents view"; flow:to_server,established; content:".htw?CiWebHitsFile"; fast_pattern; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1861; reference:cve,2000-0942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-006; classtype:web-application-attack; sid:979; rev:22;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS CGImail.exe access"; flow:to_server,established; content:"/scripts/CGImail.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1623; reference:cve,2000-0726; reference:nessus,11721; classtype:web-application-activity; sid:980; rev:20;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS JET VBA access"; flow:to_server,established; content:"/scripts/samples/ctguestb.idc"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,307; reference:cve,1999-0874; reference:nessus,10116; classtype:web-application-activity; sid:984; rev:25;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS JET VBA access"; flow:to_server,established; content:"/scripts/samples/details.idc"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,286; reference:cve,1999-0874; classtype:web-application-activity; sid:985; rev:22;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS MSProxy access"; flow:to_server,established; content:"/scripts/proxy/w3proxy.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:url,support.microsoft.com/?kbid=331066; classtype:web-application-activity; sid:986; rev:20;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"FILE-IDENTIFY .htr access file download request"; 
flow:to_server,established; content:".htr"; fast_pattern:only; http_uri; pcre:"/\x2ehtr([\?\x5c\x2f]|$)/smiU"; metadata:ruleset community, service http; reference:bugtraq,1488; reference:cve,2000-0630; reference:cve,2001-0004; reference:nessus,10680; reference:url,technet.microsoft.com/en-us/security/bulletin/ms01-004; classtype:misc-activity; sid:987; rev:31;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"FILE-IDENTIFY .htr access file download request"; flow:to_server,established; content:".htr"; fast_pattern:only; http_uri; pcre:"/\x2ehtr([\?\x5c\x2f]|$)/smiU"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1488; reference:cve,2000-0630; reference:cve,2001-0004; reference:nessus,10680; reference:url,technet.microsoft.com/en-us/security/bulletin/ms01-004; classtype:misc-activity; sid:987; rev:32;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"MALWARE-CNC sensepost.exe command shell"; flow:to_server,established; content:"/sensepost.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11003; classtype:web-application-activity; sid:989; rev:18;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage _vti_inf.html access"; flow:to_server,established; content:"/_vti_inf.html"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11455; classtype:web-application-activity; sid:990; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage _vti_inf.html access"; flow:to_server,established; content:"/_vti_inf.html"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; reference:nessus,11455; classtype:web-application-activity; sid:990; rev:21;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS achg.htr access"; flow:to_server,established; 
content:"/iisadmpwd/achg.htr"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:991; rev:20;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS adctest.asp access"; flow:to_server,established; content:"/msadc/samples/adctest.asp"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:992; rev:17;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS iisadmin access"; flow:to_server,established; content:"/iisadmin"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,189; reference:cve,1999-1538; reference:nessus,11032; classtype:web-application-attack; sid:993; rev:22;) 
@@ -583,19 +583,19 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS bdir access"; flow:to_server,established; content:"/scripts/iisadmin/bdir.htr"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2280; classtype:web-application-activity; sid:999; rev:19;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS bdir.htr access"; flow:to_server,established; content:"/bdir.htr"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2280; reference:nessus,10577; classtype:web-application-activity; sid:1000; rev:23;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP carbo.dll access"; flow:to_server,established; content:"/carbo.dll"; http_uri; content:"icatcommand="; nocase; metadata:ruleset community, service http; reference:bugtraq,2126; reference:cve,1999-1069; classtype:attempted-recon; sid:1001; rev:18;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:1002; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:web-application-attack; sid:1002; rev:19;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS cmd? 
access"; flow:to_server,established; content:".cmd?&"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1003; rev:15;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS codebrowser Exair access"; flow:to_server,established; content:"/iissamples/exair/howitworks/codebrws.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0499; reference:cve,1999-0815; classtype:web-application-activity; sid:1004; rev:19;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS codebrowser SDK access"; flow:to_server,established; content:"/iissamples/sdk/asp/docs/codebrws.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,167; reference:cve,1999-0736; classtype:web-application-activity; sid:1005; rev:23;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Form_JScript.asp access"; flow:to_server,established; content:"/Form_JScript.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0746; reference:cve,2000-1104; reference:nessus,10572; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-060; classtype:web-application-attack; sid:1007; rev:24;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS del attempt"; flow:to_server,established; content:"&del+/s+c|3A 5C|*.*"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1008; rev:15;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS directory listing"; flow:to_server,established; content:"/ServerVariables_Jscript.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10573; classtype:web-application-attack; sid:1009; rev:18;) +# alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS directory listing"; flow:to_server,established; content:"/ServerVariables_Jscript.asp"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:nessus,10573; classtype:web-application-attack; sid:1009; rev:19;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS encoding access"; flow:to_server,established; content:"%1u"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,886; reference:cve,2000-0024; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-061; classtype:web-application-activity; sid:1010; rev:21;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS exec-src access"; flow:to_server,established; content:"|23|filename=*.exe"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1011; rev:15;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS fpcount attempt"; flow:to_server,established; content:"/fpcount.exe"; fast_pattern; nocase; http_uri; content:"Digits="; nocase; metadata:ruleset community, service http; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-attack; sid:1012; rev:21;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS fpcount access"; flow:to_server,established; content:"/fpcount.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-activity; sid:1013; rev:21;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS getdrvs.exe access"; flow:to_server,established; content:"/scripts/tools/getdrvs.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1015; rev:18;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS global.asa access"; flow:to_server,established; 
content:"/global.asa"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2000-0778; reference:cve,2001-0004; reference:nessus,10491; reference:nessus,10991; reference:url,technet.microsoft.com/en-us/security/bulletin/ms01-004; classtype:web-application-activity; sid:1016; rev:25;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS global.asa access"; flow:to_server,established; content:"/global.asa"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2000-0778; reference:cve,2001-0004; reference:nessus,10491; reference:nessus,10991; reference:url,technet.microsoft.com/en-us/security/bulletin/ms01-004; classtype:web-application-activity; sid:1016; rev:26;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS idc-srch attempt"; flow:to_server,established; content:"|23|filename=*.idc"; fast_pattern:only; metadata:ruleset community, service http; reference:cve,1999-0874; classtype:web-application-attack; sid:1017; rev:18;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS iisadmpwd attempt"; flow:to_server,established; content:"/iisadmpwd/aexp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2110; reference:cve,1999-0407; reference:nessus,10371; classtype:web-application-attack; sid:1018; rev:23;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Malformed Hit-Highlighting Argument File Access Attempt"; flow:to_server,established; content:"CiWebHitsFile="; nocase; http_uri; pcre:"/CiWebHitsFile=\/?([^\r\n\x3b\&]*\.\.\/)?/i"; content:"CiRestriction=none"; fast_pattern; nocase; http_uri; content:"ciHiliteType=Full"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,950; reference:cve,2000-0097; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-006; reference:url,www.securityfocus.com/archive/1/43762; 
classtype:web-application-attack; sid:1019; rev:30;) 
@@ -647,7 +647,7 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP tftp attempt"; flow:to_server,established; content:"tftp.exe"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1068; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_regread attempt"; flow:to_server,established; content:"xp_regread"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1069; rev:12;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WebDAV search access"; flow:to_server,established; content:"SEARCH "; depth:8; nocase; metadata:ruleset community, service http; reference:bugtraq,1756; reference:cve,2000-0951; classtype:web-application-activity; sid:1070; rev:16;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .htpasswd access"; flow:to_server,established; content:".htpasswd"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1071; rev:13;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .htpasswd access"; flow:to_server,established; content:".htpasswd"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:web-application-attack; sid:1071; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Lotus Domino directory traversal"; flow:to_server,established; content:".nsf/"; http_uri; content:"../"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2173; reference:cve,2001-0009; reference:nessus,12248; classtype:web-application-attack; sid:1072; rev:19;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webhits.exe access"; flow:to_server,established; content:"/scripts/samples/search/webhits.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,950; reference:cve,2000-0097; classtype:web-application-activity; sid:1073; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS postinfo.asp access"; flow:to_server,established; content:"/scripts/postinfo.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1811; reference:cve,1999-0360; classtype:web-application-activity; sid:1075; rev:21;)
@@ -664,7 +664,7 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP strings overflow"; flow:to_server,established; content:"?STRENGUR"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1786; reference:cve,2000-0967; classtype:web-application-attack; sid:1086; rev:25;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP eXtropia webstore directory traversal"; flow:to_server,established; content:"/web_store.cgi"; http_uri; content:"page=../"; metadata:ruleset community, service http; reference:bugtraq,1774; reference:cve,2000-1005; reference:nessus,10532; classtype:web-application-attack; sid:1088; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP shopping cart directory traversal"; flow:to_server,established; content:"/shop.cgi"; http_uri; content:"page=../"; metadata:ruleset community, service http; reference:bugtraq,1777; reference:cve,2000-0921; classtype:web-application-attack; sid:1089; rev:16;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Allaire Pro Web Shell attempt"; flow:to_server,established; content:"/authenticate.cgi?PASSWORD"; fast_pattern; nocase; http_uri; content:"config.ini"; metadata:ruleset community, service http; classtype:web-application-attack; sid:1090; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Allaire Pro Web Shell attempt"; flow:to_server,established; content:"/authenticate.cgi?PASSWORD"; fast_pattern; nocase; http_uri; content:"config.ini"; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1100; classtype:web-application-attack; sid:1090; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ICQ Webfront HTTP DOS"; flow:to_server,established; content:"??????????"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1463; reference:cve,2000-1078; classtype:web-application-attack; sid:1091; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Armada Style Master Index directory traversal"; flow:to_server,established; content:"/search.cgi?"; nocase; http_uri; content:"keys"; distance:0; nocase; http_uri; content:"catigory=../"; nocase; metadata:ruleset community, service http; reference:bugtraq,1772; reference:cve,2000-0924; reference:nessus,10562; reference:url,www.synnergy.net/downloads/advisories/SLA-2000-16.masterindex.txt; classtype:web-application-attack; sid:1092; rev:21;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cached_feed.cgi moreover shopping cart directory traversal"; flow:to_server,established; content:"/cached_feed.cgi"; http_uri; content:"../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,1762; reference:cve,2000-0906; classtype:web-application-attack; sid:1093; rev:18;)
@@ -673,8 +673,8 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Talentsoft Web+ exploit attempt"; flow:to_server,established; content:"/webplus.cgi?"; nocase; http_uri; content:"Script=/webplus/webping/webping.wml"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1725; classtype:web-application-attack; sid:1097; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SmartWin CyberOffice Shopping Cart access"; flow:to_server,established; content:"_private/shopping_cart.mdb"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1734; reference:cve,2000-0925; classtype:web-application-attack; sid:1098; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cybercop scan"; flow:to_server,established; content:"/cybercop"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1099; rev:15;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-SCAN L3retriever HTTP Probe"; flow:to_server,established; content:"User-Agent|3A| Java1.2.1|0D 0A|"; http_header; metadata:ruleset community, service http; classtype:web-application-activity; sid:1100; rev:17;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-SCAN Webtrends HTTP probe"; flow:to_server,established; content:"User-Agent|3A| Webtrends Security Analyzer|0D 0A|"; http_header; metadata:ruleset community, service http; classtype:web-application-activity; sid:1101; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-SCAN L3retriever HTTP Probe"; flow:to_server,established; content:"User-Agent|3A| Java1.2.1|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:web-application-activity; sid:1100; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-SCAN Webtrends HTTP probe"; flow:to_server,established; content:"User-Agent|3A| Webtrends Security Analyzer|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:web-application-activity; sid:1101; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nessus 1.X 404 probe"; flow:to_server,established; content:"/nessus_is_probing_you_"; depth:32; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:1102; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape admin passwd"; flow:to_server,established; content:"/admin-serv/config/admpw"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1579; reference:nessus,10468; classtype:web-application-attack; sid:1103; rev:19;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP BigBrother access"; flow:to_server,established; content:"/bb-hostsvc.sh?"; nocase; http_uri; content:"HOSTSVC"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:attempted-recon; sid:1105; rev:18;)
@@ -690,18 +690,18 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ls 20-l"; flow:to_server,established; content:"ls%20-l"; nocase; metadata:ruleset community, service http; classtype:attempted-recon; sid:1118; rev:12;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mlog.phtml access"; flow:to_server,established; content:"/mlog.phtml"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,713; reference:cve,1999-0068; reference:cve,1999-0346; classtype:attempted-recon; sid:1119; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mylog.phtml access"; flow:to_server,established; content:"/mylog.phtml"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,713; reference:cve,1999-0068; reference:cve,1999-0346; classtype:attempted-recon; sid:1120; rev:16;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /etc/passwd file access attempt"; flow:to_server,established; content:"/etc/passwd"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1122; rev:14;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /etc/passwd file access attempt"; flow:to_server,established; content:"/etc/passwd"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1087; classtype:attempted-recon; sid:1122; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ?PageServices access"; flow:to_server,established; content:"?PageServices"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:bugtraq,7621; reference:cve,1999-0269; classtype:attempted-recon; sid:1123; rev:17;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ecommerce check.txt access"; flow:to_server,established; content:"/config/check.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1124; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webcart access"; flow:to_server,established; content:"/webcart/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0610; reference:nessus,10298; classtype:attempted-recon; sid:1125; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AuthChangeUrl access"; flow:to_server,established; content:"_AuthChangeUrl?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2110; reference:cve,1999-0407; classtype:attempted-recon; sid:1126; rev:19;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP convert.bas access"; flow:to_server,established; content:"/scripts/convert.bas"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2025; reference:cve,1999-0175; classtype:attempted-recon; sid:1127; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cpshost.dll access"; flow:to_server,established; content:"/scripts/cpshost.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1811; reference:bugtraq,4002; reference:cve,1999-0360; classtype:attempted-recon; sid:1128; rev:16;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .htaccess access"; flow:to_server,established; content:".htaccess"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1129; rev:14;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .wwwacl access"; flow:to_server,established; content:".wwwacl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1130; rev:13;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .wwwacl access"; flow:to_server,established; content:".www_acl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1131; rev:13;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .htaccess access"; flow:to_server,established; content:".htaccess"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1170; classtype:attempted-recon; sid:1129; rev:16;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .wwwacl access"; flow:to_server,established; content:".wwwacl"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:1130; rev:14;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .wwwacl access"; flow:to_server,established; content:".www_acl"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:1131; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 457 (msg:"SERVER-WEBAPP Netscape Unixware overflow"; flow:to_server,established; content:"|EB|_|9A FF FF FF FF 07 FF C3|^1|C0 89|F|9D|"; metadata:ruleset community; reference:bugtraq,908; reference:cve,1999-0744; classtype:attempted-recon; sid:1132; rev:14;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; metadata:ruleset community, service http; classtype:attempted-recon; sid:1133; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:1133; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum admin access"; flow:to_server,established; content:"/admin.php3"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2271; reference:cve,2000-1228; classtype:attempted-recon; sid:1134; rev:21;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cd.."; flow:to_server,established; content:"cd.."; nocase; metadata:ruleset community, service http; classtype:attempted-recon; sid:1136; rev:11;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum authentication access"; flow:to_server,established; content:"PHP_AUTH_USER=boogieman"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,2274; reference:cve,2000-1230; classtype:attempted-recon; sid:1137; rev:18;)
@@ -709,7 +709,7 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP guestbook.pl access"; flow:to_server,established; content:"/guestbook.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,776; reference:cve,1999-0237; reference:cve,1999-1053; reference:nessus,10099; classtype:attempted-recon; sid:1140; rev:20;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP handler access"; flow:to_server,established; content:"/handler"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,380; reference:cve,1999-0148; reference:nessus,10100; classtype:web-application-activity; sid:1141; rev:19;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /.... access"; flow:to_server,established; content:"/...."; metadata:ruleset community, service http; classtype:attempted-recon; sid:1142; rev:11;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP root access"; flow:to_server,established; content:"/~root"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1145; rev:16;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP root access"; flow:to_server,established; content:"/~root"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:1145; rev:17;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ecommerce import.txt access"; flow:to_server,established; content:"/config/import.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1146; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cat_ access"; flow:to_server,established; content:"cat "; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,374; reference:cve,1999-0039; classtype:attempted-recon; sid:1147; rev:21;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ecommerce import.txt access"; flow:to_server,established; content:"/orders/import.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1148; rev:13;)
@@ -724,41 +724,41 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape PublishingXpert access"; flow:to_server,established; content:"/PSUser/PSCOErrPage.htm"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2000-1196; reference:nessus,10364; classtype:web-application-activity; sid:1157; rev:17;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP windmail.exe access"; flow:to_server,established; content:"/windmail.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1073; reference:cve,2000-0242; reference:nessus,10365; classtype:attempted-recon; sid:1158; rev:19;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webplus access"; flow:to_server,established; content:"/webplus?script"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1174; reference:bugtraq,1720; reference:bugtraq,1722; reference:bugtraq,1725; reference:cve,2000-1005; classtype:attempted-recon; sid:1159; rev:18;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape dir index wp"; flow:to_server,established; content:"?wp-"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; reference:nessus,10352; classtype:attempted-recon; sid:1160; rev:21;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape dir index wp"; flow:to_server,established; content:"?wp-"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; reference:nessus,10352; classtype:attempted-recon; sid:1160; rev:22;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP piranha passwd.php3 access"; flow:to_server,established; content:"/passwd.php3"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1149; reference:cve,2000-0322; classtype:attempted-recon; sid:1161; rev:17;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cart 32 AdminPwd access"; flow:to_server,established; content:"/c32web.exe/ChangeAdminPassword"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1153; reference:cve,2000-0429; classtype:attempted-recon; sid:1162; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webdist.cgi access"; flow:to_server,established; content:"/webdist.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,374; reference:cve,1999-0039; reference:nessus,10299; classtype:web-application-activity; sid:1163; rev:19;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP shopping cart access"; flow:to_server,established; content:"/quikstore.cfg"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1983; reference:bugtraq,2049; reference:cve,1999-0607; reference:cve,2000-1188; classtype:attempted-recon; sid:1164; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Novell Groupwise gwweb.exe access"; flow:to_server,established; content:"/GWWEB.EXE"; nocase; metadata:ruleset community, service http; reference:bugtraq,879; reference:cve,1999-1005; reference:cve,1999-1006; reference:nessus,10877; classtype:attempted-recon; sid:1165; rev:15;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ws_ftp.ini access"; flow:to_server,established; content:"/ws_ftp.ini"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,547; reference:cve,1999-1078; classtype:attempted-recon; sid:1166; rev:16;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ws_ftp.ini access"; flow:to_server,established; content:"/ws_ftp.ini"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,547; reference:cve,1999-1078; classtype:attempted-recon; sid:1166; rev:17;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rpm_query access"; flow:to_server,established; content:"/rpm_query"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1036; reference:cve,2000-0192; reference:nessus,10340; classtype:attempted-recon; sid:1167; rev:17;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mall log order access"; flow:to_server,established; content:"/mall_log_files/order.log"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2266; reference:cve,1999-0606; classtype:attempted-recon; sid:1168; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bigconf.cgi access"; flow:to_server,established; content:"/bigconf.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,778; reference:cve,1999-1550; reference:nessus,10027; classtype:web-application-activity; sid:1172; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP architext_query.pl access"; flow:to_server,established; content:"/ews/architext_query.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2248; reference:cve,1999-0279; reference:nessus,10064; reference:url,www2.fedcirc.gov/alerts/advisories/1998/txt/fedcirc.98.03.txt; classtype:attempted-recon; sid:1173; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /cgi-bin/jj access"; flow:to_server,established; content:"/cgi-bin/jj"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2002; reference:cve,1999-0260; reference:nessus,10131; classtype:web-application-activity; sid:1174; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wwwboard.pl access"; flow:to_server,established; content:"/wwwboard.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1795; reference:bugtraq,649; reference:cve,1999-0930; reference:cve,1999-0954; classtype:attempted-recon; sid:1175; rev:18;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-verify-link"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1177; rev:15;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-verify-link"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1177; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum read access"; flow:to_server,established; content:"/read.php3"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1178; rev:19;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum violation access"; flow:to_server,established; content:"/violation.php3"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2272; reference:cve,2000-1234; classtype:attempted-recon; sid:1179; rev:21;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP get32.exe access"; flow:to_server,established; content:"/get32.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1485; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10011; classtype:attempted-recon; sid:1180; rev:24;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Annex Terminal DOS attempt"; flow:to_server,established; content:"/ping?query="; http_uri; metadata:ruleset community, service http; reference:cve,1999-1070; reference:nessus,10017; classtype:attempted-dos; sid:1181; rev:18;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-cs-dump"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; reference:nessus,10352; classtype:attempted-recon; sid:1183; rev:18;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-ver-info"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1184; rev:16;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-cs-dump"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; reference:nessus,10352; classtype:attempted-recon; sid:1183; rev:19;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-ver-info"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1184; rev:17;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bizdbsearch attempt"; flow:to_server,established; content:"/bizdb1-search.cgi"; fast_pattern; nocase; http_uri; content:"mail"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1104; reference:cve,2000-0287; reference:nessus,10383; classtype:web-application-attack; sid:1185; rev:23;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-ver-diff"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1186; rev:15;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-ver-diff"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1186; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SalesLogix Eviewer web command attempt"; flow:to_server,established; content:"/slxweb.dll/admin?command="; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1078; reference:bugtraq,1089; reference:cve,2000-0278; reference:cve,2000-0289; reference:nessus,10361; classtype:web-application-attack; sid:1187; rev:21;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-start-ver"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1188; rev:15;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-stop-ver"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1189; rev:15;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-uncheckout"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1190; rev:15;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-html-rend"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1191; rev:15;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-start-ver"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1188; rev:16;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-stop-ver"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1189; rev:16;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-uncheckout"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1190; rev:16;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-html-rend"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1191; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro OfficeScan access"; flow:to_server,established; content:"/officescan/cgi/jdkRqNotify.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1057; classtype:attempted-recon; sid:1192; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP oracle web arbitrary command execution attempt"; flow:to_server,established; content:"/ows-bin/"; nocase; http_uri; content:"?&"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-attack; sid:1193; rev:17;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sojourn.cgi File attempt"; flow:to_server,established; content:"/sojourn.cgi?"; nocase; http_uri; content:"cat="; distance:0; nocase; http_uri; content:"%00"; nocase; metadata:ruleset community, service http; reference:bugtraq,1052; reference:cve,2000-0180; reference:nessus,10349; classtype:web-application-attack; sid:1194; rev:21;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sojourn.cgi access"; flow:to_server,established; content:"/sojourn.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1052; reference:cve,2000-0180; reference:nessus,10349; classtype:web-application-activity; sid:1195; rev:22;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SGI InfoSearch fname attempt"; flow:to_server,established; content:"/infosrch.cgi?"; fast_pattern; nocase; http_uri; content:"fname="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1031; reference:cve,2000-0207; reference:nessus,10128; classtype:web-application-attack; sid:1196; rev:23;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum code access"; flow:to_server,established; content:"/code.php3"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1197; rev:19;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-usr-prop"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:web-application-attack; sid:1198; rev:16;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"SERVER-WEBAPP Compaq Insight directory traversal"; flow:to_server,established; content:"../"; metadata:ruleset community; reference:bugtraq,282; reference:cve,1999-0771; classtype:web-application-attack; sid:1199; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-usr-prop"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:web-application-attack; sid:1198; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"SERVER-WEBAPP Compaq Insight directory traversal"; flow:to_server,established; content:"../"; metadata:ruleset community, service http; reference:bugtraq,282; reference:cve,1999-0771; classtype:web-application-attack; sid:1199; rev:18;)
 # alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Invalid URL"; flow:to_client,established; file_data; content:"Invalid URL"; nocase; metadata:ruleset community, service http;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-063; classtype:attempted-recon; sid:1200; rev:17;) # alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE 403 Forbidden"; flow:to_client,established; content:"403"; http_stat_code; metadata:ruleset community, service http; classtype:attempted-recon; sid:1201; rev:13;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP search.vts access"; flow:to_server,established; content:"/search.vts"; http_uri; metadata:ruleset community, service http; reference:bugtraq,162; classtype:attempted-recon; sid:1202; rev:14;) 
@@ -767,7 +767,7 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cachemgr.cgi access"; flow:to_server,established; content:"/cachemgr.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2059; reference:cve,1999-0710; reference:nessus,10034; classtype:web-application-activity; sid:1206; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htgrep access"; flow:to_server,established; content:"/htgrep"; http_uri; metadata:ruleset community, service http; reference:cve,2000-0832; reference:nessus,10495; classtype:web-application-activity; sid:1207; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP responder.cgi access"; flow:to_server,established; content:"/responder.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3155; classtype:web-application-activity; sid:1208; rev:16;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .nsconfig access"; flow:to_server,established; content:"/.nsconfig"; http_uri; metadata:ruleset community, service http; reference:url,osvdb.org/show/osvdb/5709; classtype:attempted-recon; sid:1209; rev:14;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .nsconfig access"; flow:to_server,established; content:"/.nsconfig"; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1209; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP web-map.cgi access"; flow:to_server,established; content:"/web-map.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1211; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Admin_files access"; flow:to_server,established; content:"/admin_files"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1212; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP backup access"; flow:to_server,established; content:"/backup"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1213; rev:13;)
@@ -786,21 +786,21 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD ..."; flow:to_server,established; content:"CWD"; nocase; content:"..."; distance:0; pcre:"/^CWD\s[^\n]*?\.\.\./smi"; metadata:ruleset community, service ftp; reference:bugtraq,9237; classtype:bad-unknown; sid:1229; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP VirusWall FtpSave access"; flow:to_server,established; content:"/FtpSave.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1230; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP VirusWall catinfo access"; flow:to_server,established; content:"/catinfo"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2579; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10650; classtype:attempted-recon; sid:1231; rev:16;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 1812 (msg:"SERVER-WEBAPP VirusWall catinfo access"; flow:to_server,established; content:"/catinfo"; nocase; metadata:ruleset community; reference:bugtraq,2579; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10650; classtype:attempted-recon; sid:1232; rev:13;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 1812 (msg:"SERVER-WEBAPP VirusWall catinfo access"; flow:to_server,established; content:"/catinfo"; nocase; metadata:ruleset community, service http; reference:bugtraq,2579; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10650; classtype:attempted-recon; sid:1232; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP VirusWall FtpSaveCSP access"; flow:to_server,established; content:"/FtpSaveCSP.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1234; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP VirusWall FtpSaveCVP access"; flow:to_server,established; content:"/FtpSaveCVP.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1235; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS"; content:"yep yep"; metadata:ruleset community; reference:bugtraq,1163; reference:cve,2000-0347; reference:nessus,10392; classtype:attempted-recon; sid:1239; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 2224 (msg:"SERVER-OTHER MDBMS overflow"; flow:to_server,established; content:"|01|1|DB CD 80 E8|[|FF FF FF|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,1252; reference:cve,2000-0446; reference:nessus,10422; classtype:attempted-admin; sid:1240; rev:10;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SWEditServlet directory traversal attempt"; flow:to_server,established; content:"/SWEditServlet"; http_uri; content:"template=../../../"; metadata:ruleset community, service http; reference:bugtraq,2868; reference:cve,2001-0555; classtype:attempted-user; sid:1241; rev:15;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .ida access"; flow:to_server,established; content:".ida"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1242; rev:23;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .ida attempt"; flow:to_server,established; content:".ida?"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1065; reference:cve,2000-0071; reference:cve,2001-0500; classtype:web-application-attack; sid:1243; rev:25;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .idq attempt"; flow:to_server,established; content:".idq?"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1065; reference:bugtraq,968; reference:cve,2000-0071; reference:cve,2000-0126; reference:cve,2001-0500; reference:nessus,10115; classtype:web-application-attack; sid:1244; rev:28;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .idq access"; flow:to_server,established; content:".idq"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1245; rev:23;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage rad fp30reg.dll access"; flow:to_server,established; content:"/fp30reg.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2906; reference:cve,2001-0341; reference:cve,2003-0822; reference:nessus,10699; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-035; classtype:web-application-activity; sid:1248; rev:30;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage rad fp4areg.dll access"; flow:to_server,established; content:"/fp4areg.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2906; reference:cve,2001-0341; reference:nessus,10699; classtype:web-application-activity; sid:1249; rev:24;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"OS-OTHER Cisco IOS HTTP configuration attempt"; flow:to_server,established; content:"/level/"; http_uri; pcre:"/\x2flevel\x2f\d+\x2f(exec|configure)/iU"; metadata:ruleset community, service http; reference:bugtraq,2936; reference:cve,2001-0537; reference:nessus,10700; classtype:web-application-attack; sid:1250; rev:21;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .ida access"; flow:to_server,established; content:".ida"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1242; rev:24;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .ida attempt"; flow:to_server,established; content:".ida?"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1065; reference:cve,2000-0071; reference:cve,2001-0500; classtype:web-application-attack; sid:1243; rev:26;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .idq attempt"; flow:to_server,established; content:".idq?"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1065; reference:bugtraq,968; reference:cve,2000-0071; reference:cve,2000-0126; reference:cve,2001-0500; reference:nessus,10115; classtype:web-application-attack; sid:1244; rev:29;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .idq access"; flow:to_server,established; content:".idq"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1245; rev:24;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage rad fp30reg.dll access"; flow:to_server,established; content:"/fp30reg.dll"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2906; reference:cve,2001-0341; reference:cve,2003-0822; reference:nessus,10699; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-035; classtype:web-application-activity; sid:1248; rev:31;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage rad fp4areg.dll access"; flow:to_server,established; content:"/fp4areg.dll"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2906; reference:cve,2001-0341; reference:nessus,10699; classtype:web-application-activity; sid:1249; rev:25;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"OS-OTHER Cisco IOS HTTP configuration attempt"; flow:to_server,established; content:"/level/"; http_uri; pcre:"/\x2flevel\x2f\d+\x2f(exec|configure)/iU"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2936; reference:cve,2001-0537; reference:nessus,10700; classtype:web-application-attack; sid:1250; rev:22;)
 # alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET bsd telnet exploit response"; flow:to_client,established; content:"|0D 0A|[Yes]|0D 0A FF FE 08 FF FD|&"; fast_pattern:only; rawbytes; metadata:ruleset community, service telnet; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:attempted-admin; sid:1252; rev:25;)
-# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET bsd exploit client finishing"; flow:to_server,established; dsize:>200; content:"|FF F6 FF F6 FF FB 08 FF F6|"; depth:50; offset:200; rawbytes; metadata:ruleset community, service telnet; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:successful-admin; sid:1253; rev:23;)
+# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET bsd exploit client finishing"; flow:to_server,established; isdataat:200; content:"|FF F6 FF F6 FF FB 08 FF F6|"; depth:50; offset:200; rawbytes; metadata:ruleset community, service telnet; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:successful-admin; sid:1253; rev:24;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHPLIB remote command attempt"; flow:to_server,established; content:"_PHPLIB[libdir]"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,3079; reference:cve,2001-1370; reference:nessus,14910; classtype:attempted-user; sid:1254; rev:16;)
 # alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHPLIB remote command attempt"; flow:to_server,established; content:"/db_mysql.inc"; http_uri; metadata:ruleset community, service http; reference:bugtraq,3079; reference:cve,2001-1370; classtype:attempted-user; sid:1255; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS CodeRed v2 root.exe access"; flow:to_server,established; content:"/root.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:20;)
@@ -823,14 +823,14 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ypserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:1276; rev:21;)
 # alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ypupdated request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,1749; reference:bugtraq,28383; reference:cve,1999-0208; classtype:rpc-portmap-decode; sid:1277; rev:22;)
 # alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap snmpXdmi request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1279; rev:28;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap listing UDP 111"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1280; rev:17;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"PROTOCOL-RPC portmap listing UDP 32771"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:rpc-portmap-decode; sid:1281; rev:14;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap listing UDP 111"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1280; rev:18;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"PROTOCOL-RPC portmap listing UDP 32771"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; classtype:rpc-portmap-decode; sid:1281; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Microsoft Office Outlook web dos"; flow:to_server,established; content:"/exchange/LogonFrm.asp?"; fast_pattern; nocase; http_uri; content:"mailbox="; nocase; content:"%%%"; metadata:ruleset community, service http; reference:bugtraq,3223; classtype:web-application-attack; sid:1283; rev:21;)
 # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER readme.eml download attempt"; flow:to_server,established; content:"/readme.eml"; nocase; http_uri; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1284; rev:17;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS msdac access"; flow:to_server,established; content:"/msdac/"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-activity; sid:1285; rev:20;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS _mem_bin access"; flow:to_server,established; content:"/_mem_bin/"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-activity; sid:1286; rev:20;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage /_vti_bin/ access"; flow:to_server,established; content:"/_vti_bin/"; fast_pattern:only; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-activity; sid:1288; rev:16;)
-# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET Admin.dll"; flow:to_server; content:"|00 01|"; depth:2; content:"admin.dll"; offset:2; nocase; metadata:ruleset community; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:successful-admin; sid:1289; rev:10;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage /_vti_bin/ access"; flow:to_server,established; content:"/_vti_bin/"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; reference:nessus,11032; classtype:web-application-activity; sid:1288; rev:17;)
+# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET Admin.dll"; flow:to_server; content:"|00 01|"; depth:2; content:"admin.dll"; offset:2; nocase; metadata:policy max-detect-ips drop, ruleset community; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:successful-admin; sid:1289; rev:11;)
 # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER readme.eml autoload attempt"; flow:to_client,established; file_data; content:"window.open|28 22|readme.eml|22|"; nocase; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1290; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sml3com access"; flow:to_server,established; content:"/graphics/sml3com"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2721; reference:cve,2001-0740; classtype:web-application-activity; sid:1291; rev:15;)
 # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE directory listing"; flow:established; content:"Volume Serial Number"; metadata:ruleset community; classtype:bad-unknown; sid:1292; rev:12;)
@@ -843,17 +843,17 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP txt2html.cgi directory traversal attempt"; flow:to_server,established; content:"/txt2html.cgi"; fast_pattern:only; http_uri; content:"/../../../../"; http_raw_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:1305; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP store.cgi access"; flow:to_server,established; content:"/store.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2385; reference:cve,2001-0305; reference:nessus,10639; classtype:web-application-activity; sid:1307; rev:22;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sendmessage.cgi access"; flow:to_server,established; content:"/sendmessage.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3673; reference:cve,2001-1100; classtype:attempted-recon; sid:1308; rev:20;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP zsh access"; flow:to_server,established; content:"/zsh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1309; rev:20;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP zsh access"; flow:to_server,established; content:"/zsh"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1309; rev:21;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"SERVER-OTHER rwhoisd format string attempt"; flow:to_server,established; content:"-soa %p"; metadata:ruleset community; reference:bugtraq,3474; reference:cve,2001-0838; reference:nessus,10790; classtype:misc-attack; sid:1323; rev:10;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; metadata:ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1324; rev:12;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow filler"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1325; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1326; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; metadata:ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; reference:nessus,10607; classtype:shellcode-detect; sid:1327; rev:14;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .htgroup access"; flow:to_server,established; content:".htgroup"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1374; rev:14;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .htgroup access"; flow:to_server,established; content:".htgroup"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:web-application-activity; sid:1374; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sadmind worm access"; flow:to_server,established; content:"GET x HTTP/1.0"; depth:15; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-11.html; classtype:attempted-recon; sid:1375; rev:12;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP jrun directory browse attempt"; flow:to_server,established; content:"/?.jsp"; http_uri; metadata:ruleset community, service http; reference:bugtraq,3592; reference:cve,2001-1510; classtype:web-application-attack; sid:1376; rev:13;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP wu-ftp bad file completion attempt"; flow:to_server,established; content:"~"; content:"["; distance:0; metadata:ruleset community, service ftp; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; reference:nessus,10821; classtype:misc-attack; sid:1377; rev:23;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP wu-ftp bad file completion attempt"; flow:to_server,established; content:"~"; content:"{"; distance:0; metadata:ruleset community, service ftp; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; reference:nessus,10821; classtype:misc-attack; sid:1378; rev:23;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP wu-ftp bad file completion attempt"; flow:to_server,established; content:"~"; content:"["; distance:0; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; reference:nessus,10821; classtype:misc-attack; sid:1377; rev:24;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP wu-ftp bad file completion attempt"; flow:to_server,established; content:"~"; content:"{"; distance:0; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; reference:nessus,10821; classtype:misc-attack; sid:1378; rev:24;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:190,relative; pcre:"/^STAT(?!\n)\s[^\n]{190}/mi"; metadata:ruleset community, service ftp; reference:bugtraq,3507; reference:bugtraq,8542; reference:cve,2001-0325; reference:cve,2001-1021; reference:cve,2003-0772; reference:cve,2011-0762; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:1379; rev:23;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Form_VBScript.asp access"; flow:to_server,established; content:"/Form_VBScript.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0746; reference:cve,2000-1104; reference:nessus,10572; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-060; classtype:web-application-attack; sid:1380; rev:21;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro OfficeScan attempt"; flow:to_server,established; content:"/officescan/cgi/jdkRqNotify.exe?"; nocase; http_uri; content:"domain="; nocase; http_uri; content:"event="; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1057; classtype:attempted-recon; sid:1381; rev:13;)
@@ -862,7 +862,7 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mod-plsql administration access"; flow:to_server,established; content:"/admin_/"; http_uri; metadata:ruleset community, service http; reference:bugtraq,3726; reference:bugtraq,3727; reference:cve,2001-1216; reference:cve,2001-1217; reference:nessus,10849; classtype:web-application-activity; sid:1385; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; offset:32; nocase; metadata:ruleset community; reference:bugtraq,3733; reference:cve,2001-0542; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-060; classtype:attempted-user; sid:1386; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,3733; reference:cve,2001-0542; reference:nessus,11217; classtype:attempted-user; sid:1387; rev:13;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows UPnP Location overflow attempt"; content:"Location"; fast_pattern:only; pcre:"/^Location\s*\x3a\s*\w+\x3a\/\/([^\n]*\x3a)?[^\n]{128}/smi"; metadata:ruleset community; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2007-2386; reference:nessus,10829; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-059; classtype:misc-attack; sid:1388; rev:22;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows UPnP Location overflow attempt"; content:"Location"; fast_pattern:only; pcre:"/^Location\s*\x3a\s*\w+\x3a\/\/([^\n]*\x3a)?[^\n]{128}/smi"; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2007-2386; reference:nessus,10829; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-059; classtype:misc-attack; sid:1388; rev:23;)
 # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; metadata:policy max-detect-ips drop, ruleset community; classtype:shellcode-detect; sid:1390; rev:17;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP lastlines.cgi access"; flow:to_server,established; content:"/lastlines.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3754; reference:bugtraq,3755; reference:cve,2001-1205; reference:cve,2001-1206; classtype:attempted-recon; sid:1392; rev:22;)
 # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 inc ecx NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; metadata:ruleset community; classtype:shellcode-detect; sid:1394; rev:17;)
@@ -873,44 +873,44 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHP-Nuke remote file include attempt"; flow:to_server,established; content:"/index.php"; fast_pattern; nocase; http_uri; content:"file="; http_uri; pcre:"/file=(https?|ftps?|php)/Ui"; metadata:ruleset community, service http; reference:bugtraq,3889; reference:cve,2002-0206; classtype:web-application-attack; sid:1399; rev:23;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /scripts/samples/ access"; flow:to_server,established; content:"/scripts/samples/"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10370; classtype:web-application-attack; sid:1400; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /msadc/samples/ access"; flow:to_server,established; content:"/msadc/samples/"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,1007; classtype:web-application-attack; sid:1401; rev:20;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS iissamples access"; flow:to_server,established; content:"/iissamples/"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-attack; sid:1402; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS iissamples access"; flow:to_server,established; content:"/iissamples/"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:nessus,11032; classtype:web-application-attack; sid:1402; rev:19;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AHG search.cgi access"; flow:to_server,established; content:"/publisher/search.cgi"; fast_pattern; nocase; http_uri; content:"template="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,3985; reference:cve,2002-2113; classtype:web-application-activity; sid:1405; rev:17;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP agora.cgi access"; flow:to_server,established; content:"/store/agora.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3702; reference:bugtraq,3976; reference:cve,2001-1199; reference:cve,2002-0215; reference:nessus,10836; classtype:web-application-activity; sid:1406; rev:23;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP smssend.php access"; flow:to_server,established; content:"/smssend.php"; http_uri; metadata:ruleset community, service http; reference:bugtraq,3982; reference:cve,2002-0220; classtype:web-application-activity; sid:1407; rev:15;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"SERVER-OTHER MSDTC attempt"; flow:to_server,established; dsize:>1023; metadata:ruleset community; reference:bugtraq,4006; reference:cve,2002-0224; reference:nessus,10939; classtype:attempted-dos; sid:1408; rev:16;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"PROTOCOL-SNMP community string buffer overflow attempt"; flow:to_server; content:"|02 01 00 04 82 01 00|"; offset:4; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1409; rev:19;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"SERVER-OTHER MSDTC attempt"; flow:to_server,established; isdataat:1023; metadata:ruleset community; reference:bugtraq,4006; reference:cve,2002-0224; reference:nessus,10939; classtype:attempted-dos; sid:1408; rev:17;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"PROTOCOL-SNMP community string buffer overflow attempt"; flow:to_server; content:"|02 01 00 04 82 01 00|"; offset:4; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1409; rev:20;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dcboard.cgi access"; flow:to_server,established; content:"/dcboard.cgi"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:attempted-recon; sid:1410; rev:16;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP public access udp"; flow:to_server; content:"|06|public"; metadata:ruleset community, service snmp; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1411; rev:19;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP public access tcp"; flow:to_server,established; content:"public"; metadata:ruleset community, service snmp; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1412; rev:20;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP private access udp"; flow:to_server; content:"private"; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:bugtraq,7212; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1413; rev:18;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP private access tcp"; flow:to_server,established; content:"private"; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1414; rev:18;)
-# alert udp any any -> 255.255.255.255 161 (msg:"PROTOCOL-SNMP Broadcast request"; flow:to_server; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1415; rev:17;)
-# alert udp any any -> 255.255.255.255 162 (msg:"PROTOCOL-SNMP broadcast trap"; flow:to_server; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1416; rev:17;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP request udp"; flow:to_server; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1417; rev:17;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP request tcp"; flow:stateless; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1418; rev:18;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"PROTOCOL-SNMP trap udp"; flow:to_server; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1419; rev:17;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"PROTOCOL-SNMP trap tcp"; flow:stateless; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1420; rev:18;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 705 (msg:"PROTOCOL-SNMP AgentX/tcp request"; flow:stateless; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1421; rev:18;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"PROTOCOL-SNMP community string buffer overflow attempt with evasion"; flow:to_server; content:" |04 82 01 00|"; depth:5; offset:7; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1422; rev:19;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP public access udp"; flow:to_server; content:"|06|public"; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1411; rev:20;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP public access tcp"; flow:to_server,established; content:"public"; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1412; rev:21;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP private access udp"; flow:to_server; content:"private"; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:bugtraq,7212; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1413; rev:19;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP private access tcp"; flow:to_server,established; content:"private"; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1414; rev:19;)
+# alert udp any any -> 255.255.255.255 161 (msg:"PROTOCOL-SNMP Broadcast request"; flow:to_server; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1415; rev:18;)
+# alert udp any any -> 255.255.255.255 162 (msg:"PROTOCOL-SNMP broadcast trap"; flow:to_server; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1416; rev:18;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP request udp"; flow:to_server; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1417; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP request tcp"; flow:stateless; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1418; rev:19;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"PROTOCOL-SNMP trap udp"; flow:to_server; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1419; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"PROTOCOL-SNMP trap tcp"; flow:stateless; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1420; rev:19;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 705 (msg:"PROTOCOL-SNMP AgentX/tcp request"; flow:stateless; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1421; rev:19;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"PROTOCOL-SNMP community string buffer overflow attempt with evasion"; flow:to_server; content:" |04 82 01 00|"; depth:5; offset:7; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1422; rev:20;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP content-disposition memchr overflow"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; http_header; content:"name=|22 CC CC CC CC CC|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,4183; reference:cve,2002-0081; reference:nessus,10867; classtype:web-application-attack; sid:1423; rev:24;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP content-disposition file upload attempt"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; http_header; content:"form-data|3B|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,4183; reference:cve,2002-0081; reference:nessus,10867; classtype:web-application-attack; sid:1425; rev:22;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP PROTOS test-suite-req-app attempt"; content:"0&|02 01 00 04 06|public|A0 19 02 01 00 02 01 00 02 01 00|0|0E|0|0C 06 08|+|06 01 02 01 01 05 00 05 00|"; fast_pattern:only; metadata:ruleset community, service snmp; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1426; rev:13;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"PROTOCOL-SNMP PROTOS test-suite-trap-app attempt"; content:"08|02 01 00 04 06|public|A4|+|06|"; fast_pattern:only; metadata:ruleset community, service snmp; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1427; rev:12;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP PROTOS test-suite-req-app attempt"; content:"0&|02 01 00 04 06|public|A0 19 02 01 00 02 01 00 02 01 00|0|0E|0|0C 06 08|+|06 01 02 01 01 05 00 05 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1426; rev:14;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"PROTOCOL-SNMP PROTOS test-suite-trap-app attempt"; content:"08|02 01 00 04 06|public|A4|+|06|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1427; rev:13;)
 # alert tcp $HOME_NET any -> 64.245.58.0/23 any (msg:"POLICY-MULTIMEDIA audio galaxy keepalive"; flow:established; content:"E_|00 03 05|"; depth:5; metadata:ruleset community; classtype:misc-activity; sid:1428; rev:8;)
 # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; metadata:ruleset community; classtype:policy-violation; sid:1432; rev:11;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .history access"; flow:to_server,established; content:"/.history"; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:1433; rev:12;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .bash_history access"; flow:to_server,established; content:"/.bash_history"; http_uri; metadata:ruleset community, service http; reference:bugtraq,337; reference:cve,1999-0408; classtype:web-application-attack; sid:1434; rev:14;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:ruleset community, service dns; reference:nessus,10728; classtype:attempted-recon; sid:1435; rev:15;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .bash_history access"; flow:to_server,established; content:"/.bash_history"; http_uri; metadata:ruleset community, service http; reference:bugtraq,337; reference:cve,1999-0408; reference:url,attack.mitre.org/techniques/T1139; classtype:web-application-attack; sid:1434; rev:15;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:policy max-detect-ips drop, ruleset community, service dns; reference:nessus,10728; classtype:attempted-recon; sid:1435; rev:16;)
 # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-MULTIMEDIA Apple Quicktime User Agent access"; flow:to_server,established; content:"User-Agent|3A| Quicktime"; fast_pattern:only; metadata:ruleset community, service http; classtype:policy-violation; sid:1436; rev:12;)
 # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Windows Media download detected"; flow:to_client,established; content:"Content-Type|3A|"; nocase; http_header; pcre:"/^Content-Type\x3a\s*(?=[av])(video\/x\-ms\-(w[vm]x|asf)|a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))/smiH"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:1437; rev:27;)
 # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-MULTIMEDIA Shoutcast playlist redirection"; flow:to_client,established; content:"Content-type|3A|"; nocase; http_header; content:"audio/x-scpls"; within:50; fast_pattern; nocase; http_header; metadata:ruleset community, service http; classtype:policy-violation; sid:1439; rev:17;)
 # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-MULTIMEDIA Icecast playlist redirection"; flow:to_client,established; content:"Content-type|3A|"; nocase; http_header; content:"audio/x-mpegurl"; within:50; fast_pattern; nocase; http_header; metadata:ruleset community, service http; classtype:policy-violation; sid:1440; rev:17;)
-# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET nc.exe"; flow:to_server; content:"|00 01|"; depth:2; content:"nc.exe"; offset:2; nocase; metadata:ruleset community; classtype:successful-admin; sid:1441; rev:10;)
-# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET shadow"; flow:to_server; content:"|00 01|"; depth:2; content:"shadow"; offset:2; nocase; metadata:ruleset community; classtype:successful-admin; sid:1442; rev:10;)
-# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET passwd"; flow:to_server; content:"|00 01|"; depth:2; content:"passwd"; offset:2; nocase; metadata:ruleset community; classtype:successful-admin; sid:1443; rev:10;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP Get"; flow:to_server; content:"|00 01|"; depth:2; metadata:ruleset community; classtype:bad-unknown; sid:1444; rev:9;)
+# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET nc.exe"; flow:to_server; content:"|00 01|"; depth:2; content:"nc.exe"; offset:2; nocase; metadata:policy max-detect-ips drop, ruleset community; classtype:successful-admin; sid:1441; rev:11;)
+# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET shadow"; flow:to_server; content:"|00 01|"; depth:2; content:"shadow"; offset:2; nocase; metadata:policy max-detect-ips drop, ruleset community; classtype:successful-admin; sid:1442; rev:11;)
+# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET passwd"; flow:to_server; content:"|00 01|"; depth:2; content:"passwd"; offset:2; nocase; metadata:policy max-detect-ips drop, ruleset community; classtype:successful-admin; sid:1443; rev:11;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP Get"; flow:to_server; content:"|00 01|"; depth:2; metadata:policy max-detect-ips drop, ruleset community; classtype:bad-unknown; sid:1444; rev:10;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP file_id.diz access possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"file_id.diz"; distance:1; nocase; metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:1445; rev:9;)
-# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL vrfy root"; flow:to_server,established; content:"vrfy"; nocase; content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi"; metadata:ruleset community, service smtp; classtype:attempted-recon; sid:1446; rev:14;)
+# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL vrfy root"; flow:to_server,established; content:"vrfy"; nocase; content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi"; metadata:policy max-detect-ips drop, ruleset community, service smtp; classtype:attempted-recon; sid:1446; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"POLICY-OTHER Microsoft Windows Terminal server RDP attempt"; flow:to_server,established; content:"|03 00 00 0B 06 E0 00 00 00 00 00|"; depth:11; metadata:ruleset community, service rdp; reference:bugtraq,3099; reference:cve,2001-0540; reference:cve,2001-0663; reference:nessus,10940; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-052; classtype:protocol-command-decode; sid:1447; rev:20;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"POLICY-OTHER Microsoft Windows Terminal server request attempt"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|E0 00 00 00 00 00|"; depth:6; offset:5; metadata:ruleset community, service rdp; reference:bugtraq,3099; reference:cve,2001-0540; reference:cve,2001-0663; reference:nessus,10940; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-052; classtype:protocol-command-decode; sid:1448; rev:20;)
 # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Vintra Mailserver expn *@"; flow:to_server,established; content:"expn"; fast_pattern:only; content:"*@"; pcre:"/^expn\s+\*@/smi"; metadata:ruleset community, service smtp; reference:cve,1999-1200; classtype:misc-attack; sid:1450; rev:13;)
@@ -926,7 +926,7 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-histsvc.sh access"; flow:to_server,established; content:"/bb-histsvc.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1460; rev:17;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-rep.sh access"; flow:to_server,established; content:"/bb-rep.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1461; rev:17;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-replog.sh access"; flow:to_server,established; content:"/bb-replog.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1462; rev:17;)
-# alert tcp $HOME_NET any <> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC message"; flow:established; dsize:<140; content:"PRIVMSG "; metadata:ruleset community; classtype:policy-violation; sid:1463; rev:15;)
+# alert tcp $HOME_NET any <> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC message"; flow:established; isdataat:!139; content:"PRIVMSG "; metadata:ruleset community; classtype:policy-violation; sid:1463; rev:16;)
 # alert tcp $HOME_NET 8002 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE oracle one hour install"; flow:to_client,established; content:"Oracle Applications One-Hour Install"; metadata:ruleset community; reference:nessus,10737; classtype:bad-unknown; sid:1464; rev:10;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP auktion.cgi access"; flow:to_server,established; content:"/auktion.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2367; reference:cve,2001-0212; reference:nessus,10638; classtype:web-application-activity; sid:1465; rev:20;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgiforum.pl access"; flow:to_server,established; content:"/cgiforum.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1963; reference:cve,2000-1171; reference:nessus,10552; classtype:web-application-activity; sid:1466; rev:20;)
@@ -940,17 +940,17 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cal_make.pl access"; flow:to_server,established; content:"/cal_make.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2663; reference:cve,2001-0463; reference:nessus,10664; classtype:web-application-activity; sid:1474; rev:21;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mailit.pl access"; flow:to_server,established; content:"/mailit.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10417; classtype:attempted-recon; sid:1475; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sdbsearch.cgi access"; flow:to_server,established; content:"/sdbsearch.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1658; reference:cve,2001-1130; reference:nessus,10503; reference:nessus,10720; classtype:attempted-recon; sid:1476; rev:21;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Simple Web Counter URI Parameter Buffer Overflow attempt"; flow:to_server,established; content:"/swc"; nocase; http_uri; content:"ctr="; distance:0; nocase; http_uri; urilen:>500; metadata:ruleset community, service http; reference:bugtraq,6581; reference:nessus,10493; reference:url,osvdb.org/show/osvdb/392; classtype:attempted-user; sid:1478; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Simple Web Counter URI Parameter Buffer Overflow attempt"; flow:to_server,established; content:"/swc"; nocase; http_uri; content:"ctr="; distance:0; nocase; http_uri; urilen:>500; metadata:ruleset community, service http; reference:bugtraq,6581; reference:nessus,10493; classtype:attempted-user; sid:1478; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ttawebtop.cgi arbitrary file attempt"; flow:to_server,established; content:"/ttawebtop.cgi"; nocase; content:"pg=../"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,2890; reference:cve,2001-0805; reference:nessus,10696; classtype:web-application-attack; sid:1479; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ttawebtop.cgi access"; flow:to_server,established; content:"/ttawebtop.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2890; reference:cve,2001-0805; reference:nessus,10696; classtype:attempted-recon; sid:1480; rev:21;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP upload.cgi access"; flow:to_server,established; content:"/upload.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10290; classtype:attempted-recon; sid:1481; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP view_source access"; flow:to_server,established; content:"/view_source"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2251; reference:cve,1999-0174; reference:nessus,10294; classtype:attempted-recon; sid:1482; rev:19;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ustorekeeper.pl access"; flow:to_server,established; content:"/ustorekeeper.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2001-0466; reference:nessus,10645; classtype:web-application-activity; sid:1483; rev:22;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS mkilog.exe access"; flow:to_server,established; content:"/mkilog.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10359; reference:url,osvdb.org/show/osvdb/274; classtype:web-application-activity; sid:1485; rev:20;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS mkilog.exe access"; flow:to_server,established; content:"/mkilog.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10359; classtype:web-application-activity; sid:1485; rev:21;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ctss.idc access"; flow:to_server,established; content:"/ctss.idc"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10359; classtype:web-application-activity; sid:1486; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /iisadmpwd/aexp2.htr access"; flow:to_server,established; content:"/iisadmpwd/aexp2.htr"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2110; reference:bugtraq,4236; reference:cve,1999-0407; reference:cve,2002-0421; reference:nessus,10371; classtype:web-application-activity; sid:1487; rev:22;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP store.cgi directory traversal attempt"; flow:to_server,established; content:"/store.cgi"; fast_pattern; nocase; http_uri; content:"../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2385; reference:cve,2001-0305; reference:nessus,10639; classtype:web-application-attack; sid:1488; rev:19;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nobody access"; flow:to_server,established; content:"/~nobody"; http_uri; metadata:ruleset community, service http; reference:nessus,10484; classtype:web-application-attack; sid:1489; rev:15;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nobody access"; flow:to_server,established; content:"/~nobody"; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:nessus,10484; classtype:web-application-attack; sid:1489; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum /support/common.php attempt"; flow:to_server,established; content:"/support/common.php"; http_uri; content:"ForumLang=../"; metadata:ruleset community, service http; reference:bugtraq,1997; classtype:web-application-attack; sid:1490; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum /support/common.php access"; flow:to_server,established; content:"/support/common.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1997; reference:bugtraq,9361; reference:cve,2004-0034; classtype:web-application-attack; sid:1491; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP RBS ISP /newuser directory traversal attempt"; flow:to_server,established; content:"/newuser?Image=../.."; http_uri; metadata:ruleset community, service http; reference:bugtraq,1704; reference:cve,2000-1036; reference:nessus,10521; classtype:web-application-attack; sid:1492; rev:17;)
@@ -958,12 +958,12 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SIX webboard generate.cgi attempt"; flow:to_server,established; content:"/generate.cgi"; http_uri; content:"content=../"; metadata:ruleset community, service http; reference:bugtraq,3175; reference:cve,2001-1115; reference:nessus,10725; classtype:web-application-attack; sid:1494; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SIX webboard generate.cgi access"; flow:to_server,established; content:"/generate.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3175; reference:cve,2001-1115; reference:nessus,10725; classtype:web-application-activity; sid:1495; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP spin_client.cgi access"; flow:to_server,established; content:"/spin_client.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10393; classtype:web-application-activity; sid:1496; rev:15;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"SERVER-WEBAPP SiteScope Service access"; flow:to_server,established; content:"/SiteScope/cgi/go.exe/SiteScope"; metadata:ruleset community; reference:nessus,10778; classtype:web-application-activity; sid:1499; rev:10;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"SERVER-WEBAPP SiteScope Service access"; flow:to_server,established; content:"/SiteScope/cgi/go.exe/SiteScope"; metadata:ruleset community, service http; reference:nessus,10778; classtype:web-application-activity; sid:1499; rev:11;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ExAir access"; flow:to_server,established; content:"/exair/search/"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,193; reference:cve,1999-0449; reference:nessus,10002; reference:nessus,10003; reference:nessus,10004; classtype:web-application-activity; sid:1500; rev:23;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP a1stats a1disp3.cgi directory traversal attempt"; flow:to_server,established; content:"/a1disp3.cgi?"; fast_pattern:only; http_uri; content:"/../../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-attack; sid:1501; rev:17;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP a1stats a1disp3.cgi access"; flow:to_server,established; content:"/a1disp3.cgi"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-activity; sid:1502; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP admentor admin.asp access"; flow:to_server,established; content:"/admentor/admin/admin.asp"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4152; reference:cve,2002-0308; reference:nessus,10880; reference:url,www.securiteam.com/windowsntfocus/5DP0N1F6AW.html; classtype:web-application-activity; sid:1503; rev:15;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"POLICY-OTHER AFS access"; flow:to_server; content:"|00 00 03 E7 00 00 00 00 00 00 00|e|00 00 00 00 00 00 00 00 0D 05 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:ruleset community; reference:nessus,10441; classtype:misc-activity; sid:1504; rev:12;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"POLICY-OTHER AFS access"; flow:to_server; content:"|00 00 03 E7 00 00 00 00 00 00 00|e|00 00 00 00 00 00 00 00 0D 05 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:nessus,10441; classtype:misc-activity; sid:1504; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP alchemy http server PRN arbitrary command execution attempt"; flow:to_server,established; content:"/PRN/"; fast_pattern; http_uri; content:"../../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,3599; reference:cve,2001-0871; reference:nessus,10818; classtype:web-application-activity; sid:1505; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP alchemy http server NUL arbitrary command execution attempt"; flow:to_server,established; content:"/NUL/"; fast_pattern; http_uri; content:"../../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,3599; reference:cve,2001-0871; reference:nessus,10818; classtype:web-application-activity; sid:1506; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP alibaba.pl arbitrary command execution attempt"; flow:to_server,established; content:"/alibaba.pl|7C|"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10013; classtype:web-application-attack; sid:1507; rev:18;)
@@ -977,10 +977,10 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP input2.bat access"; flow:to_server,established; content:"/input2.bat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1515; rev:17;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP envout.bat arbitrary command execution attempt"; flow:to_server,established; content:"/envout.bat|7C|"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1516; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP envout.bat access"; flow:to_server,established; content:"/envout.bat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1517; rev:17;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"SERVER-WEBAPP nstelemetry.adp access"; flow:to_server,established; content:"/nstelemetry.adp"; metadata:ruleset community; reference:nessus,10753; classtype:web-application-activity; sid:1518; rev:12;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"SERVER-WEBAPP nstelemetry.adp access"; flow:to_server,established; content:"/nstelemetry.adp"; metadata:ruleset community, service http; reference:nessus,10753; classtype:web-application-activity; sid:1518; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP apache ?M=D directory list attempt"; flow:to_server,established; content:"/?M=D"; http_uri; metadata:ruleset community, service http; reference:bugtraq,3009; reference:cve,2001-0731; reference:nessus,10704; classtype:web-application-activity; sid:1519; rev:16;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP server-info access"; flow:to_server,established; content:"/server-info"; http_uri; metadata:ruleset community, service http; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1520; rev:13;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP server-status access"; flow:to_server,established; content:"/server-status"; http_uri; metadata:ruleset community, service http; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1521; rev:13;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP server-info access"; flow:to_server,established; content:"/server-info"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1520; rev:14;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP server-status access"; flow:to_server,established; content:"/server-status"; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1521; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ans.pl attempt"; flow:to_server,established; content:"/ans.pl?"; nocase; http_uri; content:"p=../../"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4147; reference:bugtraq,4149; reference:cve,2002-0306; reference:cve,2002-0307; reference:nessus,10875; classtype:web-application-attack; sid:1522; rev:19;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ans.pl access"; flow:to_server,established; content:"/ans.pl"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4147; reference:bugtraq,4149; reference:cve,2002-0306; reference:cve,2002-0307; reference:nessus,10875; classtype:web-application-activity; sid:1523; rev:17;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Axis Storpoint CD attempt"; flow:to_server,established; content:"/cd/../config/html/cnf_gi.htm"; metadata:ruleset community, service http; reference:bugtraq,1025; reference:cve,2000-0191; reference:nessus,10023; classtype:web-application-attack; sid:1524; rev:17;)
@@ -998,24 +998,24 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calendar_admin.pl access"; flow:to_server,established; content:"/calendar_admin.pl"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1215; reference:cve,2000-0432; reference:nessus,10506; classtype:web-application-activity; sid:1537; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP AUTHINFO USER overflow attempt"; flow:to_server,established; content:"AUTHINFO"; nocase; content:"USER"; distance:0; nocase; isdataat:200,relative; pcre:"/^AUTHINFO\s+USER\s[^\n]{200}/smi"; metadata:ruleset community; reference:bugtraq,1156; reference:cve,2000-0341; reference:nessus,10388; classtype:attempted-admin; sid:1538; rev:22;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /cgi-bin/ls access"; flow:to_server,established; content:"/cgi-bin/ls"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,936; reference:cve,2000-0079; reference:nessus,10037; classtype:web-application-activity; sid:1539; rev:19;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion ?Mode=debug attempt"; flow:to_server,established; content:"Mode=debug"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0760; reference:nessus,10797; classtype:web-application-activity; sid:1540; rev:19;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion ?Mode=debug attempt"; flow:to_server,established; content:"Mode=debug"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,1999-0760; reference:nessus,10797; classtype:web-application-activity; sid:1540; rev:20;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER version query"; flow:to_server,established; content:"version"; metadata:ruleset community; classtype:attempted-recon; sid:1541; rev:9;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgimail access"; flow:to_server,established; content:"/cgimail"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1623; reference:cve,2000-0726; reference:nessus,11721; classtype:web-application-activity; sid:1542; rev:20;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgiwrap access"; flow:to_server,established; content:"/cgiwrap"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1238; reference:bugtraq,3084; reference:bugtraq,777; reference:cve,1999-1530; reference:cve,2000-0431; reference:cve,2001-0987; reference:nessus,10041; classtype:web-application-activity; sid:1543; rev:24;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Catalyst command execution attempt"; flow:to_server,established; content:"/exec/show/config/cr"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1846; reference:cve,2000-0945; reference:nessus,10545; classtype:web-application-activity; sid:1544; rev:15;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Cisco denial of service attempt"; flow:to_server,established; dsize:1; content:"|13|"; metadata:ruleset community, service http; classtype:web-application-attack; sid:1545; rev:14;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Cisco denial of service attempt"; flow:to_server,established; isdataat:0; isdataat:!1; content:"|13|"; metadata:ruleset community, service http; classtype:web-application-attack; sid:1545; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco HTTP double-percent DOS attempt"; flow:to_server,established; content:"/%%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1154; reference:cve,2000-0380; reference:nessus,10387; classtype:web-application-attack; sid:1546; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP csSearch.cgi arbitrary command execution attempt"; flow:to_server,established; content:"/csSearch.cgi"; http_uri; content:"setup="; content:"`"; content:"`"; distance:1; metadata:ruleset community, service http; reference:bugtraq,4368; reference:cve,2002-0495; reference:nessus,10924; classtype:web-application-attack; sid:1547; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP csSearch.cgi access"; flow:to_server,established; content:"/csSearch.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4368; reference:cve,2002-0495; reference:nessus,10924; classtype:web-application-activity; sid:1548; rev:17;)
 # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL HELO overflow attempt"; flow:to_server,established; content:"HELO"; nocase; isdataat:500,relative; pcre:"/^HELO\s[^\n]{500}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,7726; reference:bugtraq,895; reference:cve,2000-0042; reference:nessus,10324; reference:nessus,11674; classtype:attempted-admin; sid:1549; rev:27;)
 # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL ETRN overflow attempt"; flow:to_server,established; content:"ETRN"; nocase; isdataat:500,relative; pcre:"/^ETRN\s[^\n]{500}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,1297; reference:bugtraq,7515; reference:cve,2000-0490; reference:nessus,10438; classtype:attempted-admin; sid:1550; rev:21;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /CVS/Entries access"; flow:to_server,established; content:"/CVS/Entries"; http_uri; metadata:ruleset community, service http; reference:nessus,10922; reference:nessus,11032; classtype:web-application-activity; sid:1551; rev:13;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /CVS/Entries access"; flow:to_server,established; content:"/CVS/Entries"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:nessus,10922; reference:nessus,11032; classtype:web-application-activity; sid:1551; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cvsweb version access"; flow:to_server,established; content:"/cvsweb/version"; http_uri; metadata:ruleset community, service http; reference:cve,2000-0670; reference:nessus,10465; classtype:web-application-activity; sid:1552; rev:12;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dbman db.cgi access"; flow:to_server,established; content:"/dbman/db.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1178; reference:cve,2000-0381; reference:nessus,10403; classtype:web-application-activity; sid:1554; rev:17;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DCShop access"; flow:to_server,established; content:"/dcshop"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1555; rev:19;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DCShop orders.txt access"; flow:to_server,established; content:"/orders/orders.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1556; rev:19;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DCShop auth_user_file.txt access"; flow:to_server,established; content:"/auth_data/auth_user_file.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1557; rev:19;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Delegate whois overflow attempt"; flow:to_server,established; content:"whois|3A|//"; nocase; metadata:ruleset community; reference:cve,2000-0165; reference:nessus,10054; classtype:web-application-activity; sid:1558; rev:11;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Delegate whois overflow attempt"; flow:to_server,established; content:"whois|3A|//"; nocase; metadata:ruleset community, service http; reference:cve,2000-0165; reference:nessus,10054; classtype:web-application-activity; sid:1558; rev:12;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /doc/packages access"; flow:to_server,established; content:"/doc/packages"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1707; reference:cve,2000-1016; reference:nessus,10518; reference:nessus,11032; classtype:web-application-activity; sid:1559; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /doc/ access"; flow:to_server,established; content:"/doc/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,318; reference:cve,1999-0678; classtype:web-application-activity; sid:1560; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE CHOWN overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHOWN"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CHOWN\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,2120; reference:cve,2001-0065; reference:nessus,10579; classtype:attempted-admin; sid:1562; rev:18;)
@@ -1059,7 +1059,7 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htsearch arbitrary file read attempt"; flow:to_server,established; content:"/htsearch?exclude=`"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1026; reference:cve,2000-0208; reference:nessus,10105; classtype:web-application-attack; sid:1601; rev:21;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htsearch access"; flow:to_server,established; content:"/htsearch"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1026; reference:cve,2000-0208; reference:nessus,10105; classtype:web-application-activity; sid:1602; rev:21;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DELETE attempt"; flow:to_server,established; content:"DELETE "; depth:7; nocase; metadata:ruleset community, service http; reference:nessus,10498; classtype:web-application-activity; sid:1603; rev:13;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 4080 (msg:"SERVER-WEBAPP iChat directory traversal attempt"; flow:to_server,established; content:"/../../"; metadata:ruleset community; reference:cve,1999-0897; classtype:web-application-activity; sid:1604; rev:11;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 4080 (msg:"SERVER-WEBAPP iChat directory traversal attempt"; flow:to_server,established; content:"/../../"; metadata:ruleset community, service http; reference:cve,1999-0897; classtype:web-application-activity; sid:1604; rev:12;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 6004 (msg:"SERVER-OTHER iParty DOS attempt"; flow:to_server,established; content:"|FF FF FF FF FF FF|"; metadata:ruleset community; reference:bugtraq,6844; reference:cve,1999-1566; reference:nessus,10111; classtype:misc-attack; sid:1605; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP icat access"; flow:to_server,established; content:"/icat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1069; classtype:web-application-activity; sid:1606; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP HyperSeek hsx.cgi access"; flow:to_server,established; content:"/hsx.cgi"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2314; reference:cve,2001-0253; reference:nessus,10602; classtype:web-application-activity; sid:1607; rev:14;)
@@ -1070,7 +1070,7 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP handler attempt"; flow:to_server,established; content:"/handler"; http_uri; content:"|7C|"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,380; reference:cve,1999-0148; reference:nessus,10100; classtype:web-application-attack; sid:1613; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Novell Groupwise gwweb.exe attempt"; flow:to_server,established; content:"/GWWEB.EXE?"; nocase; http_uri; content:"HELP="; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,879; reference:cve,1999-1005; reference:cve,1999-1006; reference:nessus,10877; classtype:attempted-recon; sid:1614; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htgrep attempt"; flow:to_server,established; content:"/htgrep"; http_uri; content:"hdr=/"; metadata:ruleset community, service http; reference:cve,2000-0832; reference:nessus,10495; classtype:web-application-attack; sid:1615; rev:13;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named version attempt"; flow:to_server; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:ruleset community, service dns; reference:nessus,10028; classtype:attempted-recon; sid:1616; rev:16;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named version attempt"; flow:to_server; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:policy max-detect-ips drop, ruleset community, service dns; reference:nessus,10028; classtype:attempted-recon; sid:1616; rev:17;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Bugzilla doeditvotes.cgi access"; flow:to_server,established; content:"/doeditvotes.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3800; reference:cve,2002-0011; classtype:web-application-activity; sid:1617; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .asp chunked Transfer-Encoding"; flow:to_server,established; content:".asp"; nocase; http_uri; content:"Transfer-Encoding|3A|"; nocase; http_header; content:"chunked"; nocase; http_header; metadata:ruleset community, service http; reference:bugtraq,4474; reference:bugtraq,4485; reference:cve,2002-0071; reference:cve,2002-0079; reference:nessus,10932; classtype:web-application-attack; sid:1618; rev:26;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CMD overflow attempt"; flow:to_server,established; content:"CMD"; nocase; isdataat:200,relative; pcre:"/^CMD(?!\n)\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; classtype:attempted-admin; sid:1621; rev:20;)
@@ -1084,17 +1084,17 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP APOP overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s[^\n]{256}/smi"; metadata:ruleset community, service pop3; reference:bugtraq,1652; reference:cve,2000-0840; reference:cve,2000-0841; reference:nessus,10559; classtype:attempted-admin; sid:1635; rev:19;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 32000 (msg:"SERVER-OTHER Xtramail Username overflow attempt"; flow:to_server,established; content:"Username|3A|"; nocase; isdataat:100,relative; pcre:"/^Username\:[^\n]{100}/smi"; metadata:ruleset community; reference:bugtraq,791; reference:cve,1999-1511; reference:nessus,10323; classtype:attempted-admin; sid:1636; rev:14;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP yabb access"; flow:to_server,established; content:"/YaBB"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1668; reference:cve,2000-0853; reference:nessus,10512; classtype:attempted-recon; sid:1637; rev:21;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"INDICATOR-SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; fast_pattern:only; metadata:ruleset community; classtype:network-scan; sid:1638; rev:9;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"INDICATOR-SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; fast_pattern:only; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:network-scan; sid:1638; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC DCC file transfer request"; flow:to_server,established; content:"PRIVMSG "; nocase; content:" |3A|.DCC SEND"; 
distance:0; fast_pattern; nocase; metadata:ruleset community; classtype:policy-violation; sid:1639; rev:13;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC DCC chat request"; flow:to_server,established; content:"PRIVMSG "; nocase; content:" |3A|.DCC CHAT chat"; distance:0; fast_pattern; nocase; metadata:ruleset community; classtype:policy-violation; sid:1640; rev:13;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 6789:6790 (msg:"SERVER-OTHER DB2 dos attempt"; flow:to_server,established; dsize:1; metadata:ruleset community; reference:bugtraq,3010; reference:cve,2001-1143; reference:nessus,10871; classtype:denial-of-service; sid:1641; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 6789:6790 (msg:"SERVER-OTHER DB2 dos attempt"; flow:to_server,established; isdataat:0; isdataat:!1; metadata:ruleset community; reference:bugtraq,3010; reference:cve,2001-1143; reference:nessus,10871; classtype:denial-of-service; sid:1641; rev:16;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP document.d2w access"; flow:to_server,established; content:"/document.d2w"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2017; reference:cve,2000-1110; classtype:web-application-activity; sid:1642; rev:15;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP db2www access"; flow:to_server,established; content:"/db2www"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2000-0677; classtype:web-application-activity; sid:1643; rev:14;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP test-cgi attempt"; flow:to_server,established; content:"/test-cgi/*?*"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2003; reference:cve,1999-0070; reference:nessus,10282; classtype:web-application-attack; sid:1644; rev:25;) # alert tcp $EXTERNAL_NET any 
-> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP testcgi access"; flow:to_server,established; content:"/testcgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,7214; reference:cve,2003-1531; reference:nessus,11610; classtype:web-application-activity; sid:1645; rev:19;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP test.cgi access"; flow:to_server,established; content:"/test.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1646; rev:17;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP perl.exe command attempt"; flow:to_server,established; content:"/perl.exe?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1648; rev:20;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP perl command attempt"; flow:to_server,established; content:"/perl?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1649; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP perl.exe command attempt"; flow:to_server,established; content:"/perl.exe?"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1648; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP perl command attempt"; flow:to_server,established; content:"/perl?"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; 
reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1649; rev:21;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP tst.bat access"; flow:to_server,established; content:"/tst.bat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10014; classtype:web-application-activity; sid:1650; rev:15;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP environ.pl access"; flow:to_server,established; content:"/environ.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1651; rev:17;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP campas attempt"; flow:to_server,established; content:"/campas?|0A|"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1975; reference:cve,1999-0146; reference:nessus,10035; classtype:web-application-attack; sid:1652; rev:22;) 
@@ -1103,8 +1103,8 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pfdispaly.cgi access"; flow:to_server,established; content:"/pfdispaly.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,64; reference:cve,1999-0270; reference:nessus,10174; classtype:web-application-activity; sid:1656; rev:19;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pagelog.cgi directory traversal attempt"; flow:to_server,established; content:"/pagelog.cgi"; nocase; http_uri; content:"name=../"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,1864; reference:cve,2000-0940; reference:nessus,10591; classtype:web-application-activity; sid:1657; rev:14;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pagelog.cgi access"; flow:to_server,established; content:"/pagelog.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1864; reference:cve,2000-0940; reference:nessus,10591; classtype:web-application-activity; sid:1658; rev:19;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion sendmail.cfm access"; flow:to_server,established; content:"/sendmail.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0760; reference:cve,2001-0535; classtype:attempted-recon; sid:1659; rev:16;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS trace.axd access"; flow:to_server,established; content:"/trace.axd"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10993; classtype:web-application-activity; sid:1660; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion sendmail.cfm access"; flow:to_server,established; content:"/sendmail.cfm"; 
fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,1999-0760; reference:cve,2001-0535; classtype:attempted-recon; sid:1659; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS trace.axd access"; flow:to_server,established; content:"/trace.axd"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:nessus,10993; classtype:web-application-activity; sid:1660; rev:19;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS cmd32.exe access"; flow:to_server,established; content:"cmd32.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:1661; rev:15;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /~ftp access"; flow:to_server,established; content:"/~ftp"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1662; rev:13;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP *%20.pl access"; flow:to_server,established; content:" .pl"; fast_pattern:only; http_uri; pcre:"/\/[^\r\n]*\x20.pl/Ui"; metadata:ruleset community, service http; reference:nessus,11007; reference:url,rtfm.vn.ua/inet/sec/cgi-bugs.htm; reference:url,www.securityfocus.com/archive/1/149482; classtype:web-application-attack; sid:1663; rev:17;) 
@@ -1166,13 +1166,13 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP MachineInfo access"; flow:to_server,established; content:"/MachineInfo"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1067; classtype:web-application-activity; sid:1722; rev:18;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP emumail.cgi NULL attempt"; flow:to_server,established; content:"/emumail.cgi"; http_uri; content:"type="; nocase; content:"%00"; metadata:ruleset community, service http; reference:bugtraq,5824; reference:cve,2002-1526; classtype:web-application-activity; sid:1723; rev:14;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP emumail.cgi access"; flow:to_server,established; content:"/emumail.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,5824; reference:cve,2002-1526; classtype:web-application-activity; sid:1724; rev:18;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS +.htr code fragment attempt"; flow:to_server,established; content:" .htr"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1488; reference:cve,2000-0630; reference:cve,2001-0004; reference:nessus,10680; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-044; reference:url,technet.microsoft.com/en-us/security/bulletin/ms01-004 ; classtype:web-application-attack; sid:1725; rev:24;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS +.htr code fragment attempt"; flow:to_server,established; content:" .htr"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1488; reference:cve,2000-0630; reference:cve,2001-0004; reference:nessus,10680; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-044; reference:url,technet.microsoft.com/en-us/security/bulletin/ms01-004 ; classtype:web-application-attack; sid:1725; rev:25;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS doctodep.btr access"; flow:to_server,established; content:"doctodep.btr"; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1726; rev:12;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SGI InfoSearch fname access"; flow:to_server,established; content:"/infosrch.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1031; reference:cve,2000-0207; classtype:web-application-activity; sid:1727; rev:20;) -# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC channel join"; flow:to_server,established; dsize:<140; content:"JOIN "; pcre:"/(&|#|\+|!)/R"; metadata:ruleset community; classtype:policy-violation; sid:1729; rev:15;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC channel join"; flow:to_server,established; isdataat:!139; content:"JOIN "; pcre:"/(&|#|\+|!)/R"; metadata:ruleset community; classtype:policy-violation; sid:1729; rev:16;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ustorekeeper.pl directory traversal attempt"; flow:to_server,established; content:"/ustorekeeper.pl"; nocase; http_uri; content:"file=../../"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,2536; reference:cve,2001-0466; reference:nessus,10645; classtype:web-application-attack; sid:1730; rev:16;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP a1stats access"; flow:to_server,established; content:"/a1stats/"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-activity; 
sid:1731; rev:14;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rwalld request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,205; reference:cve,1999-0181; classtype:rpc-portmap-decode; sid:1732; rev:17;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rwalld request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,205; reference:cve,1999-0181; classtype:rpc-portmap-decode; sid:1732; rev:18;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rwalld request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,205; reference:cve,1999-0181; classtype:rpc-portmap-decode; sid:1733; rev:16;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; isdataat:100,relative; pcre:"/^USER(?!\n)\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,10078; reference:bugtraq,10720; reference:bugtraq,1227; reference:bugtraq,1504; reference:bugtraq,15352; reference:bugtraq,1690; reference:bugtraq,22044; reference:bugtraq,22045; 
reference:bugtraq,4638; reference:bugtraq,49750; reference:bugtraq,7307; reference:bugtraq,8376; reference:cve,1999-1510; reference:cve,1999-1514; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-0479; reference:cve,2000-0656; reference:cve,2000-0761; reference:cve,2000-0943; reference:cve,2000-1194; reference:cve,2001-0256; reference:cve,2001-0794; reference:cve,2001-0826; reference:cve,2002-0126; reference:cve,2002-1522; reference:cve,2003-0271; reference:cve,2004-0286; reference:cve,2004-0695; reference:cve,2005-3683; classtype:attempted-admin; sid:1734; rev:50;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Mozilla Netscape XMLHttpRequest local file read attempt"; flow:to_client,established; file_data; content:"new XMLHttpRequest|28|"; content:"file|3A|//"; nocase; metadata:ruleset community, service http; reference:bugtraq,4628; reference:cve,2002-0354; classtype:web-application-attack; sid:1735; rev:13;) 
@@ -1186,7 +1186,7 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Blahz-DNS dostuff.php access"; flow:to_server,established; content:"/dostuff.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4618; reference:cve,2002-0599; classtype:web-application-activity; sid:1743; rev:17;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SecureSite authentication bypass attempt"; flow:to_server,established; content:"secure_site, ok"; nocase; metadata:ruleset community, service http; reference:bugtraq,4621; classtype:web-application-attack; sid:1744; rev:9;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Messagerie supp_membre.php access"; flow:to_server,established; content:"/supp_membre.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4635; classtype:web-application-activity; sid:1745; rev:15;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap cachefsd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; reference:nessus,10951; classtype:rpc-portmap-decode; sid:1746; rev:19;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap cachefsd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset 
community, service sunrpc; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; reference:nessus,10951; classtype:rpc-portmap-decode; sid:1746; rev:20;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap cachefsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; reference:nessus,10951; classtype:rpc-portmap-decode; sid:1747; rev:18;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS users.xml access"; flow:to_server,established; content:"/users.xml"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1750; rev:15;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 32772:34000 (msg:"SERVER-OTHER cachefsd buffer overflow attempt"; flow:to_server,established; isdataat:720; content:"|00 01 87 86 00 00 00 01 00 00 00 05|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,4631; reference:cve,2002-0084; reference:nessus,10951; classtype:misc-attack; sid:1751; rev:12;) 
@@ -1196,7 +1196,7 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS NewsPro administration authentication attempt"; flow:to_server,established; content:"logged,true"; metadata:ruleset community, service http; reference:bugtraq,4672; reference:cve,2002-1734; classtype:web-application-activity; sid:1756; rev:12;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP b2 arbitrary command execution attempt"; flow:to_server,established; content:"/b2/b2-include/"; http_uri; content:"b2inc"; content:"http|3A|//"; metadata:ruleset community, service http; reference:bugtraq,4673; reference:cve,2002-0734; reference:cve,2002-1466; reference:nessus,11667; classtype:web-application-attack; sid:1757; rev:14;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 445 (msg:"SQL xp_cmdshell program execution 445"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,5309; classtype:attempted-user; sid:1759; rev:10;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phf arbitrary command execution attempt"; flow:to_server,established; content:"/phf"; fast_pattern; nocase; http_uri; content:"QALIAS"; nocase; content:"%0a"; nocase; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-attack; sid:1762; rev:25;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phf arbitrary command execution attempt"; flow:to_server,established; content:"/phf?"; nocase; http_uri; content:"QALIAS"; fast_pattern:only; http_uri; content:"%0a"; nocase; http_raw_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-attack; sid:1762; 
rev:26;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Nortel Contivity cgiproc DOS attempt"; flow:to_server,established; content:"/cgiproc?Nocfile="; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-attack; sid:1763; rev:16;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Nortel Contivity cgiproc DOS attempt"; flow:to_server,established; content:"/cgiproc?|24|"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-attack; sid:1764; rev:16;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Nortel Contivity cgiproc access"; flow:to_server,established; content:"/cgiproc"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-activity; sid:1765; rev:16;) 
@@ -1204,7 +1204,7 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP search.dll access"; flow:to_server,established; content:"/search.dll"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1684; reference:cve,2000-0835; reference:nessus,10514; classtype:web-application-activity; sid:1767; rev:13;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .DS_Store access"; flow:to_server,established; content:"/.DS_Store"; http_uri; metadata:ruleset community, service http; reference:url,www.macintouch.com/mosxreaderreports46.html; classtype:web-application-activity; sid:1769; rev:10;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .FBCIndex access"; flow:to_server,established; content:"/.FBCIndex"; http_uri; metadata:ruleset community, service http; reference:url,www.securiteam.com/securitynews/5LP0O005FS.html; classtype:web-application-activity; sid:1770; rev:10;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"POLICY-OTHER IPSec PGPNet connection attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00 01 00 00 00 01 00 00 00|P|01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 10|"; fast_pattern:only; metadata:ruleset community; classtype:protocol-command-decode; sid:1771; rev:11;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"POLICY-OTHER IPSec PGPNet connection attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00 01 00 00 00 01 00 00 00|P|01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80 
0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 10|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:protocol-command-decode; sid:1771; rev:12;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS pbserver access"; flow:to_server,established; content:"/pbserver/pbserver.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2000-1089; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-094; classtype:web-application-activity; sid:1772; rev:18;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP php.exe access"; flow:to_server,established; content:"/php.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.securitytracker.com/alerts/2002/Jan/1003104.html; classtype:web-application-activity; sid:1773; rev:15;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb_smilies.php access"; flow:to_server,established; content:"/bb_smilies.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.securiteam.com/securitynews/Serious_security_hole_in_PHP-Nuke__bb_smilies_.html; classtype:web-application-activity; sid:1774; rev:15;) 
@@ -1222,7 +1222,7 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .cdx HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; content:".cdx"; fast_pattern; nocase; http_uri; content:"|3A|"; content:"|0A|"; content:"|00|"; metadata:ruleset community, service http; reference:bugtraq,4476; reference:cve,2002-0150; reference:nessus,10936; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-018; classtype:web-application-attack; sid:1804; rev:21;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Reports CGI access"; flow:to_server,established; content:"/rwcgi60"; fast_pattern:only; http_uri; content:"setauth="; metadata:ruleset community, service http; reference:bugtraq,4848; reference:cve,2002-0947; classtype:web-application-activity; sid:1805; rev:12;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .htr chunked Transfer-Encoding"; flow:to_server,established; content:".htr"; nocase; http_uri; content:"Transfer-Encoding|3A|"; nocase; http_header; content:"chunked"; nocase; http_header; metadata:ruleset community, service http; reference:bugtraq,4855; reference:bugtraq,5003; reference:cve,2002-0364; reference:nessus,11028; classtype:web-application-attack; sid:1806; rev:20;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"POLICY-OTHER Chunked-Encoding transfer attempt"; flow:to_server,established; content:"Transfer-Encoding: chunked|0D 0A 0D 0A 0D 0A|"; nocase; isdataat:!0,relative,rawbytes; metadata:ruleset community, service http; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; reference:nessus,10932; classtype:policy-violation; sid:1807; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"POLICY-OTHER 
Chunked-Encoding transfer with no data attempt"; flow:to_server,established; content:"Transfer-Encoding: chunked|0D 0A 0D 0A 0D 0A|"; nocase; isdataat:!0,relative; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0386; reference:cve,2002-0392; reference:nessus,10932; classtype:policy-violation; sid:1807; rev:24;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP apache chunked encoding memory corruption exploit attempt"; flow:to_server,established; content:"|C0|PR|89 E1|PQRP|B8 3B 00 00 00 CD 80|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:bugtraq,5033; reference:cve,2002-0392; classtype:web-application-activity; sid:1808; rev:16;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Chunked-Encoding worm attempt"; flow:to_server,established; content:"X-CCCCCCC|3A 20|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; reference:nessus,10932; classtype:web-application-attack; sid:1809; rev:19;) # alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"SERVER-OTHER successful gobbles ssh exploit GOBBLE"; flow:to_client,established; content:"*GOBBLE*"; metadata:ruleset community; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0640; classtype:successful-admin; sid:1810; rev:19;) 
@@ -1232,7 +1232,7 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CISCO VoIP DOS ATTEMPT"; flow:to_server,established; content:"/StreamingStatistics"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4794; reference:cve,2002-0882; reference:nessus,11013; classtype:misc-attack; sid:1814; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP directory.php arbitrary command attempt"; flow:to_server,established; content:"/directory.php"; http_uri; content:"dir="; content:"|3B|"; metadata:ruleset community, service http; reference:bugtraq,4278; reference:cve,2002-0434; reference:nessus,11017; classtype:misc-attack; sid:1815; rev:12;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP directory.php access"; flow:to_server,established; content:"/directory.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4278; reference:cve,2002-0434; classtype:misc-attack; sid:1816; rev:11;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS MS Site Server default login attempt"; flow:to_server,established; content:"/SiteServer/Admin/knowledge/persmbr/"; nocase; http_uri; pcre:"/^Authorization\x3A\s*Basic\s+TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE=/smi"; metadata:ruleset community, service http; reference:nessus,11018; classtype:web-application-attack; sid:1817; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS MS Site Server default login attempt"; flow:to_server,established; content:"/SiteServer/Admin/knowledge/persmbr/"; nocase; http_uri; pcre:"/^Authorization\x3A\s*Basic\s+TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE=/smi"; metadata:ruleset community, service http; reference:nessus,11018; reference:url,attack.mitre.org/techniques/T1078; classtype:web-application-attack; sid:1817; rev:19;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS MS Site Server admin attempt"; flow:to_server,established; content:"/Site Server/Admin/knowledge/persmbr/"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11018; classtype:web-application-attack; sid:1818; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 2533 (msg:"SERVER-OTHER Alcatel PABX 4400 connection attempt"; flow:to_server,established; content:"|00 01|C"; depth:3; metadata:ruleset community; reference:nessus,11019; classtype:misc-activity; sid:1819; rev:9;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP IBM Net.Commerce orderdspc.d2w access"; flow:to_server,established; content:"/ncommerce3/ExecMacro/orderdspc.d2w"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2350; reference:cve,2001-0319; reference:nessus,11020; classtype:web-application-activity; sid:1820; rev:15;)
@@ -1241,9 +1241,9 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AlienForm af.cgi directory traversal attempt"; flow:to_server,established; content:"/af.cgi"; http_uri; content:".|7C|./.|7C|."; metadata:ruleset community, service http; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-attack; sid:1823; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AlienForm alienform.cgi access"; flow:to_server,established; content:"/alienform.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-activity; sid:1824; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AlienForm af.cgi access"; flow:to_server,established; content:"/af.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-activity; sid:1825; rev:15;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WEB-INF access"; flow:to_server,established; content:"/WEB-INF"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1830; reference:bugtraq,5119; reference:cve,2000-1050; reference:cve,2001-0179; reference:nessus,11037; classtype:web-application-activity; sid:1826; rev:16;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WEB-INF access"; flow:to_server,established; content:"/WEB-INF"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1830; reference:bugtraq,5119; reference:cve,2000-1050; reference:cve,2001-0179; reference:nessus,11037; classtype:web-application-activity; sid:1826; rev:17;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat servlet mapping cross site scripting attempt"; flow:to_server,established; content:"/servlet/"; http_uri; content:"/org.apache."; http_uri; metadata:ruleset community, service http; reference:bugtraq,5193; reference:cve,2002-0682; reference:nessus,11041; classtype:web-application-attack; sid:1827; rev:16;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP iPlanet Search directory traversal attempt"; flow:to_server,established; content:"/search"; nocase; http_uri; content:"NS-query-pat="; fast_pattern:only; http_uri; content:"../"; http_uri; metadata:ruleset community, service http; reference:bugtraq,5191; reference:cve,2002-1042; reference:nessus,11043; classtype:web-application-attack; sid:1828; rev:15;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP iPlanet Search directory traversal attempt"; flow:to_server,established; content:"/search"; nocase; http_uri; content:"NS-query-pat="; fast_pattern:only; http_uri; content:"../"; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,5191; reference:cve,2002-1042; reference:nessus,11043; classtype:web-application-attack; sid:1828; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat TroubleShooter servlet access"; flow:to_server,established; content:"/examples/servlet/TroubleShooter"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4575; reference:cve,2002-2006; reference:nessus,11046; classtype:web-application-activity; sid:1829; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat SnoopServlet servlet access"; flow:to_server,established; content:"/examples/servlet/SnoopServlet"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4575; reference:cve,2002-2006; reference:nessus,11046; classtype:web-application-activity; sid:1830; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP jigsaw dos attempt"; flow:to_server,established; content:"/servlet/con"; http_uri; pcre:"/\x2Fcon\b/Ui"; metadata:ruleset community, service http; reference:bugtraq,5258; reference:cve,2002-1052; reference:nessus,11047; classtype:web-application-attack; sid:1831; rev:12;)
@@ -1253,7 +1253,7 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo
 # alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"SERVER-OTHER SSH server banner overflow"; flow:to_client,established; content:"SSH-"; nocase; isdataat:200,relative; pcre:"/^SSH-\s?[^\n]{200}/ism"; metadata:ruleset community; reference:bugtraq,5287; reference:cve,2002-1059; reference:nessus,15822; classtype:misc-attack; sid:1838; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mailman cross site scripting attempt"; flow:to_server,established; content:"/mailman/"; nocase; http_uri; content:"?"; http_uri; content:"info="; http_uri; content:" $HOME_NET any (msg:"FILE-JAVA Oracle Javascript document.domain attempt"; flow:to_client,established; file_data; content:"document.domain|28|"; nocase; metadata:ruleset community, service http; reference:bugtraq,5346; reference:cve,2002-0815; classtype:attempted-user; sid:1840; rev:15;)
-# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla 1.0 Javascript arbitrary cookie access attempt"; flow:to_client,established; file_data; content:"javascript|3A|//"; fast_pattern:only; content:"document.cookie"; nocase; metadata:ruleset community, service http; reference:bugtraq,5293; reference:cve,2002-2314; reference:url,osvdb.org/show/osvdb/60255; classtype:attempted-user; sid:1841; rev:17;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla 1.0 Javascript arbitrary cookie access attempt"; flow:to_client,established; file_data; content:"javascript|3A|//"; fast_pattern:only; content:"document.cookie"; nocase; metadata:ruleset community, service http; reference:bugtraq,5293; reference:cve,2002-2314; classtype:attempted-user; sid:1841; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; nocase; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/i"; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,13727; reference:bugtraq,21110; reference:bugtraq,502; reference:cve,1999-0005; reference:cve,1999-1557; reference:cve,2004-1011; reference:cve,2005-1255; reference:cve,2006-5961; reference:cve,2007-1373; reference:cve,2007-2795; reference:cve,2007-3925; reference:nessus,10123; reference:nessus,10125; classtype:attempted-user; sid:1842; rev:34;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 33270 (msg:"MALWARE-BACKDOOR trinity connection attempt"; flow:to_server,established; content:"!@|23|"; depth:3; metadata:ruleset community; reference:cve,2000-0138; reference:nessus,10501; classtype:attempted-admin; sid:1843; rev:11;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP authenticate overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; isdataat:100,relative; pcre:"/\sAUTHENTICATE\s[^\n]{100}/smi"; metadata:ruleset community, service imap; reference:bugtraq,12995; reference:bugtraq,130; reference:cve,1999-0005; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:1844; rev:18;)
@@ -1271,9 +1271,9 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo
 # alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht handler->agent ficken"; icmp_id:6667; itype:0; content:"ficken"; metadata:ruleset community; reference:cve,2000-0138; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1856; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP robot.txt access"; flow:to_server,established; content:"/robot.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10302; classtype:web-application-activity; sid:1857; rev:11;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CISCO PIX Firewall Manager directory traversal attempt"; flow:to_server,established; content:"/pixfir~1/how_to_login.html"; http_uri; metadata:ruleset community, service http; reference:bugtraq,691; reference:cve,1999-0158; reference:nessus,10819; classtype:misc-attack; sid:1858; rev:12;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-WEBAPP Oracle JavaServer default password login attempt"; flow:to_server,established; content:"/servlet/admin"; content:"ae9f86d6beaa3f9ecb9a5b7e072a4138"; metadata:ruleset community; reference:nessus,10995; classtype:default-login-attempt; sid:1859; rev:12;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Linksys router default password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s+OmFkbWlu/smiH"; metadata:ruleset community, service http; reference:nessus,10999; classtype:default-login-attempt; sid:1860; rev:14;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Linksys router default username and password login attempt"; flow:to_server,established; content:"YWRtaW46YWRtaW4"; pcre:"/^Authorization\x3a\s*Basic\s+(?-i)YWRtaW46YWRtaW4[=\s]/smi"; metadata:ruleset community; reference:nessus,10999; classtype:default-login-attempt; sid:1861; rev:16;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-WEBAPP Oracle JavaServer default password login attempt"; flow:to_server,established; content:"/servlet/admin"; content:"ae9f86d6beaa3f9ecb9a5b7e072a4138"; metadata:ruleset community, service http; reference:nessus,10995; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:1859; rev:14;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Linksys router default password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s+OmFkbWlu/smiH"; metadata:ruleset community, service http; reference:nessus,10999; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:1860; rev:15;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Linksys router default username and password login attempt"; flow:to_server,established; content:"YWRtaW46YWRtaW4"; pcre:"/^Authorization\x3a\s*Basic\s+(?-i)YWRtaW46YWRtaW4[=\s]/smi"; metadata:ruleset community, service http; reference:nessus,10999; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:1861; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mrtg.cgi directory traversal attempt"; flow:to_server,established; content:"/mrtg.cgi"; http_uri; content:"cfg=/../"; metadata:ruleset community, service http; reference:bugtraq,4017; reference:cve,2002-0232; reference:nessus,11001; classtype:web-application-attack; sid:1862; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE NEWER attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:1; nocase; pcre:"/^SITE\s+NEWER/smi"; metadata:ruleset community, service ftp; reference:cve,1999-0880; reference:nessus,10319; classtype:attempted-dos; sid:1864; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webdist.cgi arbitrary command attempt"; flow:to_server,established; content:"/webdist.cgi"; nocase; http_uri; content:"distloc=|3B|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,374; reference:cve,1999-0039; reference:nessus,10299; classtype:web-application-attack; sid:1865; rev:12;)
@@ -1282,25 +1282,25 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Interactive Story story.pl arbitrary file read attempt"; flow:to_server,established; content:"/story.pl"; http_uri; content:"next=../"; metadata:ruleset community, service http; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:1868; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Interactive Story story.pl access"; flow:to_server,established; content:"/story.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:1869; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP siteUserMod.cgi access"; flow:to_server,established; content:"/.cobalt/siteUserMod/siteUserMod.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,951; reference:cve,2000-0117; reference:nessus,10253; classtype:web-application-activity; sid:1870; rev:13;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle XSQLConfig.xml access"; flow:to_server,established; content:"/XSQLConfig.xml"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4290; reference:cve,2002-0568; reference:nessus,10855; classtype:web-application-activity; sid:1871; rev:11;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Dynamic Monitoring Services dms access"; flow:to_server,established; content:"/dms0"; http_uri; metadata:ruleset community, service http; reference:nessus,10848; classtype:web-application-activity; sid:1872; rev:10;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP globals.jsa access"; flow:to_server,established; content:"/globals.jsa"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4034; reference:cve,2002-0562; reference:nessus,10850; classtype:web-application-activity; sid:1873; rev:11;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Java Process Manager access"; flow:to_server,established; content:"/oprocmgr-status"; http_uri; metadata:ruleset community, service http; reference:nessus,10851; classtype:web-application-activity; sid:1874; rev:8;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle XSQLConfig.xml access"; flow:to_server,established; content:"/XSQLConfig.xml"; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,4290; reference:cve,2002-0568; reference:nessus,10855; classtype:web-application-activity; sid:1871; rev:12;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Dynamic Monitoring Services dms access"; flow:to_server,established; content:"/dms0"; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:nessus,10848; classtype:web-application-activity; sid:1872; rev:11;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP globals.jsa access"; flow:to_server,established; content:"/globals.jsa"; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,4034; reference:cve,2002-0562; reference:nessus,10850; classtype:web-application-activity; sid:1873; rev:12;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Java Process Manager access"; flow:to_server,established; content:"/oprocmgr-status"; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:nessus,10851; classtype:web-application-activity; sid:1874; rev:9;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgicso access"; flow:to_server,established; content:"/cgicso"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6141; reference:cve,2002-1652; reference:nessus,10779; reference:nessus,10780; classtype:web-application-activity; sid:1875; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nph-publish.cgi access"; flow:to_server,established; content:"/nph-publish.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1177; reference:nessus,10164; classtype:web-application-activity; sid:1876; rev:12;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP printenv access"; flow:to_server,established; content:"/printenv"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1658; reference:cve,2000-0868; reference:nessus,10188; reference:nessus,10503; classtype:web-application-activity; sid:1877; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sdbsearch.cgi access"; flow:to_server,established; content:"/sdbsearch.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1658; reference:cve,2000-0868; reference:nessus,10503; classtype:web-application-activity; sid:1878; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP book.cgi arbitrary command execution attempt"; flow:to_server,established; content:"/book.cgi"; fast_pattern:only; http_uri; content:"current=|7C|"; nocase; metadata:ruleset community, service http; reference:bugtraq,3178; reference:cve,2001-1114; reference:nessus,10721; classtype:web-application-attack; sid:1879; rev:16;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP oracle web application server access"; flow:to_server,established; content:"/ows-bin/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-activity; sid:1880; rev:12;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP oracle web application server access"; flow:to_server,established; content:"/ows-bin/"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-activity; sid:1880; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack"; flow:to_server,established; content:"GET / HTTP/1.1|0D 0A 0D 0A|"; depth:18; metadata:ruleset community, service http; reference:url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html; classtype:web-application-activity; sid:1881; rev:13;)
 # alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE id check returned userid"; content:"uid="; nocase; content:" gid="; distance:0; pcre:"/uid=\d{1,5}\S+\s+gid=\d{1,5}/smi"; metadata:policy max-detect-ips drop, ruleset community; classtype:bad-unknown; sid:1882; rev:20;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL Worm traffic"; flow:to_server,established; content:"TERM=xterm"; fast_pattern:only; metadata:ruleset community, service ssl; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:web-application-attack; sid:1887; rev:9;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE CPWD overflow attempt"; flow:established,to_server; content:"SITE"; nocase; content:"CPWD"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CPWD\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,5427; reference:cve,2002-0826; classtype:misc-attack; sid:1888; rev:14;)
 # alert udp $EXTERNAL_NET 2002 -> $HOME_NET 2002 (msg:"MALWARE-CNC slapper worm admin traffic"; content:"|00 00|E|00 00|E|00 00|@|00|"; depth:10; metadata:ruleset community; reference:url,isc.incidents.org/analysis.html?id=167; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:trojan-activity; sid:1889; rev:10;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC status GHBN format string attack"; flow:to_server; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:misc-attack; sid:1890; rev:17;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC status GHBN format string attack"; flow:to_server; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:misc-attack; sid:1890; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC status GHBN format string attack"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:misc-attack; sid:1891; rev:17;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP null community string attempt"; content:"|04 01 00|"; depth:15; offset:5; metadata:ruleset community, service snmp; reference:bugtraq,2112; reference:bugtraq,8974; reference:cve,1999-0517; classtype:misc-attack; sid:1892; rev:13;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP missing community string attempt"; content:"0"; depth:1; content:"|02|"; within:6; content:"|04 00|"; within:8; pcre:"/^\x30(\x84....|\x82..|[^\x80-\xFF])\x02(\x84\x00\x00\x00\x01.|\x82\x00\x01.|\x01.)\x04\x00/"; metadata:ruleset community, service snmp; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:1893; rev:12;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP null community string attempt"; content:"|04 01 00|"; depth:15; offset:5; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,2112; reference:bugtraq,8974; reference:cve,1999-0517; classtype:misc-attack; sid:1892; rev:14;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP missing community string attempt"; content:"0"; depth:1; content:"|02|"; within:6; content:"|04 00|"; within:8; pcre:"/^\x30(\x84....|\x82..|[^\x80-\xFF])\x02(\x84\x00\x00\x00\x01.|\x82\x00\x01.|\x01.)\x04\x00/"; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:1893; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:nessus,15015; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1894; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1895; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"|FF FF|KADM0.0A|00 00 FB 03|"; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1896; rev:12;)
@@ -1312,28 +1312,28 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP lsub literal overflow attempt"; flow:to_server,established; content:"LSUB"; fast_pattern:only; pcre:"/\sLSUB\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1902; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP rename overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; isdataat:100,relative; pcre:"/\sRENAME\s[^\n]{100}/smi"; metadata:ruleset community, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1903; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP find overflow attempt"; flow:established,to_server; content:"FIND"; nocase; isdataat:100,relative; pcre:"/^\sFIND\s[^\n]{100}/smi"; metadata:ruleset community, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1904; rev:16;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD UDP amqproc_mount plog overflow attempt"; flow:to_server; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:1905; rev:14;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD UDP amqproc_mount plog overflow attempt"; flow:to_server; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:1905; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD TCP amqproc_mount plog overflow attempt"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:1906; rev:13;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD UDP CMSD_CREATE buffer overflow attempt"; flow:to_server; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,36615; reference:bugtraq,524; reference:cve,1999-0696; reference:cve,2009-3699; classtype:attempted-admin; sid:1907; rev:17;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD UDP CMSD_CREATE buffer overflow attempt"; flow:to_server; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,36615; reference:bugtraq,524; reference:cve,1999-0696; reference:cve,2009-3699; classtype:attempted-admin; sid:1907; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD TCP CMSD_CREATE buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:1908; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD TCP CMSD_INSERT buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,524; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1909; rev:17;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD udp CMSD_INSERT buffer overflow attempt"; flow:to_server; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1910; rev:16;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:1911; rev:19;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD udp CMSD_INSERT buffer overflow attempt"; flow:to_server; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1910; rev:17;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:1911; rev:20;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,0866; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:1912; rev:16;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC STATD UDP stat mon_name format string exploit attempt"; flow:to_server; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:attempted-admin; sid:1913; rev:19;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC STATD UDP stat mon_name format string exploit attempt"; flow:to_server; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:attempted-admin; sid:1913; rev:20;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC STATD TCP stat mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:attempted-admin; sid:1914; rev:18;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC STATD UDP monitor mon_name format string exploit attempt"; flow:to_server; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:attempted-admin; sid:1915; rev:18;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC STATD UDP monitor mon_name format string exploit attempt"; flow:to_server; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:attempted-admin; sid:1915; rev:19;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC STATD TCP monitor mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:attempted-admin; sid:1916; rev:17;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"INDICATOR-SCAN UPnP service discover attempt"; flow:to_server; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:network-scan; sid:1917; rev:15;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"INDICATOR-SCAN UPnP service discover attempt"; flow:to_server; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:network-scan; sid:1917; rev:16;)
 # alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP SolarWinds IP scan attempt"; icode:0; itype:8; content:"SolarWinds.Net"; fast_pattern:only; metadata:ruleset community; classtype:network-scan; sid:1918; rev:10;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD overflow attempt"; flow:to_server,established; content:"CWD"; nocase; isdataat:180,relative; pcre:"/^CWD(?!\n)\s[^\n]{180}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,11069; reference:bugtraq,1227; reference:bugtraq,1690; reference:bugtraq,6869; reference:bugtraq,7251; reference:bugtraq,7950; reference:cve,1999-0219; reference:cve,1999-1058; reference:cve,1999-1510; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0781; reference:cve,2002-0126; reference:cve,2002-0405; classtype:attempted-admin; sid:1919; rev:31;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE NEWER overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+NEWER\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,229; reference:cve,1999-0800; classtype:attempted-admin; sid:1920; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE ZIPCHK overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"ZIPCHK"; distance:1; nocase; isdataat:100,relative; pcre:"/^SITE\s+ZIPCHK\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:cve,2000-0040; classtype:attempted-admin; sid:1921; rev:11;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap proxy attempt TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1922; rev:12;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap proxy attempt UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1923; rev:13;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP export request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:attempted-recon; sid:1924; rev:13;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap proxy attempt UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1923; rev:14;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP export request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; classtype:attempted-recon; sid:1924; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP exportall request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:attempted-recon; sid:1925; rev:12;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP exportall request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:attempted-recon; sid:1926; rev:13;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP exportall request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; classtype:attempted-recon; sid:1926; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP authorized_keys"; flow:to_server,established; content:"authorized_keys"; fast_pattern:only; metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:1927; rev:8;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP shadow retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"shadow"; pcre:"/^RETR[^\n]*shadow$/smi"; metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:1928; rev:11;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP auth literal overflow attempt"; flow:established,to_server; content:"AUTH"; fast_pattern:only; pcre:"/({(?=\d+}[^\n]*?\sAUTH)|AUTH\s[^\n]*?{(?=\d+}))/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,21724; reference:cve,1999-0005; reference:cve,2006-6424; classtype:misc-attack; sid:1930; rev:16;)
@@ -1343,33 +1343,33 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP AUTH overflow attempt"; flow:to_server,established; content:"AUTH"; nocase; isdataat:50,relative; pcre:"/^AUTH\s[^\n]{50}/smi"; metadata:ruleset community, service pop3; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:1936; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP LIST overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:10,relative; pcre:"/^LIST\s[^\n]{10}/smi"; metadata:ruleset community, service pop3; reference:bugtraq,948; reference:cve,2000-0096; reference:nessus,10197; classtype:attempted-admin; sid:1937; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP XTND overflow attempt"; flow:to_server,established; content:"XTND"; nocase; isdataat:50,relative; pcre:"/^XTND\s[^\n]{50}/smi"; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:1938; rev:10;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"SERVER-OTHER bootp hardware address length overflow"; flow:to_server; content:"|01|"; depth:1; byte_test:1,>,6,2; metadata:ruleset community; reference:cve,1999-0798; classtype:misc-activity; sid:1939; rev:9;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"SERVER-OTHER bootp invalid hardware type"; flow:to_server; content:"|01|"; depth:1; byte_test:1,>,7,1; metadata:ruleset community; reference:cve,1999-0798; classtype:misc-activity; sid:1940; rev:8;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"SERVER-OTHER bootp hardware address length overflow"; flow:to_server; content:"|01|"; depth:1; byte_test:1,>,6,2; metadata:policy max-detect-ips drop, ruleset community; reference:cve,1999-0798; classtype:misc-activity; sid:1939; rev:10;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"SERVER-OTHER bootp invalid hardware type"; flow:to_server; content:"|01|"; depth:1; byte_test:1,>,7,1; metadata:policy max-detect-ips drop, ruleset community; reference:cve,1999-0798; classtype:misc-activity; sid:1940; rev:9;)
 # alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET filename overflow attempt"; flow:to_server; content:"|00 01|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; metadata:policy max-detect-ips drop, ruleset community, service tftp; reference:bugtraq,20131; reference:bugtraq,22923; reference:bugtraq,36121; reference:bugtraq,5328; reference:cve,2002-0813; reference:cve,2006-4948; reference:cve,2007-1435; reference:cve,2009-2957; reference:cve,2009-2958; reference:nessus,18264; classtype:attempted-admin; sid:1941; rev:24;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RMDIR overflow attempt"; flow:to_server,established; content:"RMDIR"; nocase; isdataat:100,relative; pcre:"/^RMDIR(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,819; classtype:attempted-admin; sid:1942; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /Carello/add.exe access"; flow:to_server,established; content:"/Carello/add.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1245; reference:cve,2000-0396; reference:nessus,11776; classtype:web-application-activity; sid:1943; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /ecscripts/ecware.exe access"; flow:to_server,established; content:"/ecscripts/ecware.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6066; classtype:web-application-activity; sid:1944; rev:11;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"SERVER-WEBAPP answerbook2 admin attempt"; flow:to_server,established; content:"/cgi-bin/admin/admin"; metadata:ruleset community; reference:bugtraq,5383; reference:cve,2000-0696; classtype:web-application-activity; sid:1946; rev:10;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"SERVER-WEBAPP answerbook2 arbitrary command execution attempt"; flow:to_server,established; content:"/ab2/"; content:"|3B|"; distance:1; metadata:ruleset community; reference:bugtraq,1556; reference:cve,2000-0697; classtype:web-application-attack; sid:1947; rev:14;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dns zone transfer via UDP detected"; flow:to_server; content:"|00 01 00 00 00 00 00|"; depth:8; offset:4; byte_test:1,!&,0xF8,2; content:"|00 00 FC 00 01|"; fast_pattern; isdataat:!1,relative; metadata:ruleset community, service dns; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:1948; rev:19;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"SERVER-WEBAPP answerbook2 admin attempt"; flow:to_server,established; content:"/cgi-bin/admin/admin"; metadata:ruleset community, service http; reference:bugtraq,5383; reference:cve,2000-0696; classtype:web-application-activity; sid:1946; rev:11;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"SERVER-WEBAPP answerbook2 arbitrary command execution attempt"; flow:to_server,established; content:"/ab2/"; content:"|3B|"; distance:1; metadata:ruleset community, service http; reference:bugtraq,1556; reference:cve,2000-0697; classtype:web-application-attack; sid:1947; rev:15;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dns zone transfer via UDP detected"; flow:to_server; content:"|00 01 00 00 00 00 00|"; depth:8; offset:4; byte_test:1,!&,0xF8,2; content:"|00 00 FC 00 01|"; fast_pattern; isdataat:!1,relative; metadata:policy max-detect-ips drop, ruleset community, service dns; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:1948; rev:20;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap SET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1949; rev:11;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap SET attempt UDP 111"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1950; rev:12;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap SET attempt UDP 111"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1950; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP mount request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:cve,1999-0210; classtype:attempted-recon; sid:1951; rev:11;)
 # alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP mount request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; classtype:attempted-recon; sid:1952; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD TCP pid request"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:rpc-portmap-decode; sid:1953; rev:10;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD UDP pid request"; flow:to_server; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:rpc-portmap-decode; sid:1954; rev:11;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD UDP pid request"; flow:to_server; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; classtype:rpc-portmap-decode; sid:1954; rev:12;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD TCP version request"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:rpc-portmap-decode; sid:1955; rev:11;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD UDP version request"; flow:to_server; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,1554; reference:cve,2000-0696; classtype:rpc-portmap-decode; sid:1956; rev:14;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC sadmind UDP PING"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,866; reference:cve,1999-0977; reference:nessus,10229; classtype:protocol-command-decode; sid:1957; rev:15;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD UDP version request"; flow:to_server; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,1554; reference:cve,2000-0696; classtype:rpc-portmap-decode; sid:1956; rev:15;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC sadmind UDP PING"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,866; reference:cve,1999-0977; reference:nessus,10229; classtype:protocol-command-decode; sid:1957; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC sadmind TCP PING"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,866; reference:cve,1999-0977; reference:nessus,10229; classtype:protocol-command-decode; sid:1958; rev:15;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap NFS request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1959; rev:13;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap NFS request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1959; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap NFS request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1960; rev:13;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap RQUOTA request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1961; rev:13;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap RQUOTA request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1961; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap RQUOTA request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1962; rev:13;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC RQUOTA getquota overflow attempt UDP"; content:"|00 01 86 AB|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:1963; rev:14;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC tooltalk UDP overflow attempt"; flow:to_server; content:"|00 01 86 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,122; reference:cve,1999-0003; classtype:attempted-admin; sid:1964; rev:17;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC RQUOTA getquota overflow attempt UDP"; content:"|00 01 86 AB|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:1963; rev:15;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC tooltalk UDP overflow attempt"; flow:to_server; content:"|00 01 86 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,122; reference:cve,1999-0003; classtype:attempted-admin; sid:1964; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC tooltalk TCP overflow attempt"; flow:to_server,established; content:"|00 01 86 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,122; reference:cve,1999-0003; reference:cve,2001-0717; classtype:attempted-admin; sid:1965; rev:17;)
-# alert udp $EXTERNAL_NET any -> 255.255.255.255 27155 (msg:"SERVER-OTHER GlobalSunTech Access Point Information Disclosure attempt"; flow:to_server; content:"gstsearch"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,6100; reference:cve,2002-2137; classtype:misc-activity; sid:1966; rev:10;)
+# alert udp $EXTERNAL_NET any -> 255.255.255.255 27155 (msg:"SERVER-OTHER GlobalSunTech Access Point Information Disclosure attempt"; flow:to_server; content:"gstsearch"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,6100; reference:cve,2002-2137; classtype:misc-activity; sid:1966; rev:11;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phpbb quick-reply.php arbitrary command attempt"; flow:to_server,established; content:"/quick-reply.php"; http_uri; content:"phpbb_root_path="; metadata:ruleset community, service http; reference:bugtraq,6173; reference:cve,2002-2287; classtype:web-application-attack; sid:1967; rev:11;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phpbb quick-reply.php access"; flow:to_server,established; content:"/quick-reply.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6173; reference:cve,2002-2287; classtype:web-application-activity; sid:1968; rev:11;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ion-p access"; flow:to_server,established; content:"/ion-p"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6091; reference:cve,2002-1559; reference:nessus,11729; classtype:web-application-activity; sid:1969; rev:12;)
@@ -1383,12 +1383,12 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP xp_regwrite attempt"; flow:to_server,established; content:"xp_regwrite"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1977; rev:8;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP xp_regdeletekey attempt"; flow:to_server,established; content:"xp_regdeletekey"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1978; rev:8;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP perl post attempt"; flow:to_server,established; content:"POST"; depth:4; content:"/perl/"; http_uri; metadata:ruleset community, service http; reference:bugtraq,5520; reference:cve,2002-1436; reference:nessus,11158; classtype:web-application-attack; sid:1979; rev:11;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 2140 (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Connection"; flow:to_server; content:"00"; depth:2; metadata:ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1980; rev:11;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 2140 (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Connection"; flow:to_server; content:"00"; depth:2; metadata:policy max-detect-ips drop, ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1980; rev:12;)
 # alert udp $EXTERNAL_NET any -> $HOME_NET 3150 (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 3150"; flow:to_server; content:"00"; depth:2; metadata:ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1981; rev:11;)
 # alert udp $HOME_NET 3150 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 3150"; flow:to_client; content:"Ahhhh My Mouth Is Open"; metadata:ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1982; rev:11;)
 # alert udp $EXTERNAL_NET any -> $HOME_NET 4120 (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 4120"; flow:to_server; content:"00"; depth:2; metadata:ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1983; rev:10;)
 # alert udp $HOME_NET 4120 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 4120"; flow:to_client; content:"Ahhhh My Mouth Is Open"; metadata:ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1984; rev:11;)
-# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Doly variant outbound connection attempt"; flow:to_client,established; content:"* Doly trojan v1.5 - Connected."; fast_pattern:only; metadata:impact_flag red, ruleset community, service http; reference:url,virustotal.com/en/file/499446edf3dfd200ebf3df2526cd4d101979e626afcd1860193f71829be23922/; classtype:trojan-activity; sid:1985; rev:8;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Doly variant outbound connection attempt"; flow:to_client,established; content:"* Doly trojan v1.5 - Connected."; fast_pattern:only; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/499446edf3dfd200ebf3df2526cd4d101979e626afcd1860193f71829be23922/; classtype:trojan-activity; sid:1985; rev:9;)
 # alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"POLICY-SOCIAL Microsoft MSN outbound file transfer request"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; nocase; content:"INVITE"; distance:0; nocase; metadata:ruleset community; classtype:policy-violation; sid:1986; rev:12;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 7100 (msg:"SERVER-OTHER xfs overflow attempt"; flow:to_server,established; isdataat:512; content:"B|00 02|"; depth:3; metadata:ruleset community; reference:bugtraq,6241; reference:cve,2002-1317; reference:nessus,11188; classtype:misc-activity; sid:1987; rev:11;)
 # alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"POLICY-SOCIAL Microsoft MSN outbound file transfer accept"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 200 OK"; distance:0; nocase; metadata:ruleset community; classtype:policy-violation; sid:1988; rev:11;)
@@ -1405,10 +1405,10 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP edit_image.php access"; flow:to_server,established; content:"/edit_image.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3288; reference:cve,2001-1020; reference:nessus,11104; classtype:web-application-activity; sid:1999; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP readmsg.php access"; flow:to_server,established; content:"/readmsg.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2001-1408; reference:nessus,11073; classtype:web-application-activity; sid:2000; rev:12;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP smartsearch.cgi access"; flow:to_server,established; content:"/smartsearch.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,7133; classtype:web-application-activity; sid:2001; rev:11;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP remote include path attempt"; flow:to_server,established; content:".php"; nocase; http_uri; content:"path="; fast_pattern:only; http_uri; pcre:"/path=(https?|ftps?|php)/Ui"; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/File_inclusion_vulnerability; reference:url,php.net/manual/en/function.include.php; classtype:web-application-attack; sid:2002; rev:17;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SQL Worm propagation attempt"; flow:to_server; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; fast_pattern:only; content:"sock"; content:"send"; metadata:ruleset community; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2003; rev:15;)
-# alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"SQL Worm propagation attempt OUTBOUND"; flow:to_server; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1|"; fast_pattern:only; content:"sock"; content:"send"; metadata:ruleset community; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2004; rev:14;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap kcms_server request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2005; rev:21;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP remote include path attempt"; flow:to_server,established; content:".php"; nocase; http_uri; content:"path="; fast_pattern:only; http_uri; pcre:"/path=(https?|ftps?|php)/Ui"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,en.wikipedia.org/wiki/File_inclusion_vulnerability; reference:url,php.net/manual/en/function.include.php; classtype:web-application-attack; sid:2002; rev:18;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SQL Worm propagation attempt"; flow:to_server; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; fast_pattern:only; content:"sock"; content:"send"; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2003; rev:16;)
+# alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"SQL Worm propagation attempt OUTBOUND"; flow:to_server; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1|"; fast_pattern:only; content:"sock"; content:"send"; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2004; rev:15;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap kcms_server request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2005; rev:22;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap kcms_server request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2006; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"PROTOCOL-RPC kcms_server directory traversal attempt"; flow:to_server,established; content:"|00 01 87|}"; depth:4; offset:16; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../"; distance:0; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2007; rev:16;)
 # alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS invalid user authentication response"; flow:to_client,established; content:"E Fatal error, aborting."; fast_pattern:only; content:"|3A| no such user"; metadata:ruleset community; classtype:misc-attack; sid:2008; rev:9;)
@@ -1418,41 +1418,41 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo
 # alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS missing cvsroot response"; flow:to_client,established; content:"E protocol error|3A| Root request missing"; fast_pattern:only; metadata:ruleset community; classtype:misc-attack; sid:2012; rev:7;)
 # alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS invalid module response"; flow:to_client,established; content:"cvs server|3A| cannot find module"; fast_pattern:only; content:"error"; metadata:ruleset community; classtype:misc-attack; sid:2013; rev:8;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap UNSET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2014; rev:11;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap UNSET attempt UDP 111"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,1892; reference:cve,2011-0321; classtype:rpc-portmap-decode; sid:2015; rev:13;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap UNSET attempt UDP 111"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,1892; reference:cve,2011-0321; classtype:rpc-portmap-decode; sid:2015; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap status request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:2016; rev:13;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap espd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:2017; rev:19;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap espd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:2017; rev:20;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP dump request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:attempted-recon; sid:2018; rev:9;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP dump request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:attempted-recon; sid:2019; rev:10;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP dump request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; classtype:attempted-recon; sid:2019; rev:11;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP unmount request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:attempted-recon; sid:2020; rev:9;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP unmount request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:attempted-recon; sid:2021; rev:10;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP unmount request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; classtype:attempted-recon; sid:2021; rev:11;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP unmountall request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:attempted-recon; sid:2022; rev:9;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP unmountall request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:attempted-recon; sid:2023; rev:10;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP unmountall request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; classtype:attempted-recon; sid:2023; rev:11;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC RQUOTA getquota overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 AB|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:2024; rev:13;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd username overflow attempt UDP"; flow:to_server; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; reference:nessus,10684; classtype:rpc-portmap-decode; sid:2025; rev:16;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd username overflow attempt UDP"; flow:to_server; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; reference:nessus,10684; classtype:rpc-portmap-decode; sid:2025; rev:17;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd username overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; reference:nessus,10684; classtype:rpc-portmap-decode; sid:2026; rev:15;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd old password overflow attempt UDP"; flow:to_server; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2027; rev:12;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd old password overflow attempt UDP"; flow:to_server; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2027; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd old password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2028; rev:11;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd new password overflow attempt UDP"; flow:to_server; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2029; rev:12;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd new password overflow attempt UDP"; flow:to_server; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2029; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd new password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2030; rev:12;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd user update UDP"; flow:to_server; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2031; rev:13;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd user update UDP"; flow:to_server; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2031; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd user update TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2032; rev:11;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC ypserv maplist request UDP"; flow:to_server; content:"|00 01 86 A4|"; depth:4; offset:12; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2002-1232; reference:nessus,13976; classtype:rpc-portmap-decode; sid:2033; rev:15;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC ypserv maplist request UDP"; flow:to_server; content:"|00 01 86 A4|"; depth:4; offset:12; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2002-1232; reference:nessus,13976; classtype:rpc-portmap-decode; sid:2033; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC ypserv maplist request TCP"; flow:to_server,established; content:"|00 01 86 A4|"; depth:4; offset:16; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2034; rev:13;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap network-status-monitor request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:2035; rev:13;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap network-status-monitor request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:2035; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap network-status-monitor request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:2036; rev:12;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC network-status-monitor mon-callback request UDP"; flow:to_server; content:"|00 03 0D|p"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:rpc-portmap-decode; sid:2037; rev:11;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC network-status-monitor mon-callback request UDP"; flow:to_server; content:"|00 03 0D|p"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; classtype:rpc-portmap-decode; sid:2037; rev:12;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC network-status-monitor mon-callback request TCP"; flow:to_server,established; content:"|00 03 0D|p"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:rpc-portmap-decode; sid:2038; rev:10;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"SERVER-OTHER bootp hostname format string attempt"; flow:to_server; content:"|01|"; depth:1; content:"|0C|"; distance:240; content:"%"; distance:0; content:"%"; within:8; distance:1; content:"%"; within:8; distance:1; metadata:ruleset community; reference:bugtraq,4701; reference:cve,2002-0702; reference:nessus,11312; classtype:misc-attack; sid:2039; rev:11;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"POLICY-OTHER xtacacs login attempt"; flow:to_server; content:"|80 01|"; depth:2; content:"|00|"; distance:4; metadata:ruleset community; classtype:misc-activity; sid:2040; rev:7;)
-# alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"INDICATOR-SCAN xtacacs failed login response"; flow:to_client; content:"|80 02|"; depth:2; content:"|02|"; distance:4; metadata:ruleset community; classtype:misc-activity; sid:2041; rev:7;)
-# alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"POLICY-OTHER xtacacs accepted login response"; flow:to_client; content:"|80 02|"; depth:2; content:"|01|"; distance:4; metadata:ruleset community; classtype:misc-activity; sid:2042; rev:7;)
-# alert udp $HOME_NET 500 -> $EXTERNAL_NET 500 (msg:"INDICATOR-SCAN isakmp login failed"; content:"|10 05|"; depth:2; offset:17; content:"|00 00 00 01 01 00 00 18|"; within:8; distance:13; metadata:ruleset community; classtype:misc-activity; sid:2043; rev:6;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"SERVER-OTHER bootp hostname format string attempt"; flow:to_server; content:"|01|"; depth:1; content:"|0C|"; distance:240; content:"%"; distance:0; content:"%"; within:8; distance:1; content:"%"; within:8; distance:1; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,4701; reference:cve,2002-0702; reference:nessus,11312; classtype:misc-attack; sid:2039; rev:12;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"POLICY-OTHER xtacacs login attempt"; flow:to_server; content:"|80 01|"; depth:2; content:"|00|"; distance:4; metadata:policy max-detect-ips drop, ruleset community; classtype:misc-activity; sid:2040; rev:8;)
+# alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"INDICATOR-SCAN xtacacs failed login response"; flow:to_client; content:"|80 02|"; depth:2; content:"|02|"; distance:4; metadata:policy max-detect-ips drop, ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:misc-activity; sid:2041; rev:9;)
+# alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"POLICY-OTHER xtacacs accepted login response"; flow:to_client; content:"|80 02|"; depth:2; content:"|01|"; distance:4; metadata:policy max-detect-ips drop, ruleset community; classtype:misc-activity; sid:2042; rev:8;)
+# alert udp $HOME_NET 500 -> $EXTERNAL_NET 500 (msg:"INDICATOR-SCAN isakmp login failed"; content:"|10 05|"; depth:2; offset:17; content:"|00 00 00 01 01 00 00 18|"; within:8; distance:13; metadata:policy max-detect-ips drop, ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:misc-activity; sid:2043; rev:8;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"POLICY-OTHER PPTP Start Control Request attempt"; flow:to_server,established,no_stream; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; metadata:ruleset community; classtype:attempted-admin; sid:2044; rev:8;)
 # alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC snmpXdmi overflow attempt UDP"; flow:to_server; content:"|00 01 87 99|"; depth:4; offset:12; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:2045; rev:21;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP partial body.peek buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY.PEEK["; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\.PEEK\[[^\]]{1024}/smi"; metadata:ruleset community, service imap; reference:bugtraq,4713; reference:cve,2002-0379; reference:nessus,10966; classtype:misc-attack; sid:2046; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"SERVER-OTHER rsyncd module list access"; flow:to_server,established; content:"|23|list"; depth:5; metadata:ruleset community; classtype:misc-activity; sid:2047; rev:5;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SQL ping attempt"; flow:to_server; content:"|02|"; depth:1; metadata:ruleset community; reference:nessus,10674; classtype:misc-activity; sid:2049; rev:8;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SERVER-MSSQL version overflow attempt"; flow:to_server; dsize:>100; content:"|04|"; depth:1; metadata:ruleset community; reference:bugtraq,5310; reference:cve,2002-0649; reference:nessus,10674; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-039; classtype:attempted-admin; sid:2050; rev:18;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SQL ping attempt"; flow:to_server; content:"|02|"; depth:1; metadata:policy max-detect-ips drop, ruleset community; reference:nessus,10674; classtype:misc-activity; sid:2049; rev:9;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SERVER-MSSQL version overflow attempt"; flow:to_server; dsize:>100; content:"|04|"; depth:1; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,5310; reference:cve,2002-0649; reference:nessus,10674; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-039; classtype:attempted-admin; sid:2050; rev:19;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cached_feed.cgi moreover shopping cart access"; flow:to_server,established; content:"/cached_feed.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1762; reference:cve,2000-0906; classtype:web-application-activity; sid:2051; rev:11;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP overflow.cgi access"; flow:to_server,established; content:"/overflow.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6326; reference:cve,2002-1361; reference:nessus,11190; reference:url,www.cert.org/advisories/CA-2002-35.html; classtype:web-application-activity; sid:2052; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Bugtraq process_bug.cgi access"; flow:to_server,established; content:"/process_bug.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3272; reference:cve,2002-0008; classtype:web-application-activity; sid:2053; rev:16;)
@@ -1480,11 +1480,11 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Mambo uploadimage.php access"; flow:to_server,established; content:"/uploadimage.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6572; reference:cve,2003-1204; reference:nessus,16315; classtype:web-application-activity; sid:2076; rev:11;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Mambo upload.php access"; flow:to_server,established; content:"/upload.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6572; reference:cve,2003-1204; reference:nessus,16315; classtype:web-application-activity; sid:2077; rev:11;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phpBB privmsg.php access"; flow:to_server,established; content:"/privmsg.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6634; reference:cve,2003-1530; classtype:web-application-activity; sid:2078; rev:11;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap nlockmgr request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,1372; reference:cve,2000-0508; reference:nessus,10220; classtype:rpc-portmap-decode; sid:2079; rev:14;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap nlockmgr request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; 
depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,1372; reference:cve,2000-0508; reference:nessus,10220; classtype:rpc-portmap-decode; sid:2079; rev:15;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap nlockmgr request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,1372; reference:cve,2000-0508; reference:nessus,10220; classtype:rpc-portmap-decode; sid:2080; rev:13;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rpc.xfsmd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2081; rev:16;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rpc.xfsmd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2081; rev:17;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rpc.xfsmd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; 
distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2082; rev:15;) -# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC rpc.xfsmd xfs_export attempt UDP"; flow:to_server; content:"|00 05 F7|h"; depth:4; offset:12; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2083; rev:14;) +# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC rpc.xfsmd xfs_export attempt UDP"; flow:to_server; content:"|00 05 F7|h"; depth:4; offset:12; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2083; rev:15;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC rpc.xfsmd xfs_export attempt TCP"; flow:to_server,established; content:"|00 05 F7|h"; depth:4; offset:16; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2084; rev:13;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP parse_xml.cgi access"; flow:to_server,established; content:"/parse_xml.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6954; reference:bugtraq,6955; reference:bugtraq,6956; reference:bugtraq,6958; reference:cve,2003-0050; reference:cve,2003-0051; reference:cve,2003-0052; reference:cve,2003-0053; 
reference:cve,2003-0423; classtype:web-application-activity; sid:2085; rev:17;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP streaming server parse_xml.cgi access"; flow:to_server,established; content:"/parse_xml.cgi"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,6954; reference:bugtraq,6955; reference:bugtraq,6956; reference:bugtraq,6958; reference:cve,2003-0050; reference:cve,2003-0051; reference:cve,2003-0052; reference:cve,2003-0053; reference:cve,2003-0423; classtype:web-application-activity; sid:2086; rev:14;) 
@@ -1493,9 +1493,9 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC ypupdated arbitrary command attempt TCP"; flow:to_server,established; content:"|00 01 86 BC|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,1749; reference:cve,1999-0208; classtype:misc-attack; sid:2089; rev:15;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0A|Content-type|3A| text/xml|0A|HOST|3A|"; http_header; content:"Accept|3A| */*|0A|Translate|3A| f|0A|Content-length|3A|5276|0A 0A|"; http_header; metadata:ruleset community, service http; reference:bugtraq,7116; reference:bugtraq,7716; reference:cve,2003-0109; reference:nessus,11413; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-007; classtype:attempted-admin; sid:2090; rev:22;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH / HTTP/1.1|0D 0A|Host|3A|"; content:"|0D 0A 0D 0A|"; within:255; metadata:ruleset community, service http; reference:bugtraq,7116; reference:cve,2003-0109; reference:nessus,11412; reference:nessus,11413; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-007; classtype:attempted-admin; sid:2091; rev:16;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap proxy integer overflow attempt UDP"; flow:to_server; content:"|00 01 86 A0 00|"; depth:5; offset:12; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:4; 
metadata:ruleset community, service sunrpc; reference:bugtraq,36564; reference:bugtraq,7123; reference:cve,2003-0028; reference:nessus,11420; classtype:rpc-portmap-decode; sid:2092; rev:13;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap proxy integer overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A0 00|"; depth:5; offset:16; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,7123; reference:cve,2003-0028; reference:nessus,11420; classtype:rpc-portmap-decode; sid:2093; rev:12;) -# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"; flow:to_server; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,36615; reference:bugtraq,5356; reference:cve,2002-0391; reference:cve,2009-3699; reference:nessus,11418; classtype:attempted-admin; sid:2094; rev:17;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap proxy integer overflow attempt UDP"; flow:to_server; content:"|00 01 86 A0 00|"; depth:5; offset:12; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,36564; reference:bugtraq,7123; reference:cve,2003-0028; reference:nessus,11420; classtype:rpc-portmap-decode; sid:2092; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap proxy integer overflow attempt TCP"; 
flow:to_server,established; content:"|00 01 86 A0 00|"; depth:5; offset:16; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,7123; reference:cve,2003-0028; reference:nessus,11420; classtype:rpc-portmap-decode; sid:2093; rev:13;) +# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"; flow:to_server; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,36615; reference:bugtraq,5356; reference:cve,2002-0391; reference:cve,2009-3699; reference:nessus,11418; classtype:attempted-admin; sid:2094; rev:18;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,5356; reference:cve,2002-0391; reference:nessus,11418; classtype:attempted-admin; sid:2095; rev:14;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR SubSeven 2.1 Gold server connection response"; flow:to_client,established; content:"connected. 
time/date|3A| "; depth:22; content:"version|3A| GOLD 2.1"; distance:1; metadata:ruleset community; reference:mcafee,10566; reference:nessus,10409; classtype:trojan-activity; sid:2100; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Trans Max Param/Count OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00 00 00|"; within:4; distance:5; metadata:ruleset community; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-045; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:protocol-command-decode; sid:2101; rev:23;) 
@@ -1522,10 +1522,10 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo # alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows"; depth:18; content:"|28|C|29| Copyright 1985-"; distance:0; content:"Microsoft Corp."; distance:0; metadata:policy max-detect-ips drop, ruleset community; reference:nessus,11633; classtype:successful-admin; sid:2123; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 34012 (msg:"MALWARE-BACKDOOR Remote PC Access connection"; flow:to_server,established; content:"|28 00 01 00 04 00 00 00 00 00 00 00|"; depth:12; metadata:ruleset community; reference:nessus,11673; classtype:trojan-activity; sid:2124; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD Root directory traversal attempt"; flow:to_server,established; content:"CWD"; nocase; content:"C|3A 5C|"; distance:1; metadata:ruleset community, service ftp; reference:bugtraq,7674; reference:cve,2003-0392; reference:nessus,11677; classtype:protocol-command-decode; sid:2125; rev:15;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"OS-WINDOWS Microsoft Windows PPTP Start Control Request buffer overflow attempt"; flow:to_server,established,no_stream; isdataat:156; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; metadata:ruleset community; reference:bugtraq,5807; reference:cve,2002-1214; reference:nessus,11178; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-063; classtype:attempted-admin; sid:2126; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"OS-WINDOWS Microsoft Windows PPTP Start Control Request buffer overflow attempt"; flow:to_server,established,no_stream; isdataat:156; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,5807; reference:cve,2002-1214; reference:nessus,11178; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-063; classtype:attempted-admin; sid:2126; rev:16;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ikonboard.cgi access"; flow:to_server,established; content:"/ikonboard.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,7361; reference:nessus,11605; classtype:web-application-activity; sid:2127; rev:13;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP swsrv.cgi access"; flow:to_server,established; content:"/swsrv.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,7510; reference:cve,2003-0217; reference:nessus,11608; classtype:web-application-activity; sid:2128; rev:18;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS nsiislog.dll access"; flow:to_server,established; content:"/nsiislog.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8035; reference:cve,2003-0227; reference:cve,2003-0349; reference:nessus,11664; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-018; classtype:web-application-activity; sid:2129; rev:25;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS nsiislog.dll access"; flow:to_server,established; content:"/nsiislog.dll"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,8035; reference:cve,2003-0227; reference:cve,2003-0349; reference:nessus,11664; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-018; classtype:web-application-activity; sid:2129; rev:26;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS IISProtect siteadmin.asp access"; flow:to_server,established; content:"/iisprotect/admin/SiteAdmin.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,7675; 
reference:cve,2003-0377; reference:nessus,11662; classtype:web-application-activity; sid:2130; rev:17;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS IISProtect access"; flow:to_server,established; content:"/iisprotect/admin/"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11661; classtype:web-application-activity; sid:2131; rev:14;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Synchrologic Email Accelerator userid list access attempt"; flow:to_server,established; content:"/en/admin/aggregate.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11657; classtype:web-application-activity; sid:2132; rev:14;) 
@@ -1541,8 +1541,8 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP shoutbox.php access"; flow:to_server,established; content:"/shoutbox.php"; fast_pattern; nocase; http_uri; content:"conf="; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11668; classtype:web-application-activity; sid:2142; rev:12;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP b2 cafelog gm-2-b2.php remote file include attempt"; flow:to_server,established; content:"/gm-2-b2.php"; fast_pattern; nocase; http_uri; content:"b2inc="; pcre:"/b2inc=(https?|ftps?|php)/i"; metadata:ruleset community, service http; reference:nessus,11667; classtype:web-application-attack; sid:2143; rev:14;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP b2 cafelog gm-2-b2.php access"; flow:to_server,established; content:"/gm-2-b2.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11667; classtype:web-application-activity; sid:2144; rev:13;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP TextPortal admin.php default password admin attempt"; flow:to_server,established; content:"/admin.php"; http_uri; content:"op=admin_enter"; content:"password=admin"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,7673; reference:nessus,11660; classtype:web-application-activity; sid:2145; rev:11;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP TextPortal admin.php default password 12345 attempt"; flow:to_server,established; content:"/admin.php"; http_uri; content:"op=admin_enter"; content:"password=12345"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,7673; reference:nessus,11660; classtype:web-application-activity; sid:2146; rev:11;) +# alert tcp $EXTERNAL_NET any 
-> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP TextPortal admin.php default password admin attempt"; flow:to_server,established; content:"/admin.php"; http_uri; content:"op=admin_enter"; content:"password=admin"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,7673; reference:nessus,11660; reference:url,attack.mitre.org/techniques/T1078; classtype:web-application-activity; sid:2145; rev:12;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP TextPortal admin.php default password 12345 attempt"; flow:to_server,established; content:"/admin.php"; http_uri; content:"op=admin_enter"; content:"password=12345"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,7673; reference:nessus,11660; reference:url,attack.mitre.org/techniques/T1078; classtype:web-application-activity; sid:2146; rev:12;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP BLNews objects.inc.php4 remote file include attempt"; flow:to_server,established; content:"/objects.inc.php4"; http_uri; content:"Server[path]="; pcre:"/Server\x5bpath\x5d=(https?|ftps?|php)/"; metadata:ruleset community, service http; reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647; classtype:web-application-attack; sid:2147; rev:15;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP BLNews objects.inc.php4 access"; flow:to_server,established; content:"/objects.inc.php4"; http_uri; metadata:ruleset community, service http; reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647; classtype:web-application-activity; sid:2148; rev:11;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Turba status.php access"; flow:to_server,established; content:"/turba/status.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11646; classtype:web-application-activity; sid:2149; rev:13;) 
@@ -1556,10 +1556,10 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS IISProtect globaladmin.asp access"; flow:to_server,established; content:"/iisprotect/admin/GlobalAdmin.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11661; classtype:web-application-activity; sid:2157; rev:14;) # alert tcp any any <> any 179 (msg:"SERVER-OTHER BGP invalid length"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; byte_test:2,<,19,0,relative; metadata:ruleset community; reference:bugtraq,6213; reference:cve,2002-1350; reference:nessus,14011; reference:nessus,15043; reference:url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575; classtype:bad-unknown; sid:2158; rev:12;) # alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"SERVER-OTHER BGP invalid type 0"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:16; content:"|00|"; within:1; distance:2; metadata:ruleset community; reference:bugtraq,6213; reference:cve,2002-1350; reference:nessus,14011; reference:nessus,15043; classtype:bad-unknown; sid:2159; rev:15;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB startup folder access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"Documents and Settings|5C|All Users|5C|Start Menu|5C|Programs|5C|Startup|00|"; distance:0; nocase; metadata:ruleset community, service netbios-ssn; classtype:attempted-recon; sid:2176; rev:10;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB startup folder unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|5C 00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5C 00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5C 
00|S|00|t|00|a|00|r|00|t|00|u|00|p"; distance:0; nocase; metadata:ruleset community; classtype:attempted-recon; sid:2177; rev:11;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB startup folder access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"Documents and Settings|5C|All Users|5C|Start Menu|5C|Programs|5C|Startup|00|"; distance:0; nocase; metadata:ruleset community, service netbios-ssn; reference:url,attack.mitre.org/techniques/T1060; classtype:attempted-recon; sid:2176; rev:11;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB startup folder unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|5C 00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5C 00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5C 00|S|00|t|00|a|00|r|00|t|00|u|00|p"; distance:0; nocase; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1060; classtype:attempted-recon; sid:2177; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP USER format string attempt"; flow:to_server,established; content:"USER"; fast_pattern:only; pcre:"/^USER\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,7474; reference:bugtraq,7776; reference:bugtraq,9262; reference:bugtraq,9402; reference:bugtraq,9600; reference:bugtraq,9800; reference:cve,2004-0277; reference:nessus,10041; reference:nessus,11687; classtype:misc-attack; sid:2178; rev:23;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP PASS format string attempt"; flow:to_server,established; content:"PASS"; fast_pattern:only; pcre:"/^PASS\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,7474; reference:bugtraq,9262; reference:bugtraq,9800; reference:cve,2000-0699; reference:cve,2007-1195; reference:nessus,10490; 
reference:url,osvdb.org/show/osvdb/33813; classtype:misc-attack; sid:2179; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP PASS format string attempt"; flow:to_server,established; content:"PASS"; fast_pattern:only; pcre:"/^PASS\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,7474; reference:bugtraq,9262; reference:bugtraq,9800; reference:cve,2000-0699; reference:cve,2007-1195; reference:nessus,10490; classtype:misc-attack; sid:2179; rev:16;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P BitTorrent announce request"; flow:to_server,established; content:"/announce"; content:"info_hash="; content:"peer_id="; content:"event="; metadata:ruleset community, service http; classtype:policy-violation; sid:2180; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P BitTorrent transfer"; flow:to_server,established; content:"|13|BitTorrent protocol"; depth:20; metadata:ruleset community; classtype:policy-violation; sid:2181; rev:8;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail Content-Transfer-Encoding overflow attempt"; flow:to_server,established; content:"Content-Transfer-Encoding"; nocase; content:"|3A|"; distance:0; isdataat:100,relative; content:!"|0A|"; within:100; pcre:"/^\s*Content-Transfer-Encoding\s*\x3A[^\n]{100}/mi"; metadata:ruleset community, service smtp; reference:cve,2003-0161; reference:url,www.cert.org/advisories/CA-2003-12.html; classtype:attempted-admin; sid:2183; rev:16;) 
@@ -1595,14 +1595,14 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Leif M. Wright simplestmail.cgi access"; flow:to_server,established; content:"/simplestmail.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2106; reference:bugtraq,4579; reference:cve,2001-0022; reference:nessus,11748; classtype:web-application-activity; sid:2220; rev:18;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgiCentral WebStore ws_mail.cgi access"; flow:to_server,established; content:"/ws_mail.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2861; reference:bugtraq,4579; reference:cve,2001-1343; reference:nessus,11748; classtype:web-application-activity; sid:2221; rev:18;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Infinity CGI exploit scanner nph-exploitscanget.cgi access"; flow:to_server,established; content:"/nph-exploitscanget.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,7910; reference:bugtraq,7911; reference:bugtraq,7913; reference:cve,2003-0434; reference:nessus,11740; classtype:web-application-activity; sid:2222; rev:20;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CGIScript.net csNews.cgi access"; flow:to_server,established; content:"/csNews.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4994; reference:cve,2002-0923; reference:nessus,11726; classtype:web-application-activity; sid:2223; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CGIScript.net csNews.cgi access"; flow:to_server,established; content:"/csNews.cgi"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; 
reference:bugtraq,4994; reference:cve,2002-0923; reference:cve,2002-1751; reference:nessus,11726; classtype:web-application-activity; sid:2223; rev:18;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Psunami Bulletin Board psunami.cgi access"; flow:to_server,established; content:"/psunami.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6607; reference:nessus,11750; classtype:web-application-activity; sid:2224; rev:13;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys BEFSR41 gozila.cgi access"; flow:to_server,established; content:"/gozila.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6086; reference:cve,2002-1236; reference:nessus,11773; classtype:web-application-activity; sid:2225; rev:15;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pmachine remote file include attempt"; flow:to_server,established; content:"lib.inc.php"; fast_pattern; nocase; http_uri; content:"pm_path="; http_uri; pcre:"/pm_path=(https?|ftps?|php)/Ui"; metadata:ruleset community, service http; reference:bugtraq,7919; reference:nessus,11739; classtype:web-application-attack; sid:2226; rev:19;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP forum_details.php access"; flow:to_server,established; content:"forum_details.php"; http_uri; metadata:ruleset community, service http; reference:bugtraq,7933; reference:nessus,11760; classtype:web-application-attack; sid:2227; rev:9;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phpMyAdmin db_details_importdocsql.php access"; flow:to_server,established; content:"db_details_importdocsql.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,7962; reference:bugtraq,7965; reference:nessus,11761; classtype:web-application-attack; sid:2228; rev:16;) # alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP viewtopic.php access"; flow:to_server,established; content:"/viewtopic.php"; fast_pattern; nocase; http_uri; content:"days="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,7979; reference:cve,2003-0486; reference:nessus,11767; classtype:web-application-attack; sid:2229; rev:15;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NetGear router default password login attempt admin/password"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"YWRtaW46cGFzc3dvcmQ"; nocase; http_header; pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s+YWRtaW46cGFzc3dvcmQ/smiH"; metadata:ruleset community, service http; reference:nessus,11737; classtype:default-login-attempt; sid:2230; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NetGear router default password login attempt admin/password"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"YWRtaW46cGFzc3dvcmQ"; nocase; http_header; pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s+YWRtaW46cGFzc3dvcmQ/smiH"; metadata:ruleset community, service http; reference:nessus,11737; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:2230; rev:17;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP register.dll access"; flow:to_server,established; content:"/register.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2231; rev:13;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ContentFilter.dll access"; flow:to_server,established; content:"/ContentFilter.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3327; reference:cve,2001-0958; 
reference:nessus,11747; classtype:web-application-activity; sid:2232; rev:13;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SFNofitication.dll access"; flow:to_server,established; content:"/SFNofitication.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2233; rev:13;) 
@@ -1624,10 +1624,10 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /pcadmin/login.asp access"; flow:to_server,established; content:"/pcadmin/login.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,8103; reference:nessus,11785; classtype:web-application-activity; sid:2249; rev:15;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP USER format string attempt"; flow:to_server,established; content:"USER"; fast_pattern:only; pcre:"/^USER\s+[^\n]*?%/smi"; metadata:ruleset community, service pop3; reference:bugtraq,10976; reference:bugtraq,7667; reference:cve,2003-0391; reference:nessus,11742; classtype:attempted-admin; sid:2250; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; metadata:ruleset community, service netbios-ssn; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:2252; rev:22;) -# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL XEXCH50 overflow attempt"; flow:to_server,established; content:"XEXCH50"; fast_pattern:only; pcre:"/^XEXCH50\s+-\d/smi"; metadata:ruleset community, service smtp; reference:bugtraq,8838; reference:cve,2003-0714; reference:nessus,11889; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-046; classtype:attempted-admin; sid:2253; rev:19;) +# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL XEXCH50 overflow attempt"; flow:to_server,established; content:"XEXCH50"; fast_pattern:only; pcre:"/^XEXCH50\s+-\d/smi"; metadata:policy max-detect-ips drop, ruleset community, service smtp; reference:bugtraq,8838; reference:cve,2003-0714; reference:nessus,11889; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-046; classtype:attempted-admin; sid:2253; rev:20;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC sadmind query with root credentials attempt TCP"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; metadata:ruleset community; classtype:misc-attack; sid:2255; rev:13;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC sadmind query with root credentials attempt UDP"; flow:to_server; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; metadata:ruleset community, service sunrpc; classtype:misc-attack; sid:2256; rev:11;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"OS-WINDOWS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; metadata:ruleset community; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-043; classtype:attempted-admin; sid:2257; rev:15;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC sadmind query with root credentials attempt UDP"; 
flow:to_server; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:misc-attack; sid:2256; rev:12;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"OS-WINDOWS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-043; classtype:attempted-admin; sid:2257; rev:16;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|04 00|"; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; metadata:ruleset community, service netbios-ssn; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-043; classtype:attempted-admin; sid:2258; rev:17;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL EXPN overflow attempt"; flow:to_server,established; content:"EXPN"; nocase; isdataat:255,relative; pcre:"/^EXPN[^\n]{255}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2259; rev:17;) 
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL VRFY overflow attempt"; flow:to_server,established; content:"VRFY"; nocase; isdataat:255,relative; pcre:"/^VRFY[^\n]{255}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2260; rev:17;) 
@@ -1643,9 +1643,9 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail RCPT TO prescan too long addresses overflow"; flow:to_server,established; content:"RCPT TO|3A|"; fast_pattern:only; pcre:"/^RCPT TO\x3a\s*[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,7230; reference:cve,2003-0161; reference:cve,2003-0694; reference:nessus,11499; classtype:attempted-admin; sid:2270; rev:18;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR FsSniffer connection attempt"; flow:to_server,established; content:"RemoteNC Control Password|3A|"; metadata:ruleset community; reference:nessus,11854; classtype:trojan-activity; sid:2271; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP LIST integer overflow attempt"; flow:to_server,established; content:"LIST"; fast_pattern:only; pcre:"/^LIST\s+\x22-W\s+\d+/smi"; metadata:ruleset community, service ftp; reference:bugtraq,8875; reference:cve,2003-0853; reference:cve,2003-0854; reference:nessus,11912; classtype:misc-attack; sid:2272; rev:13;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP login brute force attempt"; flow:to_server,established,no_stream; content:"LOGIN"; fast_pattern:only; detection_filter:track by_dst, count 30, seconds 30; metadata:ruleset community, service imap; classtype:suspicious-login; sid:2273; rev:11;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP login brute force attempt"; flow:to_server,established,no_stream; content:"USER"; fast_pattern:only; detection_filter:track by_dst, count 30, seconds 30; metadata:ruleset community, service pop3; classtype:suspicious-login; sid:2274; rev:10;) -# alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SERVER-MAIL AUTH LOGON brute force attempt"; flow:to_client,established,no_stream; content:"Authentication 
unsuccessful"; offset:54; nocase; detection_filter:track by_dst, count 5, seconds 60; metadata:ruleset community, service smtp; classtype:suspicious-login; sid:2275; rev:11;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP login brute force attempt"; flow:to_server,established,no_stream; content:"LOGIN"; fast_pattern:only; detection_filter:track by_dst, count 30, seconds 30; metadata:ruleset community, service imap; reference:url,attack.mitre.org/techniques/T1110; classtype:suspicious-login; sid:2273; rev:12;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP login brute force attempt"; flow:to_server,established,no_stream; content:"USER"; fast_pattern:only; detection_filter:track by_dst, count 30, seconds 30; metadata:ruleset community, service pop3; reference:url,attack.mitre.org/techniques/T1110; classtype:suspicious-login; sid:2274; rev:11;) +# alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SERVER-MAIL AUTH LOGON brute force attempt"; flow:to_client,established,no_stream; content:"Authentication unsuccessful"; offset:54; nocase; detection_filter:track by_dst, count 5, seconds 60; metadata:ruleset community, service smtp; reference:url,attack.mitre.org/techniques/T1110; classtype:suspicious-login; sid:2275; rev:12;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP oracle portal demo access"; flow:to_server,established; content:"/pls/portal/PORTAL_DEMO"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11918; classtype:web-application-activity; sid:2276; rev:9;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PeopleSoft PeopleBooks psdoccgi access"; flow:to_server,established; content:"/psdoccgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9037; reference:bugtraq,9038; reference:cve,2003-0626; reference:cve,2003-0627; classtype:web-application-activity; sid:2277; rev:12;) # 
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP HTTP request with negative Content-Length attempt"; flow:to_server,established; content:"Content-Length|3A|"; nocase; byte_test:10,>,0x7FFFFFFF,1,relative,string,dec; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,16354; reference:bugtraq,17879; reference:bugtraq,9098; reference:bugtraq,9476; reference:bugtraq,9576; reference:cve,2004-0095; reference:cve,2005-3653; reference:cve,2006-2162; reference:cve,2006-3655; reference:cve,2014-9192; reference:cve,2015-5343; reference:cve,2017-1000470; classtype:misc-attack; sid:2278; rev:33;) 
@@ -1690,16 +1690,16 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS sgdynamo.exe access"; flow:to_server,established; content:"/sgdynamo.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4720; reference:cve,2002-0375; reference:nessus,11955; classtype:web-application-activity; sid:2326; rev:15;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bsml.pl access"; flow:to_server,established; content:"/bsml.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9311; reference:nessus,11973; classtype:web-application-activity; sid:2327; rev:10;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP authentication_index.php access"; flow:to_server,established; content:"/authentication_index.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2004-0032; reference:nessus,11982; classtype:web-application-activity; sid:2328; rev:15;) -# alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"SERVER-MSSQL probe response overflow attempt"; flow:to_server; content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3B|"; distance:0; isdataat:512,relative; content:!"|3B|"; within:512; metadata:ruleset community; reference:bugtraq,9407; reference:cve,2003-0903; reference:nessus,11990; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-003; classtype:attempted-user; sid:2329; rev:14;) +# alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"SERVER-MSSQL probe response overflow attempt"; flow:to_server; content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3B|"; distance:0; isdataat:512,relative; content:!"|3B|"; within:512; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,9407; reference:cve,2003-0903; reference:nessus,11990; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-003; classtype:attempted-user; sid:2329; rev:15;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP auth overflow attempt"; flow:to_server,established; content:"AUTH"; isdataat:368,relative; content:!"|0A|"; within:368; metadata:ruleset community, service imap; reference:bugtraq,8861; reference:cve,2003-1177; reference:nessus,11910; classtype:misc-attack; sid:2330; rev:11;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP MatrikzGB privilege escalation attempt"; flow:to_server,established; content:"new_rights=admin"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8430; classtype:web-application-activity; sid:2331; rev:17;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP MKD format string attempt"; flow:to_server,established; content:"MKD"; fast_pattern:only; pcre:"/^MKD\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,9262; classtype:misc-attack; sid:2332; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RENAME format string attempt"; flow:to_server,established; content:"RENAME"; fast_pattern:only; pcre:"/^RENAME\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,9262; classtype:misc-attack; sid:2333; rev:9;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"PROTOCOL-FTP Yak! FTP server default account login attempt"; flow:to_server,established; content:"USER"; nocase; content:"y049575046"; fast_pattern:only; pcre:"/^USER\s+y049575046/smi"; metadata:ruleset community; reference:bugtraq,9072; classtype:suspicious-login; sid:2334; rev:10;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"PROTOCOL-FTP Yak! 
FTP server default account login attempt"; flow:to_server,established; content:"USER"; nocase; content:"y049575046"; fast_pattern:only; pcre:"/^USER\s+y049575046/smi"; metadata:ruleset community; reference:bugtraq,9072; reference:url,attack.mitre.org/techniques/T1078; classtype:suspicious-login; sid:2334; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"PROTOCOL-FTP RMD / attempt"; flow:to_server,established; content:"RMD"; fast_pattern:only; pcre:"/^RMD\s+\x2f$/smi"; metadata:ruleset community; reference:bugtraq,9159; classtype:attempted-dos; sid:2335; rev:10;) -# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP PUT filename overflow attempt"; flow:to_server; content:"|00|"; depth:1; byte_test:1,<,3,0,relative; isdataat:101,relative; content:!"|00|"; within:100; distance:2; metadata:ruleset community; reference:bugtraq,20131; reference:bugtraq,22923; reference:bugtraq,7819; reference:bugtraq,8505; reference:cve,2003-0380; reference:cve,2003-0729; reference:cve,2006-4948; reference:cve,2006-6184; reference:cve,2008-1611; reference:cve,2009-2957; reference:cve,2009-2958; reference:nessus,18264; classtype:attempted-admin; sid:2337; rev:22;) +# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP PUT filename overflow attempt"; flow:to_server; content:"|00|"; depth:1; byte_test:1,<,3,0,relative; isdataat:101,relative; content:!"|00|"; within:100; distance:2; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,20131; reference:bugtraq,22923; reference:bugtraq,7819; reference:bugtraq,8505; reference:cve,2003-0380; reference:cve,2003-0729; reference:cve,2006-4948; reference:cve,2006-6184; reference:cve,2008-1611; reference:cve,2009-2957; reference:cve,2009-2958; reference:nessus,18264; classtype:attempted-admin; sid:2337; rev:23;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP LIST buffer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:128,relative; pcre:"/^LIST(?!\n)\s[^\n]{128}/smi"; 
metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,10181; reference:bugtraq,14339; reference:bugtraq,33454; reference:bugtraq,58247; reference:bugtraq,6869; reference:bugtraq,7251; reference:bugtraq,7861; reference:bugtraq,8486; reference:bugtraq,9675; reference:cve,1999-0349; reference:cve,1999-1510; reference:cve,2000-0129; reference:cve,2004-1992; reference:cve,2005-2373; reference:cve,2007-0019; reference:cve,2009-0351; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-003; classtype:misc-attack; sid:2338; rev:35;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP NULL command attempt"; flow:to_server; content:"|00 00|"; depth:2; metadata:ruleset community; reference:bugtraq,7575; classtype:bad-unknown; sid:2339; rev:8;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP NULL command attempt"; flow:to_server; content:"|00 00|"; depth:2; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,7575; classtype:bad-unknown; sid:2339; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE CHMOD overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHMOD"; distance:0; nocase; isdataat:200,relative; pcre:"/^SITE\s+CHMOD\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,10181; reference:bugtraq,9483; reference:bugtraq,9675; reference:cve,1999-0838; reference:nessus,12037; classtype:attempted-admin; sid:2340; rev:15;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DCP-Portal remote file include editor script attempt"; flow:to_server,established; content:"/library/editor/editor.php"; fast_pattern; nocase; http_uri; content:"root="; http_uri; metadata:ruleset community, service http; reference:bugtraq,6525; classtype:web-application-attack; sid:2341; rev:13;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DCP-Portal remote file 
include lib script attempt"; flow:to_server,established; content:"/library/lib.php"; fast_pattern; nocase; http_uri; content:"root="; http_uri; metadata:ruleset community, service http; reference:bugtraq,6525; classtype:web-application-attack; sid:2342; rev:13;) 
@@ -1731,12 +1731,12 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP XMKD overflow attempt"; flow:to_server,established; content:"XMKD"; nocase; isdataat:200,relative; pcre:"/^XMKD(?!\n)\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,7909; reference:cve,2000-0133; reference:cve,2001-1021; classtype:attempted-admin; sid:2373; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP NLST overflow attempt"; flow:to_server,established; content:"NLST"; nocase; isdataat:200,relative; pcre:"/^NLST(?!\n)\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,7909; reference:cve,1999-1544; reference:cve,2009-3023; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-053; reference:url,www.kb.cert.org/vuls/id/276653; classtype:attempted-admin; sid:2374; rev:19;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3199 (msg:"MALWARE-CNC DoomJuice/mydoom.a backdoor upload/execute"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5; metadata:ruleset community; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html; classtype:trojan-activity; sid:2375; rev:9;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP first payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:16; byte_test:2,>,2043,30; metadata:ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2376; rev:8;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP second payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:28; byte_jump:2,30; byte_test:2,>,2043,-2,relative; metadata:ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; 
classtype:attempted-admin; sid:2377; rev:8;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP third payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; metadata:ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2378; rev:9;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP forth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; metadata:ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2379; rev:9;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP fifth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; byte_jump:2,-2,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; metadata:ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2380; rev:9;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Checkpoint Firewall-1 HTTP parsing format string vulnerability attempt"; flow:to_server,established; content:"|3A|/"; offset:11; http_uri; pcre:"/^[^\x3a\x3f]{11,}\x3a\x2f/Usmi"; metadata:ruleset community, service http; reference:bugtraq,9581; reference:cve,2004-0039; reference:nessus,12084; classtype:attempted-admin; sid:2381; rev:18;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP first payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:16; byte_test:2,>,2043,30; 
metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2376; rev:9;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP second payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:28; byte_jump:2,30; byte_test:2,>,2043,-2,relative; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2377; rev:9;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP third payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2378; rev:10;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP forth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2379; rev:10;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP fifth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; byte_jump:2,-2,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2380; rev:10;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"SERVER-WEBAPP Checkpoint Firewall-1 HTTP parsing format string vulnerability attempt"; flow:to_server,established; content:"|3A|/"; offset:11; http_uri; pcre:"/^[^\x3a\x3f]{11,}\x3a\x2f/Usmi"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,9581; reference:cve,2004-0039; reference:nessus,12084; classtype:attempted-admin; sid:2381; rev:19;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:2382; rev:25;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community, service netbios-ssn; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:2383; rev:26;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS NTLM ASN1 vulnerability scan attempt"; flow:to_server,established; 
content:"Authorization|3A|"; nocase; http_header; content:"Negotiate"; within:20; nocase; http_header; content:"YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; within:100; http_header; metadata:ruleset community, service http; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12055; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:attempted-dos; sid:2386; rev:23;) 
@@ -1758,23 +1758,23 @@ alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flo
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup unicode username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; metadata:ruleset community; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2403; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup unicode andx username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; metadata:ruleset community, service netbios-ssn; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2404; rev:11;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phptest.php access"; flow:to_server,established; content:"/phptest.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9737; reference:cve,2004-2374; classtype:web-application-activity; sid:2405; rev:14;)
-# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET APC SmartSlot default admin account attempt"; flow:to_server,established; content:"TENmanUFactOryPOWER"; fast_pattern:only; metadata:ruleset community, service telnet; reference:bugtraq,9681; reference:cve,2004-0311; reference:nessus,12066; classtype:suspicious-login; sid:2406; rev:13;)
+# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET APC SmartSlot default admin account attempt"; flow:to_server,established; content:"TENmanUFactOryPOWER"; fast_pattern:only; metadata:ruleset community, service telnet; reference:bugtraq,9681; reference:cve,2004-0311; reference:nessus,12066; reference:url,attack.mitre.org/techniques/T1078; classtype:suspicious-login; sid:2406; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP util.pl access"; flow:to_server,established; content:"/util.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9748; reference:cve,2004-2379; classtype:web-application-activity; sid:2407; rev:10;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Invision Power Board search.pl access"; flow:to_server,established; content:"/search.pl"; http_uri; content:"st="; nocase; metadata:ruleset community, service http; reference:bugtraq,9766; reference:cve,2004-0338; classtype:web-application-activity; sid:2408; rev:9;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP APOP USER overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s+USER\s[^\n]{256}/smi"; metadata:ruleset community, service pop3; reference:bugtraq,9794; reference:cve,2004-2375; classtype:attempted-admin; sid:2409; rev:11;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP IGeneric Free Shopping Cart page.php access"; flow:to_server,established; content:"/page.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9773; classtype:web-application-activity; sid:2410; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 554 (msg:"SERVER-WEBAPP RealNetworks RealSystem Server DESCRIBE buffer overflow attempt"; flow:to_server,established; content:"DESCRIBE"; nocase; content:"../"; distance:1; pcre:"/^DESCRIBE\s[^\n]{300}/smi"; metadata:ruleset community; reference:bugtraq,8476; reference:cve,2003-0725; reference:nessus,11642; reference:url,www.service.real.com/help/faq/security/rootexploit091103.html; classtype:web-application-attack; sid:2411; rev:16;)
 # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE successful cross site scripting forced download attempt"; flow:to_server,established; content:"|0A|Referer|3A| res|3A|/C|3A|"; metadata:ruleset community; classtype:successful-user; sid:2412; rev:9;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP delete hash with empty hash attempt"; flow:to_server; content:"|08|"; depth:1; offset:16; content:"|0C|"; depth:1; offset:28; content:"|00 04|"; depth:2; offset:30; metadata:ruleset community; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2413; rev:15;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP initial contact notification without SPI attempt"; flow:to_server; content:"|0B|"; depth:1; offset:16; content:"|00 0C 00 00 00 01 01 00 06 02|"; depth:10; offset:30; metadata:ruleset community; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2414; rev:15;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP second payload initial contact notification without SPI attempt"; flow:to_server; content:"|0B|"; depth:1; offset:28; byte_jump:2,30; content:"|00 0C 00 00 00 01 01 00|`|02|"; within:10; distance:-2; metadata:ruleset community; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2415; rev:15;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP delete hash with empty hash attempt"; flow:to_server; content:"|08|"; depth:1; offset:16; content:"|0C|"; depth:1; offset:28; content:"|00 04|"; depth:2; offset:30; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2413; rev:16;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP initial contact notification without SPI attempt"; flow:to_server; content:"|0B|"; depth:1; offset:16; content:"|00 0C 00 00 00 01 01 00 06 02|"; depth:10; offset:30; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2414; rev:16;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP second payload initial contact notification without SPI attempt"; flow:to_server; content:"|0B|"; depth:1; offset:28; byte_jump:2,30; content:"|00 0C 00 00 00 01 01 00|`|02|"; within:10; distance:-2; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2415; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP invalid MDTM command attempt"; flow:to_server,established; content:"MDTM"; fast_pattern:only; pcre:"/^MDTM \d+[-+]\D/smi"; metadata:ruleset community, service ftp; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; classtype:attempted-admin; sid:2416; rev:13;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP format string attempt"; flow:to_server,established; content:"%"; fast_pattern:only; pcre:"/\s+.*?%.*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,15352; reference:bugtraq,30993; reference:bugtraq,9800; reference:cve,2002-2074; reference:cve,2007-1195; reference:cve,2009-4769; reference:url,osvdb.org/show/osvdb/33813; classtype:string-detect; sid:2417; rev:16;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP format string attempt"; flow:to_server,established; content:"%"; fast_pattern:only; pcre:"/\s+.*?%.*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,15352; reference:bugtraq,30993; reference:bugtraq,9800; reference:cve,2002-2074; reference:cve,2007-1195; reference:cve,2009-4769; classtype:string-detect; sid:2417; rev:17;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"POLICY-OTHER Microsoft Windows Terminal Server no encryption session initiation attempt"; flow:to_server,established; content:"|03 00 01|"; depth:3; content:"|00|"; depth:1; offset:288; metadata:ruleset community; reference:cve,2001-0663; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-052; classtype:attempted-dos; sid:2418; rev:10;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealNetworks Realplayer .ram playlist file download request"; flow:to_server,established; content:".ra"; fast_pattern:only; http_uri; pcre:"/\x2eram?([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2419; rev:28;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealNetworks Realplayer .rmp playlist file download request"; flow:to_server,established; content:".rmp"; fast_pattern:only; http_uri; pcre:"/\x2ermp([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.rmp; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2420; rev:30;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealNetworks Realplayer .rt playlist file download request"; flow:to_server,established; content:".rt"; fast_pattern:only; http_uri; pcre:"/\x2ert([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2422; rev:29;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealNetworks Realplayer .rp playlist file download request"; flow:to_server,established; content:".rp"; fast_pattern:only; http_uri; pcre:"/\x2erp([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2423; rev:28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealNetworks Realplayer .ram playlist file download request"; flow:to_server,established; content:".ra"; fast_pattern:only; http_uri; pcre:"/\x2eram?([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2419; rev:30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealNetworks Realplayer .rmp playlist file download request"; flow:to_server,established; content:".rmp"; fast_pattern:only; http_uri; pcre:"/\x2ermp([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.rmp; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2420; rev:33;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealNetworks Realplayer .rt playlist file download request"; flow:to_server,established; content:".rt"; fast_pattern:only; http_uri; pcre:"/\x2ert([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2422; rev:31;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealNetworks Realplayer .rp playlist file download request"; flow:to_server,established; content:".rp"; fast_pattern:only; http_uri; pcre:"/\x2erp([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2423; rev:30;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP sendsys overflow attempt"; flow:to_server,established; content:"sendsys"; fast_pattern:only; pcre:"/^sendsys\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2424; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP senduuname overflow attempt"; flow:to_server,established; content:"senduuname"; fast_pattern:only; pcre:"/^senduuname\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2425; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP version overflow attempt"; flow:to_server,established; content:"version"; fast_pattern:only; pcre:"/^version\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2426; rev:13;)
@@ -1784,16 +1784,16 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealNet # alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP newgroup overflow attempt"; flow:to_server,established; content:"newgroup"; fast_pattern:only; pcre:"/^newgroup\x3a[^\n]{32}/smi"; metadata:ruleset community, service nntp; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2430; rev:15;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP rmgroup overflow attempt"; flow:to_server,established; content:"rmgroup"; fast_pattern:only; pcre:"/^rmgroup\x3a[^\n]{32}/smi"; metadata:ruleset community, service nntp; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2431; rev:15;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP article post without path attempt"; flow:to_server,established; content:"takethis"; fast_pattern:only; pcre:!"/^takethis.*?Path\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/si"; metadata:ruleset community; classtype:attempted-admin; sid:2432; rev:10;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt"; flow:to_server,established; content:"/form2raw.cgi"; fast_pattern:only; pcre:"/\Wfrom=[^\x3b&\n]{100}/si"; metadata:ruleset community; reference:bugtraq,9317; reference:cve,2003-1200; reference:url,secunia.com/advisories/10512/; classtype:web-application-attack; sid:2433; rev:11;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP MDaemon form2raw.cgi access"; flow:to_server,established; content:"/form2raw.cgi"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,9317; reference:cve,2003-1200; reference:url,secunia.com/advisories/10512/; classtype:web-application-activity; sid:2434; rev:11;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt"; 
flow:to_server,established; content:"/form2raw.cgi"; fast_pattern:only; pcre:"/\Wfrom=[^\x3b&\n]{100}/si"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,9317; reference:cve,2003-1200; reference:url,secunia.com/advisories/10512/; classtype:web-application-attack; sid:2433; rev:13;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP MDaemon form2raw.cgi access"; flow:to_server,established; content:"/form2raw.cgi"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,9317; reference:cve,2003-1200; reference:url,secunia.com/advisories/10512/; classtype:web-application-activity; sid:2434; rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft emf file download request"; flow:to_server,established; content:".emf"; fast_pattern:only; http_uri; pcre:"/\x2eemf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.emf; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, ruleset community, service http; reference:bugtraq,10120; reference:bugtraq,28819; reference:bugtraq,9707; reference:cve,2003-0906; reference:cve,2007-5746; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-001; classtype:misc-activity; sid:2435; rev:33;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows Audio wmf file download request"; flow:to_server,established; content:".wmf"; fast_pattern:only; http_uri; pcre:"/\x2ewmf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.wmf; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/.wmf; classtype:misc-activity; sid:2436; rev:29;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows Audio wmf file download request"; flow:to_server,established; content:".wmf"; fast_pattern:only; http_uri; pcre:"/\x2ewmf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.wmf; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/.wmf; classtype:misc-activity; sid:2436; rev:31;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer arbitrary javascript command attempt"; flow:to_client,established; content:"application/smi"; fast_pattern; nocase; http_header; file_data; content:"file|3A|javascript|3A|"; pcre:"/ $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer playlist file URL overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"file|3A|//"; nocase; pcre:"/^file\x3a\x2f\x2f[^\n]{400}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13264; reference:bugtraq,9579; reference:cve,2004-0258; reference:cve,2005-0755; classtype:attempted-user; sid:2438; rev:23;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer playlist http URL overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"http|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13264; reference:bugtraq,9579; reference:cve,2004-0258; reference:cve,2005-0755; classtype:attempted-user; sid:2439; rev:23;) # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer playlist rtsp URL overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"rtsp|3A|//"; nocase; 
pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13264; reference:bugtraq,9579; reference:cve,2004-0258; reference:cve,2005-0755; classtype:attempted-user; sid:2440; rev:23;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP NetObserve authentication bypass attempt"; flow:to_server,established; content:"login=0"; nocase; content:"login=0"; nocase; http_cookie; metadata:ruleset community, service http; reference:bugtraq,9319; classtype:web-application-attack; sid:2441; rev:14;) -# alert udp any 4000 -> any any (msg:"SERVER-OTHER ICQ SRV_MULTI/SRV_META_USER overflow attempt - ISS Witty Worm"; flow:to_server; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_test:2,>,512,-11,relative,little; metadata:ruleset community; reference:cve,2004-0362; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2446; rev:15;) +# alert udp any 4000 -> any any (msg:"SERVER-OTHER ICQ SRV_MULTI/SRV_META_USER overflow attempt - ISS Witty Worm"; flow:to_server; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_test:2,>,512,-11,relative,little; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2004-0362; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2446; rev:16;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ServletManager access"; flow:to_server,established; content:"/servlet/ServletManager"; fast_pattern:only; http_uri; metadata:ruleset community, service 
http; reference:bugtraq,3697; reference:cve,2001-1195; reference:nessus,12122; classtype:web-application-activity; sid:2447; rev:12;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP setinfo.hts access"; flow:to_server,established; content:"/setinfo.hts"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9973; reference:cve,2004-1857; reference:nessus,12120; classtype:web-application-activity; sid:2448; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP ALLO overflow attempt"; flow:to_server,established; content:"ALLO"; nocase; isdataat:200,relative; pcre:"/^ALLO(?!\n)\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,9953; reference:cve,2004-1883; reference:nessus,14598; classtype:attempted-admin; sid:2449; rev:12;) 
@@ -1814,21 +1814,21 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microso # alert ip any any -> any any (msg:"SERVER-OTHER Ethereal EIGRP prefix length overflow attempt"; ip_proto:88; byte_test:1,>,32,44; metadata:ruleset community; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2464; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:2474; rev:10;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP source.jsp access"; flow:to_server,established; content:"/source.jsp"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,12119; classtype:web-application-activity; sid:2484; rev:9;) -# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec Norton Internet Security 2004 ActiveX clsid access"; flow:to_client,established; file_data; content:"0534CF61-83C5-4765-B19B-45F7A4E135D0"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,9916; reference:cve,2004-0363; reference:url,osvdb.org/show/osvdb/6249; classtype:attempted-user; sid:2485; rev:17;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP invalid identification payload attempt"; flow:to_server; content:"|05|"; depth:1; offset:16; byte_test:1,!&,1,19; byte_test:1,>,8,32; byte_test:2,>,0,30; byte_test:2,<,10,30; byte_test:2,!=,8,30; metadata:ruleset community; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2486; rev:13;) +# alert tcp $EXTERNAL_NET 
$FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec Norton Internet Security 2004 ActiveX clsid access"; flow:to_client,established; file_data; content:"0534CF61-83C5-4765-B19B-45F7A4E135D0"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,9916; reference:cve,2004-0363; classtype:attempted-user; sid:2485; rev:19;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP invalid identification payload attempt"; flow:to_server; content:"|05|"; depth:1; offset:16; byte_test:1,!&,1,19; byte_test:1,>,8,32; byte_test:2,>,0,30; byte_test:2,<,10,30; byte_test:2,!=,8,30; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2486; rev:14;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL WinZip MIME content-type buffer overflow"; flow:to_server,established; content:"Content-Type|3A|"; fast_pattern:only; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; pcre:"/(name|id|number|total|boundary)=\s*[^\r\n\x3b\s\x2c]{300}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,9758; reference:cve,2004-0333; reference:nessus,12621; classtype:attempted-user; sid:2487; rev:17;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL WinZip MIME content-disposition buffer overflow"; flow:to_server,established; content:"Content-Type|3A|"; fast_pattern:only; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; content:"Content-Disposition|3A|"; nocase; pcre:"/name=\s*[^\r\n\x3b\s\x2c]{300}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,9758; reference:cve,2004-0333; reference:nessus,12621; classtype:attempted-user; sid:2488; rev:18;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SERVER-OTHER esignal STREAMQUOTE buffer overflow attempt"; flow:to_server,established; content:""; nocase; 
isdataat:1040,relative; content:!""; within:1040; nocase; metadata:ruleset community; reference:bugtraq,9978; reference:cve,2004-1868; classtype:attempted-admin; sid:2489; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SERVER-OTHER esignal SNAPQUOTE buffer overflow attempt"; flow:to_server,established; content:""; nocase; isdataat:1024,relative; content:!""; within:1052; nocase; metadata:ruleset community; reference:bugtraq,9978; reference:cve,2004-1868; classtype:attempted-admin; sid:2490; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP lsass DsRolerUpgradeDownlevelServer overflow attempt"; flow:to_server,established; dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:9; dce_stub_data; byte_test:4,>,256,0,dce; metadata:policy max-detect-ips drop, ruleset community, service netbios-ssn; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:2508; rev:24;) -# alert udp $EXTERNAL_NET any -> $HOME_NET [135,138,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerUpgradeDownlevelServer overflow attempt"; dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:9; dce_stub_data; byte_test:4,>,256,0,dce; metadata:ruleset community, service netbios-dgm; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:2511; rev:21;) +# alert udp $EXTERNAL_NET any -> $HOME_NET [135,138,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerUpgradeDownlevelServer overflow attempt"; dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:9; dce_stub_data; byte_test:4,>,256,0,dce; metadata:policy max-detect-ips drop, ruleset community, service netbios-dgm; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:2511; rev:22;) # alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"SERVER-OTHER BGP spoofed connection reset attempt"; flow:established,no_stream; flags:RSF*; detection_filter:track by_dst,count 10,seconds 10; metadata:ruleset community; reference:bugtraq,10183; reference:cve,2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2523; rev:15;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"SERVER-OTHER AFP FPLoginExt username buffer overflow attempt"; flow:to_server,established; content:"|00 02|"; depth:2; content:"?"; within:1; distance:14; content:"cleartxt passwrd"; nocase; byte_jump:2,1,relative; byte_jump:2,1,relative; isdataat:2,relative; metadata:ruleset community; reference:bugtraq,10271; reference:cve,2004-0430; reference:url,www.atstake.com/research/advisories/2004/a050304-1.txt; classtype:attempted-admin; sid:2545; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP MDTM overflow attempt"; flow:to_server,established; content:"MDTM"; nocase; isdataat:100,relative; pcre:"/^MDTM(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; reference:nessus,12080; classtype:attempted-admin; sid:2546; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER HP Web JetAdmin remote file upload attempt"; flow:to_server,established; content:"/plugins/hpjwja/script/devices_update_printer_fw_upload.hts"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,9971; reference:cve,2004-1856; classtype:web-application-activity; sid:2547; rev:10;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER HP Web JetAdmin setinfo access"; flow:to_server,established; content:"/plugins/hpjdwm/script/test/setinfo.hts"; fast_pattern:only; metadata:ruleset community; 
reference:bugtraq,9972; reference:cve,2004-1857; reference:nessus,12120; classtype:web-application-activity; sid:2548; rev:8;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER HP Web JetAdmin setinfo access attempt"; flow:to_server,established; content:"/plugins/hpjdwm/script/test/setinfo.hts"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,9972; reference:cve,2004-1856; reference:cve,2004-1857; reference:nessus,12120; classtype:web-application-activity; sid:2548; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER HP Web JetAdmin file write attempt"; flow:to_server,established; content:"/plugins/framework/script/tree.xms"; fast_pattern:only; content:"WriteToFile"; nocase; metadata:ruleset community; reference:bugtraq,9973; classtype:web-application-activity; sid:2549; rev:6;) -# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Nullsoft Winamp XM file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xm; file_data; content:"Extended Module|3A 20|"; nocase; byte_test:1,!=,26,20,relative; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2004-1896; reference:url,www.securityfocus.com/bid/10045; classtype:attempted-user; sid:2550; rev:9;) +# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Nullsoft Winamp XM file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xm; file_data; content:"Extended Module|3A 20|"; nocase; byte_test:1,!=,26,20,relative; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2004-1896; reference:url,www.securityfocus.com/bid/10045; classtype:attempted-user; sid:2550; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache GET overflow attempt"; flow:to_server,established; content:"GET"; 
pcre:"/^GET[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2551; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache HEAD overflow attempt"; flow:to_server,established; content:"HEAD"; pcre:"/^HEAD[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2552; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache PUT overflow attempt"; flow:to_server,established; content:"PUT"; pcre:"/^PUT[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2553; rev:7;) 
@@ -1840,9 +1840,9 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microso
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache COPY overflow attempt"; flow:to_server,established; content:"COPY"; pcre:"/^COPY[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2559; rev:7;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache MOVE overflow attempt"; flow:to_server,established; content:"MOVE"; pcre:"/^MOVE[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2560; rev:7;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"SERVER-OTHER rsync backup-dir directory traversal attempt"; flow:to_server,established; content:"--backup-dir"; fast_pattern:only; pcre:"/--backup-dir\s+\x2e\x2e\x2f/"; metadata:ruleset community; reference:bugtraq,10247; reference:cve,2004-0426; reference:nessus,12230; classtype:string-detect; sid:2561; rev:8;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 81 (msg:"SERVER-WEBAPP McAfee ePO file upload attempt"; flow:to_server,established; content:"/spipe/repl_file"; nocase; content:"Command=BEGIN"; nocase; metadata:ruleset community; reference:bugtraq,10200; reference:cve,2004-0038; classtype:attempted-admin; sid:2562; rev:8;)
-# alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg:"NETBIOS NS lookup response name overflow attempt"; byte_test:1,&,0x80,2; content:"|00 01|"; depth:2; offset:6; byte_test:1,>,32,12; metadata:ruleset community, service netbios-ns; reference:bugtraq,10333; reference:cve,2004-0444; reference:url,www.eeye.com/html/Research/Advisories/AD20040512A.html; classtype:attempted-admin; sid:2563; rev:7;)
-# alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg:"NETBIOS NS lookup short response attempt"; dsize:<56; byte_test:1,&,0x80,2; content:"|00 01|"; depth:2; offset:6; metadata:ruleset community, service netbios-ns; reference:bugtraq,10335; reference:cve,2004-0444; reference:url,www.eeye.com/html/Research/Advisories/AD20040512C.html; classtype:attempted-admin; sid:2564; rev:7;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 81 (msg:"SERVER-WEBAPP McAfee ePO file upload attempt"; flow:to_server,established; content:"/spipe/repl_file"; nocase; content:"Command=BEGIN"; nocase; metadata:ruleset community, service http; reference:bugtraq,10200; reference:cve,2004-0038; classtype:attempted-admin; sid:2562; rev:9;)
+# alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg:"NETBIOS NS lookup response name overflow attempt"; byte_test:1,&,0x80,2; content:"|00 01|"; depth:2; offset:6; byte_test:1,>,32,12; metadata:policy max-detect-ips drop, ruleset community, service netbios-ns; reference:bugtraq,10333; reference:cve,2004-0444; reference:url,www.eeye.com/html/Research/Advisories/AD20040512A.html; classtype:attempted-admin; sid:2563; rev:8;)
+# alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg:"NETBIOS NS lookup short response attempt"; dsize:<56; byte_test:1,&,0x80,2; content:"|00 01|"; depth:2; offset:6; metadata:policy max-detect-ips drop, ruleset community, service netbios-ns; reference:bugtraq,10335; reference:cve,2004-0444; reference:url,www.eeye.com/html/Research/Advisories/AD20040512C.html; classtype:attempted-admin; sid:2564; rev:8;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP modules.php access"; flow:to_server,established; content:"/modules.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9879; reference:cve,2004-1817; classtype:web-application-activity; sid:2565; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHPBB viewforum.php access"; flow:to_server,established; content:"/viewforum.php"; nocase; http_uri; content:"topic_id="; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9865; reference:bugtraq,9866; reference:cve,2004-1809; reference:nessus,12093; classtype:web-application-activity; sid:2566; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Emumail init.emu access"; flow:to_server,established; content:"/init.emu"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9861; reference:cve,2004-2334; reference:cve,2004-2385; reference:nessus,12095; classtype:web-application-activity; sid:2567; rev:16;)
@@ -1856,17 +1856,17 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microso
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Opt-X header.php remote file include attempt"; flow:to_server,established; content:"/header.php"; nocase; http_uri; content:"systempath="; fast_pattern:only; pcre:"/systempath=(https?|ftps?|php)/i"; metadata:ruleset community, service http; reference:bugtraq,9732; reference:cve,2004-2368; classtype:web-application-attack; sid:2575; rev:11;)
 # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.generate_replication_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*package_prefix[\r\n\s]*=>[\r\n\s]*\2|package_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*procedure_prefix[\r\n\s]*=>[\r\n\s]*\2|procedure_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck93.html; classtype:attempted-user; sid:2576; rev:9;)
 # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER local resource redirection attempt"; flow:to_client,established; content:"Location|3A|"; nocase; http_header; pcre:"/^Location\x3a(\s*|\s*\r?\n\s+)*URL\s*\x3a/smiH"; metadata:ruleset community, service http; reference:cve,2004-0549; reference:url,www.kb.cert.org/vuls/id/713878; classtype:attempted-user; sid:2577; rev:10;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER kerberos principal name overflow UDP"; flow:to_server; content:"j"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; metadata:ruleset community, service kerberos; reference:cve,2003-0072; reference:nessus,11512; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2578; rev:8;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER kerberos principal name overflow TCP"; flow:to_server,established; content:"j"; depth:1; offset:4; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; metadata:ruleset community, service kerberos; reference:cve,2003-0072; reference:nessus,11512; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2579; rev:7;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER kerberos principal name overflow UDP"; flow:to_server; content:"j"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; metadata:policy max-detect-ips drop, ruleset community, service kerberos; reference:cve,2003-0072; reference:nessus,11512; reference:url,attack.mitre.org/techniques/T1097; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2578; rev:10;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER kerberos principal name overflow TCP"; flow:to_server,established; content:"j"; depth:1; offset:4; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; metadata:ruleset community, service kerberos; reference:cve,2003-0072; reference:nessus,11512; reference:url,attack.mitre.org/techniques/T1097; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2579; rev:8;)
 # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP server negative Content-Length attempt"; flow:to_client,established; content:"Content-Length"; nocase; pcre:"/^Content-Length\s*\x3a\s*-\d+/mi"; metadata:ruleset community, service http; reference:bugtraq,10508; reference:cve,2004-0492; reference:url,www.guninski.com/modproxy1.html; classtype:attempted-admin; sid:2580; rev:11;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SAP Crystal Reports crystalimagehandler.aspx access"; flow:to_server,established; content:"/crystalimagehandler.aspx"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2004-0204; reference:url,www.microsoft.com/security/bulletins/200406_crystal.mspx; classtype:web-application-activity; sid:2581; rev:11;)
-# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"OS-WINDOWS SAP Crystal Reports crystalImageHandler.asp directory traversal attempt"; flow:to_server,established; content:"/crystalimagehandler"; fast_pattern:only; http_uri; content:"dynamicimage=../"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,10260; reference:cve,2004-0204; reference:nessus,12271; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-017; classtype:web-application-attack; sid:2582; rev:17;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"SERVER-OTHER CVS Max-dotdot integer overflow attempt"; flow:to_server,established; content:"Max-dotdot"; fast_pattern:only; pcre:"/^Max-dotdot[\s\r\n]*\d{3,}/msi"; metadata:ruleset community; reference:bugtraq,10499; reference:cve,2004-0417; classtype:misc-attack; sid:2583; rev:8;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"OS-WINDOWS SAP Crystal Reports crystalImageHandler.asp directory traversal attempt"; flow:to_server,established; content:"/crystalimagehandler"; fast_pattern:only; http_uri; content:"dynamicimage=../"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,10260; reference:cve,2004-0204; reference:nessus,12271; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-017; classtype:web-application-attack; sid:2582; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"SERVER-OTHER CVS Max-dotdot integer overflow attempt"; flow:to_server,established; content:"Max-dotdot"; fast_pattern:only; pcre:"/^Max-dotdot[\s\r\n]*\d{3,}/msi"; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,10499; reference:cve,2004-0417; classtype:misc-attack; sid:2583; rev:9;)
 # alert tcp $EXTERNAL_NET 6666:6669 -> $HOME_NET any (msg:"SERVER-OTHER eMule buffer overflow attempt"; flow:to_client,established; content:"PRIVMSG"; fast_pattern:only; pcre:"/^PRIVMSG\s+[^\s]+\s+\x3a\s*\x01SENDLINK\x7c[^\x7c]{69}/smi"; metadata:ruleset community; reference:bugtraq,10039; reference:cve,2004-1892; reference:nessus,12233; classtype:attempted-user; sid:2584; rev:10;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nessus 2.x 404 probe"; flow:to_server,established; content:"/NessusTest"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10386; classtype:attempted-recon; sid:2585; rev:9;)
 # alert tcp $HOME_NET 4711 -> $EXTERNAL_NET any (msg:"PUA-P2P eDonkey server response"; flow:established,to_client; content:"Server|3A| eMule"; fast_pattern:only; metadata:ruleset community; reference:url,www.emule-project.net; classtype:policy-violation; sid:2587; rev:9;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP TUTOS path disclosure attempt"; flow:to_server,established; content:"/note_overview.php"; http_uri; content:"id="; metadata:ruleset community, service http; reference:bugtraq,10129; reference:url,www.securiteam.com/unixfocus/5FP0J15CKE.html; classtype:web-application-activity; sid:2588; rev:10;)
-# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Content-Disposition CLSID command attempt"; flow:to_client,established; content:"Content-Disposition|3A|"; nocase; http_header; pcre:"/^Content-Disposition\x3a(\s*|\s*\r?\n\s+)[^\r\n]*?\{[\da-fA-F]{8}(-[\da-fA-F]{4}){3}-[\da-fA-F]{12}\}/smiH"; metadata:ruleset community, service http; reference:bugtraq,9510; reference:cve,2004-0420; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-024; classtype:attempted-user; sid:2589; rev:15;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Content-Disposition CLSID command attempt"; flow:to_client,established; content:"Content-Disposition|3A|"; nocase; http_header; pcre:"/^Content-Disposition\x3a(\s*|\s*\r?\n\s+)[^\r\n]*?\{[\da-fA-F]{8}(-[\da-fA-F]{4}){3}-[\da-fA-F]{12}\}/smiH"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,9510; reference:cve,2004-0420; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-024; classtype:attempted-user; sid:2589; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Samba SWAT Authorization overflow attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"Basic"; within:50; nocase; http_header; pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s+=/smiH"; metadata:ruleset community, service http; reference:bugtraq,10780; reference:cve,2004-0600; classtype:web-application-attack; sid:2597; rev:15;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Samba SWAT Authorization port 901 overflow attempt"; flow:to_server,established; content:"Authorization|3A| Basic"; nocase; pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s+=/smi"; metadata:ruleset community, service http; reference:bugtraq,10780; reference:cve,2004-0600; classtype:web-application-attack; sid:2598; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2599; rev:7;)
@@ -1894,14 +1894,14 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microso
 # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_fla.ensure_not_published buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.ensure_not_published"; nocase; pcre:"/\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck96.html; classtype:attempted-user; sid:2643; rev:5;)
 # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE from_tz buffer overflow attempt"; flow:to_server,established; content:"FROM_TZ"; nocase; pcre:"/\(\s*TIMESTAMP\s*(\s*(\x27[^\x27]+'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; metadata:ruleset community; reference:url,www.nextgenss.com/advisories/ora_from_tz.txt; classtype:attempted-user; sid:2644; rev:4;)
 # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_instantiate.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_offline"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2645; rev:5;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $ORACLE_PORTS (msg:"SERVER-ORACLE Oracle 9i TNS Listener SERVICE_NAME Remote Buffer Overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|service_name="; nocase; isdataat:1000,relative; content:!"|29|"; within:1000; metadata:ruleset community; reference:cve,2002-0965; classtype:attempted-user; sid:2649; rev:7;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $ORACLE_PORTS (msg:"SERVER-ORACLE Oracle 9i TNS Listener SERVICE_NAME Remote Buffer Overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|service_name="; nocase; isdataat:1000,relative; content:!"|29|"; within:1000; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2002-0965; classtype:attempted-user; sid:2649; rev:8;)
 # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE user name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|user="; nocase; isdataat:1000,relative; content:!"|29|"; within:1000; metadata:ruleset community; reference:bugtraq,6849; reference:cve,2003-0095; reference:url,otn.oracle.com/deploy/security/pdf/2003alert51.pdf; reference:url,www.appsecinc.com/Policy/PolicyCheck62.html; classtype:attempted-user; sid:2650; rev:6;)
 # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE NUMTODSINTERVAL/NUMTOYMINTERVAL buffer overflow attempt"; flow:to_server,established; content:"NUMTO"; nocase; content:"INTERVAL"; distance:2; nocase; pcre:"/NUMTO(DS|YM)INTERVAL\s*\(\s*\d+\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi"; metadata:ruleset community; reference:bugtraq,9587; reference:cve,2003-1208; reference:url,www.nextgenss.com/advisories/ora_numtodsinterval.txt; reference:url,www.nextgenss.com/advisories/ora_numtoyminterval.txt; classtype:attempted-user; sid:2651; rev:6;)
 # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2652; rev:6;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHPNuke Forum viewtopic SQL insertion attempt"; flow:to_server,established; content:"/modules.php"; nocase; http_uri; content:"name=Forums"; content:"file=viewtopic"; fast_pattern:only; pcre:"/forum=.*'/"; metadata:ruleset community, service http; reference:bugtraq,7193; classtype:web-application-attack; sid:2654; rev:10;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER HP Web JetAdmin ExecuteFile admin access"; flow:to_server,established; content:"/plugins/framework/script/content.hts"; fast_pattern:only; content:"ExecuteFile"; nocase; metadata:ruleset community; reference:bugtraq,10224; classtype:attempted-admin; sid:2655; rev:8;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-WEBAPP SSLv2 Client_Hello Challenge Length overflow attempt"; flow:to_server,established; ssl_version:sslv2; ssl_state:client_hello; content:"|01 00 02|"; depth:3; offset:2; byte_test:1,>,127,0; byte_test:2,>,32,9; metadata:ruleset community, service ssl; reference:bugtraq,11015; reference:cve,2004-0826; classtype:attempted-admin; sid:2656; rev:21;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-WEBAPP SSLv2 Client_Hello with pad Challenge Length overflow attempt"; flow:to_server,established; ssl_version:sslv2; ssl_state:client_hello; content:"|01 00 02|"; depth:3; offset:2; byte_test:2,>,32,9; metadata:ruleset community, service ssl; classtype:attempted-admin; sid:2657; rev:19;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-WEBAPP SSLv2 Client_Hello Challenge Length overflow attempt"; flow:to_server,established; ssl_version:sslv2; ssl_state:client_hello; content:"|01 00 02|"; depth:3; offset:2; byte_test:1,>,127,0; byte_test:2,>,32,9; metadata:policy max-detect-ips drop, ruleset community, service ssl; reference:bugtraq,11015; reference:cve,2004-0826; classtype:attempted-admin; sid:2656; rev:22;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-WEBAPP SSLv2 Client_Hello with pad Challenge Length overflow attempt"; flow:to_server,established; ssl_version:sslv2; ssl_state:client_hello; content:"|01 00 02|"; depth:3; offset:2; byte_test:2,>,32,9; metadata:policy max-detect-ips drop, ruleset community, service ssl; classtype:attempted-admin; sid:2657; rev:20;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ipswitch WhatsUpGold instancename overflow attempt"; flow:to_server,established; content:"/_maincfgret.cgi"; fast_pattern:only; http_uri; content:"instancename="; nocase; http_uri; isdataat:513,relative; pcre:"/instancename=[^&\x3b\r\n]{513}/Usmi"; metadata:ruleset community, service http; reference:bugtraq,11043; reference:cve,2004-0798; classtype:web-application-attack; sid:2663; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP login format string attempt"; flow:established,to_server; content:"LOGIN"; fast_pattern:only; pcre:"/\sLOGIN\s[^\n]*?%/smi"; metadata:ruleset community, service imap; reference:bugtraq,10976; reference:cve,2004-0777; classtype:attempted-admin; sid:2664; rev:12;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP login literal format string attempt"; flow:established,to_server; content:"LOGIN"; fast_pattern:only; pcre:"/\sLOGIN\s\w+\s\{\d+\}[\r]?\n[^\n]*?%/smi"; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,10976; reference:cve,2007-0221; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-026; classtype:attempted-admin; sid:2665; rev:13;)
@@ -2155,12 +2155,12 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microso
 # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna_utl.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2917; rev:4;)
 # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.validate_for_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2918; rev:4;)
 # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_untrusted.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_untrusted.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2919; rev:4;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS UDP inverse query"; flow:to_server; byte_test:1,<,16,2; byte_test:1,&,8,2; metadata:ruleset community, service dns; reference:bugtraq,2321; reference:cve,2001-0012; reference:nessus,10605; classtype:attempted-recon; sid:2921; rev:11;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS TCP inverse query"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; metadata:ruleset community, service dns; reference:bugtraq,2321; reference:cve,2001-0012; reference:nessus,10605; classtype:attempted-recon; sid:2922; rev:11;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS UDP inverse query"; flow:to_server; byte_test:1,<,16,2; byte_test:1,&,8,2; metadata:policy max-detect-ips drop, ruleset community, service dns; reference:bugtraq,2321; reference:cve,2001-0012; reference:nessus,10605; classtype:attempted-recon; sid:2921; rev:12;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS TCP inverse query"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; metadata:policy max-detect-ips drop, ruleset community, service dns; reference:bugtraq,2321; reference:cve,2001-0012; reference:nessus,10605; classtype:attempted-recon; sid:2922; rev:12;)
 # alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"NETBIOS SMB repeated logon failure"; flow:to_client,established,no_stream; content:"|FF|SMBs"; depth:5; offset:4; content:"m|00 00 C0|"; within:4; detection_filter:track by_dst,count 10,seconds 60; metadata:ruleset community; classtype:unsuccessful-user; sid:2923; rev:14;)
 # alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS repeated logon failure"; flow:to_client,established,no_stream; content:"|FF|SMBs"; depth:5; offset:4; content:"m|00 00 C0|"; within:4; detection_filter:track by_dst,count 10,seconds 60; metadata:ruleset community, service netbios-ssn; classtype:unsuccessful-user; sid:2924; rev:9;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PhpGedView PGV base directory manipulation"; flow:to_server,established; content:"_conf.php"; nocase; http_uri; content:"PGV_BASE_DIRECTORY"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2926; rev:10;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"OS-WINDOWS Microsoft Windows XPAT pattern overflow attempt"; flow:to_server,established; content:"PAT|20|"; depth:5; nocase; isdataat:160,relative; pcre:"/^X?PAT\s+[^\n]{160}/i"; metadata:ruleset community; reference:cve,2004-0574; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-036; classtype:attempted-admin; sid:2927; rev:11;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"OS-WINDOWS Microsoft Windows XPAT pattern overflow attempt"; flow:to_server,established; content:"PAT|20|"; depth:5; nocase; isdataat:160,relative; pcre:"/^X?PAT\s+[^\n]{160}/i"; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2004-0574; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-036; classtype:attempted-admin; sid:2927; rev:12;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP nddeapi NDdeSetTrustedShareW overflow attempt"; flow:to_server,established; dce_iface:2f5f3220-c126-1076-b549-074d078619da; dce_opnum:12; dce_stub_data; isdataat:256; content:!"|00|"; depth:256; offset:12; metadata:ruleset community, service netbios-ssn; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:2936; rev:18;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS DCERPC NCACN-IP-TCP winreg InitiateSystemShutdown attempt"; flow:established,to_server; dce_iface:338cd001-2244-31f1-aaaa-900038001003; dce_opnum:24; metadata:ruleset community, service netbios-ssn; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:2942; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP unicode asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3000; rev:11;)
@@ -2169,7 +2169,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microso
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP unicode asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community, service netbios-ssn; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3003; rev:12;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP andx asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community, service netbios-ssn; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3004; rev:12;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP unicode andx asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community, service netbios-ssn; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3005; rev:12;)
-# alert udp $EXTERNAL_NET 7808 -> $HOME_NET any (msg:"SERVER-OTHER Volition Freespace 2 buffer overflow attempt"; flow:to_client; content:"|00 E1|..|B4 00 00 00|"; depth:8; isdataat:160,relative; metadata:ruleset community; reference:bugtraq,9785; classtype:misc-attack; sid:3006; rev:6;)
+# alert udp $EXTERNAL_NET 7808 -> $HOME_NET any (msg:"SERVER-OTHER Volition Freespace 2 buffer overflow attempt"; flow:to_client; content:"|00 E1|..|B4 00 00 00|"; depth:8; isdataat:160,relative; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,9785; classtype:misc-attack; sid:3006; rev:7;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP command overflow attempt"; flow:established,to_server; content:"LOGIN"; isdataat:100,relative; pcre:"/\s(APPEND|CHECK|CLOSE|CREATE|DELETE|EXAMINE|EXPUNGE|FETCH|LIST|RENAME|SEARCH|SELECT|STATUS|SUBSCRIBE|UNSUBSCRIBE)\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,11675; reference:bugtraq,11775; reference:bugtraq,15006; reference:bugtraq,15753; reference:cve,2004-1211; reference:cve,2005-0707; reference:cve,2005-1520; reference:cve,2005-2923; reference:cve,2005-3155; reference:nessus,15771; classtype:misc-attack; sid:3007; rev:21;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP delete literal overflow attempt"; flow:established,to_server; content:"DELETE"; fast_pattern:only; pcre:"/\sDELETE\s[^\n]*?\{/smi"; byte_test:5,>,100,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,11675; reference:cve,2005-1520; reference:nessus,15771; classtype:misc-attack; sid:3008; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 20034 (msg:"MALWARE-BACKDOOR NetBus Pro 2.0 connection request"; flow:to_server,established; content:"BN |00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8; flowbits:set,backdoor.netbus_2.connect; flowbits:noalert; metadata:ruleset community; classtype:misc-activity; sid:3009; rev:8;)
@@ -2180,7 +2180,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microso
 # alert tcp $HOME_NET 23432 -> $EXTERNAL_NET any (msg:"MALWARE-CNC Asylum 0.1 connection"; flow:to_client,established; flowbits:isset,backdoor.asylum.connect; content:"GNT"; depth:3; metadata:ruleset community; classtype:misc-activity; sid:3014; rev:10;)
 # alert tcp $HOME_NET 2000 -> $EXTERNAL_NET any (msg:"MALWARE-CNC Insane Network 4.0 connection"; flow:to_client,established; content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|"; depth:62; metadata:ruleset community; classtype:misc-activity; sid:3015; rev:10;)
 # alert tcp $HOME_NET 63536 -> $EXTERNAL_NET any (msg:"MALWARE-CNC Insane Network 4.0 connection port 63536"; flow:to_client,established; content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|"; depth:62; metadata:ruleset community; classtype:misc-activity; sid:3016; rev:10;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft Windows WINS overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]|[\x1F-\x2F].|\x30[\x00-\x70])|\x00\x00\x00[\x00-\x65]|\x02\x68\x05\xC0)/s"; metadata:ruleset community, service wins; reference:bugtraq,11763; reference:cve,2004-0567; reference:cve,2004-1080; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-045; reference:url,www.immunitysec.com/downloads/instantanea.pdf; classtype:misc-attack; sid:3017; rev:16;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft Windows WINS overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]|[\x1F-\x2F].|\x30[\x00-\x70])|\x00\x00\x00[\x00-\x65]|\x02\x68\x05\xC0)/s"; metadata:policy max-detect-ips drop, ruleset community, service wins; 
reference:bugtraq,11763; reference:cve,2004-0567; reference:cve,2004-1080; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-045; reference:url,www.immunitysec.com/downloads/instantanea.pdf; classtype:misc-attack; sid:3017; rev:17;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3018; rev:6;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3019; rev:8;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3020; rev:6;)
@@ -2230,7 +2230,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microso
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP APPEND overflow attempt"; flow:established,to_server; content:"APPEND"; nocase; isdataat:256,relative; content:!"|0D 0A|"; within:256; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,11775; reference:bugtraq,21729; reference:cve,2004-1211; reference:cve,2006-6425; reference:nessus,15867; classtype:misc-attack; sid:3066; rev:16;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP examine literal overflow attempt"; flow:established,to_server; content:"EXAMINE"; fast_pattern:only; pcre:"/\sEXAMINE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3067; rev:11;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP fetch literal overflow attempt"; flow:established,to_server; content:"FETCH"; fast_pattern:only; pcre:"/\sFETCH\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3069; rev:11;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP fetch overflow attempt"; flow:established,to_server; content:"FETCH"; nocase; isdataat:256,relative; pcre:"/\sFETCH\s[^\n]{256}/smi"; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3070; rev:11;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP fetch overflow attempt"; flow:established,to_server; content:"FETCH"; nocase; isdataat:256,relative; pcre:"/\sFETCH\s[^\n]{256}/smi"; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,11775; 
reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3070; rev:12;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP status literal overflow attempt"; flow:established,to_server; content:"STATUS"; fast_pattern:only; pcre:"/\sSTATUS[^\n]*?\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:bugtraq,15491; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3071; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP STATUS overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; isdataat:100,relative; content:!"|0D 0A|"; within:100; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,11775; reference:bugtraq,13727; reference:bugtraq,14243; reference:bugtraq,15491; reference:cve,2004-1211; reference:cve,2005-1256; reference:cve,2005-2278; reference:cve,2005-3314; reference:cve,2017-1274; reference:nessus,15867; classtype:misc-attack; sid:3072; rev:19;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP SUBSCRIBE literal overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; fast_pattern:only; pcre:"/^\w+\s+SUBSCRIBE\s[^\n]*?\{/smi"; byte_test:5,>,256,0,relative,string; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,11775; reference:bugtraq,15488; reference:bugtraq,23050; reference:bugtraq,26219; reference:cve,2004-1211; reference:cve,2005-3189; reference:cve,2007-3510; reference:nessus,15867; classtype:attempted-admin; sid:3073; rev:17;)
@@ -2238,66 +2238,66 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microso
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP unsubscribe literal overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; fast_pattern:only; pcre:"/\sUNSUBSCRIBE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3075; rev:12;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP UNSUBSCRIBE overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; isdataat:100; pcre:"/^\w+\s+UNSUBSCRIBE\s[^\n]{100}/smi"; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:bugtraq,15488; reference:cve,2004-1211; reference:cve,2005-3189; reference:nessus,15867; classtype:attempted-admin; sid:3076; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RNFR overflow attempt"; flow:to_server,established; content:"RNFR"; nocase; isdataat:200,relative; pcre:"/^RNFR\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,14339; classtype:attempted-admin; sid:3077; rev:9;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP Microsoft Windows SEARCH pattern overflow attempt"; flow:to_server,established; content:"SEARCH|20|"; depth:7; nocase; isdataat:160,relative; pcre:"/^SEARCH\s+[^\n]{160}/i"; metadata:ruleset community; reference:cve,2004-0574; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-036; classtype:attempted-admin; sid:3078; rev:11;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP Microsoft Windows SEARCH pattern overflow attempt"; flow:to_server,established; content:"SEARCH|20|"; depth:7; nocase; isdataat:160,relative; pcre:"/^SEARCH\s+[^\n]{160}/i"; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2004-0574; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-036; classtype:attempted-admin; sid:3078; rev:12;)
 # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer ANI file parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ani; file_data; content:"RIFF"; depth:4; content:"ACON"; within:4; distance:4; content:"anih"; distance:0; nocase; byte_test:4,>,36,0,relative,little; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2004-1049; reference:cve,2007-0038; reference:cve,2007-1765; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-017; classtype:attempted-user; sid:3079; rev:25;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 7787 (msg:"SERVER-OTHER Unreal Tournament secure overflow attempt"; flow:to_server; content:"|5C|secure|5C|"; fast_pattern:only; pcre:"/\x5csecure\x5c[^\x00]{50}/smi"; metadata:ruleset community; reference:bugtraq,10570; reference:cve,2004-0608; classtype:misc-attack; sid:3080; rev:8;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 7787 (msg:"SERVER-OTHER Unreal Tournament secure overflow attempt"; flow:to_server; content:"|5C|secure|5C|"; fast_pattern:only; pcre:"/\x5csecure\x5c[^\x00]{50}/smi"; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,10570; reference:cve,2004-0608; classtype:misc-attack; sid:3080; rev:9;)
 alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Y3KRAT 1.5 Connect"; flow:to_client,established; content:"connected"; depth:9; flowbits:set,backdoor.y3krat_15.connect; flowbits:noalert; metadata:ruleset community; classtype:misc-activity; sid:3081; rev:13;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET 5880 (msg:"MALWARE-BACKDOOR Y3KRAT 1.5 Connect Client Response"; flow:to_server,established; flowbits:isset,backdoor.y3krat_15.connect; 
content:"getclient"; depth:9; flowbits:set,backdoor.y3krat_15.client.response; flowbits:noalert; metadata:ruleset community; classtype:misc-activity; sid:3082; rev:13;)
 # alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Y3KRAT 1.5 Connection confirmation"; flow:to_client,established; flowbits:isset,backdoor.y3krat_15.client.response; content:"client"; depth:7; metadata:ruleset community; classtype:misc-activity; sid:3083; rev:10;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 6101 (msg:"SERVER-OTHER Veritas backup overflow attempt"; flow:to_server,established; content:"|02 00|"; depth:2; content:"|00|"; within:1; distance:1; isdataat:72; content:!"|00|"; depth:66; offset:6; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,11974; reference:cve,2004-1172; classtype:attempted-admin; sid:3084; rev:15;)
-# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt"; flow:to_client,established; file_data; content:"aim|3A|goaway?message="; nocase; isdataat:500,relative; pcre:"/\x22aim\x3Agoaway\x3Fmessage\x3D[^\x22]{500}|\x27aim\x3Agoaway\x3Fmessage\x3D[^\x27]{500}|aim\x3Agoaway\x3Fmessage\x3D[^\s]{500}/i"; metadata:ruleset community, service http; reference:bugtraq,10889; reference:cve,2004-0636; reference:url,osvdb.org/show/osvdb/8398; classtype:misc-attack; sid:3085; rev:11;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt"; flow:to_client,established; file_data; content:"aim|3A|goaway?message="; nocase; isdataat:500,relative; pcre:"/\x22aim\x3Agoaway\x3Fmessage\x3D[^\x22]{500}|\x27aim\x3Agoaway\x3Fmessage\x3D[^\x27]{500}|aim\x3Agoaway\x3Fmessage\x3D[^\s]{500}/i"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,10889; reference:cve,2004-0636; classtype:misc-attack; sid:3085; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"SERVER-WEBAPP 3Com 3CRADSL72 ADSL 11g Wireless Router app_sta.stm access attempt"; flow:to_server,established; content:"/app_sta.stm"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,11408; reference:cve,2004-1596; classtype:web-application-activity; sid:3086; rev:10;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS w3who.dll buffer overflow attempt"; flow:to_server,established; content:"/w3who.dll?"; nocase; http_uri; pcre:"/w3who\.dll\x3F[^\r\n]{519}/i"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,11820; reference:cve,2004-1134; classtype:attempted-admin; sid:3087; rev:19;)
 # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Nullsoft Winamp cda file name overflow attempt"; flow:to_client,established; file_data; content:".cda"; nocase; pcre:"/(\x5c[^\x5c]{16,}|\x2f[^\x2f]{16,})\.cda$/smi"; metadata:ruleset community, service http; reference:bugtraq,11730; reference:cve,2004-1119; reference:nessus,15817; classtype:attempted-user; sid:3088; rev:10;)
-# alert udp $EXTERNAL_NET any -> $HOME_NET 2048 (msg:"SERVER-OTHER squid WCCP I_SEE_YOU message overflow attempt"; flow:to_server; content:"|00 00 00 08|"; depth:4; byte_test:4,>,32,16; metadata:ruleset community; reference:bugtraq,12275; reference:cve,2005-0095; classtype:attempted-user; sid:3089; rev:9;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 2048 (msg:"SERVER-OTHER squid WCCP I_SEE_YOU message overflow attempt"; flow:to_server; content:"|00 00 00 08|"; depth:4; byte_test:4,>,32,16; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,12275; reference:cve,2005-0095; classtype:attempted-user; sid:3089; rev:10;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP llsrpc LlsrConnect overflow attempt"; flow:to_server,established; dce_iface:342cfd40-3c6c-11ce-a893-08002b2e9c6d; dce_opnum:0; dce_stub_data; 
byte_test:4,>,52,0,dce; metadata:policy max-detect-ips drop, ruleset community, service netbios-ssn; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:3114; rev:19;)
 # alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"PUA-OTHER Microsoft MSN Messenger png overflow"; flow:to_client,established; content:"application/x-msnmsgrp2p"; nocase; content:"|89|PNG|0D 0A 1A 0A|"; distance:0; content:"IHDR"; within:4; distance:4; content:"|03|"; within:1; distance:9; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; metadata:ruleset community; reference:bugtraq,10872; reference:cve,2004-0957; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009; classtype:attempted-user; sid:3130; rev:8;)
 # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mailman directory traversal attempt"; flow:to_server,established; content:"/mailman/"; http_uri; content:".../"; http_raw_uri; metadata:ruleset community, service http; reference:cve,2005-0202; classtype:web-application-attack; sid:3131; rev:10;)
 # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft and libpng multiple products PNG large image width overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32767,0,relative; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:cve,2007-5503; reference:url,sourceforge.net/p/png-mng/mailman/message/33173462/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009; classtype:attempted-user; sid:3132; rev:15;)
 # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Multiple Products PNG large image height download attempt"; flow:to_client,established; 
flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32767,4,relative; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,11481; reference:bugtraq,11523; reference:cve,2004-0599; reference:cve,2004-0990; reference:cve,2004-1244; reference:cve,2007-5503; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009; classtype:attempted-user; sid:3133; rev:15;)
 # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft PNG large colour depth download attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:1,>,16,8,relative; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009; classtype:attempted-user; sid:3134; rev:14;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3135; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3136; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS 
SMB-DS Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3137; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3138; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3139; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3140; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:29; 
flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3141; rev:10;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3142; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3135; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3136; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service netbios-ssn; 
classtype:protocol-command-decode; sid:3137; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3138; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3139; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3140; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3141; rev:11;)
+alert tcp $EXTERNAL_NET any -> 
$HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3142; rev:11;)
 # alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 FIND_FIRST2 command response overflow attempt"; flow:to_client,established; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,12484; reference:cve,2005-0045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-011; classtype:protocol-command-decode; sid:3143; rev:17;)
 # alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 FIND_FIRST2 response andx overflow attempt"; flow:to_client,established; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,12484; reference:cve,2005-0045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-011; classtype:protocol-command-decode; sid:3144; rev:17;)
 # alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft Windows SMB-DS Trans2 FIND_FIRST2 response overflow attempt"; flow:to_client,established; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; 
distance:3; pcre:"/^.{27}/R"; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; metadata:policy max-detect-ips drop, ruleset community, service netbios-ssn; reference:bugtraq,12484; reference:cve,2005-0045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-011; classtype:protocol-command-decode; sid:3145; rev:16;)
 # alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft Windows SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt"; flow:to_client,established; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; metadata:policy max-detect-ips drop, ruleset community, service netbios-ssn; reference:bugtraq,12484; reference:cve,2005-0045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-011; classtype:protocol-command-decode; sid:3146; rev:18;)
-# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET login buffer overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"|FF FA|'|00 00|TTYPROMPT|01|"; fast_pattern:only; rawbytes; flowbits:set,ttyprompt; metadata:ruleset community, service telnet; reference:bugtraq,3681; reference:cve,2001-0797; reference:nessus,10827; classtype:attempted-admin; sid:3147; rev:13;)
-# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows HTML Help hhctrl.ocx clsid access attempt"; flow:to_client,established; file_data; content:"clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,11467; reference:bugtraq,4857; reference:bugtraq,5874; reference:cve,2002-0693; reference:cve,2002-0823; reference:cve,2004-1043; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-055; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-001; reference:url,www.ngssoftware.com/advisories/ms-winhlp.txt; classtype:attempted-user; sid:3148; rev:20;)
-# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 5/6 object type overflow attempt"; flow:to_client,established; file_data; content:"]*type\s*=[\x22\x27]\x2f{32}/smi"; metadata:ruleset community, service http; reference:cve,2003-0344; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-020; classtype:attempted-user; sid:3149; rev:12;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET login buffer overflow attempt"; flow:to_server,established; content:"|FF FA|'|00 00|TTYPROMPT|01|"; fast_pattern:only; rawbytes; flowbits:set,ttyprompt; metadata:policy max-detect-ips drop, ruleset community, service telnet; reference:bugtraq,3681; reference:cve,2001-0797; reference:nessus,10827; classtype:attempted-admin; sid:3147; rev:15;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows HTML Help hhctrl.ocx clsid access attempt"; flow:to_client,established; file_data; content:"clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,11467; reference:bugtraq,4857; reference:bugtraq,5874; reference:cve,2002-0693; reference:cve,2002-0823; reference:cve,2004-1043; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-055; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-001; reference:url,www.ngssoftware.com/advisories/ms-winhlp.txt; classtype:attempted-user; sid:3148; rev:21;)
+# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer malformed object type overflow attempt"; flow:to_client,established; file_data; content:"object"; nocase; content:"type"; within:200; nocase; content:"////////////////////////////////"; 
fast_pattern:only; pcre:"/object\s[^>]*type\s*=\s*[\x22\x27][^\x22\x27]*\x2f{32}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2003-0344; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-020; classtype:attempted-user; sid:3149; rev:13;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS SQLXML content type overflow"; flow:to_server,established; pcre:"/\.x[sm]l/Ui"; content:"contenttype="; http_uri; pcre:"/contenttype=[^\r\n\x3b\x38]{100}/smiU"; metadata:ruleset community, service http; reference:bugtraq,5004; reference:cve,2002-0186; reference:nessus,11304; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-030; reference:url,www.westpoint.ltd.uk/advisories/wp-02-0007.txt; classtype:attempted-admin; sid:3150; rev:14;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER / execution attempt"; flow:to_server,established; content:"/"; pcre:"/^\x2f/smi"; metadata:ruleset community; reference:cve,1999-0612; reference:cve,2000-0915; classtype:attempted-recon; sid:3151; rev:8;)
-# alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa brute force failed login attempt"; flow:to_client,established,no_stream; content:"Login failed for user 'sa'"; fast_pattern:only; detection_filter:track by_src, count 5, seconds 2; metadata:ruleset community; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:3152; rev:10;)
+# alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa brute force failed login attempt"; flow:to_client,established,no_stream; content:"Login failed for user 'sa'"; fast_pattern:only; detection_filter:track by_src, count 5, seconds 2; metadata:ruleset community; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; reference:url,attack.mitre.org/techniques/T1110; classtype:unsuccessful-user; sid:3152; rev:11;)
 # alert tcp 
$EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS TCP inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; isdataat:400; metadata:ruleset community, service dns; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3153; rev:9;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS UDP inverse query overflow"; flow:to_server; isdataat:400; byte_test:1,<,16,2; byte_test:1,&,8,2; metadata:ruleset community, service dns; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3154; rev:11;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS UDP inverse query overflow"; flow:to_server; isdataat:400; byte_test:1,<,16,2; byte_test:1,&,8,2; metadata:policy max-detect-ips drop, ruleset community, service dns; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3154; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"MALWARE-BACKDOOR BackOrifice 2000 Inbound Traffic"; flow:to_server,established; content:"1j|D0 D9|"; metadata:ruleset community; classtype:trojan-activity; sid:3155; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator CoGetInstanceFromFile attempt"; flow:to_server,established; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:1; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,dce; metadata:ruleset community, service netbios-ssn; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3158; rev:17;) -# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile attempt"; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:1; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 00 5C 00|"; 
distance:0; byte_test:4,>,256,-8,relative,dce; metadata:ruleset community, service dcerpc; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3159; rev:16;) +# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile attempt"; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:1; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,dce; metadata:policy max-detect-ips drop, ruleset community, service dcerpc; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3159; rev:17;) # alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP msqueue function 4 overflow attempt"; dce_iface:975201B0-59CA-11D0-A8D5-00A0C90D8051; dce_opnum:4; dce_stub_data; byte_test:4,>,128,8,dce; metadata:policy max-detect-ips drop, ruleset community, service dcerpc; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:3171; rev:15;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Media Player directory traversal via Content-Disposition attempt"; flow:to_client,established; content:".wmz"; fast_pattern; nocase; http_header; content:"Content-Disposition|3A|"; nocase; http_header; content:"filename="; nocase; http_header; pcre:"/filename=[^\x3b\x3a\r\n]*(\x25\x2e\x25\x2e\x25\x5c|\x25\x32\x65\x25\x35\x63|\x2e\x2e\x5c)[^\x3b\x3a\r\n]*\x2ewmz/smiH"; metadata:ruleset community, service http; reference:bugtraq,7517; reference:cve,2003-0228; reference:nessus,11595; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-017; classtype:attempted-user; sid:3192; rev:19;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS 
.cmd executable file parsing attack"; flow:to_server,established; content:".cmd|22|"; nocase; http_uri; pcre:"/\x2ecmd\x22.*?\x26/smUi"; metadata:ruleset community, service http; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:3193; rev:17;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .bat executable file parsing attack"; flow:to_server,established; content:".bat|22|"; nocase; http_uri; pcre:"/\x2ebat\x22.*?\x26/Usmi"; metadata:ruleset community, service http; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:3194; rev:16;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"OS-WINDOWS name query overflow attempt TCP"; flow:to_server,established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; metadata:ruleset community, service netbios-ns; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-006; classtype:attempted-admin; sid:3195; rev:10;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"OS-WINDOWS name query overflow attempt UDP"; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; metadata:ruleset community, service netbios-ns; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-006; classtype:attempted-admin; sid:3196; rev:8;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft Windows WINS name query overflow attempt TCP"; flow:established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; metadata:ruleset community; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-006; classtype:attempted-admin; sid:3199; rev:11;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft Windows WINS name query overflow 
attempt UDP"; flow:to_server; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; metadata:ruleset community; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-006; classtype:attempted-admin; sid:3200; rev:12;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"OS-WINDOWS name query overflow attempt TCP"; flow:to_server,established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; metadata:policy max-detect-ips drop, ruleset community, service netbios-ns; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-006; classtype:attempted-admin; sid:3195; rev:11;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"OS-WINDOWS name query overflow attempt UDP"; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; metadata:policy max-detect-ips drop, ruleset community, service netbios-ns; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-006; classtype:attempted-admin; sid:3196; rev:9;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft Windows WINS name query overflow attempt TCP"; flow:established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-006; classtype:attempted-admin; sid:3199; rev:12;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft Windows WINS name query overflow attempt UDP"; flow:to_server; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-006; classtype:attempted-admin; sid:3200; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS httpodbc.dll access - nimda"; flow:to_server,established; content:"/httpodbc.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2708; reference:cve,2001-0333; classtype:web-application-activity; sid:3201; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP winreg OpenKey overflow attempt"; flow:to_server,established; dce_iface:338cd001-2244-31f1-aaaa-900038001003; dce_opnum:15; dce_stub_data; byte_test:2,>,1024,20,dce; metadata:ruleset community, service netbios-ssn; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:3218; rev:23;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"OS-WINDOWS Messenger message little endian overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; byte_jump:4,18,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,8,little,relative; metadata:ruleset community; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin; sid:3234; rev:5;) -# alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"OS-WINDOWS Messenger message overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,!&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; byte_jump:4,18,align,relative; byte_jump:4,8,align,relative; byte_test:4,>,1024,8,relative; metadata:ruleset community; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin; sid:3235; rev:5;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"OS-WINDOWS 
Messenger message little endian overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; byte_jump:4,18,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,8,little,relative; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin; sid:3234; rev:6;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"OS-WINDOWS Messenger message overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,!&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; byte_jump:4,18,align,relative; byte_jump:4,8,align,relative; byte_test:4,>,1024,8,relative; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin; sid:3235; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP irot IrotIsRunning/Revoke overflow attempt"; flow:to_server,established; dce_iface:b9e79e60-3d52-11ce-aaa1-00006901293f; dce_opnum:1,2; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,align,dce; byte_test:4,>,1024,0,relative,dce; metadata:ruleset community; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-010; classtype:attempted-admin; sid:3238; rev:15;) -# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP irot IrotIsRunning/Revoke overflow attempt"; dce_iface:b9e79e60-3d52-11ce-aaa1-00006901293f; dce_opnum:1,2; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,align,dce; byte_test:4,>,1024,0,relative,dce; metadata:ruleset community; reference:bugtraq,6005; reference:cve,2002-1561; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-010; classtype:attempted-admin; sid:3239; rev:14;) -# alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa brute force failed login unicode attempt"; flow:to_client,established,no_stream; content:"L|00|o|00|g|00|i|00|n|00| |00|f|00|a|00|i|00|l|00|e|00|d|00| |00|f|00|o|00|r|00| |00|u|00|s|00|e|00|r|00| |00|'|00|s|00|a|00|'|00|"; detection_filter:track by_src, count 5, seconds 2; metadata:ruleset community; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:3273; rev:9;) -# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET login buffer non-evasive overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"|FF FA|'|00 00|"; rawbytes; pcre:"/T.*?T.*?Y.*?P.*?R.*?O.*?M.*?P.*?T/RBi"; flowbits:set,ttyprompt; metadata:ruleset community, service telnet; reference:bugtraq,3681; reference:cve,2001-0797; reference:nessus,10827; classtype:attempted-admin; sid:3274; rev:12;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance attempt"; flow:to_server,established; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:4; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,dce; metadata:ruleset community, service netbios-ssn; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:3397; rev:17;) -# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance attempt"; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:4; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 
00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,dce; metadata:ruleset community, service dcerpc; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:3398; rev:16;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt"; flow:to_server,established; dce_iface:4d9f4ab8-7d1c-11cf-861e-0020af6e7c57; dce_opnum:0; dce_stub_data; byte_test:4,>,256,52,dce; metadata:ruleset community, service dcerpc, service netbios-ssn; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0528; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:3409; rev:17;) +# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP irot IrotIsRunning/Revoke overflow attempt"; dce_iface:b9e79e60-3d52-11ce-aaa1-00006901293f; dce_opnum:1,2; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,align,dce; byte_test:4,>,1024,0,relative,dce; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-010; classtype:attempted-admin; sid:3239; rev:15;) +# alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa brute force failed login unicode attempt"; flow:to_client,established,no_stream; content:"L|00|o|00|g|00|i|00|n|00| |00|f|00|a|00|i|00|l|00|e|00|d|00| |00|f|00|o|00|r|00| |00|u|00|s|00|e|00|r|00| |00|'|00|s|00|a|00|'|00|"; detection_filter:track by_src, count 5, seconds 2; metadata:ruleset community; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; 
reference:url,attack.mitre.org/techniques/T1110; classtype:unsuccessful-user; sid:3273; rev:10;) +alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET login buffer non-evasive overflow attempt"; flow:to_server,established; content:"|FF FA|'|00 00|"; rawbytes; pcre:"/T.*?T.*?Y.*?P.*?R.*?O.*?M.*?P.*?T/RBi"; flowbits:set,ttyprompt; metadata:policy max-detect-ips drop, ruleset community, service telnet; reference:bugtraq,3681; reference:cve,2001-0797; reference:nessus,10827; classtype:attempted-admin; sid:3274; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance attempt"; flow:to_server,established; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:4; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,dce; metadata:policy max-detect-ips drop, ruleset community, service netbios-ssn; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:3397; rev:18;) +# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance attempt"; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:4; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,dce; metadata:policy max-detect-ips drop, ruleset community, service dcerpc; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:3398; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] 
(msg:"OS-WINDOWS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt"; flow:to_server,established; dce_iface:4d9f4ab8-7d1c-11cf-861e-0020af6e7c57; dce_opnum:0; dce_stub_data; byte_test:4,>,256,52,dce; metadata:policy max-detect-ips drop, ruleset community, service dcerpc, service netbios-ssn; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0528; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:3409; rev:18;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP PORT bounce attempt"; flow:to_server,established; content:"PORT"; nocase; ftpbounce; pcre:"/^PORT/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,126; reference:cve,1999-0017; reference:nessus,10081; classtype:misc-attack; sid:3441; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-WINDOWS Microsoft Windows TCP print service overflow attempt"; flow:to_server,established; pcre:"/^(\x03|\x04|\x05)/s"; content:"|00|"; within:497; content:"|0A|"; within:497; metadata:ruleset community; reference:bugtraq,1082; reference:cve,2000-0232; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-021; classtype:attempted-dos; sid:3442; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"SERVER-OTHER Arkeia client backup system info probe"; flow:to_server,established; content:"ARKADMIN_GET_"; pcre:"/^(CLIENT|MACHINE)_INFO/Ri"; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,12594; reference:cve,2005-0491; classtype:attempted-recon; sid:3453; rev:9;) 
@@ -2310,194 +2310,195 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 FIND_FI # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP REST with numeric argument"; flow:to_server,established; content:"REST"; fast_pattern:only; pcre:"/REST\s+[0-9]+\n/i"; metadata:ruleset community, service ftp; reference:bugtraq,7825; classtype:attempted-recon; sid:3460; rev:9;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Content-Type overflow attempt"; flow:to_server,established; content:"Content-Type"; nocase; content:"|3A|"; distance:0; pcre:"/^\s*Content-Type\s*\x3A\s*[^\r\n]{300}/mi"; metadata:policy max-detect-ips drop, ruleset community, service smtp; reference:bugtraq,44732; reference:bugtraq,7419; reference:cve,2003-0113; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-015; classtype:attempted-admin; sid:3461; rev:18;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer Content-Encoding overflow attempt"; flow:to_server,established; content:"Content-Encoding"; nocase; content:"|3A|"; distance:0; pcre:"/^\s*Content-Encoding\s*\x3A\s*[^\r\n]{300}/mi"; metadata:ruleset community, service smtp; reference:bugtraq,7419; reference:cve,2003-0113; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-015; classtype:attempted-admin; sid:3462; rev:14;) -# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP awstats access"; flow:to_server,established; content:"/awstats.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,12572; reference:nessus,16456; classtype:web-application-activity; sid:3463; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP awstats access"; flow:to_server,established; content:"/awstats.pl"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,12572; 
reference:nessus,16456; classtype:web-application-activity; sid:3463; rev:15;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP awstats.pl command execution attempt"; flow:to_server,established; content:"/awstats.pl?"; fast_pattern; nocase; http_uri; content:"update="; http_uri; pcre:"/update=[^\r\n\x26]+/Ui"; content:"logfile="; nocase; http_uri; pcre:"/awstats.pl?[^\r\n]*logfile=\x7C/Ui"; metadata:ruleset community, service http; reference:bugtraq,12572; reference:nessus,16456; classtype:web-application-attack; sid:3464; rev:12;) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows RTF file with embedded object package download attempt"; flow:to_client,established; file_data; content:"{|5C|rt"; nocase; content:"{|5C|object|5C|objemb{|5C|*|5C|objclass Package}"; distance:0; nocase; flowbits:set,file.rtf.embed; metadata:policy max-detect-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2006-4692; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-065; classtype:misc-activity; sid:8445; rev:16;) -# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound INVITE message"; flow:to_server; content:"INVITE"; fast_pattern:only; sip_method:invite; metadata:ruleset community, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:11968; rev:7;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RTF file download request"; flow:to_server,established; content:".rtf"; fast_pattern:only; http_uri; pcre:"/\x2ertf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.rtf; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/Rich_Text_Format; classtype:misc-activity; sid:13801; rev:23;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY PDF file download request"; flow:to_server,established; 
content:".pdf"; fast_pattern:only; http_uri; pcre:"/\x2epdf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.pdf; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/Pdf; classtype:misc-activity; sid:15013; rev:20;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Office Word file download request"; flow:to_server,established; content:".doc"; fast_pattern:only; http_uri; pcre:"/\x2edoc([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.doc; flowbits:set,file.rtf; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/Microsoft_word; classtype:misc-activity; sid:15587; rev:22;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY BMP file download request"; flow:to_server,established; content:".bmp"; fast_pattern:only; http_uri; pcre:"/\x2ebmp([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.bmp; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/BMP_file_format; classtype:misc-activity; sid:16205; rev:20;) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows RTF file with embedded object package download attempt"; flow:to_client,established; file_data; content:"{|5C|rt"; nocase; content:"{|5C|object|5C|objemb{|5C|*|5C|objclass Package}"; distance:0; nocase; flowbits:set,file.rtf.embed; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2006-4692; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-065; classtype:misc-activity; sid:8445; rev:17;) +# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound INVITE message"; flow:to_server; content:"INVITE"; fast_pattern:only; sip_method:invite; metadata:policy max-detect-ips drop, ruleset community, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; 
classtype:protocol-command-decode; sid:11968; rev:8;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RTF file download request"; flow:to_server,established; content:".rtf"; fast_pattern:only; http_uri; pcre:"/\x2ertf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.rtf; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/Rich_Text_Format; classtype:misc-activity; sid:13801; rev:26;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY PDF file download request"; flow:to_server,established; content:".pdf"; fast_pattern:only; http_uri; pcre:"/\x2epdf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.pdf; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/Pdf; classtype:misc-activity; sid:15013; rev:23;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Office Word file download request"; flow:to_server,established; content:".doc"; fast_pattern:only; http_uri; pcre:"/\x2edoc([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.doc; flowbits:set,file.rtf; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/Microsoft_word; classtype:misc-activity; sid:15587; rev:25;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY BMP file download request"; flow:to_server,established; content:".bmp"; fast_pattern:only; http_uri; pcre:"/\x2ebmp([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.bmp; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/BMP_file_format; 
classtype:misc-activity; sid:16205; rev:23;) alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Hydraq variant outbound connection"; flow:to_server,established; content:"|FF FF FF FF FF FF 00 00 FE FF FF FF FF FF FF FF FF FF 88 FF|"; depth:20; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,www.virustotal.com/#/file/9051f618a5a8253a003167e65ce1311fa91a8b70d438a384be48b02e73ba855c/detection; classtype:trojan-activity; sid:16368; rev:7;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; content:".jpg"; fast_pattern:only; http_uri; pcre:"/\x2ejpg([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:16406; rev:17;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; content:".jpeg"; fast_pattern:only; http_uri; pcre:"/\x2ejpeg([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:16407; rev:17;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; content:".jpg"; fast_pattern:only; http_uri; pcre:"/\x2ejpg([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:16406; rev:20;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; content:".jpeg"; fast_pattern:only; http_uri; pcre:"/\x2ejpeg([\?\x5c\x2f]|$)/smiU"; 
flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:16407; rev:20;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Portable Executable binary file download request"; flow:to_server,established; content:".exe"; fast_pattern:only; http_uri; pcre:"/\x2eexe([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.exe; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/.exe; classtype:misc-activity; sid:16425; rev:24;) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 03 00|"; within:4; distance:16; flowbits:set,file.ole; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:16474; rev:24;) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 03 00|"; within:4; distance:16; flowbits:set,file.ole; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:16474; rev:27;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Compound File Binary v4 file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 04 00|"; within:4; distance:16; flowbits:set,file.oless.v4; flowbits:noalert; metadata:policy max-detect-ips 
alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:16475; rev:18;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; content:".pjpeg"; fast_pattern:only; http_uri; pcre:"/\x2epjpeg([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:16529; rev:17;) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY OLE document file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; flowbits:set,file.ole; flowbits:set,file.fpx; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:17314; rev:24;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY PNG file download request"; flow:to_server,established; content:".png"; fast_pattern:only; http_uri; pcre:"/\x2epng([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.png; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:17380; rev:20;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY XML file download request"; flow:to_server,established; content:".xml"; fast_pattern:only; http_uri; pcre:"/\x2exml([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:17733; rev:15;) -alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS SMB TRANS2 Find_First2 request attempt"; flow:to_server,established; content:"|FF|SMB2|00 00 00 00|"; depth:9; offset:4; content:"|00 00|"; within:2; distance:13; content:"|00|"; within:1; distance:18; content:"|00 00|"; within:2; distance:6; content:"|01 00|"; within:2; distance:10; flowbits:set,smb.trans2.findfirst2; flowbits:noalert; 
metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:17745; rev:8;) -alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS SMB-DS Trans2 Distributed File System GET_DFS_REFERRAL request"; flow:established,to_server; content:"|00|"; offset:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 00 00 00|"; within:4; content:"|10 00|"; depth:2; offset:65; flowbits:set,smb.trans2.get_dfs_referral; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:19190; rev:7;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY ZIP archive file download request"; flow:to_server,established; content:".zip"; fast_pattern:only; http_uri; pcre:"/\x2ezip([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.zip; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:19211; rev:20;) -# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER multiple products blacknurse ICMP denial of service attempt"; icode:3; itype:3; detection_filter:track by_src,count 250,seconds 1; metadata:ruleset community; reference:cve,2011-1871; reference:url,soc.tdc.dk/blacknurse/blacknurse.pdf; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-083; classtype:attempted-dos; sid:19678; rev:9;) -alert tcp $HOME_NET any -> $EXTERNAL_NET 12080 (msg:"MALWARE-CNC Win.Trojan.Derusbi.A variant outbound connection"; flow:to_server,established; content:"|00 00 00 01 00 00 00|"; depth:7; offset:1; content:"|01 00 00 00 68 01 00 00|"; within:8; distance:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/file-scan/report.html?id=6fecd042c3c0b54e7354cd8dfb1975c626acd8df55f88c4149462e15e77918b0-1314630371; 
reference:url,www.virustotal.com/file-scan/report.html?id=705404d6bbf6dae254e2d3bc44eca239976be7f0dc4d49fe93b0fb1d1c2704fe-1314630371; classtype:trojan-activity; sid:20080; rev:6;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| Opera|5C|9.64|0A|"; fast_pattern:only; http_header; content:"bb.php?v="; http_uri; content:"id="; distance:0; http_uri; content:"b="; distance:0; http_uri; content:"tm="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file-scan/report.html?id=2afb098dfea7d2acd73da520fe26d09acee1449c79d2c8753f3008a2a8f648b2-1303397086; classtype:trojan-activity; sid:20221; rev:6;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY SMI file download request"; flow:to_server,established; content:".smi"; fast_pattern:only; http_uri; pcre:"/\x2esmi([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:set,file.dmg; flowbits:noalert; metadata:ruleset community, service http; reference:bugtraq,49149; reference:url,en.wikipedia.org/wiki/SAMI; reference:url,osvdb.org/show/osvdb/74604; classtype:misc-activity; sid:20223; rev:21;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Client Agent Helper JAR file download request"; flow:to_server,established; content:"_helper.jar"; fast_pattern:only; pcre:"/agent_(win|lin|mac)_helper\.jar$/siU"; flowbits:set,file.jar.agent_helper; flowbits:noalert; metadata:ruleset community, service http; reference:cve,2011-1969; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-079; classtype:misc-activity; sid:20260; rev:17;) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|03 
04|"; content:!"|14 00 06 00|"; within:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20463; rev:23;) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK00PK|03 04|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20464; rev:22;) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|01 02|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20465; rev:22;) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|05 06|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20466; rev:22;) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|06 08|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20467; rev:22;) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|06 07|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, 
service imap, service pop3; classtype:misc-activity; sid:20468; rev:22;) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|06 06|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20469; rev:22;) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY PNG file magic detected"; flow:to_client,established; file_data; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; flowbits:set,file.png; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20478; rev:19;) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG file magic detection"; flow:to_client,established; file_data; content:"|FF D8 FF|"; depth:3; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20480; rev:18;) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF E0|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20483; rev:19;) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY RTF file magic detected"; flow:to_client,established; file_data; content:"{|5C|rt"; fast_pattern:only; flowbits:set,file.rtf; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20486; rev:20;) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY PDF file magic detected"; flow:to_client,established; 
file_data; content:"%PDF-"; nocase; flowbits:set,file.pdf; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20494; rev:16;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JAR file download request"; flow:to_server,established; content:".jar"; fast_pattern:only; http_uri; pcre:"/\x2ejar([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:20621; rev:15;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; content:".pjpeg"; fast_pattern:only; http_uri; pcre:"/\x2epjpeg([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:16529; rev:20;) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY OLE document file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; flowbits:set,file.ole; flowbits:set,file.fpx; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:17314; rev:27;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY PNG file download request"; flow:to_server,established; content:".png"; fast_pattern:only; http_uri; pcre:"/\x2epng([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.png; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; classtype:misc-activity; sid:17380; rev:23;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"FILE-IDENTIFY XML file download request"; flow:to_server,established; content:".xml"; fast_pattern:only; http_uri; pcre:"/\x2exml([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; classtype:misc-activity; sid:17733; rev:18;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS SMB TRANS2 Find_First2 request attempt"; flow:to_server,established; content:"|FF|SMB2|00 00 00 00|"; depth:9; offset:4; content:"|00 00|"; within:2; distance:13; content:"|00|"; within:1; distance:18; content:"|00 00|"; within:2; distance:6; content:"|01 00|"; within:2; distance:10; flowbits:set,smb.trans2.findfirst2; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:17745; rev:10;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS SMB-DS Trans2 Distributed File System GET_DFS_REFERRAL request"; flow:established,to_server; content:"|00|"; offset:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 00 00 00|"; within:4; content:"|10 00|"; depth:2; offset:65; flowbits:set,smb.trans2.get_dfs_referral; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:19190; rev:9;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY ZIP archive file download request"; flow:to_server,established; content:".zip"; fast_pattern:only; http_uri; pcre:"/\x2ezip([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.zip; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; classtype:misc-activity; sid:19211; rev:23;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER multiple products blacknurse ICMP denial of service attempt"; icode:3; itype:3; 
detection_filter:track by_src,count 250,seconds 1; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2011-1871; reference:url,soc.tdc.dk/blacknurse/blacknurse.pdf; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-083; classtype:attempted-dos; sid:19678; rev:10;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 12080 (msg:"MALWARE-CNC Win.Trojan.Derusbi.A variant outbound connection"; flow:to_server,established; content:"|00 00 00 01 00 00 00|"; depth:7; offset:1; content:"|01 00 00 00 68 01 00 00|"; within:8; distance:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/6fecd042c3c0b54e7354cd8dfb1975c626acd8df55f88c4149462e15e77918b0/analysis/; reference:url,www.virustotal.com/en/file/705404d6bbf6dae254e2d3bc44eca239976be7f0dc4d49fe93b0fb1d1c2704fe/analysis/; classtype:trojan-activity; sid:20080; rev:7;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| Opera|5C|9.64|0A|"; fast_pattern:only; http_header; content:"bb.php?v="; http_uri; content:"id="; distance:0; http_uri; content:"b="; distance:0; http_uri; content:"tm="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2afb098dfea7d2acd73da520fe26d09acee1449c79d2c8753f3008a2a8f648b2/analysis/; classtype:trojan-activity; sid:20221; rev:7;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY SMI file download request"; flow:to_server,established; content:".smi"; fast_pattern:only; http_uri; pcre:"/\x2esmi([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:set,file.dmg; flowbits:noalert; metadata:policy max-detect-ips alert, 
ruleset community, service http; reference:bugtraq,49149; reference:url,en.wikipedia.org/wiki/SAMI; classtype:misc-activity; sid:20223; rev:24;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Client Agent Helper JAR file download request"; flow:to_server,established; content:"_helper.jar"; fast_pattern:only; pcre:"/agent_(win|lin|mac)_helper\.jar$/siU"; flowbits:set,file.jar.agent_helper; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service http; reference:cve,2011-1969; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-079; classtype:misc-activity; sid:20260; rev:19;) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|03 04|"; content:!"|14 00 06 00|"; within:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20463; rev:26;) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK00PK|03 04|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20464; rev:25;) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|01 02|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy 
security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20465; rev:25;) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|05 06|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20466; rev:25;) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|06 08|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20467; rev:25;) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|06 07|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20468; rev:25;) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|06 06|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service 
imap, service pop3; classtype:misc-activity; sid:20469; rev:25;) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY PNG file magic detected"; flow:to_client,established; file_data; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; flowbits:set,file.png; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20478; rev:22;) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG file magic detection"; flow:to_client,established; file_data; content:"|FF D8 FF|"; depth:3; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20480; rev:21;) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF E0|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20483; rev:22;) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY RTF file magic detected"; flow:to_client,established; file_data; content:"{|5C|rt"; fast_pattern:only; flowbits:set,file.rtf; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20486; rev:23;) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY PDF file magic detected"; flow:to_client,established; file_data; content:"%PDF-"; nocase; 
flowbits:set,file.pdf; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20494; rev:19;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JAR file download request"; flow:to_server,established; content:".jar"; fast_pattern:only; http_uri; pcre:"/\x2ejar([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; classtype:misc-activity; sid:20621; rev:18;) alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Windows EMF metafile file attachment detected"; flow:to_client,established; content:".emf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eemf/i"; flowbits:set,file.emf; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:20850; rev:17;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Windows EMF metafile file attachment detected"; flow:to_server,established; content:".emf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eemf/i"; flowbits:set,file.emf; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:20851; rev:18;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY DIB file download request"; flow:to_server,established; content:".dib"; fast_pattern:only; http_uri; pcre:"/\x2edib([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.bmp; flowbits:noalert; metadata:ruleset community, service http; 
reference:url,en.wikipedia.org/wiki/BMP_file_format; classtype:misc-activity; sid:20963; rev:13;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY SAMI file download request"; flow:to_server,established; content:".sami"; fast_pattern:only; http_uri; pcre:"/\x2esami([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/SAMI; classtype:misc-activity; sid:20964; rev:13;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; content:".jpe"; fast_pattern:only; http_uri; pcre:"/\x2ejpe([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:20965; rev:11;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; content:".jif"; fast_pattern:only; http_uri; pcre:"/\x2ejif([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:20966; rev:11;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; content:".jfi"; fast_pattern:only; http_uri; pcre:"/\x2ejfif?([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:20967; rev:11;) -alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY PDF file attachment detected"; flow:to_client,established; content:".pdf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epdf/i"; flowbits:set,file.pdf; flowbits:noalert; 
metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21035; rev:14;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PDF file attachment detected"; flow:to_server,established; content:".pdf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epdf/i"; flowbits:set,file.pdf; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21036; rev:15;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Betad variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/login.php"; nocase; http_uri; content:"|C9 97 A2 F3 7E 37 CB 7E 27|"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file-scan/report.html?id=46a87d0818ffd828df5c8fca63b1628f068e50cf3d20ec0e4e009e1dd547b9e9-1324042194; classtype:trojan-activity; sid:21230; rev:8;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY DIB file download request"; flow:to_server,established; content:".dib"; fast_pattern:only; http_uri; pcre:"/\x2edib([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.bmp; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/BMP_file_format; classtype:misc-activity; sid:20963; rev:16;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY SAMI file download request"; flow:to_server,established; content:".sami"; fast_pattern:only; http_uri; pcre:"/\x2esami([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/SAMI; classtype:misc-activity; 
sid:20964; rev:15;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; content:".jpe"; fast_pattern:only; http_uri; pcre:"/\x2ejpe([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:20965; rev:14;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; content:".jif"; fast_pattern:only; http_uri; pcre:"/\x2ejif([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:20966; rev:14;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; content:".jfi"; fast_pattern:only; http_uri; pcre:"/\x2ejfif?([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:20967; rev:14;) +alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY PDF file attachment detected"; flow:to_client,established; content:".pdf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epdf/i"; flowbits:set,file.pdf; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21035; rev:17;) +alert tcp $EXTERNAL_NET any -> 
$SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PDF file attachment detected"; flow:to_server,established; content:".pdf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epdf/i"; flowbits:set,file.pdf; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21036; rev:18;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Betad variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/login.php"; nocase; http_uri; content:"|C9 97 A2 F3 7E 37 CB 7E 27|"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/46a87d0818ffd828df5c8fca63b1628f068e50cf3d20ec0e4e009e1dd547b9e9/analysis/; classtype:trojan-activity; sid:21230; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string DataCha0s"; flow:to_server, established; content:"User-Agent|3A 20|DataCha0s"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.internetofficer.com/web-robot/datacha0s/; classtype:network-scan; sid:21246; rev:6;) -alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"MALWARE-OTHER known malicious FTP login banner - 0wns j0"; flow:established,to_client; content:"220|20|"; depth:4; content:"0wns j0"; distance:0; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ftp; reference:url,seclists.org/fulldisclosure/2004/Sep/895; reference:url,www.cyber-ta.org/releases/malware-analysis/public/SOURCES/CLUSTERS-NEW/behavior-summary.html; classtype:trojan-activity; sid:21255; rev:5;) -alert tcp $EXTERNAL_NET 21 -> $HOME_NET any 
(msg:"MALWARE-OTHER known malicious FTP quit banner - Goodbye happy r00ting"; flow:established,to_client; content:"221 Goodbye happy r00ting"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ftp; reference:url,taosecurity.blogspot.com/2006/01/nepenthes-discoveries-earlier-today-i.html; classtype:trojan-activity; sid:21256; rev:6;)
+alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"MALWARE-OTHER known malicious FTP login banner - 0wns j0"; flow:established,to_client; content:"220|20|"; depth:4; content:"0wns j0"; distance:0; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp; reference:url,seclists.org/fulldisclosure/2004/Sep/895; reference:url,www.cyber-ta.org/releases/malware-analysis/public/SOURCES/CLUSTERS-NEW/behavior-summary.html; classtype:trojan-activity; sid:21255; rev:6;)
+alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"MALWARE-OTHER known malicious FTP quit banner - Goodbye happy r00ting"; flow:established,to_client; content:"221 Goodbye happy r00ting"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp; reference:url,taosecurity.blogspot.com/2006/01/nepenthes-discoveries-earlier-today-i.html; classtype:trojan-activity; sid:21256; rev:7;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC URI - known scanner tool muieblackcat"; flow:to_server, established; content:"/muieblackcat"; nocase; http_uri; pcre:"/\/muieblackcat$/Ui"; metadata:policy security-ips drop, ruleset community, service http; reference:url,serverfault.com/questions/309309/what-is-muieblackcat; classtype:network-scan; sid:21257; rev:4;)
 # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Morfeus Scanner"; flow:to_server, established; content:"User|2D|Agent|3A 20|Morfeus|20|Fucking|20|Scanner"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:network-scan; sid:21266; rev:5;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER TRENDnet IP Camera anonymous access attempt"; flow:to_server,established; content:"/anony/"; fast_pattern:only; http_uri; pcre:"/\/anony\/(jpgview\.htm|mjpeg\.cgi|view2\.cgi|mjpg\.cgi)/Ui"; metadata:ruleset community, service http; reference:url,console-cowboys.blogspot.com/2012/01/trendnet-cameras-i-always-feel-like.html; reference:url,www.trendnet.com/press/view.asp?id=1958; reference:url,www.wired.com/threatlevel/2012/02/home-cameras-exposed/; classtype:policy-violation; sid:21267; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY XSL file download request"; flow:to_server,established; content:".xsl"; fast_pattern:only; http_uri; pcre:"/\x2exsl([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:21282; rev:8;)
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY XSL file attachment detected"; flow:to_client,established; content:".xsl"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exsl/i"; flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21283; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XSL file attachment detected"; flow:to_server,established; content:".xsl"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exsl/i"; flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21284; rev:10;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY XSLT file download request"; flow:to_server,established; content:".xslt"; fast_pattern:only; http_uri; pcre:"/\x2exslt([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:21285; rev:8;)
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY XSLT file attachment detected"; flow:to_client,established; content:".xslt"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exslt/i"; flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21286; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XSLT file attachment detected"; flow:to_server,established; content:".xslt"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exslt/i"; flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21287; rev:10;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY XML download detected"; flow:to_client,established; content:"Content-Type|3A|"; nocase; http_header; content:"text/xml"; within:20; fast_pattern; nocase; http_header; flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:21288; rev:11;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER TRENDnet IP Camera anonymous access attempt"; flow:to_server,established; content:"/anony/"; fast_pattern:only; http_uri; pcre:"/\/anony\/(jpgview\.htm|mjpeg\.cgi|view2\.cgi|mjpg\.cgi)/Ui"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,console-cowboys.blogspot.com/2012/01/trendnet-cameras-i-always-feel-like.html; reference:url,www.trendnet.com/press/view.asp?id=1958; reference:url,www.wired.com/threatlevel/2012/02/home-cameras-exposed/; classtype:policy-violation; sid:21267; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY XSL file download request"; flow:to_server,established; content:".xsl"; fast_pattern:only; http_uri; pcre:"/\x2exsl([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1220; classtype:misc-activity; sid:21282; rev:12;)
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY XSL file attachment detected"; flow:to_client,established; content:".xsl"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exsl/i"; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1220; classtype:misc-activity; sid:21283; rev:13;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XSL file attachment detected"; flow:to_server,established; content:".xsl"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exsl/i"; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; reference:url,attack.mitre.org/techniques/T1220; classtype:misc-activity; sid:21284; rev:14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY XSLT file download request"; flow:to_server,established; content:".xslt"; fast_pattern:only; http_uri; pcre:"/\x2exslt([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1220; classtype:misc-activity; sid:21285; rev:12;)
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY XSLT file attachment detected"; flow:to_client,established; content:".xslt"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exslt/i"; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1220; classtype:misc-activity; sid:21286; rev:13;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XSLT file attachment detected"; flow:to_server,established; content:".xslt"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exslt/i"; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; reference:url,attack.mitre.org/techniques/T1220; classtype:misc-activity; sid:21287; rev:14;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY XML download detected"; flow:to_client,established; content:"Content-Type|3A|"; nocase; http_header; content:"text/xml"; within:20; fast_pattern; nocase; http_header; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; classtype:misc-activity; sid:21288; rev:14;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent ASafaWeb Scan"; flow:to_server,established; content:"User-Agent|3A| asafaweb.com"; fast_pattern:only; http_header; metadata:policy balanced-ips alert, policy security-ips drop, ruleset community, service http; reference:url,asafaweb.com; classtype:network-scan; sid:21327; rev:7;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Remote Execution Backdoor Attempt Against Horde"; flow:to_server,established; content:"/services/javascript.php"; fast_pattern:only; http_uri; content:"href="; http_cookie; content:"file=open_calendar.js"; http_client_body; metadata:ruleset community, service http; reference:cve,2012-0209; reference:url,dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155; reference:url,eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/; reference:url,pastebin.com/U3ADiWrP; classtype:web-application-attack; sid:21375; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY paq8o file download request"; flow:to_server,established; content:".paq8o"; fast_pattern:only; http_uri; pcre:"/\x2epaq8o([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.zip; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:21410; rev:12;)
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY paq8o file attachment detected"; flow:to_client,established; content:".paq8o"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epaq8o/i"; flowbits:set,file.zip; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21411; rev:13;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY paq8o file attachment detected"; flow:to_server,established; content:".paq8o"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epaq8o/i"; flowbits:set,file.zip; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21412; rev:14;)
-# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF hostile PDF associated with Laik exploit kit"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1."; content:") /CreationDate (D:20110405234628)>>"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:21417; rev:9;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Remote Execution Backdoor Attempt Against Horde"; flow:to_server,established; content:"/services/javascript.php"; fast_pattern:only; http_uri; content:"href="; http_cookie; content:"file=open_calendar.js"; http_client_body; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2012-0209; reference:url,dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155; reference:url,eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/; reference:url,pastebin.com/U3ADiWrP; classtype:web-application-attack; sid:21375; rev:8;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY paq8o file download request"; flow:to_server,established; content:".paq8o"; fast_pattern:only; http_uri; pcre:"/\x2epaq8o([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.zip; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; classtype:misc-activity; sid:21410; rev:15;)
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY paq8o file attachment detected"; flow:to_client,established; content:".paq8o"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epaq8o/i"; flowbits:set,file.zip; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21411; rev:16;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY paq8o file attachment detected"; flow:to_server,established; content:".paq8o"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epaq8o/i"; 
flowbits:set,file.zip; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21412; rev:17;) +# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF hostile PDF associated with Laik exploit kit"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1."; content:") /CreationDate (D:20110405234628)>>"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:21417; rev:10;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit JavaScript carat string splitting with hostile applet"; flow:to_client,established; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - base64 encoded"; flow:to_server,established; content:"GET http|3A 2F 2F|"; depth:11; base64_decode:relative; base64_data; content:"clk="; content:"&bid="; distance:0; content:"&aid="; within:5; distance:40; content:"&sid="; distance:0; content:"&rd="; distance:0; content:"&x86="; distance:0; metadata:impact_flag red, ruleset community, service http; reference:url,www.damballa.com/tdl4/; classtype:trojan-activity; sid:21442; rev:5;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - base64 encoded"; flow:to_server,established; content:"GET http|3A 2F 2F|"; depth:11; base64_decode:relative; base64_data; content:"clk="; content:"&bid="; distance:0; content:"&aid="; within:5; distance:40; content:"&sid="; distance:0; content:"&rd="; distance:0; content:"&x86="; distance:0; metadata:impact_flag red, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1001; reference:url,attack.mitre.org/techniques/T1132; reference:url,www.damballa.com/tdl4/; 
classtype:trojan-activity; sid:21442; rev:6;)
 # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TDSS variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B 20|)"; fast_pattern:only; http_header; content:"HOST|3A|"; http_header; content:!"X-BlueCoat-Via"; nocase; http_header; metadata:impact_flag red, ruleset community, service http; reference:url,about-threats.trendmicro.com/Malware.aspx?language=apac&name=TDSS; reference:url,www.virustotal.com/file/75e8b49e1d316f28363cccb697cfd2ebca3122dba3dba321dba6391b49fc757e/analysis/; classtype:trojan-activity; sid:21444; rev:13;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string core-project"; flow:to_server, established; content:"User-Agent|3A 20|core-project"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:misc-activity; sid:21475; rev:4;)
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY XML file magic detected"; flow:to_client,established; file_data; content:""; depth:50; nocase; flowbits:set,file.xml; flowbits:set,file.xul; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:21480; rev:13;)
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY XML file magic detected"; flow:to_client,established; file_data; content:""; depth:50; nocase; flowbits:set,file.xml; flowbits:set,file.xul; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:21480; rev:16;)
 # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch"; 
flow:to_client,established; content:"try"; content:"prototype"; within:30; content:"}catch("; within:30; pcre:"/prototype([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21492; rev:22;) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY XML file magic detected"; flow:to_client,established; file_data; content:" $HOME_NET any (msg:"FILE-IDENTIFY XML file attachment detected"; flow:to_client,established; content:".xml"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exml/i"; flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21499; rev:8;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XML file attachment detected"; flow:to_server,established; content:".xml"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exml/i"; flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21500; rev:9;) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY XML file magic detected"; flow:to_client,established; file_data; content:" $HOME_NET any (msg:"FILE-IDENTIFY XML file attachment detected"; flow:to_client,established; content:".xml"; fast_pattern:only; 
content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exml/i"; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21499; rev:11;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XML file attachment detected"; flow:to_server,established; content:".xml"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exml/i"; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21500; rev:12;)
 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bredolab variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; http_header; content:"smk="; depth:4; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/9384733182a6cbe5236b9b253d1f070570b7f6b6ff31aa86be253421f4c5c645/analysis/; classtype:trojan-activity; sid:21562; rev:5;)
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY PNG file attachment detected"; flow:to_client,established; content:".png"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epng/i"; flowbits:set,file.png; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21613; rev:13;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PNG file attachment detected"; flow:to_server,established; content:".png"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epng/i"; flowbits:set,file.png; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21614; rev:14;)
+alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY PNG file attachment detected"; flow:to_client,established; content:".png"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epng/i"; flowbits:set,file.png; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21613; rev:16;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PNG file attachment detected"; flow:to_server,established; content:".png"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epng/i"; flowbits:set,file.png; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21614; rev:17;)
 # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch"; flow:to_client,established; file_data; content:"prototype"; content:"}catch("; distance:0; pcre:"/prototype([^\x7d]{1,3})?\x7dcatch\(\w{3}\)/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21646; rev:16;)
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY SMI file attachment detected"; flow:to_client,established; content:".smi"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esmi/i"; flowbits:set,file.realplayer.playlist; flowbits:set,file.dmg; flowbits:set,file.smi; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21695; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY SMI file attachment detected"; flow:to_server,established; content:".smi"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esmi/i"; flowbits:set,file.realplayer.playlist; flowbits:set,file.dmg; flowbits:set,file.smi; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21696; rev:11;)
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY SAMI file attachment detected"; flow:to_client,established; content:".sami"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esami/i"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21697; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY SAMI file attachment detected"; flow:to_server,established; content:".sami"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esami/i"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21698; rev:11;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY ANI file download request"; flow:to_server,established; content:".ani"; fast_pattern:only; http_uri; pcre:"/\x2eani([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.ani; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:21724; rev:10;)
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY ANI file attachment detected"; flow:to_client,established; content:".ani"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eani/i"; flowbits:set,file.ani; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21725; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY ANI file attachment detected"; flow:to_server,established; content:".ani"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eani/i"; flowbits:set,file.ani; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21726; rev:11;)
-alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY ANI file magic detection"; flow:to_client,established; file_data; content:"RIFF"; depth:4; content:"ACON"; within:4; distance:4; flowbits:set,file.ani; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:21727; rev:10;)
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jpg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21728; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jpg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21729; rev:10;)
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jpeg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpeg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21730; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jpeg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpeg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21731; rev:10;)
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".pjpeg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epjpeg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21732; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".pjpeg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epjpeg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21733; rev:10;)
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jpe"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpe/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21734; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jpe"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpe/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21735; rev:10;)
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jif"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejif/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21736; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jif"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejif/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21737; rev:10;)
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jfi"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejfi/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21738; rev:10;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jfi"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejfi/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21739; rev:11;)
-alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY RTF file attachment detected"; flow:to_client,established; content:".rtf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ertf/i"; flowbits:set,file.rtf; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21746; rev:9;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY RTF file attachment detected"; flow:to_server,established; content:".rtf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ertf/i"; flowbits:set,file.rtf; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21747; rev:10;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %ALLUSERSPROFILE%"; flow:to_server,established; content:"%ALLUSERSPROFILE%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21818; rev:4;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PROGRAMDATA%"; flow:to_server,established; content:"%PROGRAMDATA%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21819; rev:4;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %APPDATA%"; flow:to_server,established; content:"%APPDATA%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21820; rev:4;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %COMMONPROGRAMFILES%"; flow:to_server,established; content:"%COMMONPROGRAMFILES%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21821; rev:4;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %COMMONPROGRAMFILES - x86%"; flow:to_server,established; content:"%COMMONPROGRAMFILES|40|x86|41|%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21822; rev:4;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %COMSPEC%"; flow:to_server,established; content:"%COMSPEC%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21823; rev:4;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %HOMEDRIVE%"; flow:to_server,established; content:"%HOMEDRIVE%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21824; rev:4;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %HOMEPATH%"; flow:to_server,established; content:"%HOMEPATH%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21825; rev:4;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %LOCALAPPDATA%"; flow:to_server,established; content:"%LOCALAPPDATA%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21826; rev:4;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PROGRAMFILES%"; flow:to_server,established; content:"%PROGRAMFILES%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21827; rev:4;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PROGRAMFILES - X86%"; flow:to_server,established; content:"%PROGRAMFILES|40|X86|41|%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21828; rev:4;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %SystemDrive%"; flow:to_server,established; content:"%SystemDrive%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21829; rev:4;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %SystemRoot%"; flow:to_server,established; content:"%SystemRoot%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21830; rev:4;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %TEMP%"; flow:to_server,established; content:"%TEMP%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21831; rev:4;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %TMP%"; flow:to_server,established; content:"%TMP%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21832; rev:4;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %USERDATA%"; flow:to_server,established; content:"%USERDATA%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21833; rev:4;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %USERNAME%"; flow:to_server,established; content:"%USERNAME%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21834; rev:4;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %USERPROFILE%"; flow:to_server,established; content:"%USERPROFILE%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21835; rev:4;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %WINDIR%"; flow:to_server,established; content:"%WINDIR%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21836; rev:4;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PUBLIC%"; flow:to_server,established; content:"%PUBLIC%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21837; rev:4;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PSModulePath%"; flow:to_server,established; content:"%PSModulePath%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21838; rev:4;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %COMPUTERNAME%"; flow:to_server,established; content:"%COMPUTERNAME%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21839; rev:4;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %LOGONSERVER%"; flow:to_server,established; content:"%LOGONSERVER%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21840; rev:4;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %PATH%"; flow:to_server,established; content:"%PATH%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21841; rev:4;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %PATHEXT%"; flow:to_server,established; content:"%PATHEXT%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21842; rev:4;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %PROMPT%"; flow:to_server,established; content:"%PROMPT%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21843; rev:4;)
-# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %USERDOMAIN%"; flow:to_server,established; content:"%USERDOMAIN%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21844; rev:4;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - redirect received"; flow:to_client,established; content:"_0000="; fast_pattern; content:"SL_"; http_cookie; content:"_0000="; within:8; http_cookie; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21845; rev:8;)
+alert tcp $EXTERNAL_NET
[110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY SMI file attachment detected"; flow:to_client,established; content:".smi"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esmi/i"; flowbits:set,file.realplayer.playlist; flowbits:set,file.dmg; flowbits:set,file.smi; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21695; rev:12;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY SMI file attachment detected"; flow:to_server,established; content:".smi"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esmi/i"; flowbits:set,file.realplayer.playlist; flowbits:set,file.dmg; flowbits:set,file.smi; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21696; rev:13;) +alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY SAMI file attachment detected"; flow:to_client,established; content:".sami"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esami/i"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21697; rev:12;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY SAMI file attachment detected"; flow:to_server,established; content:".sami"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esami/i"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21698; rev:13;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"FILE-IDENTIFY ANI file download request"; flow:to_server,established; content:".ani"; fast_pattern:only; http_uri; pcre:"/\x2eani([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.ani; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service http; classtype:misc-activity; sid:21724; rev:12;) +alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY ANI file attachment detected"; flow:to_client,established; content:".ani"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eani/i"; flowbits:set,file.ani; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21725; rev:12;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY ANI file attachment detected"; flow:to_server,established; content:".ani"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eani/i"; flowbits:set,file.ani; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21726; rev:13;) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY ANI file magic detection"; flow:to_client,established; file_data; content:"RIFF"; depth:4; content:"ACON"; within:4; distance:4; flowbits:set,file.ani; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:21727; rev:12;) +alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jpg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy 
security-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21728; rev:12;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jpg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21729; rev:13;) +alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jpeg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpeg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21730; rev:12;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jpeg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpeg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21731; rev:13;) +alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".pjpeg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epjpeg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips 
alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21732; rev:12;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".pjpeg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epjpeg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21733; rev:13;) +alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jpe"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpe/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21734; rev:12;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jpe"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpe/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21735; rev:13;) +alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jif"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejif/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset 
community, service imap, service pop3; classtype:misc-activity; sid:21736; rev:12;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jif"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejif/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21737; rev:13;) +alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jfi"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejfi/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21738; rev:13;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jfi"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejfi/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21739; rev:14;) +alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY RTF file attachment detected"; flow:to_client,established; content:".rtf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ertf/i"; flowbits:set,file.rtf; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service imap, 
service pop3; classtype:misc-activity; sid:21746; rev:12;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY RTF file attachment detected"; flow:to_server,established; content:".rtf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ertf/i"; flowbits:set,file.rtf; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21747; rev:13;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %ALLUSERSPROFILE%"; flow:to_server,established; content:"%ALLUSERSPROFILE%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21818; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PROGRAMDATA%"; flow:to_server,established; content:"%PROGRAMDATA%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21819; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %APPDATA%"; flow:to_server,established; content:"%APPDATA%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21820; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %COMMONPROGRAMFILES%"; flow:to_server,established; content:"%COMMONPROGRAMFILES%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21821; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %COMMONPROGRAMFILES - x86%"; flow:to_server,established; content:"%COMMONPROGRAMFILES|40|x86|41|%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21822; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %COMSPEC%"; flow:to_server,established; content:"%COMSPEC%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21823; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %HOMEDRIVE%"; flow:to_server,established; content:"%HOMEDRIVE%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21824; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %HOMEPATH%"; flow:to_server,established; content:"%HOMEPATH%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21825; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %LOCALAPPDATA%"; flow:to_server,established; content:"%LOCALAPPDATA%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21826; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PROGRAMFILES%"; flow:to_server,established; content:"%PROGRAMFILES%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21827; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PROGRAMFILES - X86%"; flow:to_server,established; content:"%PROGRAMFILES|40|X86|41|%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21828; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %SystemDrive%"; flow:to_server,established; content:"%SystemDrive%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21829; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %SystemRoot%"; flow:to_server,established; content:"%SystemRoot%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21830; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %TEMP%"; flow:to_server,established; content:"%TEMP%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21831; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %TMP%"; flow:to_server,established; content:"%TMP%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21832; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %USERDATA%"; flow:to_server,established; content:"%USERDATA%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21833; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %USERNAME%"; flow:to_server,established; content:"%USERNAME%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21834; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %USERPROFILE%"; flow:to_server,established; content:"%USERPROFILE%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21835; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %WINDIR%"; flow:to_server,established; content:"%WINDIR%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21836; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PUBLIC%"; flow:to_server,established; content:"%PUBLIC%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21837; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PSModulePath%"; flow:to_server,established; content:"%PSModulePath%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21838; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %COMPUTERNAME%"; flow:to_server,established; content:"%COMPUTERNAME%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21839; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %LOGONSERVER%"; flow:to_server,established; content:"%LOGONSERVER%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21840; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %PATH%"; flow:to_server,established; content:"%PATH%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21841; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %PATHEXT%"; flow:to_server,established; content:"%PATHEXT%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21842; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %PROMPT%"; flow:to_server,established; content:"%PROMPT%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21843; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %USERDOMAIN%"; flow:to_server,established; content:"%USERDOMAIN%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21844; rev:5;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - redirect received"; flow:to_client,established; content:"_0000="; fast_pattern; content:"SL_"; http_cookie; content:"_0000="; within:8; http_cookie; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; 
reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21845; rev:9;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC TDS Sutra - request in.cgi"; flow:to_server,established; content:"/in.cgi?"; http_uri; pcre:"/\x2Fin\.cgi\?(\d{1,2}|default)$/Ui"; metadata:impact_flag red, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21846; rev:9;) -# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - page redirecting to a SutraTDS"; flow:to_client,established; file_data; content:"/in.cgi?"; isdataat:15,relative; content:!"id="; within:3; nocase; content:!"&"; within:6; content:!"="; within:6; pcre:"/\x2Fin\.cgi\?(\w{1,6}|default)\b/smi"; metadata:impact_flag red, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21848; rev:14;) -# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - HTTP header redirecting to a SutraTDS"; flow:to_client,established; content:"/in.cgi"; http_header; pcre:"/\x2Fin\.cgi\?(\d{1,2}|default)$/Hsmi"; metadata:impact_flag red, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21849; rev:9;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER TDS Sutra - request hi.cgi"; flow:to_server,established; content:"/hi.cgi"; 
http_uri; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21850; rev:6;) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - redirect received"; flow:to_client,established; content:"302"; http_stat_code; content:"=_"; content:"_|5C 3B| domain="; within:11; distance:1; pcre:"/^[a-z]{5}\d=_\d_/C"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21851; rev:6;) -alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY ZIP file attachment detected"; flow:to_client,established; content:".zip"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ezip/i"; flowbits:set,file.zip; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:21856; rev:10;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY ZIP file attachment detected"; flow:to_server,established; content:".zip"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ezip/i"; flowbits:set,file.zip; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:21857; rev:11;) +# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - page redirecting to a SutraTDS"; flow:to_client,established; file_data; content:"/in.cgi?"; isdataat:15,relative; content:!"id="; within:3; nocase; 
content:!"&"; within:6; content:!"="; within:6; pcre:"/\x2Fin\.cgi\?(\w{1,6}|default)\b/smi"; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21848; rev:15;) +# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - HTTP header redirecting to a SutraTDS"; flow:to_client,established; content:"/in.cgi"; http_header; pcre:"/\x2Fin\.cgi\?(\d{1,2}|default)$/Hsmi"; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21849; rev:10;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER TDS Sutra - request hi.cgi"; flow:to_server,established; content:"/hi.cgi"; http_uri; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21850; rev:7;) +# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - redirect received"; flow:to_client,established; content:"302"; http_stat_code; content:"=_"; content:"_|5C 3B| domain="; within:11; distance:1; pcre:"/^[a-z]{5}\d=_\d_/C"; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; 
reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21851; rev:7;) +alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY ZIP file attachment detected"; flow:to_client,established; content:".zip"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ezip/i"; flowbits:set,file.zip; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21856; rev:13;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY ZIP file attachment detected"; flow:to_server,established; content:".zip"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ezip/i"; flowbits:set,file.zip; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21857; rev:14;) alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Portable Executable file attachment detected"; flow:to_client,established; content:".exe"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eexe/i"; flowbits:set,file.exe; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21908; rev:11;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Portable Executable file attachment detected"; flow:to_server,established; content:".exe"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; 
content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eexe/i"; flowbits:set,file.exe; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21909; rev:12;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY EMF file magic detected"; flow:to_client,established; file_data; content:"|01 00 00 00|"; depth:4; content:"|20|EMF"; within:4; distance:36; fast_pattern; flowbits:set,file.emf; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:21940; rev:13;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY XM file download request"; flow:to_server,established; content:".xm"; fast_pattern:only; http_uri; pcre:"/\x2exm([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xm; flowbits:noalert; metadata:ruleset community, service http; classtype:misc-activity; sid:22043; rev:6;) -alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY XM file attachment detected"; flow:to_client,established; content:".xm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exm/i"; flowbits:set,file.xm; flowbits:noalert; metadata:ruleset community, service imap, service pop3; classtype:misc-activity; sid:22044; rev:7;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XM file attachment detected"; flow:to_server,established; content:".xm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exm/i"; flowbits:set,file.xm; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:22045; rev:8;) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY XM file magic detected"; flow:to_client,established; file_data; content:"Extended Module:"; fast_pattern:only; 
flowbits:set,file.xm; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:22046; rev:7;) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Alureon - Malicious IFRAME load attempt"; flow:to_client,established; file_data; content:"name=|5C 22|Twitter|5C 22| scrolling=|5C 22|auto|5C 22| frameborder=|5C 22|no|5C 22| align=|5C 22|center|5C 22| height = |5C 22|1px|5C 22| width = |5C 22|1px|5C 22|>"; fast_pattern:only; metadata:policy balanced-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:22061; rev:6;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP-CGI remote file include attempt"; flow:to_server,established; content:"auto_prepend_file"; http_uri; metadata:ruleset community, service http; reference:cve,2012-1823; reference:cve,2012-2311; reference:cve,2012-2335; reference:cve,2012-2336; classtype:attempted-admin; sid:22063; rev:10;) -# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE script before DOCTYPE possible malicious redirect attempt"; flow:to_client,established; file_data; content:" $HOME_NET any (msg:"INDICATOR-OBFUSCATION hex escaped characters in setTimeout call"; flow:established,to_client; file_data; content:"setTimeout|28|"; nocase; content:"|5C|x"; within:10; nocase; content:"|5C|x"; within:10; nocase; pcre:"/setTimeout\x28[\x22\x27][^\x2C]*?\x5cx[\da-f]{2}[^\x2C]*?[\da-f]{2,}\x5cx[\da-f]{2}/smi"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:bad-unknown; sid:23481; rev:4;) -# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION hex escaped characters in addEventListener call"; flow:established,to_client; file_data; content:"addEventListener|28|"; nocase; content:"|5C|x"; within:10; nocase; content:"|5C|x"; within:10; nocase; 
pcre:"/addEventListener\x28[\x22\x27][^\x2C]*?\x5cx[\da-f]{2}[^\x2C]*?[\da-f]{2,}\x5cx[\da-f]{2}/smi"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:bad-unknown; sid:23482; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY XM file download request"; flow:to_server,established; content:".xm"; fast_pattern:only; http_uri; pcre:"/\x2exm([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xm; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service http; classtype:misc-activity; sid:22043; rev:8;) +alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY XM file attachment detected"; flow:to_client,established; content:".xm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exm/i"; flowbits:set,file.xm; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:22044; rev:9;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XM file attachment detected"; flow:to_server,established; content:".xm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exm/i"; flowbits:set,file.xm; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:22045; rev:10;) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY XM file magic detected"; flow:to_client,established; file_data; content:"Extended Module:"; fast_pattern:only; flowbits:set,file.xm; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:22046; rev:9;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Alureon - Malicious IFRAME load attempt"; 
flow:to_client,established; file_data; content:"name=|5C 22|Twitter|5C 22| scrolling=|5C 22|auto|5C 22| frameborder=|5C 22|no|5C 22| align=|5C 22|center|5C 22| height = |5C 22|1px|5C 22| width = |5C 22|1px|5C 22|>"; fast_pattern:only; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1102; classtype:trojan-activity; sid:22061; rev:8;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP-CGI remote file include attempt"; flow:to_server,established; content:"auto_prepend_file"; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2012-1823; reference:cve,2012-2311; reference:cve,2012-2335; reference:cve,2012-2336; classtype:attempted-admin; sid:22063; rev:11;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP Multiple Products FTP MKD buffer overflow attempt"; flow:to_server,established; content:"MKD "; depth:4; isdataat:75,relative; content:!"|0A|"; within:75; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,11772; reference:bugtraq,15457; reference:bugtraq,23885; reference:bugtraq,39041; reference:bugtraq,612; reference:bugtraq,7278; reference:bugtraq,9872; reference:cve,1999-0911; reference:cve,2004-1135; reference:cve,2005-3683; reference:cve,2007-2586; reference:cve,2009-3023; reference:cve,2010-0625; reference:nessus,12108; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-053; reference:url,www.exploit-db.com/exploits/14399/; reference:url,www.kb.cert.org/vuls/id/276653; classtype:attempted-admin; sid:23055; rev:10;) +# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE script before DOCTYPE possible malicious redirect attempt"; flow:to_client,established; file_data; content:" $HOME_NET any (msg:"INDICATOR-OBFUSCATION hex escaped characters in setTimeout call"; 
flow:established,to_client; file_data; content:"setTimeout|28|"; nocase; content:"|5C|x"; within:10; nocase; content:"|5C|x"; within:10; nocase; pcre:"/setTimeout\x28[\x22\x27][^\x2C]*?\x5cx[\da-f]{2}[^\x2C]*?[\da-f]{2,}\x5cx[\da-f]{2}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:23481; rev:6;) +# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION hex escaped characters in addEventListener call"; flow:established,to_client; file_data; content:"addEventListener|28|"; nocase; content:"|5C|x"; within:10; nocase; content:"|5C|x"; within:10; nocase; pcre:"/addEventListener\x28[\x22\x27][^\x2C]*?\x5cx[\da-f]{2}[^\x2C]*?[\da-f]{2,}\x5cx[\da-f]{2}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:23482; rev:6;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.ZeroAccess outbound connection"; flow:to_server; dsize:20; content:"|9E 98|"; depth:2; offset:6; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407d9a90703047e7db7ff9/analysis/; classtype:trojan-activity; sid:23492; rev:5;) -# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION known packer routine with secondary obfuscation"; flow:to_client,established; file_data; content:"eval(function(p,a,c,k,e,r)"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,dean.edwards.name/packer/; classtype:misc-activity; sid:23621; rev:7;) -# alert tcp $EXTERNAL_NET 
$FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION JavaScript built-in function parseInt appears obfuscated - likely packer or encoder"; flow:to_client,established; file_data; content:"|5B 27|parse|27 2B 27|Int|27 5D 28|"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,snort.org/rule_docs/1-23636; classtype:trojan-activity; sid:23636; rev:9;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|03 04|"; depth:4; content:!"|14 00 06 00|"; within:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23651; rev:12;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK00PK|03 04|"; depth:8; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23652; rev:13;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|01 02|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23653; rev:13;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|05 06|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23654; rev:13;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 08|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset 
community, service smtp; classtype:misc-activity; sid:23655; rev:13;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 07|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23656; rev:13;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 06|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23657; rev:13;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PNG file magic detected"; flow:to_server,established; file_data; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; flowbits:set,file.png; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23664; rev:14;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF E0|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23667; rev:11;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY RTF file magic detected"; flow:to_server,established; file_data; content:"{|5C|rt"; fast_pattern:only; flowbits:set,file.rtf; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23670; rev:11;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PDF file magic detected"; flow:to_server,established; file_data; content:"%PDF-"; nocase; flowbits:set,file.pdf; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23678; rev:11;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Compound File Binary v3 
file magic detected"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 03 00|"; within:4; distance:16; flowbits:set,file.ole; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23707; rev:13;) +# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION known packer routine with secondary obfuscation"; flow:to_client,established; file_data; content:"eval(function(p,a,c,k,e,r)"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,dean.edwards.name/packer/; classtype:misc-activity; sid:23621; rev:9;) +# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION JavaScript built-in function parseInt appears obfuscated - likely packer or encoder"; flow:to_client,established; file_data; content:"|5B 27|parse|27 2B 27|Int|27 5D 28|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,snort.org/rule_docs/1-23636; classtype:trojan-activity; sid:23636; rev:11;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|03 04|"; depth:4; content:!"|14 00 06 00|"; within:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23651; rev:15;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; 
content:"PK00PK|03 04|"; depth:8; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23652; rev:16;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|01 02|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23653; rev:16;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|05 06|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23654; rev:16;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 08|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23655; rev:16;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 07|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; 
classtype:misc-activity; sid:23656; rev:16;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 06|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23657; rev:16;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PNG file magic detected"; flow:to_server,established; file_data; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; flowbits:set,file.png; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23664; rev:17;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF E0|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23667; rev:14;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY RTF file magic detected"; flow:to_server,established; file_data; content:"{|5C|rt"; fast_pattern:only; flowbits:set,file.rtf; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23670; rev:14;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PDF file magic detected"; flow:to_server,established; file_data; content:"%PDF-"; nocase; flowbits:set,file.pdf; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; 
classtype:misc-activity; sid:23678; rev:14;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 03 00|"; within:4; distance:16; flowbits:set,file.ole; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23707; rev:16;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Compound File Binary v4 file magic detected"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 04 00|"; within:4; distance:16; flowbits:set,file.oless.v4; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23708; rev:7;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY OLE Document file magic detected"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; flowbits:set,file.ole; flowbits:set,file.fpx; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23711; rev:11;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Portable Executable binary file magic detected"; flow:to_server,established; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; flowbits:set,file.exe; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips drop, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23725; rev:10;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XML file magic detected"; flow:to_server,established; file_data; content:""; depth:50; nocase; flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service smtp; 
classtype:misc-activity; sid:23758; rev:7;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XML file magic detected"; flow:to_server,established; file_data; content:" $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY OLE Document file magic detected"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; flowbits:set,file.ole; flowbits:set,file.fpx; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23711; rev:14;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Portable Executable binary file magic detected"; flow:to_server,established; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; flowbits:set,file.exe; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23725; rev:12;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XML file magic detected"; flow:to_server,established; file_data; content:""; depth:50; nocase; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23758; rev:10;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XML file magic detected"; flow:to_server,established; file_data; content:" $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY EMF file magic detected"; flow:to_server,established; file_data; content:"|01 00 00 00|"; depth:4; content:"|20|EMF"; within:4; distance:36; fast_pattern; flowbits:set,file.emf; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23766; rev:12;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 
(msg:"FILE-IDENTIFY XM file magic detected"; flow:to_server,established; file_data; content:"Extended Module:"; fast_pattern:only; flowbits:set,file.xm; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23773; rev:7;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XM file magic detected"; flow:to_server,established; file_data; content:"Extended Module:"; fast_pattern:only; flowbits:set,file.xm; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23773; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Magania variant outbound connection"; flow:to_server,established; content:"User-Agent: Google page|0D 0A|"; fast_pattern:only; content:".asp?"; content:"mac="; within:4; content:"&ver="; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.seculert.com/blog/2013/06/adversary-arsenal-exposed-part-i-pinkstats.html; reference:url,www.virustotal.com/file/6a813f96bb65367a8b5c5ba2937c773785a0a0299032a6c77b9b0862be8bdb71/analysis/; classtype:trojan-activity; sid:24015; rev:8;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Possible malicious redirect - rebots.php"; flow:to_server,established; content:"/rebots.php"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.sucuri.net/2012/08/rebots-php-javascript-malware-being-actively-injected.html; reference:url,labs.sucuri.net/db/malware/mwjs-include-rebots; classtype:misc-activity; sid:24017; rev:4;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER malicious redirection attempt"; flow:to_server,established; content:"a=YWZmaWQ9MDUyODg"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, 
policy security-ips drop, ruleset community, service http; reference:url,blog.sucuri.net/2012/09/compromised-websites-hosting-calls-to-java-exploit.html; classtype:bad-unknown; sid:24225; rev:2;) -# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android/Fakelash.A!tr.spy trojan command and control channel traffic"; flow:to_server,established; content:"/data.php?action="; nocase; http_uri; content:"&m="; distance:0; nocase; http_uri; content:"&p="; distance:0; nocase; http_uri; content:"&n="; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:url,blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/; classtype:trojan-activity; sid:24251; rev:4;) -# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE IP only webpage redirect attempt"; flow:to_client,established; file_data; content:"]*\x2f\x2f\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}/sR"; metadata:ruleset community, service http; classtype:bad-unknown; sid:24253; rev:6;) -# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE IP only webpage redirect attempt"; flow:to_client,established; file_data; content:"document.location="; pcre:"/^[^>]*\x2f\x2f\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}/sR"; metadata:ruleset community, service http; classtype:bad-unknown; sid:24254; rev:6;) -alert tcp $HOME_NET any -> $EXTERNAL_NET 84 (msg:"MALWARE-OTHER Malicious UA detected on non-standard port"; flow:to_server,established,no_stream; content:"User-Agent|3A| Mozilla/5.0 |28|Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US|29|"; detection_filter:track by_src, count 1, seconds 120; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,anubis.iseclab.org/?action=result&task_id=1691c3b8835221fa4692960681f39c736&format=html; classtype:trojan-activity; sid:24265; rev:5;) -alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB NTLM 
NULL session attempt"; flow:to_server,established; flowbits:isnotset,smb.null_session; content:"|FF|SMB|73 00 00 00 00|"; depth:9; offset:4; content:"|00 00|"; within:2; distance:13; content:"|FF|"; within:1; distance:9; content:"NTLMSSP|00 03 00 00 00|"; within:100; content:"|00 00 00 00 48 00 00 00|"; within:8; distance:24; fast_pattern; flowbits:set,smb.null_session; flowbits:noalert; metadata:ruleset community, service netbios-ssn; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:24359; rev:5;) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF E1|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:24455; rev:9;) -alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF EE|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:24456; rev:9;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF E1|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:24457; rev:8;) -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF EE|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:24458; rev:8;) -# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM 1.usa.gov URL in email, possible spam redirect"; flow:to_server, established; file_data; 
content:"http|3A 2F 2F|1.usa.gov"; pcre:"/http\x3A\x2f\x2f1\.usa\.gov\x2f[a-f0-9]{6,8}/smi"; metadata:ruleset community, service smtp; reference:url,www.symantec.com/connect/blogs/spam-gov-urls; classtype:bad-unknown; sid:24598; rev:3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Possible malicious redirect - rebots.php"; flow:to_server,established; content:"/rebots.php"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.sucuri.net/2012/08/rebots-php-javascript-malware-being-actively-injected.html; reference:url,labs.sucuri.net/db/malware/mwjs-include-rebots; classtype:misc-activity; sid:24017; rev:5;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER malicious redirection attempt"; flow:to_server,established; content:"a=YWZmaWQ9MDUyODg"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.sucuri.net/2012/09/compromised-websites-hosting-calls-to-java-exploit.html; classtype:bad-unknown; sid:24225; rev:3;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android/Fakelash.A!tr.spy trojan command and control channel traffic"; flow:to_server,established; content:"/data.php?action="; nocase; http_uri; content:"&m="; distance:0; nocase; http_uri; content:"&p="; distance:0; nocase; http_uri; content:"&n="; distance:0; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/; classtype:trojan-activity; sid:24251; rev:5;) +# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE IP only webpage redirect attempt"; flow:to_client,established; file_data; 
content:"]*\x2f\x2f\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}/sR"; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:bad-unknown; sid:24253; rev:7;) +# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE IP only webpage redirect attempt"; flow:to_client,established; file_data; content:"document.location="; pcre:"/^[^>]*\x2f\x2f\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}/sR"; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:bad-unknown; sid:24254; rev:7;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 84 (msg:"MALWARE-OTHER Malicious UA detected on non-standard port"; flow:to_server,established,no_stream; content:"User-Agent|3A| Mozilla/5.0 |28|Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US|29|"; detection_filter:track by_src, count 1, seconds 120; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,anubis.iseclab.org/?action=result&task_id=1691c3b8835221fa4692960681f39c736&format=html; classtype:trojan-activity; sid:24265; rev:6;) +alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt"; flow:to_server,established; content:"|FF|SMB|73 00 00 00 00|"; depth:9; offset:4; content:"|00 00|"; within:2; distance:13; content:"|FF|"; within:1; distance:9; content:"NTLMSSP|00 03 00 00 00|"; within:100; content:"|00 00 00 00 48 00 00 00|"; within:8; distance:24; fast_pattern; flowbits:set,smb.null_session; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service netbios-ssn; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:24359; rev:9;) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF E1|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy 
balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:24455; rev:12;) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF EE|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:24456; rev:12;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF E1|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:24457; rev:11;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF EE|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:24458; rev:11;) +# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM 1.usa.gov URL in email, possible spam redirect"; flow:to_server, established; file_data; content:"http|3A 2F 2F|1.usa.gov"; pcre:"/http\x3A\x2f\x2f1\.usa\.gov\x2f[a-f0-9]{6,8}/smi"; metadata:policy max-detect-ips drop, ruleset community, service smtp; reference:url,www.symantec.com/connect/blogs/spam-gov-urls; classtype:bad-unknown; sid:24598; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential Banking Trojan Config File Download"; flow:to_server,established; urilen:11; 
content:"|2F|Config|2E|txt"; fast_pattern:only; http_uri; content:"Mozilla|2F|3|2E|0|20 28|compatible|3B 20|Indy|20|Library|29 0D 0A|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/2418469245edf860633f791b972e1a8a11e5744c6deb0cc1a55531cba3d0bd7f/analysis/; classtype:trojan-activity; sid:24885; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dorkbot variant outbound connection"; flow:to_server,established; content:".php?ip="; http_uri; content:"&os="; distance:0; http_uri; content:"&name="; distance:0; http_uri; content:"&id="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c425af6875dff2c0627421086f66b7e058f51d22939478529702d193837c6cfe/analysis/; classtype:trojan-activity; sid:24886; rev:3;) -alert tcp $HOME_NET any -> $EXTERNAL_NET [139,445] (msg:"NETBIOS SMB Trans2 FIND_FIRST2 find file and directory info request"; flow:established,to_server; content:"|FF|SMB2|00 00 00 00|"; depth:9; offset:4; byte_test:1,!&,128,0,relative; content:"|01 00|"; within:2; distance:52; content:"|04 01|"; within:2; distance:11; flowbits:set,smb.trans2.fileinfo; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:24972; rev:3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET [139,445] (msg:"NETBIOS SMB Trans2 FIND_FIRST2 find file and directory info request"; flow:to_server,established; content:"|FF|SMB2|00 00 00 00|"; depth:9; offset:4; byte_test:1,!&,0x80,0,relative; content:"|01 00|"; within:2; distance:52; byte_jump:2,-10,relative,little,from_beginning,post_offset 10; content:"|04 01|"; within:2; flowbits:set,smb.trans2.fileinfo; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:24972; rev:6;) # alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:11<>20; content:"POST"; http_method; content:".php"; http_uri; content:"|3B 20|MSIE|20|"; http_header; content:!"|0D 0A|Accept|2D|Language|3A|"; http_header; content:!"|0D 0A|Referer|3A|"; http_header; content:!"|0D 0A|Cookie|3A|"; http_header; content:!"Content-Disposition"; http_client_body; content:"Content-Length: "; nocase; byte_test:8,<,369,0,string,relative; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/P"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25050; rev:8;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ZeroAccess Clickserver callback"; flow:to_server,established; urilen:95; content:" HTTP/1.0|0D 0A|Host:"; fast_pattern:only; pcre:"/^\x2f[A-Z\d]{83}\x3d[A-Z\d]{10}$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25054; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - NewBrandTest"; flow:to_server,established; content:"User-Agent|3A 20|NewBrandTest|0D 0A|"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/02b18d0aa415e299515891b56424751e846ca917d3bb55b82f07cfb97f62c4e1/analysis/; classtype:trojan-activity; sid:25119; rev:3;) 
@@ -2508,119 +2509,119 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Troja alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BancosBanload variant outbound connection"; flow:to_server,established; content:".gif"; http_uri; content:"|0D 0A|Accept|2D|Encoding|3A 20|gzip|2C|deflateidentity|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/098fa9dbc519669a50fc6f3cdc8d9e4b05a6f0c32d154f515e403b54d72efff6/analysis/1357138873/; classtype:trojan-activity; sid:25259; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Buterat variant outbound connection"; flow:to_server,established; content:"From|3A|"; http_header; content:"Via|3A|"; http_header; urilen:13; pcre:"/^\x2f\d{3}\x2f\d{3}\x2ehtml$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/90fb793d1fd7245b841ca4b195e3944a991d97d854090729062d700fe74553e5/analysis/; classtype:trojan-activity; sid:25269; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Buzus variant outbound connection"; flow:to_server,established; content:"/default.aspx?ver="; http_uri; content:"&uid="; distance:0; http_uri; content:"|3B 20|MRA|20|5.10|20|"; http_header; pcre:"/\x26uid\x3d[a-f0-9]{16}($|\x26)/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25271; rev:3;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Request for a non-legit postal receipt"; flow:to_server,established; content:".php?php=receipt"; fast_pattern:only; http_uri; pcre:"/\x2f[a-z0-9]+\.php\?php\x3dreceipt$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; 
reference:url,urlquery.net/search.php?q=.php%3Fphp%3Dreceipt&type=string; classtype:misc-activity; sid:25277; rev:2;) -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scan attempt"; flow:to_server,established; flowbits:set,acunetix-scan; content:"Acunetix-"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25358; rev:4;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner probe attempt"; flow:to_server,established; content:"/acunetix-wvs-test-for-some-inexistent-file"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25359; rev:2;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner authentication attempt"; flow:to_server,established; content:"password=g00dPa$$w0rD"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25360; rev:2;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner RFI attempt"; flow:to_server,established; content:"src=/testasp.vulnweb.com/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25361; rev:2;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt"; flow:to_server,established; content:"PHNjcmlwdD"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25362; rev:2;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner URI injection attempt"; 
flow:to_server,established; content:"http:/www.acunetix.com"; fast_pattern:only; http_uri; content:"Acunetix-"; nocase; http_header; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25363; rev:3;) -# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt"; flow:to_server,established; content:"|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26780; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC XP Fake Antivirus Payment Page Request"; flow:to_server,established; urilen:23; content:"/content/img/awards.jpg"; fast_pattern:only; http_uri; pcre:"/\r\nReferer\x3A\x20http\x3A\x2F\x2f[a-z0-9\x2d\x2e]+\x2F\x3Fdo\x3Dpayment\x26ver\x3D\d+\x26sid\x3D\d+\x26sn\x3D\d+\r\n/H"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,camas.comodo.com/cgi-bin/submit?file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8; classtype:trojan-activity; sid:26811; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC XP Fake Antivirus Check-in"; flow:to_server,established; urilen:11; content:"|3B| MSIE 6.0|3B| Windows NT 5.1)|0D 0A|Accept: */*|0D 0A|"; fast_pattern:only; http_header; pcre:"/^\x2F\d{10}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,camas.comodo.com/cgi-bin/submit?file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8; classtype:trojan-activity; sid:26812; rev:1;) -# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from Linked-In Mailing 
Campaign"; flow:to_server,established; urilen:17,norm; content:"/linkendorse.html"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:26814; rev:2;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from Linked-In Mailing Campaign"; flow:to_server,established; urilen:17,norm; content:"/linkendorse.html"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26814; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page in.php base64 uri"; flow:to_server,established; urilen:<75; content:"/in.php"; http_uri; content:"&q="; distance:0; http_uri; content:"=="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26834; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RDN Banker POST variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"op=IncluirAvisos&"; fast_pattern:only; http_client_body; content:"HostBD="; depth:7; offset:17; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1a23f27b046af92b7dd2c4a8f8349c9fd9582ad91b5a61556470c58b15af3b26/analysis/1369251144/; classtype:trojan-activity; sid:26835; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RDN Banker Strange Google Traffic"; flow:to_server,established; urilen:30; content:"User-Agent: Mozilla/4.0 (compatible|3B| Win32|3B| 
WinHttp.WinHttpRequest.5)"; fast_pattern:only; http_header; content:"Host: www.google.com"; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1a23f27b046af92b7dd2c4a8f8349c9fd9582ad91b5a61556470c58b15af3b26/analysis/1369251144/; classtype:trojan-activity; sid:26836; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC BitBot Idle C2 response"; flow:to_client,established; file_data; content:"<|5C||5C||5C|>IDLE<|5C||5C||5C|>"; depth:18; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26837; rev:2;) -# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from NatPay Mailing Campaign"; flow:to_server,established; content:"/natpay.html?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:26838; rev:2;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Boda Malware Checkin"; flow:to_server,established; content:"macName="; depth:60; http_client_body; content:"&macOS="; within:100; http_client_body; content:"&macMac="; within:200; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26842; rev:1;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from NatPay Mailing Campaign"; flow:to_server,established; content:"/natpay.html?"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26838; rev:3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Boda Malware Checkin"; flow:to_server,established; content:"macName="; depth:60; http_client_body; content:"&macOS="; within:100; 
http_client_body; content:"&macMac="; within:200; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26842; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ZeroAccess Encrypted 128-byte POST No Accept Headers"; flow:to_server,established; content:"POST"; http_method; content:"Content-Length: 128|0D 0A|"; fast_pattern:only; http_header; content:" HTTP/1."; content:"|0D 0A|User-Agent: "; within:14; distance:1; content:!"|0D 0A|Accept"; http_header; pcre:"/[^ -~\x0d\x0a]{4}/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:26910; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rombrast Trojan outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/info.php?act="; fast_pattern:only; http_uri; pcre:"/^\/info\.php\?act\x3d(list|online)/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26911; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rombrast Trojan outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"<|7C|>"; fast_pattern:only; http_client_body; content:"data="; depth:5; http_client_body; content:"<|7C|>"; within:3; distance:31; http_client_body; content:"<|7C|>"; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26912; rev:2;) 
@@ -2677,15 +2678,15 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL generic convert injection attempt - GET parameter"; flow:to_server,established; content:"convert|28|"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:26925; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download"; flow:to_client,established; content:"filename=atom.jar"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26947; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download"; flow:to_client,established; content:"filename=site.jar"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2013-1493; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26948; rev:5;) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit landing page"; flow:to_client,established; file_data; content:" $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit landing page"; flow:to_client,established; file_data; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Win32 Facebook Secure Cryptor C2"; flow:to_server,established; content:"/forum/search.php?email="; http_uri; content:"&method="; distance:0; http_uri; content:!"Referer"; http_header; content:!"Accept-"; http_header; metadata:policy balanced-ips drop, 
policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2013/06/18/your-facebook-connection-is-now-secured; classtype:trojan-activity; sid:26965; rev:2;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; isdataat:141; isdataat:!142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gozi Data Theft POST Data"; flow:to_server,established; content:"POST"; http_method; content:"data.php"; http_uri; content:"|0D 0A|URL: "; fast_pattern:only; http_client_body; content:"Content-Disposition: form-data|3B| name="; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; 
reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:26968; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gozi Trojan Data Theft POST URL"; flow:to_server,established; content:"POST"; http_method; content:".php?version="; http_uri; content:"&user="; distance:0; http_uri; content:"&server="; distance:0; http_uri; content:"&name="; distance:0; http_uri; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:26969; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Pirminay variant outbound connection"; flow:to_server,established; content:"Cookie: cache=cc2="; fast_pattern:only; content:"cache=cc2="; http_cookie; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r\n/H"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/97f97c2126ed6ffc447a5f8c72d504679129a38f8a62e4678321f9a8057c3307/analysis/; classtype:trojan-activity; sid:26970; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector Info Stealer Trojan variant outbound connection"; flow:to_server,established; content:"/xgi-bin/"; depth:9; http_uri; content:".php?"; within:5; distance:1; http_uri; content:"|3B| MSIE "; http_header; content:!"Accept-Language:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4BAF26D033E17F0171AB27291649EEAE19EE33BD0246F17BC921E3ADB7F36F42/analysis/; classtype:trojan-activity; sid:26984; rev:3;) -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rawin exploit kit outbound 
java retrieval"; flow:to_server,established; content:"rawin.php?b="; http_uri; content:"&v=1."; distance:0; http_uri; pcre:"/\.php\?b=[A-F0-9]+&v=1\./U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26985; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rawin exploit kit outbound java retrieval"; flow:to_server,established; content:"rawin.php?b="; http_uri; content:"&v=1."; distance:0; http_uri; pcre:"/\.php\?b=[A-F0-9]+&v=1\./U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26985; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dapato variant inbound response connection"; flow:to_client,established; content:"Content-Length: 150|0D 0A|"; fast_pattern:only; http_header; file_data; content:"|0D 0A|"; depth:2; offset:4; content:"|0D 0A|"; within:2; distance:4; content:"|0D 0A|"; within:2; distance:4; pcre:"/^([A-F0-9]{4})\r\n\1\r\n\1\r\n([A-F0-9]{26})\r\n[A-F0-9]{48}\r\n\2\r\n\2$/"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/111ffe389dc8fa802b8aff3b4e02a2f59d1b6492763f9dc5a20a84f4da46932a/analysis/; classtype:trojan-activity; sid:27017; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OnlineGameHack variant outbound connection"; flow:to_server,established; content:"/get.asp?mac="; http_uri; content:"&os="; within:36; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,image.ahnlab.com/global/upload/download/asecreport/ASEC_Report_Vol.39_Eng.pdf; classtype:trojan-activity; sid:27039; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jorg"; 
flow:to_server,established; content:"/jorg.html"; fast_pattern:only; http_uri; pcre:"/\/jorg\.html$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27040; rev:4;) 
@@ -2693,28 +2694,28 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx expl alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jovf"; flow:to_server,established; content:"/jovf.html"; fast_pattern:only; http_uri; pcre:"/\/jovf\.html$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27042; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string pb - Htbot"; flow:to_server,established; content:"User-Agent: pb|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/MTNlMDg4ZTQwZjU2NDUxM2EwZDNlYzllNjZkMjRkNDI/; reference:url,www.virustotal.com/en/file/36802c72d1d5addc87d16688dcb37b680fd48f832fa7b93c15cf4f426aa3f0a7/analysis/; classtype:trojan-activity; sid:27044; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Blocker Download"; flow:to_client,established; flowbits:isset,file.exe; content:"filename="; http_header; content:"security_cleaner.exe"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/6d4d93f68aaf783a2526d920fa3c070d061fd56853669a72a10b2c2232008582/analysis/1372086855/; classtype:trojan-activity; sid:27045; rev:2;) -# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Unknown ?1 redirect"; flow:to_server,established; content:"GET /?1 HTTP/1.1"; fast_pattern:only; metadata:ruleset community, 
service http; classtype:bad-unknown; sid:27047; rev:2;) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Unknown Malvertising exploit kit Hostile Jar pipe.class"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"PK"; content:"|00|pipe.class"; distance:0; content:"|00|inc.class"; distance:0; content:"|00|fdp.class"; distance:0; fast_pattern; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27085; rev:2;) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Unknown Malvertising exploit kit stage-1 redirect"; flow:to_client,established; content:"|0A||0A||0A 0A|"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27086; rev:2;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Unknown ?1 redirect"; flow:to_server,established; content:"GET /?1 HTTP/1.1"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:bad-unknown; sid:27047; rev:3;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Unknown Malvertising exploit kit Hostile Jar pipe.class"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"PK"; content:"|00|pipe.class"; distance:0; content:"|00|inc.class"; distance:0; content:"|00|fdp.class"; distance:0; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27085; rev:3;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Unknown Malvertising exploit kit stage-1 redirect"; flow:to_client,established; content:"|0A||0A||0A 0A|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27086; rev:3;) alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit outbound portable executable request"; flow:to_server,established; content:"php?sf="; http_uri; content:"&Ze="; distance:0; http_uri; content:"&m="; distance:0; http_uri; pcre:"/php\?sf=\d+\&Ze=\d+\&m=\d+/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; classtype:trojan-activity; sid:27110; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Zeroaccess download attempt"; flow:to_server,established; content:"/?f=a"; http_uri; content:"&k="; distance:0; http_uri; pcre:"/\&k=\d+($|\&h=)/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; reference:url,www.malwaresigs.com/2013/06/14/dotcachef/; classtype:trojan-activity; sid:27113; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Private exploit kit outbound traffic"; flow:to_server,established; content:".php?"; http_uri; content:"content-type: application/"; http_header; content:" Java/1"; http_header; pcre:"/\x2ephp\x3f[a-z]+=[a-fA-Z0-9]+&[a-z]+=[0-9]+$/iU"; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,www.malwaresigs.com/2013/07/03/another-unknown-ek; classtype:trojan-activity; sid:27144; rev:3;) # alert tcp $HOME_NET 
any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Meredrop variant outbound connection GET Request"; flow:to_server,established; content:"/?"; depth:2; http_uri; content:"h=NT"; fast_pattern:only; http_uri; pcre:"/\.[A-Z\d]{8}\x2d[A-Z\d]{6}\x2d[A-Z\d]{6}\x2d[A-Z\d]{8}/U"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/dfb0050cb7fd6c879027cbecda703613b8d9fb2b2a5682478dbcd0518172302c/analysis/1373576492/; classtype:trojan-activity; sid:27199; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Meredrop variant outbound connection POST Request"; flow:to_server,established; content:"POST"; content:"|3B 20|MSIE 28|3B 20|"; fast_pattern:only; http_header; content:"User-Agent"; http_header; pcre:"/User\x2dAgent\x3a\x20[ -~]*?\.[A-Z\d]{8}\x2d[A-Z\d]{6}\x2d[A-Z\d]{6}\x2d[A-Z\d]{8}\x3b[ -~]*?\r\n/H"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/dfb0050cb7fd6c879027cbecda703613b8d9fb2b2a5682478dbcd0518172302c/analysis/1373576492/; classtype:trojan-activity; sid:27200; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Neurevt variant outbound connection"; flow:to_server,established; content:"ps0="; depth:4; http_client_body; content:"ps1="; distance:0; http_client_body; content:"cs1="; distance:0; http_client_body; content:"cs2="; distance:0; http_client_body; content:"cs3="; distance:0; http_client_body; pcre:"/ps0=[A-F0-9]*&ps1=[A-F0-9]*&cs1=[A-F0-9]*&cs2=[A-F0-9]*&cs3=[A-F0-9]*/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27201; rev:4;) -# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Apache auto_prepend_file a.control.bin C2 traffic"; flow:to_server,established; content:"User-Agent|3A| 
SEX|2F|1"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html; classtype:trojan-activity; sid:27203; rev:3;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Apache auto_prepend_file a.control.bin C2 traffic"; flow:to_server,established; content:"User-Agent|3A| SEX|2F|1"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html; classtype:trojan-activity; sid:27203; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Potential Bancos Brazilian Banking Trojan Browser Proxy Autoconfig File"; flow:to_client,established; file_data; content:"return |22|DIRECT|22|"; fast_pattern:only; content:".com.br"; nocase; pcre:"/\x22[a-z\d\x2e\x2d]{1,10}\x22\s{0,3}\+\s{0,3}\x22[a-z\d\x2e\x2d]{1,10}\x22\s{0,3}\+\s{0,3}\x22[a-z\d\x2e\x2d]{1,10}\x22/i"; metadata:impact_flag red, ruleset community, service http; classtype:trojan-activity; sid:27204; rev:1;) -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Mac OSX FBI ransomware"; flow:to_client,established; file_data; content:"