emerging-policy.rules

# Emerging Threats 
#
# This distribution may contain rules under two different licenses. 
#
#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
#  as follows:
#
#*************************************************************
#  Copyright (c) 2003-2019, Emerging Threats
#  All rights reserved.
#  
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
#  following conditions are met:
#  
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
#    from this software without specific prior written permission.
#  
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#*************************************************************
#
#
#
#

# This Ruleset is EmergingThreats Open optimized for suricata-4.0-enhanced.

#alert udp [174.129.0.0/16,67.202.0.0/18,79.125.0.0/17,184.72.0.0/15,75.101.128.0/17,174.129.0.0/16,204.236.128.0/17] !53 -> $HOME_NET !53 (msg:"ET POLICY Incoming UDP Packet From Amazon EC2 Cloud";  metadata: former_category POLICY; reference:url,doc.emergingthreats.net/2010816; classtype:misc-activity; sid:2010816; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY REG files version 5 download"; flow: established; content:"Windows Registry Editor Version 5.00"; content:"|0D 0A|"; content:"["; content:"HKEY_"; nocase; reference:url,www.ss64.com/nt/regedit.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000421; classtype:misc-activity; sid:2000421; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY REG files version 5 Unicode download"; flow: established; content:"W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|R|00|e|00|g|00|i|00|s|00|t|00|r|00|y|00| |00|E|00|d|00|i|00|t|00|o|00|r|00| |00|V|00|e|00|r|00|s|00|i|00|o|00|n|00| |00|5|00|.|00|0|00|0|00|"; content:"|0D 0A|"; content:"[|00|"; content:"H|00|K|00|E|00|Y|00|_|00|"; nocase; reference:url,www.ss64.com/nt/regedit.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000422; classtype:misc-activity; sid:2000422; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY EXE compressed PKWARE Windows file download"; flow: established; content:"MZ"; isdataat: 28,relative; content:"PKLITE"; distance: 0; reference:url,www.program-transformation.org/Transform/PcExeFormat; reference:url,doc.emergingthreats.net/bin/view/Main/2000426; classtype:misc-activity; sid:2000426; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY ZIP file download"; flow: established; content:"PK|0304|"; byte_test:1, <=, 0x14, 0, string, hex; content:"|00 00 00|"; distance: 0; reference:url,zziplib.sourceforge.net/zzip-parse.print.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000428; classtype:misc-activity; sid:2000428; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Download Windows Help File CHM"; flow: established; content:"ITSF|03|"; isdataat: 19,relative; content:"|7C 01 FD 10 7B AA 11 D0 9E 0C 00 A0 C9 22 E6 EC 7C 01 FD 11 7B AA 11 D0 9E 0C 00 A0 C9 22 E6 EC|"; distance: 0; reference:url,www.speakeasy.org/~russotto/chm/chmformat.html; reference:url,www.securiteam.com/windowsntfocus/6V00N000AU.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000489; classtype:misc-activity; sid:2000489; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Download Windows Help File CHM 2"; flow: established; content:"ITSF|03|"; isdataat: 19,relative; content:"|10 FD 01 7C AA 7B D0 11 9E 0C 00 A0 C9 22 E6 EC 11 FD 01 7C AA 7B D0 11 9E 0C 00 A0 C9 22 E6 EC|"; distance: 0; reference:url,www.speakeasy.org/~russotto/chm/chmformat.html; reference:url,www.securiteam.com/windowsntfocus/6V00N000AU.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000429; classtype:misc-activity; sid:2000429; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip [10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16] any -> $HOME_NET any (msg:"ET POLICY Reserved Internal IP Traffic"; threshold: type limit, track by_src, count 1, seconds 360; reference:url,www.cymru.com/Documents/bogon-list.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002752; classtype:bad-unknown; sid:2002752; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> 38.97.75.0/24 443 (msg:"ET POLICY Carbonite Online Backup SSL Handshake"; flow:established,to_server; content:"CarboniteInc"; offset:56; reference:url,doc.emergingthreats.net/2009798; classtype:policy-violation; sid:2009798; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET 23 -> any any (msg:"ET POLICY Cisco Device in Config Mode"; flow: established; content:"Enter configuration commands, one per line"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001239; classtype:not-suspicious; sid:2001239; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET 23 -> any any (msg:"ET POLICY Cisco Device New Config Built"; flow: established; content:"Building configuration..."; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001240; classtype:not-suspicious; sid:2001240; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 20000 (msg:"ET POLICY Club World Casino Client in Use"; flow:established,to_server; dsize:23; content:"Club World Casinos"; reference:url,doc.emergingthreats.net/2007754; classtype:policy-violation; sid:2007754; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit spaced)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3}) \d{4} \d{4} \d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001375; classtype:policy-violation; sid:2001375; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit dashed)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})-\d{4}-\d{4}-\d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001376; classtype:policy-violation; sid:2001376; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})\d{12} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001377; classtype:policy-violation; sid:2001377; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (15 digit)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800)\d{11} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001378; classtype:policy-violation; sid:2001378; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (15 digit spaced)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800) \d{4} \d{4} \d{3} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001379; classtype:policy-violation; sid:2001379; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (15 digit dashed)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800)-\d{4}-\d{4}-\d{3} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001380; classtype:policy-violation; sid:2001380; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (14 digit)"; pcre:"/ (30[0-5]\d|36\d{2}|38\d{2})\d{10} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001381; classtype:policy-violation; sid:2001381; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (14 digit spaced)"; pcre:"/ (30[0-5]\d|36\d{2}|38\d{2}) \d{4} \d{4} \d{2} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001382; classtype:policy-violation; sid:2001382; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (14 digit dashed)"; pcre:"/ (30[0-5]\d|36\d{2}|38\d{2})-\d{4}-\d{4}-\d{2} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001383; classtype:policy-violation; sid:2001383; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (15 digit spaced 2)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800) \d{6} \d{5} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2009293; classtype:policy-violation; sid:2009293; rev:1; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (15 digit dashed 2)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800)-\d{6}-\d{5} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2009294; classtype:policy-violation; sid:2009294; rev:1; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp any 53 -> ![$DNS_SERVERS,$SMTP_SERVERS] any (msg:"ET POLICY Unusual number of DNS No Such Name Responses"; content:"|83|"; offset:3; depth:1; threshold: type both , track by_dst, count 50, seconds 300; reference:url,doc.emergingthreats.net/2003195; classtype:bad-unknown; sid:2003195; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY nstx DNS Tunnel Outbound"; content:"cT"; offset:12; depth:3; content:"|00 10 00 01 00 00 29 08|"; within:255; reference:url,savannah.nongnu.org/projects/nstx/; reference:url,nstx.dereference.de/nstx; reference:url,doc.emergingthreats.net/2002676; classtype:bad-unknown; sid:2002676; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Dameware Remote Control Service Install"; flow: to_server,established; content:"DWRCK.DLL"; nocase; reference:url,doc.emergingthreats.net/2001294; classtype:successful-admin; sid:2001294; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET POLICY SMTP Executable attachment"; flow:established,to_server; content:"filename="; nocase; content:".exe"; nocase; distance:0; pcre:"/filename=\s*[^\n]+\.exe/i"; reference:url,doc.emergingthreats.net/2003325; classtype:policy-violation; sid:2003325; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET POLICY FTP Login Attempt (non-anonymous)"; flow:to_server,established; content:"USER"; content:!"PASS "; nocase; pcre:!"/^USER\s+(anonymous|ftp)/smi"; reference:url,doc.emergingthreats.net/2003303; classtype:misc-activity; sid:2003303; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET POLICY FTP Frequent Administrator Login Attempts"; flow:to_server,established; content:"USER Administrator|0d0a|"; nocase; threshold: type threshold, track by_src, count 3, seconds 30; reference:url,doc.emergingthreats.net/2009667; classtype:attempted-admin; sid:2009667; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET POLICY FTP Frequent Admin Login Attempts"; flow:to_server,established; content:"USER Admin|0d0a|"; nocase; threshold: type threshold, track by_src, count 3, seconds 30; reference:url,doc.emergingthreats.net/2009668; classtype:attempted-admin; sid:2009668; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 22:1024 (msg:"ET POLICY FTP Conversation on Low Port - Likely Hostile (TYPE A)"; flow:established,to_server; dsize:6; content:"TYPE "; depth:5; reference:url,doc.emergingthreats.net/2008589; classtype:trojan-activity; sid:2008589; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 22:1024 (msg:"ET POLICY FTP Conversation on Low Port - Likely Hostile (PASV)"; flow:established,to_server; dsize:4; content:"PASV"; reference:url,doc.emergingthreats.net/2008590; classtype:trojan-activity; sid:2008590; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp any 1985 -> 224.0.0.2 1985 (msg:"ET POLICY HSRP Active Router Changed"; content:"|00 04|"; depth:3; reference:url,packetlife.net/blog/2008/oct/27/hijacking-hsrp/; reference:url,doc.emergingthreats.net/2009243; classtype:bad-unknown; sid:2009243; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET !$HTTP_PORTS (msg:"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port"; flow:to_server,established; content:"CONNECT "; nocase; depth:8; content:" HTTP/1."; nocase; within:1000; reference:url,doc.emergingthreats.net/2008284; classtype:misc-activity; sid:2008284; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET POLICY Possible HTTP-TUNNEL to External Proxy for Anonymous Access"; flow:established,to_server; content:"GET /login/FetchProtocolVersion2.htm"; depth:36; threshold:type limit, track by_src,count 5, seconds 30; reference:url,doc.emergingthreats.net/2008842; classtype:policy-violation; sid:2008842; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET POLICY Possible HTTP-TUNNEL to External Proxy for Anonymous Access (server download)"; flow:established,to_server; content:"GET login/fetchFreeServersVersion2.aspx"; depth:39; threshold:type limit, track by_src,count 5, seconds 30; reference:url,doc.emergingthreats.net/2008843; classtype:policy-violation; sid:2008843; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Google Talk TLS Client Traffic"; flow:established,to_server; content:"gmail.com"; nocase; content:"jabber"; nocase; distance:64; within:78; reference:url,talk.google.com; reference:url,www.xmpp.org; reference:url,doc.emergingthreats.net/2002330; classtype:policy-violation; sid:2002330; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY IRC connection"; flow: established; content:"Welcome to the "; content:"IRC Network"; nocase; reference:url,doc.emergingthreats.net/2000356; classtype:misc-activity; sid:2000356; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY EIN in the clear (US-IRS Employer ID Number)"; pcre:"/ \d\d-\d{7} /"; reference:url,policy.ssa.gov/poms.nsf/lnx/0101001004; reference:url,policy.ssa.gov/poms.nsf/lnx/0101001001?opendocument; reference:url,doc.emergingthreats.net/2002658; classtype:policy-violation; sid:2002658; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY MP3 File Transfer Outbound"; flow:established; content:"ID3|03|"; content:"TIT2"; distance:6; within:10; reference:url,filext.com/detaillist.php?extdetail=mp3&Search=Search; reference:url,doc.emergingthreats.net/2002722; classtype:policy-violation; sid:2002722; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY MP3 File Transfer Inbound"; flow: established; content:"ID3|03|"; content:"TIT2"; distance:6; within:10; reference:url,filext.com/detaillist.php?extdetail=mp3&Search=Search; reference:url,doc.emergingthreats.net/2002723; classtype:policy-violation; sid:2002723; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp $HOME_NET any -> $EXTERNAL_NET 3544 (msg:"ET POLICY Microsoft TEREDO IPv6 tunneling"; content:"|FE 80 00 00 00 00 00 00 80 00|TEREDO"; offset:21; depth:16; reference:url,doc.emergingthreats.net/2003155; classtype:misc-activity; sid:2003155; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert udp any any -> any any (msg:"ET POLICY Netop Remote Control Usage"; content:"|554b30303736305337473130|"; reference:url,www.netop.com; reference:url,doc.emergingthreats.net/2001597; classtype:policy-violation; sid:2001597; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any $SSH_PORTS -> any any (msg:"ET POLICY SSH Server Banner Detected on Expected Port"; flowbits:noalert; flow: from_server,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,is_ssh_server_banner; reference:url,doc.emergingthreats.net/2001973; classtype:misc-activity; sid:2001973; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any $SSH_PORTS (msg:"ET POLICY SSH Client Banner Detected on Expected Port"; flowbits:isset,is_ssh_server_banner; flowbits:noalert; flow: from_client,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,is_ssh_client_banner; reference:url,doc.emergingthreats.net/2001974; classtype:misc-activity; sid:2001974; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any $SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected on Expected Port"; flowbits:isset,is_ssh_client_banner; flowbits:noalert; flow: from_server,established; byte_test:1,=,20,5; flowbits: set,is_ssh_server_kex; reference:url,doc.emergingthreats.net/2001975; classtype:misc-activity; sid:2001975; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any $SSH_PORTS (msg:"ET POLICY SSHv2 Client KEX Detected on Expected Port"; flowbits:isset,is_ssh_server_kex; flowbits:noalert; flow: from_client,established; byte_test:1,=,20,5; flowbits: set,is_ssh_client_kex; reference:url,doc.emergingthreats.net/2001976; classtype:misc-activity; sid:2001976; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any $SSH_PORTS (msg:"ET POLICY SSHv2 Client New Keys detected on Expected Port"; flowbits:noalert; flowbits:isset,is_ssh_client_kex; flow: from_client,established; byte_test:1,=,21,5; flowbits: set,is_proto_ssh; reference:url,doc.emergingthreats.net/2001977; classtype:misc-activity; sid:2001977; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any !$SSH_PORTS -> any any (msg:"ET POLICY SSH Server Banner Detected on Unusual Port"; flowbits:noalert; flow: from_server,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,is_ssh_server_banner; reference:url,doc.emergingthreats.net/2001979; classtype:misc-activity; sid:2001979; rev:7; metadata:created_at 2010_07_30, updated_at 2017_02_01;)

#alert tcp any any -> any !$SSH_PORTS (msg:"ET POLICY SSH Client Banner Detected on Unusual Port"; flowbits:isset,is_ssh_server_banner; flow: from_client,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,is_ssh_client_banner; reference:url,doc.emergingthreats.net/2001980; classtype:misc-activity; sid:2001980; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any !$SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected on Unusual Port"; flowbits:isset,is_ssh_client_banner; flowbits:noalert; flow: from_server,established; byte_test:1,=,20,5; flowbits: set,is_ssh_server_kex; reference:url,doc.emergingthreats.net/2001981; classtype:misc-activity; sid:2001981; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any !$SSH_PORTS (msg:"ET POLICY SSHv2 Client KEX Detected on Unusual Port"; flowbits:noalert; flowbits:isset,is_ssh_server_kex; flow: from_client,established; byte_test:1,=,20,5; flowbits: set,is_ssh_client_kex; reference:url,doc.emergingthreats.net/2001982; classtype:misc-activity; sid:2001982; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any !$SSH_PORTS (msg:"ET POLICY SSHv2 Client New Keys Detected on Unusual Port"; flowbits:isset,is_ssh_client_kex; flowbits:noalert; flow: from_client,established; byte_test:1,=,21,5; flowbits: set,is_proto_ssh; reference:url,doc.emergingthreats.net/2001983; classtype:misc-activity; sid:2001983; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 16680 (msg:"ET POLICY OperaUnite URL Registration"; flow:to_server,established; content:"REGISTER"; offset:0; depth:8; content:"operaunite.com"; within:109; reference:url,unite.opera.com; reference:url,doc.emergingthreats.net/2009895; classtype:policy-violation; sid:2009895; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY TRACE Request - outbound"; flow: to_server,established; content:"TRACE "; nocase; depth: 6; reference:url,doc.emergingthreats.net/2010767; classtype:bad-unknown; sid:2010767; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET 3389 -> $EXTERNAL_NET any (msg:"ET POLICY RDP connection confirm"; flow: from_server,established; content:"|03|"; offset: 0; depth: 1; content:"|D0|"; offset: 5; depth: 1; reference:url,doc.emergingthreats.net/2001330; classtype:misc-activity; sid:2001330; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY VNC Authentication Successful"; flowbits:isset,BSvnc.auth.agreed; flow:established; dsize:4; content:"|00 00 00 00|"; depth:4; flowbits:unset,BSvnc.auth.agreed; flowbits:unset,BSis.vnc.setup; reference:url,www.cl.cam.ac.uk/Research/DTG/attarchive/vnc/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002922; classtype:not-suspicious; sid:2002922; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY VNC Authentication Failure"; flowbits:isset,BSvnc.auth.agreed; flow:established; dsize:<50; content:"|00 00 00 01|"; depth:4; reference:url,www.cl.cam.ac.uk/Research/DTG/attarchive/vnc/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002920; classtype:attempted-admin; sid:2002920; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Known SSL traffic on port 443 being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003026; classtype:not-suspicious; sid:2003026; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 9001 (msg:"ET POLICY Known SSL traffic on port 9001 (aol) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2004598; classtype:not-suspicious; sid:2004598; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET POLICY Known SSL traffic on port 8000 being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003027; classtype:not-suspicious; sid:2003027; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET POLICY Known SSL traffic on port 8080 being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003028; classtype:not-suspicious; sid:2003028; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8200 (msg:"ET POLICY Known SSL traffic on port 8200 being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003029; classtype:not-suspicious; sid:2003029; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8443 (msg:"ET POLICY Known SSL traffic on port 8443 being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003030; classtype:not-suspicious; sid:2003030; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 2967 (msg:"ET POLICY Known SSL traffic on port 2967 (Symantec) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003033; classtype:not-suspicious; sid:2003033; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 3128 (msg:"ET POLICY Known SSL traffic on port 3128 (proxy) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003035; classtype:not-suspicious; sid:2003035; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET POLICY Known SSL traffic on port 8080 (proxy) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003036; classtype:not-suspicious; sid:2003036; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8292 (msg:"ET POLICY Known SSL traffic on port 8292 (Bloomberg) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003037; classtype:not-suspicious; sid:2003037; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 8294 (msg:"ET POLICY Known SSL traffic on port 8294 (Bloomberg) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003038; classtype:not-suspicious; sid:2003038; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1521 (msg:"ET POLICY Known SSL traffic on port 1521 (Oracle) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003934; classtype:not-suspicious; sid:2003934; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 995 (msg:"ET POLICY Known SSL traffic on port 995 (imaps) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2008543; classtype:not-suspicious; sid:2008543; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Hello on Unusual Port TLS"; flowbits:isnotset,BS.SSL.Known.Port; flowbits:isnotset,BS.SSL.Client.Hello; flow:established,to_server; content:"|16 03 01|"; depth:3; content:"|01|"; within:6; content:"|03 01|"; within:5; flowbits:set,BS.SSL.Client.Hello; flowbits:noalert; reference:url,doc.emergingthreats.net/2003002; classtype:unusual-client-port-connection; sid:2003002; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3"; flowbits:isnotset,BS.SSL.Known.Port; flowbits:isnotset,BS.SSL.Client.Hello; flow:established,to_server; content:"|16 03 00|"; depth:3; content:"|01|"; within:2; content:"|03 00|"; within:3; flowbits:set,BS.SSL.Client.Hello; flowbits:noalert; reference:url,doc.emergingthreats.net/2003003; classtype:unusual-client-port-connection; sid:2003003; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Hello on Unusual Port Case 2"; flowbits:isnotset,BS.SSL.Known.Port; flowbits:isnotset,BS.SSL.Client.Hello; flow:established; content:"|01 03 01|"; depth:5; offset:2; flowbits:set,BS.SSL.Client.Hello; flowbits:noalert; reference:url,doc.emergingthreats.net/2003004; classtype:unusual-client-port-connection; sid:2003004; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3"; flowbits:isnotset,BS.SSL.Known.Port; flowbits:isnotset,BS.SSL.Client.Hello; flow:established; content:"|01 03 00|"; depth:5; flowbits:set,BS.SSL.Client.Hello; flowbits:noalert; reference:url,doc.emergingthreats.net/2003005; classtype:unusual-client-port-connection; sid:2003005; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Cipher Set on Unusual Port"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|14 03 01 00 01 01|"; flowbits:set,BS.SSL.Client.Cipher; flowbits:noalert; reference:url,doc.emergingthreats.net/2003008; classtype:unusual-client-port-connection; sid:2003008; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Cipher Set on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|14 03 00 00 01 01|"; flowbits:set,BS.SSL.Client.Cipher; flowbits:noalert; reference:url,doc.emergingthreats.net/2003009; classtype:unusual-client-port-connection; sid:2003009; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Hello on Unusual Port"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 01|"; depth:3; content:"|02|"; within:6; content:"|03 01|"; within:6; flowbits:set,BS.SSL.Server.Hello; flowbits:noalert; reference:url,doc.emergingthreats.net/2003010; classtype:unusual-client-port-connection; sid:2003010; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Hello on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 00|"; depth:3; content:"|02|"; within:6; content:"|03 00|"; within:6; flowbits:set,BS.SSL.Server.Hello; flowbits:noalert; reference:url,doc.emergingthreats.net/2003011; classtype:unusual-client-port-connection; sid:2003011; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Key Exchange on Unusual Port"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 01|"; content:"|0c|"; within:6; flowbits:set,BS.SSL.Server.Key; flowbits:noalert; reference:url,doc.emergingthreats.net/2003014; classtype:unusual-client-port-connection; sid:2003014; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Key Exchange on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 00|"; content:"|0c|"; within:6; flowbits:set,BS.SSL.Server.Key; flowbits:noalert; reference:url,doc.emergingthreats.net/2003015; classtype:unusual-client-port-connection; sid:2003015; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Cipher Set on Unusual Port"; flowbits:isset,BS.SSL.Client.Cipher; flow:established; content:"|14 03 01 00 01|"; flowbits:set,BS.SSL.Established; flowbits:noalert; reference:url,doc.emergingthreats.net/2003018; classtype:unusual-client-port-connection; sid:2003018; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Cipher Set on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Cipher; flow:established; content:"|14 03 00 00 01|"; flowbits:set,BS.SSL.Established; flowbits:noalert; reference:url,doc.emergingthreats.net/2003019; classtype:unusual-client-port-connection; sid:2003019; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Encrypted Application Data on Unusual Port"; flowbits:isset,BS.SSL.Established; flow:established,to_server; content:"|17 03 01|"; depth:4; threshold:type limit, count 1, seconds 120, track by_src; reference:url,doc.emergingthreats.net/2003020; classtype:unusual-client-port-connection; sid:2003020; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Encrypted Application Data on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Established; flow:established,to_server; content:"|17 03 00|"; depth:4; threshold:type limit, count 1, seconds 120, track by_src; reference:url,doc.emergingthreats.net/2003021; classtype:unusual-client-port-connection; sid:2003021; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY SSN Detected in Clear Text (dashed)"; pcre:"/ ([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])-\d{2}-\d{4} /"; reference:url,doc.emergingthreats.net/2001328; classtype:policy-violation; sid:2001328; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY SSN Detected in Clear Text (spaced)"; pcre:"/ ([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2]) \d{2} \d{4} /"; reference:url,doc.emergingthreats.net/2001384; classtype:policy-violation; sid:2001384; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY SSN Detected in Clear Text (SSN )"; content:"SSN "; nocase; pcre:"/SSN ([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])\d{6} /i"; reference:url,doc.emergingthreats.net/2007971; classtype:policy-violation; sid:2007971; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip any any -> any any (msg:"ET POLICY SSN Detected in Clear Text (SSN# )"; content:"SSN# "; nocase; pcre:"/SSN# ([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])\d{6} /i"; reference:url,doc.emergingthreats.net/2007972; classtype:policy-violation; sid:2007972; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY RemoteControlX rctrlx service created"; flow:to_server,established; content:"|5c 00 72 00 63 00 74 00 72 00 6c 00 78 00 73 00 72 00 76 00 2e 00 65 00 78 00 65|"; reference:url,xinn.org/Snort-rctrlx.html; reference:url,doc.emergingthreats.net/2010782; classtype:suspicious-filename-detect; sid:2010782; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp ![$DNS_SERVERS,$SMTP_SERVERS] any -> $DNS_SERVERS 53 (msg:"ET POLICY Possible Spambot Host DNS MX Query High Count"; content: "|01 00|"; offset: 2; depth: 4; content: "|00 0f 00 01|"; distance: 8; threshold:type both, count 30, seconds 10, track by_src; reference:url,doc.emergingthreats.net/2003330; classtype:bad-unknown; sid:2003330; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (Moderate Islam...)"; flow: to_client,established; content:"Moderate Islam is a Prostration to the West"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010570; classtype:policy-violation; sid:2010570; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (Jihad, Martyrdom...)"; flow: to_client,established; content:"Jihad, Martyrdom and the Killing of Innocents"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010571; classtype:policy-violation; sid:2010571; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (The Call to Global...)"; flow: to_client,established; content:"The Call to Global Islamic Resistance"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010572; classtype:policy-violation; sid:2010572; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (Knights under the...)"; flow: to_client,established; content:"Knights under the Prophet's Banner"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010573; classtype:policy-violation; sid:2010573; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (Jihad against...)"; flow: to_client,established; content:"Jihad Against Jews and Crusaders World Islamic Front Statement"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010574; classtype:policy-violation; sid:2010574; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (Declaration of War against the Americans...)"; flow: to_client,established; content:"Declaration of War against the Americans Occupying the Land of the Two Holy Places"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010575; classtype:policy-violation; sid:2010575; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (Join the Caravan of Martyrs...)"; flow: to_client,established; content:"Join the Caravan of Martyrs"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010576; classtype:policy-violation; sid:2010576; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (Sharia and Democracy...)"; flow: to_client,established; content:"Sharia and Democracy"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010577; classtype:policy-violation; sid:2010577; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (Moderate Islam...) SMTP"; flow: to_client,established; content:"Moderate Islam is a Prostration to the West"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010581; classtype:policy-violation; sid:2010581; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (Jihad, Martyrdom...) SMTP"; flow: to_client,established; content:"Jihad, Martyrdom and the Killing of Innocents"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010582; classtype:policy-violation; sid:2010582; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (The Call to Global...) SMTP"; flow: to_client,established; content:"The Call to Global Islamic Resistance"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010583; classtype:policy-violation; sid:2010583; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (Knights under the...) SMTP"; flow: to_client,established; content:"Knights under the Prophet's Banner"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010584; classtype:policy-violation; sid:2010584; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (Jihad against...) SMTP"; flow: to_client,established; content:"Jihad Against Jews and Crusaders World Islamic Front Statement"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010585; classtype:policy-violation; sid:2010585; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (Declaration of War against the Americans...) SMTP"; flow: to_client,established; content:"Declaration of War against the Americans Occupying the Land of the Two Holy Places"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010586; classtype:policy-violation; sid:2010586; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (Join the Caravan of Martyrs...) SMTP"; flow: to_client,established; content:"Join the Caravan of Martyrs"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010587; classtype:policy-violation; sid:2010587; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (Sharia and Democracy...) SMTP"; flow: to_client,established; content:"Sharia and Democracy"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010588; classtype:policy-violation; sid:2010588; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme (fardh ain) SMTP"; flow: to_client,established; content:"fardh ain"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010589; classtype:policy-violation; sid:2010589; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme/Group (Takfir) SMTP"; flow: to_client,established; content:"Takfir"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010590; classtype:policy-violation; sid:2010590; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 88 (msg:"ET POLICY X-Box Live Connecting"; content:"<Xbox Version="; content:" Title=0x"; distance:4; within:32; reference:url,www.microsoft.com/xbox/; reference:url,doc.emergingthreats.net/2002796; classtype:policy-violation; sid:2002796; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET POLICY ZIPPED DOC in transit"; flow:established; content:"|50 4B 03 04|"; content:"|00|"; content:".doc"; nocase; reference:url,doc.emergingthreats.net/2001402; classtype:not-suspicious; sid:2001402; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET POLICY ZIPPED XLS in transit"; flow:established; content:"|50 4B 03 04|"; content:"|00|"; content:".xls"; nocase; reference:url,doc.emergingthreats.net/2001403; classtype:not-suspicious; sid:2001403; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET POLICY ZIPPED EXE in transit"; flow:established; content:"|50 4B 03 04|"; content:"|00|"; content:".exe"; nocase; reference:url,doc.emergingthreats.net/2001404; classtype:not-suspicious; sid:2001404; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any any (msg:"ET POLICY ZIPPED PPT in transit"; flow:established; content:"|50 4B 03 04|"; content:"|00|"; content:".ppt"; nocase; reference:url,doc.emergingthreats.net/2001405; classtype:not-suspicious; sid:2001405; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme (Al-Wala' Wal Bara) SMTP"; flow: to_client,established; content:"Al-Wala' Wal Bara"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010591; classtype:policy-violation; sid:2010591; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"ET POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 120; reference:url,doc.emergingthreats.net/2000328; classtype:misc-activity; sid:2000328; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 60; reference:url,doc.emergingthreats.net/2002087; classtype:misc-activity; sid:2002087; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Yahoo Mail Message Send"; flow:to_server,established; content:"/ym/Compose"; http_uri; nocase; reference:url,doc.emergingthreats.net/2000044; classtype:policy-violation; sid:2000044; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Yahoo Mail General Page View"; flow:to_server,established; content:"/ym/login"; http_uri; nocase; content:".rand="; nocase; reference:url,doc.emergingthreats.net/2000341; classtype:policy-violation; sid:2000341; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY External Connection to Altiris HelpDesk"; flow:to_server,established; content:"/aexhd/worker/"; http_uri; nocase; reference:url,www.symantec.com/business/theme.jsp?themeid=altiris; reference:url,doc.emergingthreats.net/2009696; classtype:misc-activity; sid:2009696; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY External Connection to Altiris Console"; flow:to_server,established; content:"/altiris/ns/"; http_uri; nocase; reference:url,www.symantec.com/business/theme.jsp?themeid=altiris; reference:url,doc.emergingthreats.net/2009697; classtype:misc-activity; sid:2009697; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY REG files version 4 download"; flow:established; content:"REGEDIT4"; content:"|0D 0A|"; distance:0; content:"["; distance:0; content:"HKEY_"; distance:0; nocase; reference:url,www.ss64.com/nt/regedit.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000420; classtype:misc-activity; sid:2000420; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY MSI (microsoft installer file) download"; flow:established; content:"|D0 CF 11 E0 A1 B1 1A E1|"; reference:url,doc.emergingthreats.net/bin/view/Main/2001115; classtype:bad-unknown; sid:2001115; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY CCProxy in use remotely - Possibly Hostile/Malware"; flow:established,from_server; content:" 200 Connection established|0d 0a|Proxy-agent|3a| CCProxy "; depth:58; reference:url,www.youngzsoft.net; reference:url,doc.emergingthreats.net/bin/view/Main/2007576; classtype:trojan-activity; sid:2007576; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY route1.com SSL certificate for remote access detected"; flow:established,to_client; content:"Route1 Security Corporation"; nocase; metadata: former_category POLICY; classtype:bad-unknown; sid:2011579; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Informational, created_at 2010_09_27, updated_at 2017_10_12;)

#alert tcp any 443 -> any any (msg:"ET POLICY OpenSSL Demo CA - Internet Widgits Pty (CN)"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; content:"PCA"; within:50; classtype:not-suspicious; sid:2011539; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

#alert tcp any 443 -> any any (msg:"ET POLICY OpenSSL Demo Cert Exchange"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|00 a6 ed b9 1e 40 75 6f 88 0a 30 85 7b 68 b1 8d 48 89 27 33 36 20 ac 1e e8 d6 44 31 78 37 f7 e1 d0 d5 44 cf 4e 67 cb 64 ba 6c fa b6 5f a2 51 c3 5e e4 4a 31 76 c6 15 d4 85 d2 75 d8 ce 8b 4f 0b 38 bb 19 ab b0 10 94 d9 ca bd bb 65 98 c0 d4 2e 9a a4 64 90 f4 6c ee c0 db d9 e2 b0 97 ca cb 55 11 a8 00 4b c3 90 e0 7d c3 e1 d5 92 d7 b6 60 df 52 02 6f 9a 38 13 9a f4 cf 4f 68 fd 4c f8 ea ed 15|"; classtype:not-suspicious; sid:2011525; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY AOL Webmail Login"; flow: to_server,established; content:"/login/login.psp?siteId="; http_uri; content:"triedAimAuth"; reference:url,doc.emergingthreats.net/bin/view/Main/2000572; classtype:policy-violation; sid:2000572; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY eBay Placing Item for sale"; flow: to_server,established; content:"/ws2/eBayISAPI.dll"; http_uri; nocase; content:".ebay.com"; http_header; nocase; reference:url,doc.emergingthreats.net/2001907; classtype:policy-violation; sid:2001907; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY FOX,ABC On-demand UA"; flow:to_server,established; content:"User-Agent|3a| QSP"; nocase; http_header; reference:url,doc.emergingthreats.net/2007639; classtype:policy-violation; sid:2007639; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Google Calendar in Use"; flow:established,to_server; content:"/calendar/"; http_uri; content:"Host|3a| www.google.com"; http_header; nocase; threshold:type both, count 1, seconds 60, track by_src; reference:url,www.computerworld.com.au/index.php?id=1687889918&eid=-255; reference:url,doc.emergingthreats.net/2003597; classtype:policy-violation; sid:2003597; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail Inbox Access"; flow: to_server,established; content:"hotmail.msn.com"; http_header; content:"/cgi-bin/HoTMaiL?curmbox="; nocase; http_uri; reference:url,doc.emergingthreats.net/2000035; classtype:policy-violation; sid:2000035; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hi5.com Social Site Access"; flow:established,to_server; content:"Host|3a| www.hi5.com"; http_header; threshold: type both, track by_src, count 5, seconds 300; reference:url,doc.emergingthreats.net/2003455; classtype:policy-violation; sid:2003455; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hyves Login Attempt"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"login_username"; reference:url,doc.emergingthreats.net/2007627; classtype:policy-violation; sid:2007627; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Google IM traffic Windows client user sign-on"; flow:to_server; content:"ms|3a|xml|3a|ns|3a|xmpp-s"; content:"X-GOOGLE-TOKEN"; reference:url,www.google.com/talk; reference:url,doc.emergingthreats.net/2002332; classtype:policy-violation; sid:2002332; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Google IM traffic friend invited"; flow:to_server; content:"><invitati"; content:"on xmlns=\"google"; reference:url,www.google.com/talk; reference:url,doc.emergingthreats.net/2002333; classtype:policy-violation; sid:2002333; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY McAfee Update User Agent (McAfee AutoUpdate)"; flow:to_server,established; content:"User-Agent|3a| "; http_header; nocase; content:"McAfee AutoUpdate"; http_header; pcre:"/User-Agent\x3a[^\n]+McAfee AutoUpdate/i"; reference:url,doc.emergingthreats.net/2003381; classtype:not-suspicious; sid:2003381; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Rapidshare auth cookie download"; flow:to_server,established; content:"GET"; http_method; content:"/files/"; http_uri; nocase; content:"rapidshare.com"; nocase; http_header; content:"Cookie|3a| user="; nocase; reference:url,en.wikipedia.org/wiki/RapidShare; reference:url,doc.emergingthreats.net/2006369; classtype:policy-violation; sid:2006369; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Newzbin Usenet Reader License Check"; flow:established,to_server; content:"/internal/"; http_uri; content:"prodID=nl&licID="; http_uri; content:"&prodVer="; http_uri; content:"Host|3A| www.newsleecher.com"; http_header; reference:url,doc.emergingthreats.net/2009095; classtype:policy-violation; sid:2009095; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Login Credentials Possibly Passed in URI"; flow:established,to_server; content:"username="; nocase; http_uri; content:"password="; http_uri; nocase; reference:url,doc.emergingthreats.net/2009001; classtype:policy-violation; sid:2009001; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Login Credentials Possibly Passed in POST Data"; flow:established,to_server; content:"POST"; http_method; content:"username="; http_client_body; nocase; content:"password="; http_client_body; nocase; reference:url,doc.emergingthreats.net/2009004; classtype:policy-violation; sid:2009004; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Pingdom.com Monitoring detected"; flow:to_server,established; content:"User-Agent|3a| Pingdom"; nocase; http_header; reference:url,royal.pingdom.com/?p=46; reference:url,doc.emergingthreats.net/2003214; classtype:attempted-recon; sid:2003214; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Pingdom.com Monitoring Node Active"; flow:to_server,established; content:"User-Agent|3a| Pingdom"; http_header; nocase; reference:url,royal.pingdom.com/?p=46; reference:url,doc.emergingthreats.net/2003215; classtype:attempted-recon; sid:2003215; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy GET Request"; flow: to_server,established; content:"GET http|3a|//"; nocase; depth: 11; reference:url,doc.emergingthreats.net/2001669; classtype:bad-unknown; sid:2001669; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy HEAD Request"; flow: to_server,established; content:"HEAD http|3a|//"; nocase; depth: 12; reference:url,doc.emergingthreats.net/2001670; classtype:bad-unknown; sid:2001670; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy POST Request"; flow: to_server,established; content:"POST http|3a|//"; nocase; depth: 12; reference:url,doc.emergingthreats.net/2001674; classtype:bad-unknown; sid:2001674; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp any any -> any $HTTP_PORTS (msg:"ET POLICY Proxy Judge Discovery/Evasion (proxyjudge.cgi)"; flow: established,to_server; content:"/proxyjudge.cgi"; http_uri; nocase; reference:url,doc.emergingthreats.net/2003048; classtype:policy-violation; sid:2003048; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Winamp Streaming User Agent"; flow:established,to_server; content:"Winamp"; http_header; nocase; pcre:"/User-Agent\x3a[^\n]+Winamp/Hi"; reference:url,doc.emergingthreats.net/2003168; classtype:policy-violation; sid:2003168; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Carbonite.com Backup Software Leaking MAC Address"; flow:established,to_server; content:"GET"; http_method; content:"/manage.old/sun/signup.aspx?MACAddresses=MAC"; nocase; http_uri; content:"ShowCount="; nocase; http_uri; reference:url,doc.emergingthreats.net/2009800; classtype:policy-violation; sid:2009800; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY External Access to Cisco Aironet AP Over HTTP (Post Authentication)"; flow:to_server,established; content:"/ap_home.html"; http_uri; reference:url,supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_HTTPS_on_the_AP; reference:url,doc.emergingthreats.net/bin/view/Main/2008862; classtype:misc-activity; sid:2008862; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY MediaFire file download service access"; flow:to_server,established; content:"GET"; http_method; content:"/?"; http_uri; content:"Host|3a|"; nocase; http_header; content:"mediafire.com"; nocase; http_header; reference:url,doc.emergingthreats.net/2009303; classtype:policy-violation; sid:2009303; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Gigasize file download service access"; flow:to_server,established; content:"GET"; http_method; content:"/get.php"; http_uri; content:"Host|3a| "; nocase; http_header; content:"gigasize.com"; nocase; http_header; reference:url,doc.emergingthreats.net/2009304; classtype:policy-violation; sid:2009304; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Possible Ecard Trojan download"; flow:established,to_server; content:".exe"; nocase; http_uri; pcre:"/(gif|car(d|tao)|jpe?g)\.exe$/Ui"; reference:url,doc.emergingthreats.net/2006434; classtype:trojan-activity; sid:2006434; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY eBay Bid Placed"; flow: to_server,established; content:"/ws/eBayISAPI.dll/"; http_uri; nocase; content:"maxbid="; nocase; content:"offer.ebay.com"; nocase; http_header; reference:url,doc.emergingthreats.net/2001898; classtype:policy-violation; sid:2001898; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY eBay View Item"; flow: to_server,established; content:"/ws/eBayISAPI.dll"; http_uri; nocase; content:"ViewItem"; nocase; content:".ebay.com"; nocase; http_header; reference:url,doc.emergingthreats.net/2001908; classtype:policy-violation; sid:2001908; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY eBay Watch This Item"; flow: to_server,established; content:"/ws/eBayISAPI.dll"; http_uri; nocase; content:"MakeTrack&Item="; nocase; content:".ebay.com"; nocase; http_header; reference:url,doc.emergingthreats.net/2001909; classtype:policy-violation; sid:2001909; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Google Search Appliance browsing the Internet"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3A| gsa-crawler"; http_header; nocase; reference:url,www.google.com/enterprise/gsa/index.html; reference:url,doc.emergingthreats.net/2002838; classtype:web-application-activity; sid:2002838; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY HTTP CONNECT Tunnel Attempt Inbound"; flow: to_server,established; content:"CONNECT "; nocase; content:"|0d 0a|"; within: 1024; distance: 0; content:"HTTP/1."; nocase; within: 8; distance: -10; content:!"|3a|80"; within: 4; distance: -11; content:"CONNECT "; nocase; content:"|0d 0a|"; within: 1024; distance: 0; content:"HTTP/1."; nocase; within: 8; distance: -10; content:!"|3a|443"; within: 5; distance: -12; reference:url,doc.emergingthreats.net/2000560; classtype:misc-activity; sid:2000560; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP CONNECT Tunnel Attempt Outbound"; flow: to_server,established; content:"CONNECT "; nocase; content:"|0d 0a|"; within: 1024; distance: 0; content:"HTTP/1."; nocase; within: 8; distance: -10; content:!"|3a|80"; within: 4; distance: -11; content:"CONNECT "; nocase; content:"|0d 0a|"; within: 1024; distance: 0; content:"HTTP/1."; nocase; within: 8; distance: -10; content:!"|3a|443"; within: 5; distance: -12; reference:url,doc.emergingthreats.net/2008330; classtype:misc-activity; sid:2008330; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"ET POLICY JBOSS/JMX port 8080 access from outside"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/jmx-console"; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 60; reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; reference:url,doc.emergingthreats.net/2010378; classtype:web-application-attack; sid:2010378; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Mozilla XPI install files download"; flow: from_server,established; content:"content-type|3a| application/x-xpinstall"; http_header; nocase; reference:url,doc.emergingthreats.net/2001114; classtype:bad-unknown; sid:2001114; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Nagios HTTP Monitoring Connection"; flow:established,to_server; content:"User-Agent|3a| check_http/"; http_header; nocase; content:"(nagios-plugins "; http_header; nocase; reference:url,doc.emergingthreats.net/2006779; classtype:not-suspicious; sid:2006779; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy CONNECT Request"; flow: to_server,established; content:"CONNECT "; nocase; depth: 8; reference:url,doc.emergingthreats.net/2001675; classtype:bad-unknown; sid:2001675; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Wget User Agent"; flow:established,to_server; content:"User-Agent|3A| "; nocase; http_header; content:"Wget"; nocase; http_header; reference:url,www.gnu.org/software/wget; reference:url,doc.emergingthreats.net/2002822; classtype:attempted-recon; sid:2002822; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY libwww-perl User Agent"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:"libwww-perl/"; nocase; http_header; reference:url,www.linpro.no/lwp/; reference:url,doc.emergingthreats.net/2002934; classtype:attempted-recon; sid:2002934; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Googlebot User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"googlebot"; nocase; http_header; reference:url,www.google.com/webmasters/bot.html; reference:url,doc.emergingthreats.net/2002828; classtype:not-suspicious; sid:2002828; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Msnbot User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"msnbot"; nocase; http_header; reference:url,search.msn.com/msnbot.htm; reference:url,doc.emergingthreats.net/2002830; classtype:not-suspicious; sid:2002830; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Yahoo Crawler User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"Yahoo-MMCrawler"; nocase; http_header; reference:url,mms-mmcrawler-support@yahoo-inc.com; reference:url,doc.emergingthreats.net/2002832; classtype:not-suspicious; sid:2002832; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Yahoo Crawler Crawl"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"Yahoo-MMCrawler"; nocase; http_header; threshold: type both, track by_src, count 10, seconds 60; reference:url,mms-mmcrawler-support@yahoo-inc.com; reference:url,doc.emergingthreats.net/2002833; classtype:attempted-recon; sid:2002833; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY python.urllib User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"python.urllib/"; nocase; http_header; reference:url,docs.python.org/lib/module-urllib.html; reference:url,doc.emergingthreats.net/2002944; classtype:attempted-recon; sid:2002944; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Yahoo Briefcase Upload"; flow:to_server,established; content:"briefcase.yahoo.com"; http_header; content:"/process_bcmultipart_form"; http_uri; nocase; reference:url,doc.emergingthreats.net/2001044; classtype:policy-violation; sid:2001044; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Yahoo 360 Social Site Access"; flow:established,to_server; content:"Host|3a| 360.yahoo.com"; http_header; threshold: type both, track by_src, count 5, seconds 300; reference:url,doc.emergingthreats.net/2003454; classtype:policy-violation; sid:2003454; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 3306 -> $HOME_NET any (msg:"ET POLICY External MYSQL Server Connection"; flow:from_server,established; content:"|00|"; depth:1; offset:3; reference:url,doc.emergingthreats.net/2008572; classtype:trojan-activity; sid:2008572; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY exe download without User Agent"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; nocase; content:!"User-Agent|3a|"; http_header; content:!"download.windowsupdate.com"; http_header; content:!"mms|3a|//"; nocase; pcre:"/\.exe$/Ui"; reference:url,doc.emergingthreats.net/2003179; classtype:policy-violation; sid:2003179; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Key Exchange on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 00|"; content:"|10|"; within:6; flowbits:noalert; reference:url,doc.emergingthreats.net/2003007; classtype:unusual-client-port-connection; sid:2003007; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Key Exchange on Unusual Port"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 01|"; content:"|10|"; within:6; reference:url,doc.emergingthreats.net/2003006; classtype:unusual-client-port-connection; sid:2003006; rev:8; metadata:created_at 2010_07_30, updated_at 2019_06_06;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 01|"; content:"|0b|"; within:6; reference:url,doc.emergingthreats.net/2003012; classtype:unusual-client-port-connection; sid:2003012; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 00|"; content:"|0b|"; within:6; reference:url,doc.emergingthreats.net/2003013; classtype:unusual-client-port-connection; sid:2003013; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Zero Content-Length HTTP POST with data (outbound)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|0D 0A|Content-Length|3a| 0|0D 0A|"; content:"|0D 0A 0D 0A|"; distance:0; isdataat:1,relative; classtype:bad-unknown; sid:2011819; rev:1; metadata:created_at 2010_10_14, updated_at 2010_10_14;)

#alert tcp any 443 -> any any (msg:"ET POLICY OpenSSL Demo CA - Cryptsoft Pty (CN)"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; content:"Test PCA (1024 bit)"; within:50;  classtype:trojan-activity; sid:2011541; rev:4; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Java JAR Download Attempt"; flow:established,to_server; content:".jar"; http_uri; reference:url,blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx; classtype:bad-unknown; sid:2011855; rev:2; metadata:created_at 2010_10_25, updated_at 2010_10_25;)

#alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY Possible hidden zip extension .cpl"; flow:established; content:"|20 20 2E 63 70 6C 50 4B|"; reference:url,doc.emergingthreats.net/2001406; classtype:suspicious-filename-detect; sid:2001406; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 5938 (msg:"ET POLICY TeamViewer Keep-alive outbound"; flow:established,to_server; dsize:5; content:"|17 24 1B 00 00|"; flowbits:set,ET.teamviewerkeepaliveout; flowbits:noalert; reference:url,www.teamviewer.com; reference:url,en.wikipedia.org/wiki/TeamViewer; reference:url,doc.emergingthreats.net/2008794; classtype:misc-activity; sid:2008794; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External Windows Update in Progress"; flow:established,to_server; content:"Windows-Update-Agent"; http_header; content:"Host|3a| "; http_header; nocase;  pcre:"/User-Agent|3a|[^\n]+Windows-Update-Agent/Hsmi"; threshold: type limit, count 1, seconds 300, track by_src; reference:url,windowsupdate.microsoft.com; reference:url,doc.emergingthreats.net/2002948; classtype:policy-violation; sid:2002948; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Windows Update in Progress"; flow:established,to_server; content:"Windows-Update-Agent"; http_header; content:"Host|3a|"; http_header; nocase; pcre:"/User-Agent\x3a[^\n]+Windows-Update-Agent/i"; threshold: type limit, count 1, seconds 300, track by_src; reference:url,windowsupdate.microsoft.com; reference:url,doc.emergingthreats.net/2002949; classtype:policy-violation; sid:2002949; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Java JAR file download"; flow:from_server,established; content:"PK"; depth:500; content:"META-INF/"; within:100; content:"MANIFEST"; within:100; classtype:not-suspicious; sid:2011854; rev:3; metadata:created_at 2010_10_25, updated_at 2010_10_25;)

alert tcp $HOME_NET 23 -> any any (msg:"ET POLICY Telnet to HP JetDirect Printer With No Password Set"; flow:to_client,established; content:"HP JetDirect"; content:"Password is not set"; offset:40; depth:30; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj05999#A3; reference:url,doc.emergingthreats.net/2009535; classtype:misc-activity; sid:2009535; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET POLICY External FTP Connection TO Local HP JetDirect Printer"; flow:to_client,established; content:"Hewlett-Packard FTP Print Server Version"; content:"To print a file, use the command|3a| put <filename> [portx]"; offset:40; depth:190; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj06165; reference:url,doc.emergingthreats.net/2009536; classtype:misc-activity; sid:2009536; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Protocol 41 IPv6 encapsulation potential 6in4 IPv6 tunnel active"; ip_proto:41; threshold:type both,track by_dst, count 1, seconds 60; reference:url,en.wikipedia.org/wiki/6in4; classtype:policy-violation; sid:2012141; rev:2; metadata:created_at 2011_01_05, updated_at 2011_01_05;)

#alert ip [0.0.0.0/8,192.0.0.0/24,192.0.2.0/24,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24] any -> $HOME_NET any (msg:"ET POLICY Unallocated IP Space Traffic - Bogon Nets"; threshold: type limit, track by_src, count 1, seconds 360; reference:url,www.cymru.com/Documents/bogon-list.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002749; classtype:bad-unknown; sid:2002749; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Akamai NetSession Interface PUTing data"; flow:established,to_server; content:"PUT"; http_method; content:"user-agent|3a|netsession_win_"; http_header; fast_pattern; reference:url,www.akamai.com/html/misc/akamai_client/netsession_interface_faq.html; classtype:policy-violation; sid:2012508; rev:2; metadata:created_at 2011_03_16, updated_at 2020_04_19;)

alert udp $HOME_NET 17500 -> any 17500 (msg:"ET POLICY Dropbox Client Broadcasting"; content:"{|22|host_int|22 3a| "; depth:13; content:" |22|version|22 3a| ["; distance:0; content:"], |22|displayname|22 3a| |22|"; distance:0; threshold:type limit, count 1, seconds 3600, track by_src; classtype:policy-violation; sid:2012648; rev:3; metadata:created_at 2011_04_07, updated_at 2011_04_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows-Based OpenSSL Tunnel Outbound"; flow:established; content:"|16 03 00|"; content:"|00 5c|"; distance:0; content:"|c0 14 c0 0a 00 39 00 38 00 88 00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 00 33 00 32 00 9a 00 99 00 45 00 44 c0 0e c0 04 00 2f 00 96 00 41 00 07 c0 11 c0 07 c0 0c c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00 ff|"; distance:0; threshold: type both, count 1, seconds 300, track by_dst; reference:url,www.stunnel.org/download/binaries.html; classtype:policy-violation; sid:2012078; rev:5; metadata:created_at 2010_12_22, updated_at 2010_12_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows-Based OpenSSL Tunnel Connection Outbound 2"; flow:established; content:"|16 03 00|"; content:"|00 26|"; distance:0; content:"|00 39 00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03|"; distance:0; threshold: type both, count 1, seconds 300, track by_dst; reference:url,www.stunnel.org/download/binaries.html; classtype:policy-violation; sid:2012079; rev:4; metadata:created_at 2010_12_22, updated_at 2010_12_22;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Windows-Based OpenSSL Tunnel Connection Outbound 3"; flow:established; content:"|16 03 00|"; content:"|00 34|"; distance:0; content:"|00 39 00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f 00 66 00 05 00 04 00 63 00 62 00 61 00 15 00 12 00 09 00 65 00 64 00 60 00 14 00 11 00 08 00 06 00 03|"; distance:0; threshold: type both, count 1, seconds 300, track by_dst; reference:url,www.stunnel.org/download/binaries.html; classtype:policy-violation; sid:2012080; rev:4; metadata:created_at 2010_12_22, updated_at 2010_12_22;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PDF File Containing arguments.callee in Cleartext - Likely Hostile"; flow:established,to_client; content:"PDF-"; depth:300; content:"arguments.callee"; nocase; distance:0; reference:url,isc.sans.org/diary.html?storyid=1519; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,doc.emergingthreats.net/2010883; classtype:misc-activity; sid:2010883; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET !3389 (msg:"ET POLICY Remote Desktop Connection via non RDP Port"; flow:established,to_server; content:"|03|"; depth:1; content:"|e0|"; distance:4; within:1; content:"Cookie|3a|"; distance:5; within:7; reference:url,doc.emergingthreats.net/2007571; classtype:policy-violation; sid:2007571; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"GPL POLICY MS Remote Desktop Request RDP"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; reference:bugtraq,3099; reference:cve,2001-0540; reference:url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx; classtype:protocol-command-decode; sid:2101447; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY MS Terminal Server Root login"; flow:established,to_server; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=root|0d 0a|"; nocase; reference:cve,2001-0540; classtype:protocol-command-decode; sid:2012710; rev:1; metadata:created_at 2011_04_22, updated_at 2011_04_22;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY MS Remote Desktop Service User Login Request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=service|0d 0a|"; nocase; reference:cve,CAN-2001-0540; classtype:protocol-command-decode; sid:2012712; rev:1; metadata:created_at 2011_04_22, updated_at 2011_04_22;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY MS Remote Desktop POS User Login Request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=pos|0d 0a|"; nocase; reference:cve,2001-0540; classtype:protocol-command-decode; sid:2012711; rev:1; metadata:created_at 2011_04_22, updated_at 2011_04_22;)

alert http $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"GPL POLICY Sun JavaServer default password login attempt"; flow:to_server,established; content:"/servlet/admin"; http_uri; content:"ae9f86d6beaa3f9ecb9a5b7e072a4138"; reference:cve,1999-0508; reference:nessus,10995; classtype:default-login-attempt; sid:2101859; rev:7; metadata:created_at 2010_09_23, updated_at 2020_04_20;)

alert http $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"GPL POLICY Linksys router default password login attempt"; flow:to_server,established; content:"Authorization|3A| OmFkbWlu"; http_header; nocase; reference:nessus,10999; classtype:default-login-attempt; sid:2101860; rev:9; metadata:created_at 2010_09_23, updated_at 2020_04_20;)

alert http $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"GPL POLICY Linksys router default username and password login attempt"; flow:to_server,established; content:"Authorization|3A| YWRtaW46YWRtaW4"; http_header; nocase; reference:nessus,10999; classtype:default-login-attempt; sid:2101861; rev:12; metadata:created_at 2010_09_23, updated_at 2020_04_20;)

#alert http $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET POLICY HTTP POST on unusual Port Possibly Hostile"; flow:established,to_server; content:"POST"; nocase; http_method; reference:url,doc.emergingthreats.net/2006409; classtype:policy-violation; sid:2006409; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5802 (msg:"GPL POLICY vncviewer Java applet download attempt"; flow:to_server,established; content:"/vncviewer.jar"; reference:nessus,10758; classtype:misc-activity; sid:2101846; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hotmail Inbox Access"; flow:to_server,established; content:"GET"; http_method; content:"mail.live.com"; http_header; content:"/mail/InboxLight.aspx"; http_uri; depth:21; reference:url,doc.emergingthreats.net/2008238; classtype:policy-violation; sid:2008238; rev:4; metadata:created_at 2010_07_30, updated_at 2020_04_20;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hotmail Compose Message Access"; flow: to_server,established; content:"curmbox="; http_uri; nocase; content:"hotmail.msn.com"; http_header; nocase; content:"/cgi-bin/compose?/"; nocase; http_uri; reference:url,doc.emergingthreats.net/2000037; classtype:policy-violation; sid:2000037; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hotmail Message Access"; flow: to_server,established; content:"hotmail.msn.com"; http_header; content:"/cgi-bin/getmsg?msg=MSG"; http_uri; reference:url,doc.emergingthreats.net/2000036; classtype:policy-violation; sid:2000036; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hotmail Compose Message Submit"; flow: to_server,established; content:"hotmail.msn.com"; nocase; http_header; content:"/cgi-bin/premail/"; http_uri; reference:url,doc.emergingthreats.net/2000038; classtype:policy-violation; sid:2000038; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hotmail Compose Message Submit Data"; flow: to_server,established; content:"curmbox="; nocase; content:"login="; nocase; content:"msghdrid"; nocase; content:"sigflag="; nocase; reference:url,doc.emergingthreats.net/2000039; classtype:policy-violation; sid:2000039; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hotmail Message Access"; flow:to_server,established; content:"GET"; http_method; content:"mail.live.com"; http_header; content:"/mail/ReadMessageLight.aspx"; http_uri; reference:url,doc.emergingthreats.net/2008239; classtype:policy-violation; sid:2008239; rev:4; metadata:created_at 2010_07_30, updated_at 2020_04_20;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hotmail Compose Message Access"; flow:to_server,established; content:"GET"; http_method; content:"mail.live.com"; http_header; nocase; content:"/mail/EditMessageLight.aspx"; http_uri; reference:url,doc.emergingthreats.net/2008240; classtype:policy-violation; sid:2008240; rev:4; metadata:created_at 2010_07_30, updated_at 2020_04_20;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hotmail Access Full Mode"; flow:to_server,established; content:"GET"; http_method; content:"mail.live.com"; http_header; content:"/mail/ApplicationMain"; http_uri; reference:url,doc.emergingthreats.net/2008242; classtype:policy-violation; sid:2008242; rev:4; metadata:created_at 2010_07_30, updated_at 2020_04_20;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL POLICY IPSec PGPNet connection attempt"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00 01 00 00 00 01 00 00 00|P|01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 10|"; classtype:protocol-command-decode; sid:2101771; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http any any -> any any (msg:"ET POLICY Cleartext WordPress Login"; flow:established,to_server; content:"log="; http_client_body; content:"&pwd="; http_client_body; content:"&wp-submit="; http_client_body; metadata: former_category POLICY; classtype:policy-violation; sid:2012843; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Informational, created_at 2011_05_25, updated_at 2020_04_20;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Outbound Request containing a password"; flow:established,to_server; content:"password|3a|"; nocase; http_header; classtype:policy-violation; sid:2012868; rev:3; metadata:created_at 2011_05_26, updated_at 2011_05_26;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Outbound Request containing a pass field"; flow:established,to_server; content:"pass|3a| "; nocase; http_header; classtype:policy-violation; sid:2012869; rev:2; metadata:created_at 2011_05_26, updated_at 2011_05_26;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Http Client Body contains password= in cleartext"; flow:established,to_server; content:"password="; nocase; http_client_body; classtype:policy-violation; sid:2012885; rev:3; metadata:created_at 2011_05_30, updated_at 2011_05_30;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY URL Contains password Parameter"; flow:established,to_server; content:"password="; nocase; http_uri; pcre:"/(?<=(\?|&))password=(?!&)/Ui"; classtype:policy-violation; sid:2012911; rev:2; metadata:created_at 2011_06_01, updated_at 2011_06_01;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY URL Contains passwd Parameter"; flow:established,to_server; content:"passwd="; nocase; http_uri; pcre:"/(?<=(\?|&))passwd=(?!&)/Ui"; classtype:policy-violation; sid:2012912; rev:2; metadata:created_at 2011_06_01, updated_at 2011_06_01;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY URL Contains pass Parameter"; flow:established,to_server; content:"pass="; nocase; http_uri; pcre:"/(?<=(\?|&))pass=(?!&)/Ui"; classtype:policy-violation; sid:2012913; rev:2; metadata:created_at 2011_06_01, updated_at 2011_06_01;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY URL Contains pwd Parameter"; flow:established,to_server; content:"pwd="; nocase; http_uri; pcre:"/(?<=(\?|&))pwd=(?!&)/iU"; classtype:policy-violation; sid:2012914; rev:2; metadata:created_at 2011_06_01, updated_at 2011_06_01;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY URL Contains pw Parameter"; flow:established,to_server; content:"pw="; nocase; http_uri; pcre:"/(?<=(\?|&))pw=(?!&)/Ui"; classtype:policy-violation; sid:2012915; rev:2; metadata:created_at 2011_06_01, updated_at 2011_06_01;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY URL Contains passphrase Parameter"; flow:established,to_server; content:"passphrase="; http_uri; nocase; pcre:"/(?<=(\?|&))passphrase=(?!&)/Ui"; classtype:policy-violation; sid:2012916; rev:3; metadata:created_at 2011_06_01, updated_at 2011_06_01;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY URL Contains pword Parameter"; flow:established,to_server; content:"pword="; nocase; http_uri; pcre:"/(?<=(\?|&))pword=(?!&)/Ui"; classtype:policy-violation; sid:2012917; rev:2; metadata:created_at 2011_06_01, updated_at 2011_06_01;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Smilebox Software/Adware Checkin"; flow:established,to_server; content:"/trackClientAction.jsp?beacon="; http_uri; content:"&os="; http_uri; content:"&partner="; http_uri; reference:url,www.smilebox.com/privacy-policy.html; classtype:policy-violation; sid:2012933; rev:3; metadata:created_at 2011_06_06, updated_at 2020_04_20;)

#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY eval(function(p a c k e d) JavaScript from nginx Detected - Likely Hostile"; flow:established,to_client; content:"Server|3a| nginx"; nocase; offset:15; depth:15; content:"Content-Type|3a| text/html"; nocase; distance:20; content:"eval(function(p,a,c,k,e,d)"; nocase; distance:50; reference:url,doc.emergingthreats.net/2011765; classtype:bad-unknown; sid:2011765; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY StumbleUpon Submission Detected"; flow:established,to_server; content:"X-SU-Version|3a| "; http_header; threshold: type both, count 2, seconds 300, track by_src; classtype:policy-violation; sid:2013013; rev:3; metadata:created_at 2011_06_10, updated_at 2020_04_20;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY CURL User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"curl"; nocase; within:100; http_header; reference:url,curl.haxx.se; reference:url,doc.emergingthreats.net/2002824; classtype:attempted-recon; sid:2002824; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY BitCoin"; flow:established,to_server; content:"/api/work/getwork?"; http_uri; depth:18; content:"bitcoinplus.com"; http_header; threshold: type limit, count 2, seconds 300, track by_src; metadata: former_category POLICY; classtype:bad-unknown; sid:2013059; rev:3; metadata:created_at 2011_06_17, updated_at 2020_04_20;)

alert udp $EXTERNAL_NET any -> $HOME_NET 5632 (msg:"GPL POLICY PCAnywhere server response"; content:"ST"; depth:2; classtype:misc-activity; sid:2100566; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY docs.google.com Activity"; flow:established,to_server; content:"Host|3a| docs.google.com|0d 0a|"; http_header; nocase; reference:url,docs.google.com; reference:url,doc.emergingthreats.net/2003121; classtype:policy-violation; sid:2003121; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Google Music Streaming"; flow:established,to_server; content:"GET"; http_method; content:"/stream?id="; http_uri; content:"googleusercontent.com|0d 0a|"; http_header; reference:url,music.google.com/about; classtype:policy-violation; sid:2012935; rev:6; metadata:created_at 2011_06_06, updated_at 2020_04_20;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Majestic12 User-Agent Request Inbound"; flow:established,to_server; content:"MJ12bot/"; http_header; classtype:trojan-activity; sid:2013255; rev:4; metadata:created_at 2011_07_12, updated_at 2011_07_12;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Self Signed SSL Certificate (Persona Not Validated)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"Persona Not Validated"; metadata: former_category POLICY; classtype:policy-violation; sid:2013294; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Informational, created_at 2011_07_21, updated_at 2017_10_12;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Self Signed SSL Certificate (Snake Oil CA)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"Snake Oil CA"; metadata: former_category POLICY; classtype:policy-violation; sid:2013295; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Informational, created_at 2011_07_21, updated_at 2017_10_12;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious User-Agent (InetURL)"; flow:established,to_server; content:"User-Agent|3a| InetURL"; http_header; content:!"www.dell.com"; http_header; content:!"pdfmachine.com"; http_header; content:!"gs.apple.com"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category HUNTING; reference:url,doc.emergingthreats.net/bin/view/Main/2008374; classtype:trojan-activity; sid:2008374; rev:15; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Informational, created_at 2010_07_30, updated_at 2017_10_12;)

alert tcp $EXTERNAL_NET 5938 -> $HOME_NET any (msg:"ET POLICY TeamViewer Keep-alive inbound"; flow:established,to_client; dsize:5; content:"|17 24 1B 00 00|"; flowbits:isset,ET.teamviewerkeepaliveout; threshold: type limit, count 1, seconds 120, track by_src; reference:url,www.teamviewer.com; reference:url,en.wikipedia.org/wiki/TeamViewer; reference:url,doc.emergingthreats.net/2008795; classtype:misc-activity; sid:2008795; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY NSPlayer User-Agent Windows Media Player streaming detected"; flow:established,to_server; content:"User-Agent|3A 20|NSPlayer|2F|"; http_header; threshold: type limit, track by_src, seconds 300, count 1; reference:url,msdn.microsoft.com/en-us/library/cc234851; classtype:policy-violation; sid:2011874; rev:3; metadata:created_at 2010_10_29, updated_at 2010_10_29;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY CNET Custom Installer Possible Bundled Bloatware"; flow:established,to_server; content:"GET"; http_method; content:"/rest/"; http_uri; content:"/softwareProductLink?"; http_uri; content:"productSetId="; http_uri; content:!"User-Agent|3a| "; http_header; content:!"Referer|3a| "; http_header; reference:url,www.extremetech.com/computing/93504-download-com-wraps-downloads-in-bloatware-lies-about-motivations; classtype:policy-violation; sid:2013453; rev:2; metadata:created_at 2011_08_23, updated_at 2020_04_20;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Facebook Like Button Clicked (1)"; flow:to_server,established; content:"/uiserver.php?social_plugin=like"; http_uri; content:"external_page_url="; http_uri; content:"Host|3a| www.facebook.com|0d 0a|"; http_header; reference:url,developers.facebook.com/docs/reference/plugins/like/; reference:url,news.cnet.com/8301-1023_3-20094866-93/facebooks-like-button-illegal-in-german-state/; classtype:policy-violation; sid:2013458; rev:2; metadata:created_at 2011_08_25, updated_at 2011_08_25;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Facebook Like Button Clicked (2)"; flow:to_server,established; content:"/plugins/like.php?"; http_uri; content:"href="; http_uri; content:"action=like"; http_uri; content:"Host|3a| www.facebook.com|0d 0a|"; http_header; reference:url,developers.facebook.com/docs/reference/plugins/like/; reference:url,news.cnet.com/8301-1023_3-20094866-93/facebooks-like-button-illegal-in-german-state/; classtype:policy-violation; sid:2013459; rev:2; metadata:created_at 2011_08_25, updated_at 2011_08_25;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SUSPICIOUS *.doc.exe in HTTP URL"; flow:to_server,established; content:".doc.exe"; http_uri; nocase; metadata: former_category POLICY; classtype:bad-unknown; sid:2013475; rev:2; metadata:created_at 2011_08_26, updated_at 2020_04_20;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SUSPICIOUS *.pdf.exe in HTTP URL"; flow:to_server,established; content:".pdf.exe"; http_uri; nocase; metadata: former_category POLICY; classtype:bad-unknown; sid:2013476; rev:2; metadata:created_at 2011_08_26, updated_at 2020_04_20;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Netflix Streaming Player Access"; flow:to_server,established; content:"/WiPlayer?movieid="; http_uri; content:"Host|3a| movies.netflix.com|0d 0a|"; http_header; nocase; reference:url,netflix.com; classtype:policy-violation; sid:2013498; rev:2; metadata:created_at 2011_08_30, updated_at 2020_04_20;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PDF File Containing Javascript"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/JavaScript"; nocase; distance:0; pcre:"/\x3C\x3C[^>]*\x2FJavaScript/smi"; threshold:type limit, count 1, seconds 60, track by_src; classtype:misc-activity; sid:2010882; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"GPL POLICY udp port 0 traffic";  reference:bugtraq,576; reference:cve,1999-0675; reference:nessus,10074; classtype:misc-activity; sid:2100525; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"GPL POLICY tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:2100524; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert http $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET POLICY HTTP Request on Unusual Port Possibly Hostile"; flow:established,to_server; flowbits:isnotset,et.httpproto; flowbits:set,et.httpproto; flowbits:set,ET.knowitsnothttpnow; flowbits:isnotset,ET.knowitsnothttpnow; threshold: type limit, count 1, seconds 30, track by_dst; reference:url,doc.emergingthreats.net/2006408; classtype:policy-violation; sid:2006408; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SSL MiTM Vulnerable iOS 4.x CDMA iPhone device"; flow:established,to_server; content:"Mozilla/5.0 (iPhone"; http_header; content:" OS 4_"; http_header; distance:0; content:!"OS 4_2_1 like"; http_header; pcre:"/OS 4_2_[0-9] like/H"; threshold:type limit, count 1, seconds 600, track by_src; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4825; reference:url,en.wikipedia.org/wiki/IOS_version_history; classtype:not-suspicious; sid:2013336; rev:4; metadata:created_at 2011_07_29, updated_at 2020_04_20;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SSL MiTM Vulnerable iOS 4.x CDMA iPhone device"; flow:established,to_server; content:"Mozilla/5.0 |28|iPhone"; http_header; content:" OS 4_"; http_header; distance:0; content:!"OS 4_2_1 like"; http_header; pcre:"/OS 4_2_[0-9] like/H"; threshold: type limit, count 1, seconds 600, track by_src; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4825; reference:url,en.wikipedia.org/wiki/IOS_version_history; reference:url,github.com/jan0/isslfix; reference:cve,CVE-2011-0228; classtype:not-suspicious; sid:2013408; rev:6; metadata:created_at 2011_08_12, updated_at 2020_04_20;)

alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (msg:"GPL POLICY PCAnywhere Failed Login"; flow:from_server,established; content:"Invalid login"; depth:16; reference:arachnids,240; classtype:unsuccessful-user; sid:2100512; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Yandexbot Request Inbound"; flow:established,to_server; content:"User-Agent|3a| YandexBot"; http_header; classtype:policy-violation; sid:2013253; rev:4; metadata:created_at 2011_07_12, updated_at 2011_07_12;)

#alert tcp any 443 -> any any (msg:"ET POLICY OpenSSL Demo CA - Cryptsoft Pty (O)"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; content:"CryptSoft Pty Ltd"; within:50; classtype:bad-unknown; sid:2011542; rev:6; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

#alert ssh any any -> any !$SSH_PORTS (msg:"ET POLICY SSH session in progress on Unusual Port"; flow:established,to_server; threshold: type both, track by_src, count 2, seconds 300; reference:url,doc.emergingthreats.net/2001984; classtype:misc-activity; sid:2001984; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ssh any any -> any $SSH_PORTS (msg:"ET POLICY SSH session in progress on Expected Port"; flow:established,to_server; threshold: type both, track by_src, count 2, seconds 300; reference:url,doc.emergingthreats.net/2001978; classtype:misc-activity; sid:2001978; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Centralops.net Probe"; flow:established,to_server; content:"CentralOps.net/)"; http_header; reference:url,centralops.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003631; classtype:policy-violation; sid:2003631; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL POLICY TRAFFIC Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!6; ip_proto:!89; ip_proto:!17; classtype:non-standard-protocol; sid:2101620; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Request to Suspicious Games at pcgame.gamedia.cn"; flow:established,to_server; content:"GET"; http_method; content:"|2e|html|3f|GameID|3d|0|2c|Path|3d|c|3a|"; http_uri; classtype:policy-violation; sid:2013400; rev:7; metadata:created_at 2011_08_10, updated_at 2020_04_20;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.dlinkddns.com domain"; flow:established,to_server; content:".dlinkddns.com|0d 0a|"; http_header; nocase; classtype:bad-unknown; sid:2013311; rev:3; metadata:created_at 2011_07_25, updated_at 2020_04_20;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY external cPanel login"; flow:to_server,established; content:"/password.cgi?sptPassword="; http_uri; classtype:not-suspicious; sid:2013919; rev:2; metadata:created_at 2011_11_17, updated_at 2020_04_20;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY external cPanel password change"; flow:to_server,established; content:"pwdOld="; http_client_body; content:"pwNew="; http_client_body; content:"pwCfm="; http_client_body; classtype:not-suspicious; sid:2013920; rev:2; metadata:created_at 2011_11_17, updated_at 2020_04_20;)

alert tls any [$HTTP_PORTS,443,8834] -> $HOME_NET any (msg:"ET POLICY Nessus Server SSL certificate detected"; flow:established,to_client; content:"|16 03 01|"; content:"|0b|"; within:6; content:"Nessus Certification Authority"; nocase; metadata: former_category POLICY; classtype:bad-unknown; sid:2013298; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Informational, created_at 2011_07_21, updated_at 2017_10_12;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Baidu.com Agent User-Agent (Desktop Web System)"; flow:to_server,established; content:"User-Agent|3a| Desktop Web System"; nocase; http_header; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/2003604; classtype:trojan-activity; sid:2003604; rev:8; metadata:created_at 2010_07_30, updated_at 2017_04_21;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY ICP Email Send via HTTP - Often Trojan Install Reports"; flow:established,to_server; content:"/friendship/email_thank_you.php?"; http_uri; nocase; content:"folder_id="; http_uri; nocase; content:"&params_count="; http_uri; nocase; content:"&nick_name="; http_uri; nocase; content:"&user_email="; http_uri; nocase; content:"&user_uin="; http_uri; nocase; content:"&friend_nickname="; http_uri; nocase; content:"&friend_contact="; http_uri; nocase; reference:url,doc.emergingthreats.net/2008351; classtype:policy-violation; sid:2008351; rev:4; metadata:created_at 2010_07_30, updated_at 2020_04_20;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Bluecoat Proxy in use"; flow:established,to_server; content:"X-BlueCoat-Via|3A|"; http_header; classtype:not-suspicious; sid:2014049; rev:2; metadata:created_at 2011_12_30, updated_at 2011_12_30;)

#alert http any any -> $HOME_NET any (msg:"ET POLICY HTTP Redirect to IPv4 Address"; flow:established,from_server; content:"302"; http_stat_code; content:"Found"; nocase; content:"Location|3a| "; nocase; pcre:"/Location\: (http\:\/\/)?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\//i"; reference:url,doc.emergingthreats.net/2011085; classtype:misc-activity; sid:2011085; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible Trojan File Download bad rar file header (not a valid rar file)"; flow:established,from_server; content:"|0d 0a|Content-Type|3a| application|2f|octet-stream"; content:"|0d 0a 0d 0a 52 61 72 21|"; content:!"|1A 07|"; within:2; reference:url,www.win-rar.com/index.php?id=24&kb=1&kb_article_id=162; reference:url,doc.emergingthreats.net/2008782; classtype:trojan-activity; sid:2008782; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Bomgar Remote Assistance Tool Download"; flow:established,from_server; content:"filename="; content:"bomgar-scc-"; nocase; distance:0; fast_pattern; content:".exe"; nocase; distance:0; reference:url,www.bomgar.com; classtype:policy-violation; sid:2013867; rev:3; metadata:created_at 2011_11_07, updated_at 2011_11_07;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL POLICY Windows Media Video download"; flow:from_server,established; content:"Content-type|3A| video/x-ms-asf"; nocase; classtype:policy-violation; sid:2101438; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET POLICY Outbound MSSQL Connection to Standard port (1433)"; flow:to_server,established; content:"|12 01 00|"; depth:3; content:"|00 00 00 00 00 00 15 00 06 01 00 1b 00 01 02 00 1c 00|"; distance:1; within:18; content:"|03 00|"; distance:1; within:2; content:"|00 04 ff 08 00 01 55 00 00 00|"; distance:1; within:10; flowbits:set,ET.MSSQL; classtype:bad-unknown; sid:2013410; rev:4; metadata:created_at 2011_08_15, updated_at 2011_08_15;)

alert tcp $HOME_NET any -> $EXTERNAL_NET !1433 (msg:"ET POLICY Outbound MSSQL Connection to Non-Standard Port - Likely Malware"; flow:to_server,established; content:"|12 01 00|"; depth:3; content:"|00 00 00 00 00 00 15 00 06 01 00 1b 00 01 02 00 1c 00|"; distance:1; within:18; content:"|03 00|"; distance:1; within:2; content:"|00 04 ff 08 00 01 55 00 00 00|"; distance:1; within:10; flowbits:set,ET.MSSQL; classtype:bad-unknown; sid:2013409; rev:3; metadata:created_at 2011_08_15, updated_at 2011_08_15;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious Invalid HTTP Accept Header of ?"; flow:established,to_server; content:"Accept|3a 20|?"; http_header; metadata: former_category POLICY; classtype:trojan-activity; sid:2013974; rev:3; metadata:created_at 2011_11_30, updated_at 2020_04_20;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Badongo file download service access"; flow:to_server,established; content:"GET"; http_method; content:"/file/"; http_uri; content:"Host|3a| "; nocase; http_header; content:"badongo.com"; nocase; http_header; within:15; content:"badongoL="; http_cookie; reference:url,doc.emergingthreats.net/2009302; classtype:policy-violation; sid:2009302; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY FACEBOOK user id in http_client_body, lookup with fb.com/profile.php?id="; flow:established,to_server; content:".facebook.com|0D 0A|"; http_header; content:"&__user="; http_client_body; threshold: type limit, count 1, seconds 600, track by_src; classtype:not-suspicious; sid:2014102; rev:3; metadata:created_at 2012_01_06, updated_at 2012_01_06;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Softango.com Installer POSTing Data"; flow:established,to_server; content:"POST"; http_method; content:"/service/bootstrap.php"; http_uri; content:".smartiengine.com|0D 0A|"; http_header; classtype:policy-violation; sid:2014124; rev:3; metadata:created_at 2012_01_12, updated_at 2012_01_12;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible Web Crawl - libwww-perl User Agent"; flow:established,to_server; content:"User-Agent|3a| "; http_header; content:"libwww-perl/"; fast_pattern; nocase; within:50; http_header; threshold: type both, track by_src, count 10, seconds 60; reference:url,www.linpro.no/lwp/; reference:url,doc.emergingthreats.net/2002935; classtype:attempted-recon; sid:2002935; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 34012 (msg:"GPL POLICY Remote PC Access connection attempt"; flow:to_server,established; content:"|28 00 01 00 04 00 00 00 00 00 00 00|"; depth:12; reference:nessus,11673; classtype:trojan-activity; sid:2102124; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"GPL POLICY PPTP Start Control Request attempt"; flow:to_server,established,no_stream; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; classtype:attempted-admin; sid:2102044; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Free SSL Certificate Provider (StartCom Class 1 Primary Intermediate Server CA)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"StartCom Class 1 Primary Intermediate Server CA"; metadata: former_category POLICY; classtype:policy-violation; sid:2013296; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Informational, created_at 2011_07_21, updated_at 2017_10_12;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Free SSL Certificate (StartCom Free Certificate Member)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"StartCom Free Certificate Member"; metadata: former_category POLICY; classtype:policy-violation; sid:2013297; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Informational, created_at 2011_07_21, updated_at 2017_10_12;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY File Being Uploaded to SendSpace File Hosting Site"; flow:established,to_server; content:"POST"; http_method; content:"processupload.html"; http_uri; content:".sendspace.com|0d 0a|"; fast_pattern; http_header; classtype:misc-activity; sid:2014202; rev:2; metadata:created_at 2012_02_07, updated_at 2012_02_07;)

alert http $HOME_NET any -> any any (msg:"ET POLICY Http Client Body contains passwd= in cleartext"; flow:established,to_server; content:"passwd="; nocase; http_client_body; classtype:policy-violation; sid:2012886; rev:3; metadata:created_at 2011_05_30, updated_at 2011_05_30;)

alert http $HOME_NET any -> any any (msg:"ET POLICY HTTP POST contains pass= in cleartext"; flow:established,to_server; content:"pass="; nocase; http_client_body; metadata: former_category POLICY; classtype:policy-violation; sid:2012887; rev:3; metadata:created_at 2011_05_30, updated_at 2011_05_30;)

alert http $HOME_NET any -> any any (msg:"ET POLICY Http Client Body contains pwd= in cleartext"; flow:established,to_server; content:"pwd="; nocase; http_client_body; classtype:policy-violation; sid:2012888; rev:3; metadata:created_at 2011_05_30, updated_at 2011_05_30;)

alert http $HOME_NET any -> any any (msg:"ET POLICY Http Client Body contains passphrase= in cleartext"; flow:established,to_server; content:"passphrase="; nocase; http_client_body; classtype:policy-violation; sid:2012890; rev:3; metadata:created_at 2011_05_30, updated_at 2011_05_30;)

alert http $HOME_NET any -> any any (msg:"ET POLICY Http Client Body contains pword= in cleartext"; flow:established,to_server; content:"pword="; nocase; http_client_body; classtype:policy-violation; sid:2012891; rev:3; metadata:created_at 2011_05_30, updated_at 2011_05_30;)

#alert ftp $HOME_NET any -> any any (msg:"ET POLICY FTP Login Successful"; flow:from_server,established; flowbits:isset,ET.ftp.user.login; flowbits:isnotset,ftp.user.logged_in; flowbits:set,ftp.user.logged_in; content:"230 "; depth:4; reference:url,doc.emergingthreats.net/2003410; classtype:misc-activity; sid:2003410; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Geo Location Request"; flow:to_server,established; content:"/geo/txt/city.php"; http_uri; flowbits:set,ETPRO.IP.geo.loc; metadata: former_category POLICY; reference:md5,0e2c46dc89dceb14e7add66cbfe8a2f8; classtype:policy-violation; sid:2014264; rev:6; metadata:created_at 2012_01_19, updated_at 2012_01_19;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY IP geo location service response"; flow:established,from_server; flowbits:isset,ETPRO.IP.geo.loc; content:"city_name="; http_cookie; content:"state="; http_cookie; content:"country_"; http_cookie; content:"latitude="; http_cookie; content:"longitude="; http_cookie; content:"|0d 0a 0d 0a|document.write(|22|"; metadata: former_category POLICY; reference:md5,0e2c46dc89dceb14e7add66cbfe8a2f8; classtype:policy-violation; sid:2014265; rev:4; metadata:created_at 2012_01_19, updated_at 2012_01_19;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup"; flow:established,to_server; content:"/getip.php?action=getip&ip_url="; http_uri; metadata: former_category POLICY; classtype:policy-violation; sid:2014292; rev:2; metadata:created_at 2012_02_29, updated_at 2012_02_29;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Coral Web Proxy/Content Distribution Net Use"; flow:to_server,established; content:"Host|3a|"; http_header; content:".nyud.net|0d 0a|"; fast_pattern; http_header; within:100; reference:url,en.wikipedia.org/wiki/Coral_Content_Distribution_Network; classtype:policy-violation; sid:2014332; rev:1; metadata:created_at 2012_03_07, updated_at 2012_03_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Cnet App Download and Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/v"; http_uri; content:"/?v="; http_uri; content:"&c="; http_uri; pcre:"/\/v\d\.\d\.\d/U"; pcre:"/\/\?v=\d/U"; classtype:trojan-activity; sid:2013888; rev:5; metadata:created_at 2011_11_08, updated_at 2011_11_08;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY MS Remote Desktop Administrator Login Request"; flow:established,to_server; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=admin"; distance:0; nocase; reference:cve,CAN-2001-0540; classtype:protocol-command-decode; sid:2012709; rev:5; metadata:created_at 2011_04_22, updated_at 2011_04_22;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP GET invalid method case outbound"; flow:established,to_server; content:"get "; depth:4; nocase; content:!"GET "; depth:4; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014379; rev:2; metadata:created_at 2012_03_14, updated_at 2012_03_14;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Weatherbug Activity"; flow:established,to_server; content:"/WeatherWindow/WeatherWindow"; nocase; http_uri; content:"?rnd="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003420; classtype:trojan-activity; sid:2003420; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Weatherbug Command Activity"; flow:established,to_server; content:"/connection/connectionv"; nocase; http_uri; content:"?t="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003422; classtype:trojan-activity; sid:2003422; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Weatherbug Activity"; flow: to_server,established; content:"weatherbug.com|0d 0a|"; nocase; http_header; threshold: type limit, track by_src, count 1, seconds 3600; reference:url,doc.emergingthreats.net/bin/view/Main/2001267; classtype:misc-activity; sid:2001267; rev:18; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (png)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".png"; nocase; http_uri; content:".png HTTP"; nocase; pcre:"/\.png$/Ui"; reference:url,doc.emergingthreats.net/2010070; classtype:trojan-activity; sid:2010070; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (jpeg)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".jpeg"; nocase; http_uri; content:".jpeg HTTP"; nocase; pcre:"/\.jpeg$/i"; reference:url,doc.emergingthreats.net/2010068; classtype:trojan-activity; sid:2010068; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (bmp)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".bmp"; nocase; http_uri; content:".bmp HTTP"; nocase; pcre:"/\.bmp$/i"; reference:url,doc.emergingthreats.net/2010069; classtype:trojan-activity; sid:2010069; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious User-Agent (dwplayer)"; flow:established,to_server; content:"User-Agent|3a| dwplayer"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category HUNTING; reference:url,doc.emergingthreats.net/bin/view/Main/2008489; classtype:policy-violation; sid:2008489; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Informational, created_at 2010_07_30, updated_at 2017_10_12;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious IAT EnableExecuteProtectionSupport - Undocumented API to Modify DEP"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"EnableExecuteProtectionSupport"; nocase; distance:0;  metadata: former_category POLICY; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012777; rev:5; metadata:created_at 2011_05_03, updated_at 2011_05_03;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious IAT SetKeyboardState - Can Be Used for Keylogging"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"SetKeyboardState"; nocase; distance:0; metadata: former_category POLICY; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012780; rev:6; metadata:created_at 2011_05_03, updated_at 2011_05_03;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible Multiple Levels of Javascript Encoding & Compression Filters in PDF, Possibly Hostile PDF"; flow:established,to_client; content:"PDF-"; depth:300; content:"/Filter"; nocase; distance:0; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; reference:url,www.symantec.com/connect/blogs/journey-center-pdf-stream; reference:url,doc.emergingthreats.net/2011008; classtype:misc-activity; sid:2011008; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET 1723 -> $EXTERNAL_NET any (msg:"ET POLICY PPTP Requester is not authorized to establish a command channel"; flow:to_client,established,no_stream; content:"|00 01|"; offset:2; depth:4; content:"|00 02|"; offset:8; depth:10; content:"|04|"; offset:12; depth:13; reference:url,tools.ietf.org/html/rfc2637; reference:url,doc.emergingthreats.net/2009387; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2009-June/002705.html; classtype:attempted-admin; sid:2009387; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Cisco IOS Self Signed Certificate Served to External Host"; flow:established,to_client; content:"IOS-Self-Signed-Certificate-"; classtype:misc-activity; sid:2014617; rev:2; metadata:created_at 2012_04_19, updated_at 2012_04_19;)

alert http $HOME_NET any -> $HOME_NET any (msg:"ET POLICY Dlink Soho Router Config Page Access Attempt"; flow:established,to_server; content:"/dlink/hwiz.html"; http_uri; reference:url,doc.emergingthreats.net/2008942; classtype:attempted-admin; sid:2008942; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Internal Host Getting External IP Address - ip2city.asp"; flow:established,to_server; content:"/ip2city.asp"; http_uri; classtype:misc-activity; sid:2014761; rev:2; metadata:created_at 2012_05_17, updated_at 2012_05_17;)

alert http any any -> $HOME_NET any (msg:"ET POLICY SN and CN From MS TS Revoked Cert Chain Seen"; flow:established,from_server; content:"|c1 00 8b 3c 3c 88 11 d1 3e f6 63 ec df 40|"; content:"Microsoft Root Authority"; distance:105; within:24; content:"Microsoft Enforced Licensing Intermediate PCA"; distance:0; content:"|61 1a 02 b7 00 02 00 00 00 12|"; distance:0; content:"Microsoft Enforced Licensing Registration Authority CA"; distance:378; within:54; reference:url,blog.crysys.hu/2012/06/the-flame-malware-wusetupv-exe-certificate-chain/; reference:url,rmhrisk.wpengine.com/?p=52; reference:url,msdn.microsoft.com/en-us/library/aa448396.aspx; reference:md5,1f61d280067e2564999cac20e386041c; classtype:bad-unknown; sid:2014870; rev:4; metadata:created_at 2012_06_08, updated_at 2012_06_08;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Microsoft user-agent automated process response to automated request"; flow:established,from_server; content:"<p>Your current User-Agent string appears to be from an automated process,"; classtype:trojan-activity; sid:2012692; rev:6; metadata:created_at 2011_04_19, updated_at 2011_04_19;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Exchange 2003 OWA plain-text E-Mail message access not SSL"; flow:established,from_server; content:"var g_szURL = |22|http|3a 2f 2f|"; content:"var g_szFolder = |22|";  content:"varg_szVirtualRoot = |22|http|3a 2f 2f|"; content:"Microsoft Corporation."; reference:url,support.microsoft.com/kb/321832; classtype:web-application-activity; sid:2010030; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Java Url Lib User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"Java/"; nocase; http_header; pcre:"/^User-Agent\:[^\n]+Java\/\d\.\d/Hmi"; reference:url,www.mozilla.org/docs/netlib/seealso/netmods.html; reference:url,doc.emergingthreats.net/2002946; classtype:attempted-recon; sid:2002946; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY DynDNS CheckIp External IP Address Server Response"; flow:established,to_client; content:"Server|3A 20|DynDNS-CheckIP/"; http_header; classtype:bad-unknown; sid:2014932; rev:2; metadata:created_at 2012_06_21, updated_at 2012_06_21;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)"; flow:established,to_client; dsize:>19; content:"|16 03 01|"; depth:3; content:".storage.msn.com"; nocase; distance:0; reference:url,skydrive.live.com; classtype:policy-violation; sid:2014919; rev:3; metadata:created_at 2012_06_18, updated_at 2012_06_18;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)"; flow:established,to_client; dsize:>20; content:"|16 03 01|"; depth:3; content:".storage.live.com"; nocase; reference:url,skydrive.live.com; classtype:policy-violation; sid:2014920; rev:3; metadata:created_at 2012_06_18, updated_at 2012_06_18;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Proxy Connection detected"; flow:established; content:"Proxy-Connection|3a| "; http_header; reference:url,doc.emergingthreats.net/2001449; classtype:attempted-user; sid:2001449; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SUSPICIOUS *.doc.exe in HTTP HEADER"; flow:from_server,established; content:"Content-Disposition|3a| attachment|3b| filename="; nocase; http_header; content:".doc.exe"; nocase; distance:0; fast_pattern; http_header; metadata: former_category POLICY; classtype:bad-unknown; sid:2013477; rev:9; metadata:created_at 2011_08_26, updated_at 2011_08_26;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SUSPICIOUS *.pdf.exe in HTTP HEADER"; flow:from_server,established; content:"Content-Disposition|3a| attachment|3b| filename="; nocase; http_header; content:".pdf.exe"; nocase; distance:0; fast_pattern; http_header; metadata: former_category POLICY; classtype:bad-unknown; sid:2013478; rev:8; metadata:created_at 2011_08_26, updated_at 2011_08_26;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Spyware.Agent.elbb lava.cn Game Exe Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/LavaGame_"; nocase; http_uri; content:".exe"; nocase; http_uri; reference:url,securelist.com/en/descriptions/17601150/Trojan-Dropper.Win32.Agent.elbb?print_mode=1; reference:md5,c2b4f8abc742bf048f3856525c1b2800; reference:md5,4937dc6e111996dbe331327e7e9a4a12; reference:url,www.amada.abuse.ch/?search=download.lava.cn; classtype:trojan-activity; sid:2014059; rev:7; metadata:created_at 2012_01_02, updated_at 2012_01_02;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Geo Location IP info online service (geoiptool.com)"; flow:established,to_server; content:"GET"; http_method; urilen:1; content:"/"; http_uri; content:"Host|3A| "; http_header; content:"geoiptool.com|0d 0a|"; within:20; http_header; reference:md5,04f02d7fea812ef78d2340015c5d768e; classtype:policy-violation; sid:2015500; rev:3; metadata:created_at 2012_07_20, updated_at 2012_07_20;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Msnbot Crawl"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"msnbot"; nocase; http_header; distance:0; threshold: type both, track by_src, count 10, seconds 60; reference:url,search.msn.com/msnbot.htm; reference:url,doc.emergingthreats.net/2002831; classtype:attempted-recon; sid:2002831; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL POLICY VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; classtype:misc-activity; sid:2100560; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert udp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"GPL POLICY AFS access"; content:"|00 00 03 E7 00 00 00 00 00 00 00|e|00 00 00 00 00 00 00 00 0D 05 00 00 00 00 00 00 00|"; fast_pattern:only; reference:nessus,10441; classtype:misc-activity; sid:2101504; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL POLICY Windows Media download"; flow:from_server,established; content:"Content-Type|3A|"; nocase; http_header; pcre:"/^Content-Type\x3a\s*(?=[av])(video\/x\-ms\-(w[vm]x|asf)|a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))/Hi"; classtype:policy-violation; sid:2101437; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"GPL POLICY PCAnywhere Attempted Administrator Login"; flow:to_server,established; content:"ADMINISTRATOR"; classtype:attempted-admin; sid:2100507; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY CNET TechTracker Software Manager request"; flow:established,to_server; content:"GET"; http_method; content:"/rest/"; http_uri; content:"Report?"; http_uri; fast_pattern; content:"Id="; http_uri; content:!"User-Agent: "; http_header; content:!"Referer: "; http_header; reference:url,www.cnet.com/techtracker-free/; classtype:policy-violation; sid:2013454; rev:3; metadata:created_at 2011_08_23, updated_at 2011_08_23;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (Win exe under 128)"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_test:4,<,128,58,relative,little; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/2009033; classtype:policy-violation; sid:2009033; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 160)"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_test:4,=,160,58,relative,little; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/2009034; classtype:policy-violation; sid:2009034; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 512)"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_test:4,=,512,58,relative,little; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/2009035; classtype:policy-violation; sid:2009035; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Binary Download Smaller than 1 MB Likely Hostile"; flow:established,from_server;  content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; pcre:"/\x0d\x0aContent-Length\x3a \d{0,6}\x0d\x0a/"; reference:url,doc.emergingthreats.net/2007671; classtype:policy-violation; sid:2007671; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY DRIVEBY Generic - EXE Download by Java"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable;  flowbits:isset,ET.http.javaclient; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; metadata: former_category POLICY; classtype:trojan-activity; sid:2014471; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Informational, created_at 2012_04_04, updated_at 2017_10_12;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Java EXE Download"; flowbits:isset,ET.http.javaclient; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2013037; rev:7; metadata:created_at 2011_06_16, updated_at 2011_06_16;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable served from Amazon S3"; flow:established,to_client; content:"|0d 0a|Server|3A| AmazonS3"; content:"|0d 0a 0d 0a|MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,blog.trendmicro.com/cybercriminals-using-amazon-web-services-aws-to-host-malware/; reference:url,www.securelist.com/en/blog/208188099/Financial_data_stealing_Malware_now_on_Amazon_Web_Services_Cloud; classtype:bad-unknown; sid:2013414; rev:10; metadata:created_at 2011_08_16, updated_at 2011_08_16;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable Download From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; content:"|0d 0a 0d 0a|MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2012524; rev:7; metadata:created_at 2011_03_21, updated_at 2011_03_21;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable Download From Russian Content-Language Website"; flow:established,to_client; content:"|0d 0a|Content-Language|3A| ru"; nocase; content:"|0d 0a 0d 0a|MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2012523; rev:8; metadata:created_at 2011_03_21, updated_at 2011_03_21;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Windows Executable WriteProcessMemory"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"WriteProcessMemory"; nocase; metadata: former_category POLICY; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015588; rev:5; metadata:created_at 2012_08_07, updated_at 2012_08_07;)

alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"ET POLICY DNS Update From External net"; byte_test:1,!&,128,2; byte_test:1,!&,64,2; byte_test:1,&,32,2; byte_test:1,!&,16,2; byte_test:1,&,8,2; reference:url,doc.emergingthreats.net/2009702; classtype:policy-violation; sid:2009702; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY iTunes User Agent"; flow:established,to_server; content:"iTunes"; nocase; http_user_agent; depth:6; threshold: type limit, count 1, seconds 360, track by_src; reference:url,hcsoftware.sourceforge.net/jason-rohrer/itms4all/; reference:url,doc.emergingthreats.net/2002878; classtype:policy-violation; sid:2002878; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Norton Update User-Agent (Install Stub)"; flow:to_server,established; content:"Install Stub"; http_user_agent; depth:12; content:"stats.norton.com|0d 0a|"; http_header; reference:url,threatexpert.com/reports.aspx?find=stats.norton.com; classtype:trojan-activity; sid:2013882; rev:5; metadata:created_at 2011_11_08, updated_at 2011_11_08;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY MOBILE Apple device leaking UDID from SpringBoard"; flow:established,to_server; content:" CFNetwork/"; http_user_agent; content:" Darwin/"; http_user_agent; content:"UDID"; nocase; http_client_body; pcre:"/[0-9a-f]{40}[^0-9a-f]/P"; metadata: former_category POLICY; reference:url,www.innerfence.com/howto/find-iphone-unique-device-identifier-udid; reference:url,support.apple.com/kb/HT4061; classtype:attempted-recon; sid:2013289; rev:6; metadata:created_at 2011_07_19, updated_at 2017_07_11;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY curl User-Agent Outbound"; flow:established,to_server; content:"curl/"; nocase; http_user_agent; depth:5; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013028; rev:4; metadata:created_at 2011_06_14, updated_at 2011_06_14;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow:to_server,established; content:"Wise"; http_user_agent; depth:4; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; reference:url,doc.emergingthreats.net/2002167; classtype:trojan-activity; sid:2002167; rev:18; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management"; flow:established,to_server; content:"|20|yum|2F|"; http_user_agent; threshold: type limit, track by_src, count 1, seconds 300; reference:url,www.phy.duke.edu/~rgb/General/yum_HOWTO/yum_HOWTO/; classtype:policy-violation; sid:2013505; rev:3; metadata:created_at 2011_09_01, updated_at 2011_09_01;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET POLICY Proxy TRACE Request - inbound"; flow: to_server,established; content:"TRACE"; nocase; http_method; reference:url,doc.emergingthreats.net/2010766; classtype:bad-unknown; sid:2010766; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY AOL Toolbar User-Agent (AOLToolbar)"; flow:to_server,established; content:"AOLToolbar"; http_user_agent; depth:10; reference:url,doc.emergingthreats.net/bin/view/Main/2003469; classtype:policy-violation; sid:2003469; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET POLICY ApacheBenchmark Tool User-Agent Detected"; flow:to_server,established; content:"ApacheBench"; http_user_agent; depth:15; nocase; threshold: type limit, count 1, seconds 60, track by_src; reference:url,httpd.apache.org/docs/2.0/programs/ab.html/; reference:url,doc.emergingthreats.net/2010725; classtype:attempted-recon; sid:2010725; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Boitho.com Distributed Crawler in use - User-Agent (boitho.com-dc)"; flow:to_server,established; content:"boitho.com"; http_user_agent; nocase; depth:10; reference:url,doc.emergingthreats.net/bin/view/Main/2003653; classtype:trojan-activity; sid:2003653; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Carbonite.com Backup Software User-Agent (Carbonite Installer)"; flow:established,to_server; content:"Carbonite Installer"; http_user_agent; nocase; depth:19; reference:url,doc.emergingthreats.net/2009801; classtype:policy-violation; sid:2009801; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Gteko User-Agent Detected - Dell Remote Access"; flow:established,to_server; content:"Windows 98"; http_user_agent; content:"GtekClient"; fast_pattern; http_user_agent; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; sid:2008037; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Eurobarre.us Setup User-Agent"; flow:established,to_server; content:"eurobarre "; http_user_agent; nocase; depth:10; reference:url,doc.emergingthreats.net/2008336; classtype:policy-violation; sid:2008336; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY User-Agent Recuva (Recuva)"; flow:to_server,established; content:"Recuva"; http_user_agent; depth:6; reference:url,doc.emergingthreats.net/2011090; reference:url,www.piriform.com/; classtype:trojan-activity; sid:2011090; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY VMware User-Agent Outbound"; flow:established,to_server; content:"vmware"; http_user_agent; depth:6; reference:url,www.vmware.com; classtype:policy-violation; sid:2013749; rev:5; metadata:created_at 2011_10_11, updated_at 2011_10_11;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY BingBar ToolBar User-Agent (BingBar)"; flow:established,to_server; content:"BingBar"; http_user_agent; depth:7; classtype:policy-violation; sid:2013715; rev:4; metadata:created_at 2011_09_30, updated_at 2011_09_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows Mobile 7.0 User-Agent detected"; flow:to_server,established; content:"ZDM/4.0|3B| Windows Mobile 7.0|3B|"; http_user_agent; depth:28; classtype:not-suspicious; sid:2013784; rev:6; metadata:created_at 2011_10_20, updated_at 2011_10_20;)

#alert http $HOME_NET any -> any any (msg:"ET POLICY Internet Explorer 6 in use - Significant Security Risk"; flow:to_server,established; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0|3b|"; http_user_agent; depth:34; threshold: type limit, track by_src, seconds 180, count 1; classtype:policy-violation; sid:2010706; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management"; flow:established,to_server; content:"APT-HTTP|2F|"; http_user_agent; reference:url,help.ubuntu.com/community/AptGet/Howto; classtype:not-suspicious; sid:2013504; rev:5; metadata:created_at 2011_08_31, updated_at 2011_08_31;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY AskSearch Toolbar Spyware User-Agent (AskTBar) 2"; flow:to_server,established; content:"AskTb"; http_user_agent; depth:5; classtype:policy-violation; sid:2015757; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2012_10_04, updated_at 2016_07_01;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Logmein.com/Join.me SSL Remote Control Access"; flow:established,from_server; content:"|16 03|"; depth:2; content:"|55 04 0a|"; distance:0; content:"|0d|LogMeIn, Inc."; distance:1; within:14; content:".app"; classtype:policy-violation; sid:2014756; rev:5; metadata:created_at 2010_10_31, updated_at 2010_10_31;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY archive.org heritix Crawler User-Agent (Outbound)"; flow:established,to_server; content:"heritrix"; http_user_agent; nocase; reference:md5,9fcbd8ebbbafdb0f64805f2c9a53fb7b; reference:url,crawler.archive.org/index.html; classtype:trojan-activity; sid:2015791; rev:4; metadata:created_at 2012_10_11, updated_at 2012_10_11;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Googlebot Crawl"; flow:established,to_server; content:"googlebot"; nocase; http_user_agent; threshold: type both, track by_src, count 10, seconds 60; reference:url,www.google.com/webmasters/bot.html; reference:url,doc.emergingthreats.net/2002829; classtype:attempted-recon; sid:2002829; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY poclbm BitCoin miner"; flow:established,to_server; content:"poclbm/"; nocase; depth:7; http_user_agent; metadata: former_category POLICY; reference:url,abcpool.co/mining-software-comparison.php; classtype:trojan-activity; sid:2016068; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, deployment Datacenter, tag Bitcoin_Miner, signature_severity Informational, created_at 2012_12_20, updated_at 2017_10_12;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY trymedia.com User-Agent (Macrovision_DM)"; flow:established,to_server; content:"Macrovision_DM"; http_user_agent; content:"trymedia.com|0d 0a|"; http_header; pcre:"/Host\x3a.+trymedia\.com\r$/Hm"; reference:url,doc.emergingthreats.net/2009445; classtype:trojan-activity; sid:2009446; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY POSSIBLE Crawl using Fetch"; flow:established,to_server; content:"fetch"; depth:50; nocase; http_user_agent; threshold: type both, track by_src, count 10, seconds 60; reference:url,gobsd.com/code/freebsd/lib/libfetch; reference:url,doc.emergingthreats.net/2002827; classtype:attempted-recon; sid:2002827; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY User Agent Ryeol HTTP Client Class"; flow:established,to_server; content:"Ryeol HTTP Client Class"; http_user_agent; classtype:trojan-activity; sid:2013387; rev:4; metadata:created_at 2011_08_10, updated_at 2011_08_10;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Bitcoin Mining Extensions Header"; flow:to_server,established; content:"POST"; http_method; content:"X-Mining-Extensions|3a|"; http_header; metadata: former_category POLICY; classtype:policy-violation; sid:2016758; rev:4; metadata:created_at 2013_04_16, updated_at 2013_04_16;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Kindle Fire Browser User-Agent Outbound"; flow:from_client,established; content:"|3b| Silk/"; http_user_agent; pcre:"/Silk\/\d+\.\d/V"; reference:url,www.amazon.com/gp/product/B0051VVOB2%23silk; classtype:policy-violation; sid:2014095; rev:4; metadata:created_at 2012_01_04, updated_at 2012_01_04;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Logmein.com Host List Download"; flow:established,to_server; content:"GET"; http_method; content:"/myrahost/list.aspx?"; nocase; http_uri; reference:url,doc.emergingthreats.net/2007765; classtype:policy-violation; sid:2007765; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY NSISDL Iplookup.php IPCheck"; flow:established,to_server; content:"/iplookup.php"; http_uri; fast_pattern; content:"NSISDL/1.2 (Mozilla)"; http_user_agent; classtype:policy-violation; sid:2016744; rev:5; metadata:created_at 2013_04_09, updated_at 2013_04_09;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Android Dalvik Executable File Download"; flow:established,to_client; file_data; content:"dex|0A|"; within:4; reference:url,source.android.com/tech/dalvik/dex-format.html; classtype:policy-violation; sid:2016856; rev:2; metadata:created_at 2013_05_15, updated_at 2013_05_15;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 2."; flow:to_server,established; content:" MSIE 2."; http_user_agent; nocase; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016873; rev:5; metadata:created_at 2013_05_20, updated_at 2013_05_20;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 3."; flow:to_server,established; content:" MSIE 3."; http_user_agent; nocase; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016872; rev:4; metadata:created_at 2013_05_20, updated_at 2013_05_20;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake FireFox Version 0."; flow:to_server,established; content:" Firefox/0."; http_user_agent; nocase; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016875; rev:4; metadata:created_at 2013_05_20, updated_at 2013_05_20;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake FireFox Version 1."; flow:to_server,established; content:" Firefox/1."; http_user_agent; nocase; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016876; rev:4; metadata:created_at 2013_05_20, updated_at 2013_05_20;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake FireFox Version 2."; flow:to_server,established; content:" Firefox/2."; http_user_agent; nocase; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016877; rev:4; metadata:created_at 2013_05_20, updated_at 2013_05_20;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Windows NT Version 4."; flow:to_server,established; content:" Windows NT 4."; http_user_agent; nocase; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016878; rev:4; metadata:created_at 2013_05_20, updated_at 2013_05_20;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Windows NT Version 5.0"; flow:to_server,established; content:" Windows NT 5.0"; http_user_agent; nocase; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016879; rev:4; metadata:created_at 2013_05_20, updated_at 2013_05_20;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 1."; flow:to_server,established; content:" MSIE 1."; http_user_agent; nocase; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016874; rev:4; metadata:created_at 2013_05_20, updated_at 2013_05_20;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY DropBox User Content Access over SSL"; flow:established,from_server; content:"|55 04 03|"; content:"|18|*.dropboxusercontent.com"; nocase; distance:1; within:25; reference:url,www.dropbox.com/help/201/en; classtype:policy-violation; sid:2017015; rev:6; metadata:created_at 2013_06_13, updated_at 2013_06_13;)

#alert ip $HOME_NET any -> 1.1.1.0/24 any (msg:"ET POLICY Connection to previously unallocated address space 1.1.1.0/24"; threshold:type limit,track by_src,seconds 3600,count 1; metadata: former_category POLICY; classtype:trojan-activity; sid:2017000; rev:3; metadata:created_at 2013_06_10, updated_at 2018_04_24;)

#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET POLICY JBOSS/JMX port 80 access from outside"; flow:established,to_server; content:"GET"; http_method; content:"/jmx-console"; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 60; reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; reference:url,doc.emergingthreats.net/2010377; classtype:web-application-attack; sid:2010377; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Baidu.com Related Agent User-Agent (iexp)"; flow:to_server,established; content:"User-Agent|3a| iexp|0d 0a|"; http_header; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/2003608; classtype:trojan-activity; sid:2003608; rev:12; metadata:created_at 2010_07_30, updated_at 2017_04_21;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Android.Plankton/Tonclank Successful Installation Device Information POST"; flow:established,to_server; content:"POST"; http_method; content:"/ProtocolGW/protocol/"; nocase; http_uri;  pcre:"/(?:(?:command(?:statu)?|bookmark|shortcut)s|h(?:omepage|istory)|eula(?:status)?|installation|activate|dumplog)/Ui"; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013042; rev:6; metadata:created_at 2011_06_16, updated_at 2011_06_16;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Java Client HTTP Request"; flow:established,to_server; content:"Java/1."; http_user_agent; flowbits:set,ET.http.javaclient; flowbits:noalert; classtype:misc-activity; sid:2013035; rev:3; metadata:created_at 2011_06_16, updated_at 2011_06_16;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Pirate Browser Download"; flow:established,to_server; content:"/PirateBrowser"; http_uri; content:".exe"; http_uri; reference:url,piratebrowser.com; classtype:policy-violation; sid:2017329; rev:2; metadata:created_at 2013_08_14, updated_at 2013_08_14;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY CNET TechTracker User-Agent (CNET TechTracker)"; flow:established,to_server; content:"CNET TechTracker"; http_user_agent; reference:url,www.cnet.com/techtracker-free/; classtype:policy-violation; sid:2014574; rev:4; metadata:created_at 2012_04_16, updated_at 2012_04_16;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Outbound HTTP Connection From Cisco IOS Device"; flow:established,to_server; content:"cisco-IOS"; http_user_agent; nocase; classtype:misc-activity; sid:2014201; rev:3; metadata:created_at 2012_02_07, updated_at 2012_02_07;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY exe download via HTTP - Informational"; flow:established,to_server; content:".exe"; http_uri; nocase; content:"GET"; http_method; nocase; pcre:"/\.exe\b/Ui"; reference:url,doc.emergingthreats.net/2003595; classtype:policy-violation; sid:2003595; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY POSSIBLE Web Crawl using Wget"; flow:established,to_server; content:"Wget"; nocase; http_user_agent; threshold: type both, track by_src, count 10, seconds 60; reference:url,www.gnu.org/software/wget/; reference:url,doc.emergingthreats.net/2002823; classtype:attempted-recon; sid:2002823; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"SomeOrganizationalUnit"; metadata: former_category POLICY; classtype:policy-violation; sid:2013659; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Informational, created_at 2011_09_15, updated_at 2017_10_12;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Initial Connection Server Response"; flow:established,to_client; content:"|22|result|22 3A| [[|22|mining.notify|22|"; depth:120; metadata: former_category COINMINER; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,www.btcguild.com/new_protocol.php; reference:url,mining.bitcoin.cz/stratum-mining; classtype:trojan-activity; sid:2017872; rev:2; metadata:created_at 2013_12_16, updated_at 2013_12_16;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Work Server Response"; flow:established,to_client; content:"|22|params|22 3A| [|22|"; depth:120; content:"|22|method|22 3A| |22|mining.notify|22|"; distance:0; metadata: former_category COINMINER; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,www.btcguild.com/new_protocol.php; reference:url,mining.bitcoin.cz/stratum-mining; classtype:trojan-activity; sid:2017873; rev:3; metadata:created_at 2013_12_16, updated_at 2013_12_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY W32/BitCoinMiner.MultiThreat Getblocktemplate Protocol Server Connection"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3A| |22|getblocktemplate|22|"; within:40; metadata: former_category COINMINER; reference:url,en.bitcoin.it/wiki/Getblocktemplate; classtype:trojan-activity; sid:2017878; rev:3; metadata:created_at 2013_12_17, updated_at 2013_12_17;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY W32/BitCoinMiner.MultiThreat Getblocktemplate Protocol Server Coinbasetxn Begin Mining Response"; flow:established,to_client; content:"|22|result|22 3A| {"; depth:50; content:"|22|coinbasetxn|22 3A| {"; within:30; content:"|22|data|22 3A| |22|"; within:30; metadata: former_category COINMINER; reference:url,en.bitcoin.it/wiki/Getblocktemplate; classtype:trojan-activity; sid:2017879; rev:3; metadata:created_at 2013_12_17, updated_at 2013_12_17;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Google Desktop User-Agent Detected"; flow:to_server,established; content:"(compatible|3b| Google Desktop)"; http_user_agent; fast_pattern:13,15; nocase; threshold: type limit, count 1, seconds 360, track by_src; reference:url,news.com.com/2100-1032_3-6038197.html; reference:url,doc.emergingthreats.net/2002801; classtype:policy-violation; sid:2002801; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile"; flow:established,to_server; content:"AutoIt"; http_user_agent; depth:6; flowbits:set,ET.autoit.ua; reference:url,doc.emergingthreats.net/bin/view/Main/2008350; classtype:policy-violation; sid:2008350; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY bridges.torproject.org over TLS with SNI"; flow:established,to_server; content:"|00 16|bridges.torproject.org"; nocase; reference:url,www.torproject.org/docs/bridges.html.en; classtype:policy-violation; sid:2017929; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Bitcoin Mining Server Stratum Protocol HTTP Header"; flow:established,to_client; content:"X-Stratum|3A|"; http_header; metadata: former_category POLICY; reference:url,www.anubisnetworks.com/unknowndga17-the-mevade-connection/; classtype:policy-violation; sid:2017960; rev:2; metadata:created_at 2014_01_11, updated_at 2014_01_11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 8080: (msg:"ET POLICY PrimeCoinMiner.Protominer"; flow:established,to_server; content:"|01 27 00 00 05 00 00 00 09|"; depth:9; content:"node"; nocase; distance:0; within:4; content:"Protominer"; distance:14; within:10; metadata: former_category COINMINER; reference:md5,4cab48eec2b882ec33db2e2a13ecffe6; classtype:policy-violation; sid:2018014; rev:1; metadata:created_at 2014_01_27, updated_at 2014_01_27;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY LoJack asset recovery/tracking - not malicious"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"TagId|3a 20|"; http_header; fast_pattern; content:".namequery.com|0d 0a|"; http_header; threshold: type limit, count 2, seconds 300, track by_src; reference:url,www.absolute.com/en/lojackforlaptops/home.aspx; classtype:attempted-recon; sid:2012689; rev:6; metadata:created_at 2011_04_14, updated_at 2011_04_14;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY InstallIQ Updater Software request"; flow:to_server,established; content:"/api/detectionrequest.aspx?keyid=1&shortname="; http_uri; content:"&langid="; http_uri; content:".installiq.com|0d 0a|"; http_header; classtype:policy-violation; sid:2018222; rev:3; metadata:created_at 2012_02_13, updated_at 2012_02_13;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY fetch User Agent"; flow:established,to_server; content:"fetch"; nocase; http_user_agent; reference:url,gobsd.com/code/freebsd/lib/libfetch; reference:url,doc.emergingthreats.net/2002826; classtype:attempted-recon; sid:2002826; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY SUSPICIOUS OVH Shared Host SSL Certificate (Observed In Use by Some Trojans)"; flow:established,to_client; content:"|55 04 03|"; byte_test:1,>,11,1,relative; byte_test:1,<,14,1,relative; content:"ssl"; distance:2; within:3; pcre:"/^\d{1,2}/R"; content:".ovh.net"; within:8; metadata: former_category POLICY; reference:url,help.ovh.co.uk/SslOnHosting; reference:md5,63079a2471fc18323f355ec28f36303c; reference:md5,20b1c30ef1f5dae656529b277e5b73fb; classtype:bad-unknown; sid:2018364; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_04_04, updated_at 2016_07_01;)

#alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Setup Response"; flowbits:isset,BE.Radmin.Challenge; flow:established,from_server; dsize:<50; content:"|01 00 00 00 25 00 00 02 12 08 02 00 00 0a 00 00 00 00 00 00|"; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003480; classtype:not-suspicious; sid:2003480; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 31 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; threshold:type limit, track by_src,count 1, seconds 30; reference:url,doc.emergingthreats.net/2008744; classtype:policy-violation; sid:2008744; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 32 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; threshold:type limit, track by_src,count 1, seconds 30; reference:url,doc.emergingthreats.net/2008745; classtype:policy-violation; sid:2008745; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 33 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; threshold:type limit, track by_src,count 1, seconds 30; reference:url,doc.emergingthreats.net/2008746; classtype:policy-violation; sid:2008746; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 34 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; threshold:type limit, track by_src,count 1, seconds 30; reference:url,doc.emergingthreats.net/2008747; classtype:policy-violation; sid:2008747; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 35 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; threshold:type limit, track by_src,count 3, seconds 30; reference:url,doc.emergingthreats.net/2008748; classtype:policy-violation; sid:2008748; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 4899 (msg:"ET POLICY Radmin Remote Control Session Setup Initiate OUTBOUND"; flow:to_server,established; dsize:10; content:"|01 00 00 00 01 00 00 00 08 08|"; depth:10; classtype:policy-violation; sid:2019101; rev:2; metadata:created_at 2014_09_02, updated_at 2014_09_02;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup"; flow:established,to_server; content:"GET"; http_method; content:"/iplookup/iplookup.php?format="; http_uri; fast_pattern:10,20; metadata: former_category POLICY; reference:md5,6096ace9002792e625a0cdb6aec3f379; classtype:policy-violation; sid:2019126; rev:2; metadata:created_at 2014_09_05, updated_at 2014_09_05;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY request for hide-my-ip.com autoupdate"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/auto_update/HideMyIP/update.dat"; http_uri; nocase; classtype:policy-violation; sid:2011311; rev:5; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY hide-my-ip.com POST version check"; flow:to_server,established; content:"POST"; nocase; http_method; content:"Host|3A|"; nocase; http_header; content:"hide|2d|my|2d|ip|2e|com"; nocase; within:20; http_header; content:"cmd|3d|"; nocase; content:"ver|3d|"; nocase; content:"hcode|3d|"; nocase; content:"product|3d|"; nocase; content:"year|3d|"; nocase; content:"xhcode|3d|"; nocase; metadata: former_category POLICY; classtype:policy-violation; sid:2011312; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.cz.cc domain"; flow:to_server,established; content:".cz.cc|0D 0A|"; http_header; classtype:bad-unknown; sid:2011375; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.cx.cc domain"; flow: to_server,established; content:".cx.cc|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2012321; rev:3; metadata:created_at 2011_02_18, updated_at 2011_02_18;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.gv.vg domain"; flow:established,to_server; content:".gv.vg|0d 0a|"; http_header; classtype:bad-unknown; sid:2012542; rev:5; metadata:created_at 2011_03_24, updated_at 2011_03_24;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.ce.ms domain"; flow:established,to_server; content:".ce.ms|0d 0a|"; http_header; classtype:bad-unknown; sid:2012593; rev:5; metadata:created_at 2011_03_29, updated_at 2011_03_29;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.cw.cm domain"; flow:established,to_server; content:".cw.cm|0d 0a|"; http_header; classtype:bad-unknown; sid:2012737; rev:4; metadata:created_at 2011_04_28, updated_at 2011_04_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.ae.am domain"; flow:to_server,established; content:".ae.am|0d 0a|"; http_header; classtype:bad-unknown; sid:2012896; rev:3; metadata:created_at 2011_05_31, updated_at 2011_05_31;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.noc.su domain"; flow:to_server,established; content:".noc.su|0d 0a|"; http_header; classtype:bad-unknown; sid:2012897; rev:3; metadata:created_at 2011_05_31, updated_at 2011_05_31;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.be.ma domain"; flow:to_server,established; content:".be.ma|0d 0a|"; http_header; classtype:bad-unknown; sid:2012898; rev:3; metadata:created_at 2011_05_31, updated_at 2011_05_31;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.qc.cx domain"; flow:to_server,established; content:".qc.cx|0d 0a|"; http_header; classtype:bad-unknown; sid:2012899; rev:3; metadata:created_at 2011_05_31, updated_at 2011_05_31;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to Illegal Drug Sales Site (SilkRoad)"; flow:established,to_server; content:"ianxz6zefk72ulzz.onion|0d 0a|"; http_header; nocase; classtype:policy-violation; sid:2013015; rev:3; metadata:created_at 2011_06_13, updated_at 2011_06_13;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.co.be domain"; flow: to_server,established; content:".co.be|0D 0A|"; http_header; classtype:bad-unknown; sid:2013123; rev:5; metadata:created_at 2011_06_28, updated_at 2011_06_28;)

alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (HEAD)"; flow:to_server,established; content:"HEAD"; http_method; classtype:bad-unknown; sid:2013927; rev:4; metadata:created_at 2011_11_17, updated_at 2011_11_17;)

alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (PROPFIND)"; flow:to_server,established; content:"PROPFIND"; http_method; classtype:bad-unknown; sid:2013928; rev:4; metadata:created_at 2011_11_17, updated_at 2011_11_17;)

alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (POST)"; flow:to_server,established; content:"POST"; http_method; content:!".etrade.com|3a|443|0d 0a|"; http_header; classtype:bad-unknown; sid:2013926; rev:8; metadata:created_at 2011_11_17, updated_at 2011_11_17;)

alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (DELETE)"; flow:to_server,established; content:"DELETE"; http_method; classtype:bad-unknown; sid:2013931; rev:3; metadata:created_at 2011_11_17, updated_at 2011_11_17;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY 2Downloadz.com File Sharing User-Agent"; flow:established,to_server; content:"2Downloadz.com Agent"; depth:20; http_user_agent; classtype:policy-violation; sid:2019366; rev:3; metadata:created_at 2014_10_08, updated_at 2014_10_08;)

alert udp $HOME_NET any -> $EXTERNAL_NET 3653 (msg:"ET POLICY gogo6/Freenet6 Authentication Attempt"; content:"AUTHENTICATE|20|"; offset:8; pcre:"/^(?:ANONYMOUS|PASSDSS-3DES-1)\r\n/R"; threshold: type both, count 1, seconds 60, track by_src; classtype:policy-violation; sid:2019383; rev:1; metadata:created_at 2014_10_09, updated_at 2014_10_09;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SSL Certificate IRC GEEKS Likely Encrypted IRC or CnC"; flow:established,from_server; content:"|16 03 00|"; content:"|0b|"; within:7; content:"|13 09|IRC geeks"; distance:0; metadata: former_category POLICY; classtype:misc-activity; sid:2019387; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Informational, created_at 2014_10_10, updated_at 2017_10_12;)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY ASProtect/ASPack Packed Binary"; flow:from_server,established; flowbits:isnotset,ET.http.binary; content:"|2E 61 73 70 61 63 6B|"; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,www.aspack.com/downloads.aspx; reference:url,bits.packetninjas.org/eblog/; reference:url,doc.emergingthreats.net/2008575; classtype:trojan-activity; sid:2008575; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert tcp $EXTERNAL_NET [443,465,993,995,25] -> $HOME_NET any (msg:"ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack"; flow:established,from_server; ssl_version:sslv3; ssl_state:server_hello; content:"|16 03 00|"; depth:3; threshold: type limit, track by_src, seconds 300, count 1; reference:cve,2014-3566; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019416; rev:3; metadata:created_at 2014_10_15, updated_at 2014_10_15;)

alert tcp $HOME_NET [443,465,993,995,25] -> any any (msg:"ET POLICY SSLv3 inbound connection to server vulnerable to POODLE attack"; flow:established,to_client; ssl_version:sslv3; ssl_state:server_hello; content:"|16 03 00|"; depth:3; threshold: type limit, track by_src, seconds 300, count 1; reference:cve,2014-3566; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:cve,2014-3566; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019415; rev:3; metadata:created_at 2014_10_15, updated_at 2014_10_15;)

#alert udp any any -> any 53 (msg:"GPL POLICY MISC Tunneling IP over DNS with NSTX"; byte_test: 1,>,32,12; content: "|00 10 00 01|"; offset: 12; rawbytes; threshold: type threshold, track by_src, count 50, seconds 60; reference:url,nstx.dereference.de/nstx/; reference:url,slashdot.org/articles/00/09/10/2230242.shtml; classtype:policy-violation; sid:2100208; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoOpen Macro Via smtp"; flow:established,to_server; content:"QQB1AHQAbwBPAHAAZQBu"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019615; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)

alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoOpen Macro Via smtp"; flow:established,to_server; content:"EAdQB0AG8ATwBwAGUAb"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019616; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)

alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoOpen Macro Via smtp"; flow:established,to_server; content:"BAHUAdABvAE8AcABlAG"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019617; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)

alert http $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoExec Macro Via smtp"; flow:established,to_server; content:"QQB1AHQAbwBFAHgAZQBj"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019618; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)

alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET POLICY Office Document Containing AutoExec Macro Via smtp"; flow:established,to_server; content:"EAdQB0AG8ARQB4AGUAY"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019619; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)

alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoExec Macro Via smtp"; flow:established,to_server; content:"BAHUAdABvAEUAeABlAG"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019620; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Cryptexplorer API Check - Potential CoinMiner Traffic"; flow:established,to_server; content:"/api/"; http_uri; content:"coin/balance/"; http_uri; pcre:"/^\x2Fapi\x2F(bit|lite)coin\x2Fbalance\x2F/U"; metadata: former_category COINMINER; reference:md5,8e29a15caef546aab0f19a9a81732163; classtype:policy-violation; sid:2019825; rev:3; metadata:created_at 2014_12_01, updated_at 2014_12_01;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP OPTIONS invalid method case outbound"; flow:established,to_server; content:"options "; depth:8; nocase; content:!"OPTIONS "; depth:8; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014382; rev:2; metadata:created_at 2012_03_14, updated_at 2012_03_14;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 8444 (msg:"ET POLICY Bitmessage Activity"; flow:established,to_server; content:"version"; offset:4; depth:7; content:"Bitmessage|3a|"; distance:0; reference:url,bitmessage.org; classtype:policy-violation; sid:2019746; rev:2; metadata:created_at 2014_11_19, updated_at 2014_11_19;)

alert tcp any 6784 -> $HOME_NET 1024: (msg:"ET POLICY Splashtop Remote Control Session Keepalive Response"; flow:established,from_server; dsize:4; content:"|31 00|"; offset:2; depth:2; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014130; rev:2; metadata:created_at 2012_01_16, updated_at 2012_01_16;)

alert udp $EXTERNAL_NET any -> $HOME_NET 623 (msg:"ET POLICY Possible IPMI 2.0 RAKP Remote SHA1 Password Hash Retreival RAKP message 1 with default BMC usernames (Admin|root|Administrator|USERID)"; content:"|06 12|"; offset:4; depth:2; pcre:"/((\x0d|\x05)Admin(istrator)?|\x04root|\x06USERID)/Ri"; classtype:protocol-command-decode; sid:2017120; rev:2; metadata:created_at 2013_07_09, updated_at 2013_07_09;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY DivX Client SSL Connection via Self-Signed SSL Cert"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"|30 2b 06 03 55 04 03 13 24|DivX, Inc. Certificate Authority"; distance:0; metadata: former_category POLICY; classtype:policy-violation; sid:2013300; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Informational, created_at 2011_07_23, updated_at 2017_10_12;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible IP Check ip-addr.es"; flow:established,to_server; content:"GET"; http_method; content:"ip-addr.es|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+?ip-addr\.es(?:\x3a\d{1,5})?\r?$/Hmi"; reference:url,blogs.cisco.com/security/talos/cryptowall-2; classtype:trojan-activity; sid:2020105; rev:2; metadata:created_at 2015_01_07, updated_at 2015_01_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible IP Check curlmyip.com"; flow:established,to_server; content:"GET"; http_method; content:"curlmyip.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+?curlmyip\.com(?:\x3a\d{1,5})?\r?$/Hmi"; reference:url,blogs.cisco.com/security/talos/cryptowall-2; classtype:trojan-activity; sid:2020106; rev:2; metadata:created_at 2015_01_07, updated_at 2015_01_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Terse Named Filename EXE Download - Possibly Hostile"; flow:established,to_client; content:"filename="; http_header; content:".exe"; http_header; within:8; fast_pattern; pcre:"/filename\x3d[\x27\x22][a-z0-9]{1,3}\x2Eexe/Hi"; classtype:trojan-activity; sid:2020202; rev:2; metadata:created_at 2015_01_16, updated_at 2015_01_16;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY I2P Seeds File Download"; flow:established,to_client; file_data; content:"I2Psu3"; within:6; reference:url,phishme.com/dyre-attackers-shift-tactics/; classtype:policy-violation; sid:2020416; rev:2; metadata:created_at 2015_02_12, updated_at 2015_02_12;)

#alert tcp !$SMTP_SERVERS any -> !$HOME_NET 587 (msg:"ET POLICY Outbound SMTP on port 587"; flow:established; content:"mail from|3a|"; nocase; threshold: type limit, track by_src, count 1, seconds 60; reference:url,doc.emergingthreats.net/2003864; classtype:misc-activity; sid:2003864; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Pandora Usage"; flow:established,to_server; content:"POST"; http_method; content:"/radio/xmlrpc/"; http_uri; content:"pandora.com|0d 0a|"; http_header; threshold: type limit, track by_src, count 1, seconds 3600; reference:url,www.pandora.com; classtype:policy-violation; sid:2014997; rev:3; metadata:created_at 2012_07_02, updated_at 2012_07_02;)

#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 03|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020634; rev:4; metadata:created_at 2015_03_06, updated_at 2015_03_06;)

#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 06|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020635; rev:4; metadata:created_at 2015_03_06, updated_at 2015_03_06;)

#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 08|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020636; rev:4; metadata:created_at 2015_03_06, updated_at 2015_03_06;)

#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 0E|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020637; rev:4; metadata:created_at 2015_03_06, updated_at 2015_03_06;)

#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 11|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020673; rev:3; metadata:created_at 2015_03_11, updated_at 2015_03_11;)

#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 17|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020675; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)

#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 19|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020676; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)

#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 26|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020677; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)

#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 27|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020678; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)

#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 28|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020679; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)

#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 29|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020680; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)

#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 2A|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020681; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)

#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 2B|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020682; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)

#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 0B|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020672; rev:5; metadata:created_at 2015_03_11, updated_at 2015_03_11;)

#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 14|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020674; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Remote Access - RView - Host - *.rview.com"; flow:established,to_server; content:".rview.com|0D 0A|"; http_header; classtype:policy-violation; sid:2020804; rev:2; metadata:created_at 2015_03_30, updated_at 2015_03_30;)

alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Remote Access - RView - SSL Certificate Seen"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|*.rview.com"; distance:1; within:12; metadata: former_category POLICY; classtype:policy-violation; sid:2020805; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Informational, created_at 2015_03_30, updated_at 2017_10_12;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - Bravica"; flow:established,to_server; content:"POST"; http_method; content:"Host|3a 20|www.bravica.net|0d 0a|"; http_header; content:"name="; http_client_body; content:"&cmd="; http_client_body; distance:0; metadata: former_category POLICY; classtype:policy-violation; sid:2020830; rev:3; metadata:created_at 2015_04_02, updated_at 2015_04_02;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - ip-whois"; flow:established,to_server; content:"Host|3A 20|ip-whois.net|0d 0a|"; http_header; metadata: former_category POLICY; classtype:policy-violation; sid:2020831; rev:3; metadata:created_at 2015_04_02, updated_at 2015_04_02;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Nessus Vulnerability Scanner Plugins Update"; flow:to_client,established; content:"plugins.nessus.org"; content:"https|3a|//www.thawte.com/repository/index.html"; offset:432; depth:88; reference:url,www.nessus.org/nessus/; reference:url,www.nessus.org/plugins/; reference:url,doc.emergingthreats.net/2009706; classtype:policy-violation; sid:2009706; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Exe32Pack Packed Executable Download"; flow:established,to_client; file_data; content:"Packed by exe32pack"; content:"SteelBytes All rights reserved"; distance:0; reference:md5,93be88ad3816c19d74155f8cd3aae1d2; classtype:policy-violation; sid:2020914; rev:2; metadata:created_at 2015_04_15, updated_at 2015_04_15;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Petite Packed Binary Download"; flow:to_client,established; flowbits:isnotset,ET.http.binary; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|43 6F 6D 70 72 65 73 73 65 64 20 62 79 20 50 65 74 69 74 65 20 28 63 29 31 39 39 39 20 49 61 6E 20 4C 75 63 6B 2E 00 00|"; distance:-44; flowbits:set,ET.http.binary; reference:md5,fa2c0e8b486c879f4baee1d5bebdf0a2; classtype:trojan-activity; sid:2020973; rev:5; metadata:created_at 2015_04_22, updated_at 2015_04_22;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (jpg)"; flow:to_server,established; content:"POST"; http_method; content:".jpg"; http_uri; content:!"upload.wikimedia.org"; http_uri; pcre:"/\.jpg$/U"; reference:url,doc.emergingthreats.net/2010067; classtype:trojan-activity; sid:2010067; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External Timezone Check (earthtools.org)"; flow:established,to_server; content:"Host|3a 20|www.earthtools.org|0d 0a|"; http_header; fast_pattern:6,20; content:"/timezone/"; depth:10; http_uri; content:!"Referer|3a|"; http_header; classtype:policy-violation; sid:2021120; rev:2; metadata:created_at 2015_05_20, updated_at 2015_05_20;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Edwards Packed proxy.pac from 724sky"; flow:established,from_server; file_data; content:"eval(function(p,a,c"; content:"|7C|FindProxyForURL|7C|"; nocase; content:"|7c|proxy|7c|"; nocase; content:"|7c|baidu|7c|"; nocase; reference:md5,50bd21aac1f57d90c54683995ec102aa; classtype:trojan-activity; sid:2021511; rev:2; metadata:created_at 2015_07_22, updated_at 2015_07_22;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hola VPN Activity - X-Hola-* Headers"; flow:established,to_server; content:"|0d 0a|X-Hola-"; http_header; threshold:type limit,track by_src,seconds 300,count 1; classtype:policy-violation; sid:2021886; rev:2; metadata:created_at 2015_10_01, updated_at 2015_10_01;)

alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (OPTIONS)"; flow:to_server,established; content:"OPTIONS"; http_method; classtype:bad-unknown; sid:2013929; rev:5; metadata:created_at 2011_11_17, updated_at 2011_11_17;)

alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (TRACE)"; flow:to_server,established; content:"TRACE"; http_method; classtype:bad-unknown; sid:2013932; rev:4; metadata:created_at 2011_11_17, updated_at 2011_11_17;)

alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (PUT)"; flow:to_server,established; content:"PUT"; http_method; classtype:bad-unknown; sid:2013930; rev:4; metadata:created_at 2011_11_17, updated_at 2011_11_17;)

alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (CONNECT)"; flow:to_server,established; content:"CONNECT"; http_method; classtype:bad-unknown; sid:2013933; rev:4; metadata:created_at 2011_11_17, updated_at 2011_11_17;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TeamViewer Dyngate User-Agent"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| DynGate)"; http_user_agent; fast_pattern:25,17; depth:43; threshold: type limit, count 1, seconds 120, track by_src; reference:url,www.teamviewer.com/index.aspx; reference:url,doc.emergingthreats.net/2009475; classtype:policy-violation; sid:2009475; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme (fardh ain)"; flow: to_client,established; content:"fardh ain"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010578; classtype:policy-violation; sid:2010578; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme/Group (Takfir)"; flow: to_client,established; content:"Takfir"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010579; classtype:policy-violation; sid:2010579; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme (Al-Wala' Wal Bara)"; flow: to_client,established; content:"Al-Wala' Wal Bara"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010580; classtype:policy-violation; sid:2010580; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible ethereum traffic"; flow:established,to_server; content:"POST"; depth:4; content:"|22|id|22 3a|"; nocase; distance:0; content:"|22|jsonrpc|22 3a|"; nocase; distance:0; content:"|22|method|22 3a|"; nocase; distance:0; pcre:"/^[^/s]*(?:eth_(?:g(?:et(?:B(?:lock(?:TransactionCountBy(?:Number|Hash)|By(?:Number|Hash))|alance)|Transaction(?:By(?:Block(?:Number|Hash)AndIndex|Hash)|(?:Receip|Coun)t)|Uncle(?:ByBlock(?:Number|Hash)AndIndex|CountByBlock(?:Number|Hash))|(?:Filter(?:Change|Log)|Log)s|Co(?:mpilers|de)|StorageAt|Work)|asPrice)|(?:(?:new(?:PendingTransaction|Block)?|uninstall)Filt|blockNumb)er|s(?:(?:end(?:Raw)?Transactio|ig)n|ubmit(?:Hashrate|Work)|yncing)|c(?:o(?:mpile(?:S(?:olidity|erpent)|LLL)|inbase)|all)|(?:estimateGa|account)s|protocolVersion|hashrate|mining)|shh_(?:new(?:Identity|Filter|Group)|get(?:FilterChan|Messa)ges|uninstallFilter|hasIdentity|addToGroup|version|post)|db_(?:get(?:String|Hex)|put(?:String|Hex))|net_(?:listening|peerCount|version)|web3_(?:clientVersion|sha3))/R"; metadata: former_category POLICY; reference:url,github.com/ethereum/wiki/wiki/JSON-RPC; classtype:policy-violation; sid:2021983; rev:2; metadata:created_at 2015_10_20, updated_at 2015_10_20;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible BitCoin Miner User-Agent (miner)"; flow:established,to_server; content:"miner"; nocase; http_user_agent; pcre:"/miner[^a-z]/Vi"; metadata: former_category COINMINER; reference:url,abcpool.co/mining-software-comparison.php; classtype:trojan-activity; sid:2016067; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, deployment Datacenter, tag Bitcoin_Miner, signature_severity Informational, created_at 2012_12_20, updated_at 2017_10_12;)

alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"ET POLICY FOX-SRT - Juniper ScreenOS SSH World Reachable"; flow:to_client,established; content:"SSH-2.0-NetScreen"; reference:cve,2015-7755; reference:url,kb.juniper.net/JSA10713; classtype:policy-violation; sid:2022299; rev:2; metadata:created_at 2015_12_22, updated_at 2015_12_22;)

#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Lets Encrypt Free SSL Cert Observed"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; metadata: former_category POLICY; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2022218; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Informational, created_at 2015_12_03, updated_at 2017_10_12;)

#alert tcp any $SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected within Banner on Expected Port"; flow: from_server,established; flowbits:noalert; content:"SSH-"; offset:0; depth:4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; content:"|0d 0a|"; offset: 4; depth: 255; byte_test:1,=,20,5,relative; flowbits: set,is_ssh_server_banner; flowbits: set,is_ssh_server_kex; reference:url,www.proftpd.org/docs/contrib/mod_sftp.html; classtype:misc-activity; sid:2022325; rev:2; metadata:created_at 2015_12_31, updated_at 2015_12_31;)

#alert tcp any !$SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected within Banner on Unusual Port"; flow: from_server,established; flowbits:noalert; content:"SSH-"; offset:0; depth:4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; content:"|0d 0a|"; offset: 4; depth: 255; byte_test:1,=,20,5,relative; flowbits: set,is_ssh_server_banner; flowbits: set,is_ssh_server_kex; reference:url,www.proftpd.org/docs/contrib/mod_sftp.html; classtype:misc-activity; sid:2022326; rev:1; metadata:created_at 2015_12_31, updated_at 2015_12_31;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY RDP disconnect request"; flow: to_server,established; content:"|03|"; offset: 0; depth: 1; content:"|80|"; offset: 5; depth: 1; reference:url,doc.emergingthreats.net/2001331; classtype:misc-activity; sid:2001331; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY RDP connection request"; flow: to_server,established; content:"|03|"; offset: 0; depth: 1; content:"|E0|"; offset: 5; depth: 1; reference:url,doc.emergingthreats.net/2001329; classtype:misc-activity; sid:2001329; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HotSpotShield Activity"; flow:established,to_server; content:"POST"; http_method; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary=AfPr0xY|0d 0a|"; http_header; fast_pattern:35,18; content:"|2d 2d 41 66 50 72 30 78 59|"; depth:9; http_client_body; content:"|2d 2d 41 66 50 72 30 78 59 2d 2d|"; distance:0; http_client_body; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,45f4e1bb4efd12f0e8b949174a198bf3; classtype:policy-violation; sid:2022533; rev:2; metadata:created_at 2016_02_17, updated_at 2016_02_17;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Server Hello"; flow:from_server,established; content:"|04 00 01 00 02|"; offset:2; depth:5; byte_test:2,>,15,4,relative; byte_test:2,<,33,4,relative; flowbits:set,SSlv2.ServerHello; flowbits:noalert; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022583; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Client Master Key SSL2_RC4_128_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|02 01 00 80|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022584; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Client Master Key SSL2_RC2_128_CBC_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|02 03 00 80|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022585; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Client Master Key SSL2_RC2_128_CBC_EXPORT40_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|02 04 00 80|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url, drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022586; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress ClientMaster Key SSL2_IDEA_128_CBC_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|0205 00 80|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022587; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Client Master Key SSL2_DES_64_CBC_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|02 06 00 40|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022588; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PDF With Embedded File"; flow:established,to_client; file_data; content:"obj"; content:"<<"; within:4; content:"/EmbeddedFile"; distance:0; pcre:"/\x3C\x3C[^>]*\x2FEmbeddedFile/sm"; reference:url,blog.didierstevens.com/2009/07/01/embedding-and-hiding-files-in-pdf-documents/; classtype:bad-unknown; sid:2011507; rev:8; metadata:created_at 2010_09_27, updated_at 2010_09_27;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY W32/BitCoinMiner.MultiThreat Subscribe/Authorize Stratum Protocol Message"; flow:established,to_server; content:"|22|id|22 3A|"; content:"|22|method|22 3A|"; content:"|22|mining."; within:9; content:"|22|params|22|"; within:50; pcre:"/\x22mining\x2E(subscribe|authorize)\x22/"; metadata: former_category COINMINER; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,www.btcguild.com/new_protocol.php; reference:url,mining.bitcoin.cz/stratum-mining; classtype:trojan-activity; sid:2017871; rev:7; metadata:created_at 2013_12_16, updated_at 2013_12_16;)

#alert tcp $HOME_NET any -> [64.34.106.33,64.94.18.67] 12975 (msg:"ET POLICY Outbound Hamachi VPN Connection Attempt"; flags:S,12; flow:to_server; threshold:type limit, track by_src, count 1, seconds 120; reference:url,www.hamachi.cc; reference:url,doc.emergingthreats.net/2002729; classtype:policy-violation; sid:2002729; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows Quicktime User-Agent EOL With Known Bugs"; flow:established,to_server; content:"QuickTime"; http_user_agent; content:"os=Windows NT"; http_user_agent; threshold: type limit, count 1, seconds 600, track by_src; reference:url,www.us-cert.gov/ncas/alerts/TA16-105A; classtype:policy-violation; sid:2022738; rev:3; metadata:created_at 2016_04_18, updated_at 2016_04_18;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HotSpotShield Activity"; flow:established,to_server; content:"POST"; http_method; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary=AfPr0xY|0d 0a|"; http_header; fast_pattern:35,18; content:"|2d 2d 41 66 50 72 30 78 59|"; depth:9; http_client_body; content:"|2d 2d 41 66 50 72 30 78 59 2d 2d|"; distance:0; http_client_body; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,45f4e1bb4efd12f0e8b949174a198bf3; classtype:policy-violation; sid:2022342; rev:3; metadata:created_at 2016_01_07, updated_at 2016_01_07;)

alert tcp $HOME_NET any -> any !6666:7000 (msg:"ET POLICY IRC DCC file transfer request on non-std port"; flow:to_server,established; content:"PRIVMSG "; depth:8; content:" |3a|.DCC SEND"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000349; classtype:non-standard-protocol; sid:2000349; rev:13; metadata:created_at 2010_07_30, updated_at 2016_05_12;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible SQLi Attempt in User Agent (Outbound)"; flow:established,from_client; content:"User-Agent|3a 20|"; http_header; content:"select"; nocase; distance:0; fast_pattern; http_header; content:"from"; nocase; http_header; within:20; pcre:"/User-Agent\x3a\x20[^\r\n]+select[^\r\n]+from/Hi"; reference:url,blog.cloudflare.com/the-sleepy-user-agent/; classtype:trojan-activity; sid:2022815; rev:2; metadata:created_at 2016_05_17, updated_at 2016_05_17;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"GPL POLICY SOCKS Proxy attempt"; flags:S,12; flow:to_server; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:2100615; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

alert udp any 68 -> any 67 (msg:"ET POLICY Possible Kali Linux hostname in DHCP Request Packet"; content:"|63 82 53 63 35 01 03|"; content:"|0c 04|kali"; distance:0; nocase; metadata: former_category POLICY; reference:url,www.kali.org; classtype:policy-violation; sid:2022973; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2016_07_18, performance_impact Low, updated_at 2017_10_12;)

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Outgoing Chromoting Session Response"; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; depth:170; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; distance:39; reference:url,xinn.org/Chromoting.html; classtype:not-suspicious; sid:2013800; rev:3; metadata:created_at 2011_10_25, updated_at 2016_08_09;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Incoming Chromoting Session Response"; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; depth:170; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; distance:39; reference:url,xinn.org/Chromoting.html; classtype:not-suspicious; sid:2013801; rev:4; metadata:created_at 2011_10_25, updated_at 2016_08_09;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System"; flow:established,to_server; content:"Windows 98"; http_user_agent; content:!"X-Trend-ActiveUpdate"; http_header; content:!"HTTrack"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; sid:2007695; rev:21; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Address Lookup - b4secure .com"; flow:established,to_server; urilen:12; content:"/index.shtml"; http_uri; content:"Host|3a 20|"; http_header; content:"b4secure.com|0d 0a|"; distance:0; http_header; fast_pattern; pcre:"/^Host\x3a[^\r\n]+(?:www\.)?b4secure\.com\r$/Hmi"; metadata: former_category POLICY; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-psa-conference-invite-used-lure-operation-lotus-blossom-actors/; classtype:policy-violation; sid:2023469; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, signature_severity Informational, created_at 2016_10_31, malware_family Emissary, malware_family Lotus_Blossom, updated_at 2017_10_12;)

#alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .pif"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset 2; content:".pif"; distance:-4; within:4; reference:url,doc.emergingthreats.net/2001407; classtype:suspicious-filename-detect; sid:2001407; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .scr"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset 2; content:".scr"; distance:-4; within:4; reference:url,doc.emergingthreats.net/2001408; classtype:suspicious-filename-detect; sid:2001408; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable Download From DropBox"; flow:established,to_client; content:"Server|3A 20|dbws|0d 0a|"; http_header; file_data; content:"MZ"; depth:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:not-suspicious; sid:2014313; rev:9; metadata:created_at 2012_03_05, updated_at 2012_03_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET ![25,587,6666:7000,8076] (msg:"ET POLICY IRC Channel JOIN on non-standard port"; flow:to_server,established; dsize:<64; content:"JOIN "; nocase; depth:5; pcre:"/&|#|\+|!/R"; reference:url,doc.emergingthreats.net/bin/view/Main/2000348; classtype:trojan-activity; sid:2000348; rev:15; metadata:created_at 2010_07_30, updated_at 2017_01_03;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable and linking format (ELF) file download Over HTTP"; flow:established; flowbits:isnotset,ET.ELFDownload; file_data; content:"|7F|ELF"; within:4; flowbits:set,ET.ELFDownload; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000418; classtype:policy-violation; sid:2019240; rev:14; metadata:created_at 2014_09_25, updated_at 2017_02_03;)

alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable and linking format (ELF) file download"; flow:established; content:"|7F|ELF"; fast_pattern; content:"|00 00 00 00 00 00 00 00|"; distance:0; flowbits:set,ET.ELFDownload; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000418; classtype:policy-violation; sid:2000418; rev:16; metadata:created_at 2010_07_30, updated_at 2017_02_03;)

#alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to Hamas Terrorist Propaganda TV Channel (aqsatv .ps)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|aqsatv|02|ps|00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; classtype:policy-violation; sid:2023873; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, cve url_nctc_gov_site_groups_hamas_html, signature_severity Informational, created_at 2017_02_06, performance_impact Low, updated_at 2018_01_25;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hamas Terrorist Propaganda TV Channel (aqsatv.ps)"; flow:established,to_server; content:"GET"; http_method; content:"Host|3a 20|aqsatv.ps"; http_header; metadata: former_category POLICY; reference:url,nctc.gov/site/groups/hamas.html; classtype:policy-violation; sid:2023874; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2017_02_06, performance_impact Low, updated_at 2017_10_12;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Lookup Geoip.co.uk"; flow:established,to_server; urilen:1; content:"Host|3a 20|www.geoip.co.uk"; http_header; reference:md5,fa05d4f1558a9581a14936c0ab3723f7; classtype:policy-violation; sid:2022123; rev:2; metadata:created_at 2015_11_20, updated_at 2015_11_20;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.co.tv domain"; flow:to_server,established; content:".co.tv|0d 0a|"; http_header; classtype:bad-unknown; sid:2012955; rev:4; metadata:created_at 2011_06_08, updated_at 2011_06_08;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SubmitToTDWTF.asmx DailyWTF Potential Source Code Leakage"; flow:established,to_server; content:"/SubmitWTF.asmx"; http_uri; content:"codeSubmission"; metadata: former_category POLICY; reference:url,thedailywtf.com/Articles/Submit-WTF-Code-Directly-From-Your-IDE.aspx; reference:url,code.google.com/p/submittotdwtf/source/browse/trunk/; classtype:policy-violation; sid:2011871; rev:2; metadata:created_at 2010_10_29, updated_at 2010_10_29;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible ProxyShell Hide IP Installation file download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/proxyshell_hide_ip_setup.exe"; http_uri; nocase; reference:url,www.browserdefender.com/file/484661/site/putas18.info/; reference:url,doc.emergingthreats.net/2010792; classtype:policy-violation; sid:2010972; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible ProxyShell Anonymous Access Connection"; flow:established,to_server; content:"/services/get_proxies/"; http_uri; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/2010969; classtype:policy-violation; sid:2010969; rev:4; metadata:created_at 2010_07_30, updated_at 2017_03_08;)

alert tcp any ![21,25,110,143,443,465,587,636,989:995,5061,5222,8443] -> any any (msg:"ET POLICY TLS possible TOR SSL traffic"; flow:established,from_server; content:"|06 03 55 04 03|"; pcre:"/^.{2}www\.[0-9a-z]{8,20}\.com[01]/Rs"; content:"|06 03 55 04 03|"; distance:0; pcre:"/^.{2}www\.[0-9a-z]{8,20}\.net/Rs"; metadata: former_category POLICY; classtype:misc-activity; sid:2018789; rev:3; metadata:created_at 2014_07_28, updated_at 2017_03_21;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET POLICY Radmin Remote Control Session Authentication Initiate"; flow:established,to_server; dsize:<20; content:"|01 00 00 00 05 00 00 02 27 27 02 00 00 00|"; flowbits:set,BE.Radmin.Auth.Challenge; metadata: former_category POLICY; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003481; classtype:not-suspicious; sid:2003481; rev:5; metadata:created_at 2010_07_30, updated_at 2017_04_21;)

alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Authentication Response"; flowbits:isset,BE.Radmin.Auth.Challenge; flow:established,from_server; dsize:<20; content:"|01 00 00 00 05 00 00 00 27 27 00 00 00 00|"; metadata: former_category POLICY; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003482; classtype:not-suspicious; sid:2003482; rev:6; metadata:created_at 2010_07_30, updated_at 2017_04_21;)

alert ftp $HOME_NET [0:20,22:24,26:118,120:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET POLICY Suspicious FTP 220 Banner on Local Port (-)"; flow:from_server,established; content:"220-"; depth:4; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; classtype:non-standard-protocol; sid:2003055; rev:13; metadata:created_at 2010_07_30, updated_at 2017_04_21;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Crypto Coin Miner Login"; flow:to_server,established; content:"|7b 22|method|22 3a|"; depth:10; fast_pattern; content:"|22|login|22 2c|"; distance:0; within:9; content:"|22|params|22 3a|"; distance:0; within:10; content:"|7b 22|login"; nocase; distance:0; within:8; content:"agent|22 3a|"; nocase; distance:0; metadata: former_category COINMINER; reference:md5,d1082e445f932938366a449631b82946; reference:md5,33d7a82fe13c9737a103bcc4a21f9425; reference:md5,ebe1aeb5dd692b222f8cf964e7785a55; classtype:trojan-activity; sid:2022886; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Bitcoin_Miner, signature_severity Informational, created_at 2016_06_09, malware_family CoinMiner, performance_impact Low, updated_at 2017_10_12;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Internal Host Retrieving External IP Address (monip.outils-rezo. info)"; flow:established,to_server; content:"GET"; http_method; content:"/text"; http_uri; content:"Host|3a 20|"; http_header; content:"monip.outils-rezo.info|0d 0a|"; http_header; distance:0; within:24; fast_pattern; content:!"Referer|3a|"; http_header; metadata: former_category POLICY; classtype:policy-violation; sid:2024526; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2017_08_08, performance_impact Low, updated_at 2017_08_08;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible Mobile Malware POST of IMSI International Mobile Subscriber Identity in URI"; flow:established,to_server; content:"POST"; http_method; content:"imsi="; nocase; http_uri; metadata: former_category POLICY; classtype:bad-unknown; sid:2012849; rev:4; metadata:created_at 2011_05_25, updated_at 2017_09_18;)

#alert tls $HOME_NET any  -> $EXTERNAL_NET any (msg:"ET POLICY Request for Coinhive Browser Monero Miner M1"; flow:established,to_server; tls_sni; content:"coinhive.com"; metadata: former_category POLICY; classtype:policy-violation; sid:2024785; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_29, updated_at 2017_10_02;)

#alert tls $HOME_NET any  -> $EXTERNAL_NET any (msg:"ET POLICY Request for Jsecoin Browser Miner M1"; flow:established,to_server; tls_sni; content:"jsecoin.com"; metadata: former_category POLICY; classtype:policy-violation; sid:2024787; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_29, updated_at 2017_10_02;)

alert dns $HOME_NET any -> any 53 (msg:"ET POLICY Observed IP Lookup Domain (formyip .com in DNS Lookup)"; dns_query; content:"formyip.com"; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2024830; rev:2; metadata:created_at 2017_10_10, updated_at 2019_09_28;)

alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY PsExec service created"; flow:to_server,established; content:"P|00|S|00|E|00|X|00|E|00|S|00|V|00|C"; nocase; reference:url,xinn.org/Snort-psexec.html; reference:url,doc.emergingthreats.net/2010781; classtype:suspicious-filename-detect; sid:2010781; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET POLICY Radmin Remote Control Session Setup Initiate"; flow:established,to_server; content:"|01 00 00 00 01 00 00 00 08 08|"; flowbits:set,ET.BE.Radmin.Challenge; metadata: former_category POLICY; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003479; classtype:not-suspicious; sid:2003479; rev:6; metadata:created_at 2010_07_30, updated_at 2017_04_21;)

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY SSH banner detected on TCP 443 likely proxy evasion"; flow:established,from_server; content:"SSH-"; depth:4; flowbits:set,ET.is_ssh_server_banner; classtype:bad-unknown; sid:2013936; rev:6; metadata:created_at 2011_11_21, updated_at 2011_11_21;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY PTsecurity Remote Desktop AeroAdmin Server Hello"; flow:established,to_client; dsize:9; stream_size:client,=,1; stream_size:server,=,10; content:"|05 00 00 00 00 ff ff ff ff|"; depth:9; fast_pattern; metadata: former_category POLICY; classtype:policy-violation; sid:2025008; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_16, performance_impact Low, updated_at 2017_11_16;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY PTsecurity Remote Desktop AeroAdmin handshake"; flow:established,to_server; content:"|e1 00 00 00 00|"; depth:5; content:"|0b 00 00 d8 00 00 00 4d 49 47 64 4d 41|"; distance:1; within:13; fast_pattern; threshold: type limit, track by_src, count 1, seconds 30; metadata: former_category POLICY; classtype:policy-violation; sid:2025009; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_16, performance_impact Low, updated_at 2017_11_16;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - checkip.dyndns.org"; flow:established,to_server; content:"checkip.dyndns.org"; fast_pattern; http_host; depth:18; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2021378; rev:3; metadata:created_at 2015_07_02, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup sina.com.cn"; flow:established,to_server; content:"GET"; http_method; content:"/iplookup.php"; http_uri; content:"dpool.sina.com.cn"; fast_pattern; http_host; metadata: former_category POLICY; classtype:policy-violation; sid:2021438; rev:3; metadata:created_at 2015_07_20, updated_at 2015_07_20;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)"; flow:established,to_client; tls_cert_subject; content:"O=Internet Widgits Pty Ltd"; metadata: former_category POLICY; classtype:not-suspicious; sid:2011540; rev:6; metadata:created_at 2010_09_27, updated_at 2017_11_27;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup Attempt To Wipmania"; flow:established,to_server; content:"api.wipmania.com"; http_host; metadata: former_category POLICY; reference:md5,b318988249cd8e8629b4ef8a52760b65; classtype:policy-violation; sid:2014304; rev:4; metadata:created_at 2012_03_05, updated_at 2012_03_05;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Maxmind geoip check to /app/geoip.js"; flow:established,to_server; content:"/app/geoip.js"; http_uri; fast_pattern; content:"maxmind.com"; http_host; classtype:policy-violation; sid:2015878; rev:3; metadata:created_at 2012_11_13, updated_at 2012_11_13;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Application Crash Report Sent to Microsoft"; flow:established,to_server; content:"MSDW"; depth:4; http_user_agent; content:"watson.microsoft.com"; http_host; classtype:policy-violation; sid:2018170; rev:5; metadata:created_at 2014_02_24, updated_at 2014_02_24;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious User-Agent Containing .exe"; flow:established,to_server; content:".exe"; http_user_agent; nocase; isdataat:!1,relative; fast_pattern; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_user_agent; content:!"vsee.exe"; nocase; http_user_agent; content:!"CTX_"; http_uri; content:!"gfi.com"; http_host; content:!"pandasoftware.com"; http_host; content:!"lnssatt.exe"; http_header; metadata: former_category POLICY; classtype:trojan-activity; sid:2013224; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Informational, created_at 2011_07_07, updated_at 2019_09_28;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Signed TLS Certificate with md5WithRSAEncryption"; flow:established,from_server; content:"|16 03 01|"; depth:3; content:"|02|"; distance:2; within:1; byte_jump:3,0,relative,big; content:"|16 03 01|"; within:3; content:"|0b|"; distance:2; within:2; content:"|30 82|"; distance:9; within:2; content:"|30 82|"; distance:2; within:2; content:"|a0 03 02 01 02 02|"; distance:2; within:6; byte_jump:1,0,relative,big; content:"|30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00|"; within:15; reference:url,www.win.tue.nl/hashclash/rogue-ca/; reference:url,ietf.org/rfc/rfc3280.txt; reference:url,jensign.com/JavaScience/GetTBSCert/index.html; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; reference:url,news.netcraft.com/archives/2012/08/31/governments-and-banks-still-using-weak-md5-signed-ssl-certificates.html; classtype:misc-activity; sid:2015686; rev:3; metadata:created_at 2012_09_07, updated_at 2012_09_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - www.ip.cn"; flow:established,to_server; content:"www.ip.cn"; http_host; depth:9; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2021600; rev:3; metadata:created_at 2015_08_06, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup ip-api.com"; flow:established,to_server; content:"ip-api.com"; http_host; metadata: former_category POLICY; classtype:policy-violation; sid:2022082; rev:3; metadata:created_at 2015_11_13, updated_at 2015_11_13;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.co.cc domain"; flow:established,to_server; content:".co.cc"; http_host; isdataat:!1,relative; classtype:bad-unknown; sid:2011374; rev:7; metadata:created_at 2010_09_28, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup api.ipify.org"; flow:established,to_server; urilen:1; content:"GET"; http_method; content:"api.ipify.org"; http_host; fast_pattern; metadata: former_category POLICY; reference:md5,79809fd3e05a852581b897cc4b06aa32; classtype:policy-violation; sid:2021997; rev:3; metadata:created_at 2015_10_23, updated_at 2015_10_23;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Dyndns Client User-Agent"; flow:established,to_server; content:"DynDNS-Client"; http_user_agent; classtype:not-suspicious; sid:2014092; rev:3; metadata:created_at 2012_01_03, updated_at 2012_01_03;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Dyndns Client IP Check"; flow:established,to_server; content:"DynDNS-Client"; http_user_agent; depth:13; content:"checkip.dyndns."; http_host; classtype:not-suspicious; sid:2014091; rev:3; metadata:created_at 2012_01_03, updated_at 2012_01_03;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.cu.cc domain"; flow:established,to_server; content:".cu.cc"; http_host; pcre:"/^(?:\x3a\d{1,5})?$/WR"; classtype:bad-unknown; sid:2013170; rev:5; metadata:created_at 2011_07_02, updated_at 2011_07_02;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query For XXX Adult Site Top Level Domain"; dns_query; content:".xxx"; nocase; isdataat:!1,relative; reference:url,mashable.com/2011/03/19/xxx-tld-porn/; reference:url,mashable.com/2010/06/24/dot-xxx-porn-domain/; classtype:policy-violation; sid:2012522; rev:2; metadata:created_at 2011_03_21, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.vv.cc domain"; flow:to_server,established; content:".vv.cc"; http_host; isdataat:!1,relative; classtype:bad-unknown; sid:2012827; rev:6; metadata:created_at 2011_05_19, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY request to .xxx TLD"; flow:established,to_server; content:".xxx"; http_host; isdataat:!1,relative; reference:url,en.wikipedia.org/wiki/.xxx; classtype:policy-violation; sid:2012694; rev:4; metadata:created_at 2011_04_20, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Softango.com Installer Checking For Update"; flow:established,to_server; content:"/service/updater.php"; http_uri; content:".smartiengine.com"; http_host; classtype:policy-violation; sid:2014123; rev:3; metadata:created_at 2012_01_12, updated_at 2012_01_12;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor2web)"; dns_query; content:".tor2web"; nocase; isdataat:!1,relative; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2015576; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2012_08_06, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (forkinvestpay.com)"; dns_query; content:"forkinvestpay.com"; nocase; isdataat:!1,relative; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022045; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_11_06, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.to)"; dns_query; content:".onion.to"; nocase; isdataat:!1,relative; metadata: former_category POLICY; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020116; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY libwww-perl User-Agent"; flow:established,to_server; content:"libwww-perl/"; depth:12; nocase; http_user_agent; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013030; rev:4; metadata:created_at 2011_06_14, updated_at 2011_06_14;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY possible Xiaomi phone data leakage HTTP"; flow:to_server,established; content:"api.account.xiaomi.com"; http_host; reference:url,thehackernews.com/2014/08/xiaomi-phones-secretly-sending-users.html; classtype:policy-violation; sid:2018919; rev:3; metadata:created_at 2014_08_11, updated_at 2014_08_11;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Logmein.com/Join.me SSL Remote Control Access"; flow:established,from_server; tls_cert_subject; content:"LogMeIn, Inc."; fast_pattern; content:"join.me"; classtype:policy-violation; sid:2022551; rev:3; metadata:created_at 2016_02_22, updated_at 2016_02_22;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible IP Check api.ipify.org"; flow:established,from_server; tls_cert_subject; content:"CN=api.ipify.org"; classtype:policy-violation; sid:2019512; rev:3; metadata:created_at 2014_10_27, updated_at 2014_10_27;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Request for Coinhive Browser Monero Miner M2"; flow:established,from_server; tls_cert_serial; content:"0A:E1:E6:BD:51:FB:3D:8F:06:BE:0D:B5:5E:BD:E9:DF"; metadata: former_category POLICY; classtype:policy-violation; sid:2024786; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_29, updated_at 2017_09_29;)

alert dns any any -> any any (msg:"ET POLICY possible Xiaomi phone data leakage DNS"; dns_query; content:"api.account.xiaomi.com"; nocase; isdataat:!1,relative; reference:url,thehackernews.com/2014/08/xiaomi-phones-secretly-sending-users.html; classtype:policy-violation; sid:2018918; rev:2; metadata:created_at 2014_08_11, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY Android Adups Firmware DNS Query 4"; dns_query; content:"bigdata.advmob.cn"; nocase; isdataat:!1,relative; metadata: former_category POLICY; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023518; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Informational, created_at 2016_11_16, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use"; dns_query; content:"client-lb.dropbox.com"; nocase; isdataat:!1,relative; reference:url,dropbox.com; classtype:policy-violation; sid:2020565; rev:2; metadata:created_at 2015_02_24, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 4."; flow:established,to_server; content:" MSIE 4."; http_user_agent; fast_pattern; nocase; content:!".weatherbug.com"; http_host; isdataat:!1,relative; content:!".wxbug.com"; http_host; isdataat:!1,relative; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016871; rev:5; metadata:created_at 2013_05_20, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Outbound Request contains pw"; flow:established,to_server; http_header_names; content:"pw"; nocase; classtype:policy-violation; sid:2012870; rev:3; metadata:created_at 2011_05_26, updated_at 2011_05_26;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY Android Adups Firmware DNS Query 3"; dns_query; content:"bigdata.adfuture.cn"; nocase; isdataat:!1,relative; metadata: former_category POLICY; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023517; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Informational, created_at 2016_11_16, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY Android Adups Firmware DNS Query 2"; dns_query; content:"bigdata.adsunflower.com"; nocase; isdataat:!1,relative; metadata: former_category POLICY; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023516; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Informational, created_at 2016_11_16, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Lookup / Tor Checker Domain (check.torproject .org in DNS lookup)"; dns_query; content:"check.torproject.org"; nocase; isdataat:!1,relative; metadata: former_category POLICY; reference:md5,e87f0db605517e851d571af2e78c5966; classtype:policy-violation; sid:2017926; rev:4; metadata:tag IP_address_lookup_website, created_at 2014_01_03, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.tk domain"; flow:established,to_server; content:".tk"; fast_pattern; http_host; isdataat:!1,relative; content:!".tcl.tk"; http_host; content:!"tcl.tk"; http_host; depth:6; isdataat:!1,relative; metadata: former_category POLICY; classtype:bad-unknown; sid:2012810; rev:10; metadata:created_at 2011_05_15, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible External IP Lookup ipinfo.io"; flow:established,to_server; content:"ipinfo.io"; http_host; depth:9; isdataat:!1,relative; fast_pattern; http_header_names; content:!"Referer"; metadata: former_category POLICY; classtype:policy-violation; sid:2020716; rev:4; metadata:created_at 2015_03_19, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET POLICY External Unencrypted Connection to BASE Console"; flow:to_server,established; content:"/base_main.php"; http_uri; reference:url,base.secureideas.net; reference:url,doc.emergingthreats.net/bin/view/Main/2008570; classtype:misc-activity; sid:2008570; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY OpenVPN Update Check"; flow:established,to_server; content:"swupdate.openvpn.net"; http_host; fast_pattern; depth:20; isdataat:!1,relative; content:"Twisted PageGetter"; http_user_agent; depth:18; isdataat:!1,relative; classtype:policy-violation; sid:2014799; rev:3; metadata:created_at 2012_05_22, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup)"; dns_query; content:"myip.opendns.com"; nocase; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2023472; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag IP_address_lookup_website, signature_severity Informational, created_at 2016_11_01, performance_impact Low, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup)"; dns_query; content:"ipapi.co"; nocase; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2024527; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag IP_address_lookup_website, signature_severity Informational, created_at 2017_08_08, performance_impact Low, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed IP Lookup Domain (l2 .io in TLS SNI)"; flow:established,to_server; tls_sni; content:"l2.io"; fast_pattern; nocase; metadata: former_category POLICY; classtype:policy-violation; sid:2024833; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2017_10_10, performance_impact Moderate, updated_at 2017_10_10;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Request for Jsecoin Browser Miner M2"; flow:established,from_server; tls_cert_serial; content:"00:E7:F9:B6:DE:A6:57:93:E2:44:6A:3B:95:C6:B3:EC:DF"; metadata: former_category POLICY; classtype:policy-violation; sid:2024788; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_29, updated_at 2017_09_29;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - ipecho.net"; flow:established,to_server; content:"ipecho.net"; http_host; depth:10; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2022351; rev:3; metadata:created_at 2016_01_11, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY check.torproject.org IP lookup/Tor Usage check over TLS with SNI"; flow:established,to_server; tls_sni; content:"check.torproject.org"; nocase; classtype:policy-violation; sid:2017928; rev:3; metadata:created_at 2014_01_03, updated_at 2014_01_03;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed IP Lookup Domain (l2 .io in DNS Lookup)"; dns_query; content:"l2.io"; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2024831; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2017_10_10, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TraceMyIP IP lookup"; flow:established,to_server; content:"tracemyip.org"; http_host; pcre:"/^(?:\x3a\d{1,5})?$/WR"; classtype:policy-violation; sid:2017933; rev:3; metadata:created_at 2014_01_06, updated_at 2014_01_06;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Win32/Sogou User-Agent (SOGOU_UPDATER)"; flow:established,to_server; content:"SOGOU_UPDATER"; nocase; http_user_agent; depth:13; isdataat:!1,relative; reference:url,doc.emergingthreats.net/2011719; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Program%3aWin32%2fSogou; classtype:trojan-activity; sid:2011719; rev:8; metadata:created_at 2010_07_30, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY .onion proxy Domain (onion .plus in DNS Lookup)"; dns_query; content:"onion.plus"; isdataat:!1,relative; metadata: former_category POLICY; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2025095; rev:2; metadata:created_at 2017_12_01, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion .casa in DNS Lookup)"; dns_query; content:"onion.casa"; isdataat:!1,relative; metadata: former_category POLICY; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2025096; rev:2; metadata:created_at 2017_12_01, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Majestic12 User-Agent Request Outbound"; flow:established,to_server; content:"MJ12bot/"; http_user_agent; classtype:trojan-activity; sid:2013256; rev:4; metadata:created_at 2011_07_12, updated_at 2011_07_12;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY MOBILE Apple device leaking UDID from SpringBoard via GET"; flow:established,to_server; content:" CFNetwork/"; http_user_agent; fast_pattern; content:" Darwin/"; http_user_agent; content:"UDID"; http_uri; pcre:"/[0-9a-f]{40}[^0-9a-f]/U"; reference:url,www.innerfence.com/howto/find-iphone-unique-device-identifier-udid; reference:url,support.apple.com/kb/HT4061; classtype:attempted-recon; sid:2013290; rev:4; metadata:created_at 2011_07_19, updated_at 2011_07_19;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY localtunnel Connection Setup Attempt"; flow:established,to_server; content:"localtunnel.me"; http_host; fast_pattern; isdataat:!1,relative; http_header_names; content:"|0d 0a|host|0d 0a|accept"; depth:14; content:!"User-Agent"; content:!"Host"; content:!"Referer"; content:!"Accept"; metadata: former_category POLICY; reference:url,localtunnel.github.io/www/; classtype:policy-violation; sid:2025116; rev:2; metadata:attack_target Client_and_Server, deployment Perimeter, signature_severity Minor, created_at 2017_12_04, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY localtunnel Sucessful Connection Setup"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"|7b 22|port|22 3a|"; content:"|22|max_conn_count|22 3a|"; distance:0; content:"|22|id|22 3a|"; distance:0; content:"|22|url|22 3a|"; distance:0; content:"localtunnel.me|22 7d|"; distance:0; metadata: former_category POLICY; reference:url,localtunnel.github.io/www/; classtype:policy-violation; sid:2025117; rev:1; metadata:attack_target Client_and_Server, deployment Perimeter, signature_severity Minor, created_at 2017_12_04, updated_at 2017_12_04;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY localtunnel Reverse Proxy Domain (localtunnel .me in DNS Lookup)"; dns_query; content:".localtunnel.me"; isdataat:!1,relative; metadata: former_category POLICY; reference:url,localtunnel.github.io/www/; classtype:policy-violation; sid:2025138; rev:2; metadata:created_at 2017_12_06, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY localtunnel Reverse Proxy Domain (localtunnel .me in TLS SNI)"; flow:established,to_server; tls_sni; content:".localtunnel.me"; isdataat:!1,relative; nocase; metadata: former_category POLICY; reference:url,localtunnel.github.io/www/; classtype:policy-violation; sid:2025139; rev:2; metadata:created_at 2017_12_06, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY possible OnePlus phone data leakage DNS"; dns_query; content:"open.oneplus.net"; nocase; isdataat:!1,relative; metadata: former_category POLICY; reference:url,www.chrisdcmoore.co.uk/post/oneplus-analytics/; classtype:policy-violation; sid:2025133; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Minor, created_at 2017_12_06, malware_family Android_OnePlus, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY IP Check Response (rl. ammyy. com)"; flow:to_client,established; file_data; content:"Your IP="; depth:8; content:", country = "; distance:0; isdataat:!3,relative; classtype:policy-violation; sid:2025150; rev:1; metadata:created_at 2017_12_13, updated_at 2017_12_13;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Lookup Domain (curlmyip .net in DNS lookup)"; dns_query; content:"curlmyip.net"; nocase; isdataat:!1,relative; metadata: former_category POLICY; reference:md5,c375012865b94fa037d23c555e6c2772; classtype:policy-violation; sid:2025154; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_12_15, performance_impact Low, updated_at 2019_09_28;)

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download Non-HTTP"; flow:established,to_client; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; app-layer-protocol:!http; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2000419; rev:24; metadata:created_at 2010_07_30, performance_impact Significant, updated_at 2018_01_09;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.5.x Detected"; flow:established,to_server; content:" Java/1.5."; nocase; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; metadata: former_category POLICY; reference:url,www.oracle.com/technetwork/java/javase/documentation/index.html; classtype:bad-unknown; sid:2011581; rev:10; metadata:affected_product Java, attack_target Client_Endpoint, deployment Perimeter, deployment Internal, tag EOL, signature_severity Informational, created_at 2010_09_27, performance_impact Low, updated_at 2018_04_19;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.4.x Detected"; flow:established,to_server; content:"Java/1.4."; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable;  threshold: type limit, count 2, seconds 300, track by_src; metadata: former_category POLICY; reference:url,www.oracle.com/technetwork/java/javase/documentation/index.html; classtype:bad-unknown; sid:2011584; rev:12; metadata:affected_product Java, attack_target Client_Endpoint, deployment Perimeter, deployment Internal, tag EOL, signature_severity Informational, created_at 2010_09_27, performance_impact Low, updated_at 2018_04_19;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible Windows Binary Observed in SSL/TLS Certificate"; flow:established,from_server; dsize:>768; content:"|16|"; content:"|0b|"; within:8; content:"This program cannot be run in DOS mode"; nocase; metadata: former_category POLICY; reference:url,www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities; classtype:misc-attack; sid:2025315; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_06, updated_at 2018_02_06;)

#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY [Fidelis] Abnormal x509v3 SubjectKeyIdentifier extension"; flow:established,from_server; dsize:>768; content:"|16 03|"; depth:2; content:"|06 03 55 1d 0e 04|"; offset:336; pcre:"/^.\x04[^\x08\x10\x14\x20\x30\x40]/R"; threshold: type limit, track by_src, seconds 30, count 1; metadata: former_category POLICY; reference:url,www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities; classtype:misc-attack; sid:2025319; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_06, updated_at 2018_02_07;)

#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY [Fidelis] Abnormal Very Long x509v3 SubjectKeyIdentifier Extension"; flow:established,from_server; dsize:>768; content:"|16 03|"; depth:2; content:"|06 03 55 1d 0e 04|"; offset:336; pcre:"/^[\x80-\xff]/R"; threshold: type limit, track by_src, seconds 30, count 1; metadata: former_category POLICY; reference:url,www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities; classtype:misc-attack; sid:2025320; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_06, updated_at 2018_02_07;)

alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)"; flow:to_server,established; content:"|16|"; depth:1; content:"|00 00 09|ipinfo.io"; distance:0; metadata: former_category POLICY; classtype:trojan-activity; sid:2025331; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_02_07, performance_impact Low, updated_at 2018_02_12;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion. sx)"; dns_query; content:".onion.sx"; nocase; isdataat:!1,relative; metadata: former_category POLICY; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2025446; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_03_28, performance_impact Moderate, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion. pw)"; dns_query; content:".onion.pw"; nocase; isdataat:!1,relative; metadata: former_category POLICY; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2025449; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_03_30, performance_impact Moderate, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY Monero Mining Pool DNS Lookup"; dns_query; content:"xmr.pool.minergate.com"; nocase; isdataat:!1,relative; metadata: former_category POLICY; classtype:trojan-activity; sid:2025451; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Coinminer, signature_severity Minor, created_at 2018_03_30, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Internal Host Retrieving External IP via myip.dnsomatic.com"; flow:established,to_server; content:"Host|3a 20|myip.dnsomatic.com|0d 0a|"; http_header; nocase; metadata: former_category POLICY; classtype:attempted-recon; sid:2016754; rev:3; metadata:deployment Perimeter, signature_severity Informational, created_at 2013_04_12, performance_impact Low, updated_at 2018_04_16;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed Malicious SSL Cert (Coin-Hive In Browser Mining)"; flow:established,to_client; tls_cert_subject; content:"CN=*.coin-hive.com"; nocase; isdataat:!1,relative; metadata: former_category COINMINER; classtype:trojan-activity; sid:2025536; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_04_26, malware_family CoinMiner, performance_impact Moderate, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY WebRTC IP tracking Javascript"; flow:established,from_server; file_data; content:"function getIPs|28|callback|29|"; nocase; fast_pattern; content:"ip_dups"; nocase; content:"handleCandidate"; nocase; content:"RTCPeerConnection"; nocase; metadata: former_category POLICY; reference:url,github.com/diafygi/webrtc-ips; classtype:successful-recon-limited; sid:2021089; rev:3; metadata:created_at 2015_05_12, updated_at 2018_04_26;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY CoinHive In-Browser Miner Detected"; flow:established,from_server; file_data; content:"coinhive.min.js"; nocase; fast_pattern; content:"start"; nocase; distance:0; content:"script"; content:"var"; distance:0; pcre:"/^\s*(?P<var>[a-zA-Z0-9]{3,20})\s*=\s*new\s*CoinHive\s*\.\s*[^\(]+\(\s*[\x22\x27][A-Za-z0-9]+\s*[\x22\x27]\s*(?:\x2c\s*\x7b\s*\w+\x3a\s*\d\.\d\x7d)?\)\s*\x3b\s+(?P=var)\s*\.\s*start/Ri"; metadata: former_category COINMINER; classtype:policy-violation; sid:2024721; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_18, performance_impact Moderate, updated_at 2018_05_08;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed Malicious SSL Cert (Coinhive URL Shortener)"; flow:established,to_client; tls_cert_subject; content:"CN=cnhv.co"; nocase; isdataat:!1,relative; metadata: former_category COINMINER; reference:url,blog.sucuri.net/2018/05/cryptomining-through-disguised-url-shorteners.html; classtype:trojan-activity; sid:2025582; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_05_22, malware_family CoinMiner, performance_impact Moderate, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query For Browser Cryptocurrency Mining Domain"; content:"|06|static|0a|reasedoper|02|pw|00|"; fast_pattern; nocase; metadata: former_category POLICY; reference:url,www.welivesecurity.com/2017/09/14/cryptocurrency-web-mining-union-profit/; classtype:trojan-activity; sid:2024779; rev:5; metadata:affected_product Web_Browsers, created_at 2017_09_27, malware_family CoinMiner, updated_at 2018_05_23;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTPie User-Agent Outbound"; flow:established,to_server; content:"HTTPie/"; http_user_agent; depth:7; metadata: former_category POLICY; reference:url,httpie.org; classtype:attempted-recon; sid:2025584; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_23, updated_at 2018_05_23;)

alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Cryptocurrency Miner Checkin"; flow:established,to_server; content:"|7b 22|id|22 3a|"; nocase; depth:6; content:"|22|jsonrpc|22 3a|"; nocase; distance:0; content:"|22 2c 22|method|22 3a 22|login|22 2c 22|params|22 3a|"; fast_pattern; content:"|22|pass|22 3a 22|"; nocase; content:"|22|agent|22 3a 22|"; nocase; content:!"<title"; nocase; content:!"<script"; nocase; content:!"<html"; nocase; metadata: former_category POLICY; classtype:policy-violation; sid:2024792; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_10_02, updated_at 2018_06_15;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (gif)"; flow:established,to_server; content:"POST"; http_method; content:".gif"; http_uri; fast_pattern; isdataat:!1,relative; content:!"__utm.gif"; http_uri; isdataat:!1,relative; content:!".tealiumiq.com"; http_host; content:!"snackly.co"; http_host; content:!"otf.msn.com"; http_host; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/2010066; classtype:trojan-activity; sid:2010066; rev:15; metadata:created_at 2010_07_30, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP HEAD invalid method case outbound"; flow:established,to_server; content:"head"; http_method; nocase; content:!"HEAD"; http_method; metadata: former_category POLICY; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014381; rev:3; metadata:created_at 2012_03_14, updated_at 2018_06_27;)

alert tcp $HOME_NET 445 -> any any (msg:"ET POLICY SMB Remote AT Scheduled Job Pipe Creation"; flow:established,to_client; content:"SMB"; depth:8; content:"\\PIPE\\atsvc|00|"; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2025714; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, deployment Internal, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB Executable File Transfer"; flow:established,to_server; content:"SMB"; depth:8; content:"MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.smb.binary; metadata: former_category POLICY; classtype:bad-unknown; sid:2025699; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, deployment Internal, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For an Executable File"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|exe|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2025700; rev:2; metadata:attack_target SMB_Client, deployment Internal, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For an Executable File"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|e|00|x|00|e|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2025701; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, deployment Perimeter, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For an Executable File In a Temp Directory"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"temp\\"; nocase; distance:0; content:"|2E|exe|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2025702; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, deployment Internal, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For an Executable File In a Temp Directory"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"t|00|e|00|m|00|p|00|\\|00|"; nocase; distance:0; content:"|00 2E 00|e|00|x|00|e|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:trojan-activity; sid:2025703; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, deployment Internal, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For a Powershell .ps1 File"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|ps1|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2025704; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, deployment Internal, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|p|00|s|00|1|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2025705; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, deployment Internal, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For a .bat File"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|bat|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2025706; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, deployment Internal, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For a .bat File"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|b|00|a|00|t|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2025707; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, deployment Internal, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For a DLL File"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|dll|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2025708; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, deployment Internal, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|d|00|l|00|l|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2025709; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, deployment Internal, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For a .sys File - Possible Lateral Movement"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|sys|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2025710; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, deployment Internal, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For a .sys File - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|s|00|y|00|s|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2025711; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, deployment Internal, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB Remote AT Scheduled Job Create Request - Possible Lateral Movement"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"atsvc|00|"; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2025712; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, deployment Internal, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 Remote AT Scheduled Job Create Request"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00|a|00|t|00|s|00|v|00|c|00|"; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2025713; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, deployment Internal, signature_severity Minor, created_at 2018_07_16, updated_at 2018_07_16;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 9.0.x Detected"; flow:established,to_server; content:"Java/9."; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; metadata: former_category POLICY; reference:url,www.oracle.com/technetwork/java/javase/documentation/9u-relnotes-3704429.html; classtype:bad-unknown; sid:2025314; rev:3; metadata:affected_product Java, attack_target Client_Endpoint, deployment Perimeter, deployment Internal, tag EOL, signature_severity Informational, created_at 2018_02_05, performance_impact Low, updated_at 2018_07_17;)

alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Hidden Window Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|-|00|w|00|"; nocase; distance:0; content:"|00|h|00|i|00|d|00|d|00|e|00|n|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:trojan-activity; sid:2025720; rev:3; metadata:attack_target SMB_Client, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2018_07_17, performance_impact Low, updated_at 2018_07_18;)

alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With No Profile Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|n|00|o|00|p|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:trojan-activity; sid:2025722; rev:2; metadata:attack_target SMB_Client, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2018_07_17, performance_impact Low, updated_at 2018_07_18;)

alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Execution Bypass Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|e|00|x|00|e|00|c|00|"; nocase; distance:0; content:"|00|b|00|y|00|p|00|a|00|s|00|s|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:trojan-activity; sid:2025723; rev:2; metadata:attack_target SMB_Client, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2018_07_17, performance_impact Low, updated_at 2018_07_18;)

alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With NonInteractive Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|n|00|o|00|n|00|i|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:trojan-activity; sid:2025724; rev:2; metadata:attack_target SMB_Client, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2018_07_17, performance_impact Low, updated_at 2018_07_18;)

alert smb any any -> $HOME_NET 445 (msg:"ET POLICY RunDll Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|r|00|u|00|n|00|d|00|l|00|l|00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; classtype:trojan-activity; sid:2025725; rev:3; metadata:attack_target SMB_Client, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2018_07_17, performance_impact Low, updated_at 2018_07_18;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check whatismyip.com Automation Page"; flow:established,to_server; content:"/automation/n09230945.asp"; http_uri; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/2008985; classtype:attempted-recon; sid:2008985; rev:5; metadata:created_at 2010_07_30, updated_at 2018_07_31;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (whatismyip in HTTP Host)"; flow:established,to_server; content:"GET"; http_method; content:"whatismyip."; http_host; metadata: former_category POLICY; classtype:attempted-recon; sid:2008986; rev:7; metadata:created_at 2010_07_30, updated_at 2018_07_31;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (showip in HTTP Host)"; flow:established,to_server; content:"GET"; http_method; content:"showip."; http_host; pcre:"/^Host\x3a[^\r\n]+showip\.[a-z]+(?:\x3a\d{1,5})?\r?$/Hmi"; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/2008987; classtype:attempted-recon; sid:2008987; rev:7; metadata:created_at 2010_07_30, updated_at 2018_07_31;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (showmyipaddress .com in HTTP Host)"; flow:to_server,established; content:"showmyipaddress.com"; http_host; metadata: former_category POLICY; classtype:policy-violation; sid:2025920; rev:3; metadata:created_at 2012_12_12, updated_at 2018_07_31;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (whatismyip in HTTP Host)"; flow:established,to_server; content:"GET"; http_method; content:".ipchicken.com"; http_host; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/2009020; classtype:attempted-recon; sid:2009020; rev:5; metadata:created_at 2010_07_30, updated_at 2018_07_31;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (icanhazip. com in HTTP Host)"; flow:established,to_server; content:"icanhazip.com"; http_host; pcre:"/^(?:\x3a\d{1,5})?$/WR"; metadata: former_category POLICY; classtype:attempted-recon; sid:2017398; rev:5; metadata:created_at 2013_08_30, updated_at 2018_07_31;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)"; flow:from_server,established; tls_cert_subject; content:"CN=ipinfo.io"; nocase; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2025330; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_02_07, performance_impact Low, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup Domain (up .jkc8 .com)"; flow:established,to_server; content:"GET"; http_method; content:"/getip.aspx"; http_uri; isdataat:!1,relative; content:"sjd32DSKJF9Ssf"; depth:14; http_user_agent; fast_pattern; content:"up.jkc8.com"; http_host; http_header_names; content:!"Referer"; metadata: former_category POLICY; reference:md5,5a7526db56f812e62302912a1c20edd2; classtype:policy-violation; sid:2026216; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag IP_address_lookup_website, signature_severity Minor, created_at 2018_09_19, performance_impact Low, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious Malformed Double Accept Header"; flow:established,to_server; content:!"-DRM"; http_user_agent; content:!"buhphone.ru"; http_host; content:!"www.backupmaker.com"; http_host; content:!"ati.com"; http_host; content:!"amd.com"; http_host; isdataat:!1,relative; http_accept; content:"Accept|3a 20|"; fast_pattern; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/2008975; classtype:policy-violation; sid:2008975; rev:16; metadata:created_at 2010_07_30, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; content:"Java/1.6.0_"; http_user_agent; content:!"211"; within:3; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; metadata: former_category POLICY; reference:url,www.oracle.com/technetwork/articles/javase/overview-156328.html; classtype:bad-unknown; sid:2011582; rev:54; metadata:affected_product Java, attack_target Client_Endpoint, deployment Perimeter, deployment Internal, signature_severity Informational, created_at 2010_09_27, performance_impact Low, updated_at 2018_07_17;)

alert tcp $EXTERNAL_NET $SSH_PORTS -> any any (msg:"ET POLICY Potentially Vulnerable LibSSH Server Observed - Possible Authentication Bypass (CVE-2018-10933)"; flow:from_server,established; content:"SSH-2.0-libssh-0."; depth:17; pcre:"/^[67]\.[01235]/R"; metadata: former_category POLICY; reference:url,www.libssh.org/security/advisories/CVE-2018-10933.txt; reference:url,github.com/blacknbunny/libSSH-Authentication-Bypass; reference:cve,2018-10933; classtype:bad-unknown; sid:2026526; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag CVE_2018_10933, signature_severity Major, created_at 2018_10_19, updated_at 2018_10_19;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious EXE Download Content-Type image/jpeg"; flow:established,to_client; flowbits:isnotset,ET.http.binary; flowbits:isnotset,ET.INFO.WindowsUpdate; http_content_type; content:"image/jpeg"; depth:10; isdataat:!1,relative; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; fast_pattern; flowbits:set,ET.http.binary; metadata: former_category POLICY; classtype:policy-violation; sid:2026537; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_23, performance_impact Moderate, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HOME_NET [2375,2376] (msg:"ET POLICY External Host Creating Docker Container"; flow:established,to_server; content:"POST"; http_method; content:"/containers/create"; http_uri; isdataat:!1,relative; content:"Docker-Client"; http_user_agent; depth:13; fast_pattern; content:"|7b 22|Hostname|22 3a 22|"; http_client_body; depth:13; http_header_names; content:!"Referer"; metadata: former_category POLICY; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/misconfigured-container-abused-to-deliver-cryptocurrency-mining-malware/; classtype:trojan-activity; sid:2026561; rev:2; metadata:attack_target Server, deployment Perimeter, tag Docker, signature_severity Major, created_at 2018_10_29, performance_impact Low, updated_at 2019_09_28;)

#alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg:"ET POLICY NetBIOS nbtstat Type Query Inbound"; content:"|20 43 4b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 00 01|"; threshold:type limit, track by_src, count 1, seconds 10; metadata: former_category POLICY; classtype:unknown; sid:2013491; rev:3; metadata:created_at 2011_08_30, updated_at 2018_11_27;)

#alert udp $HOME_NET 137 -> $EXTERNAL_NET 137 (msg:"ET POLICY NetBIOS nbtstat Type Query Outbound"; content:"|20 43 4b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 00 01|"; threshold:type limit, track by_src, count 1, seconds 10; metadata: former_category POLICY; classtype:unknown; sid:2013490; rev:3; metadata:created_at 2011_08_30, updated_at 2018_11_27;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup Domain (ifconfig .me)"; flow:established,to_server; content:"GET"; http_method; content:"/ip"; http_uri; depth:3; isdataat:!1,relative; content:"ifconfig.me"; http_host; depth:11; isdataat:!1,relative; fast_pattern; metadata: former_category POLICY; reference:md5,52ba2e1f51d16394bf109b42c1166b74; classtype:policy-violation; sid:2026718; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag IP_address_lookup_website, signature_severity Major, created_at 2018_12_10, performance_impact Low, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to Free Hosting Domain (.free .bg)"; dns_query; content:".free.bg"; nocase; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2026742; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2018_12_21, performance_impact Low, updated_at 2019_09_28;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed Suspicious SSL Cert (External IP Lookup - ident .me)"; flow:established,to_client; tls_cert_subject; content:"CN=ident.me"; nocase; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2026743; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2018_12_26, performance_impact Low, updated_at 2019_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET POLICY Random Hash Pascalcoin Miner Checkin"; flow:established,to_server; content:"{|22|params|22|:[|22|rhminer/"; depth:20; metadata: former_category COINMINER; classtype:trojan-activity; sid:2026750; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Coinminer, signature_severity Major, created_at 2019_01_02, updated_at 2019_01_02;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Address Lookup via vtransmit .com"; flow:established,to_server; content:"GET"; http_method; content:"/getip.php"; http_uri; depth:10; isdataat:!1,relative; content:"vtransmit.com"; http_host; depth:13; fast_pattern; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2026761; rev:2; metadata:attack_target Client_and_Server, deployment Perimeter, tag IP_address_lookup_website, signature_severity Minor, created_at 2019_01_07, performance_impact Low, updated_at 2019_09_28;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed SSL Cert (Tor Proxy Domain (.onion. pet))"; flow:established,to_client; tls_cert_subject; content:"CN=*.onion.pet"; nocase; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2026808; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_01_15, performance_impact Low, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy domain (onion .pet)"; dns_query; content:".onion.pet"; nocase; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2026809; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_01_15, performance_impact Low, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy domain (onion .ws)"; dns_query; content:".onion.ws"; nocase; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2026810; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_01_15, performance_impact Low, updated_at 2019_09_28;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed SSL Cert (Tor Proxy Domain (.onion. ws))"; flow:established,to_client; tls_cert_subject; content:"CN=*.onion.ws"; nocase; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2026811; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_01_15, performance_impact Low, updated_at 2019_09_28;)

alert tls [108.160.162.0/20,162.125.0.0/16,192.189.200.0/23,199.47.216.0/22,205.189.0.0/24,209.99.70.0/24,45.58.64.0/20] 443 -> $HOME_NET any (msg:"ET POLICY Dropbox.com Offsite File Backup in Use"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|*.dropbox.com"; distance:1; within:14; threshold: type limit, count 1, seconds 300, track by_src; reference:url,www.dropbox.com; reference:url,dereknewton.com/2011/04/dropbox-authentication-static-host-ids/; classtype:policy-violation; sid:2012647; rev:5; metadata:created_at 2011_04_07, updated_at 2019_01_16;)

alert http any any -> $HOME_NET any (msg:"ET POLICY WinRM wsman Access - Possible Lateral Movement"; flow:established,to_server; content:"POST"; http_method; content:"/wsman?"; http_uri; depth:7; fast_pattern; metadata: former_category POLICY; reference:url,attack.mitre.org/techniques/T1028/; classtype:bad-unknown; sid:2026849; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Internal, signature_severity Major, created_at 2019_01_23, performance_impact Low, updated_at 2019_01_23;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY Skypool Coin Mining Pool DNS Lookup"; dns_query; content:"skypool.org"; nocase; isdataat:!1,relative; metadata: former_category POLICY; reference:md5,2a0a5e1ed928eb01e322dd3680a13eba; classtype:policy-violation; sid:2026867; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Coinminer, signature_severity Major, created_at 2019_02_01, performance_impact Low, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Nimiq Miner Initiating Mining Session with Skypool"; flow:established,to_server; content:"GET"; http_method; content:"nimiq.skypool.org"; http_host; fast_pattern; http_header_names; content:"Upgrade"; content:"Sec-WebSocket-Version"; metadata: former_category POLICY; reference:md5,2a0a5e1ed928eb01e322dd3680a13eba; classtype:policy-violation; sid:2026868; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Coinminer, signature_severity Major, created_at 2019_02_01, malware_family CoinMiner, performance_impact Low, updated_at 2019_02_01;)

alert smb any any -> $HOME_NET any (msg:"ET POLICY Possible winexe over SMB - Possible Lateral Movement"; flow:to_server,established; content:"|ff|SMB"; offset:4; depth:4; content:"|5c 00|a|00|h|00|e|00|x|00|e|00|c|00 00 00|"; distance:0; fast_pattern; isdataat:!1,relative; nocase; metadata: former_category POLICY; reference:url,attack.mitre.org/software/S0191/; classtype:bad-unknown; sid:2026879; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_02_05, performance_impact Moderate, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Address Lookup via iplocation.com"; flow:established,to_server; tls_sni; content:"iplocation.com"; isdataat:!1,relative; nocase; metadata: former_category POLICY; classtype:policy-violation; sid:2026892; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2019_02_07, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Known External IP Lookup Service Domain in SNI"; flow:to_server,established; tls_sni; content:"whatismyipaddress.com"; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2026896; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag IP_address_lookup_website, signature_severity Major, created_at 2019_02_11, performance_impact Low, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY IP Logger Redirect Domain in SNI"; flow:to_server,established; tls_sni; content:"maper.info"; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2026897; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag IP_address_lookup_website, signature_severity Major, created_at 2019_02_11, performance_impact Low, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious SSN Parameter in HTTP POST - Possible Phishing"; flow:established,to_server; content:"POST"; http_method; content:"&ssn="; nocase; http_client_body; metadata: former_category POLICY; classtype:trojan-activity; sid:2026908; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2019_02_13, updated_at 2019_02_13;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious CVV Parameter in HTTP POST - Possible Phishing"; flow:established,to_server; content:"POST"; http_method; content:"&cvv="; nocase; http_client_body; metadata: former_category POLICY; classtype:trojan-activity; sid:2026909; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2019_02_13, updated_at 2019_02_13;)

alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Encoded Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|-|00|e|00|n|00|c|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:trojan-activity; sid:2025721; rev:3; metadata:attack_target SMB_Client, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2018_07_17, performance_impact Low, updated_at 2019_02_18;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Address Lookup DNS Query"; dns_query; content:"2ip.ua"; nocase; isdataat:!1,relative; metadata: former_category POLICY; reference:md5,81bfa5fe9d0147c8df47a51a1cd4b7c4; classtype:trojan-activity; sid:2027026; rev:1; metadata:tag IP_address_lookup_website, signature_severity Minor, created_at 2019_03_04, performance_impact Low, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related"; flow:established,to_server; content:".su"; http_host; isdataat:!1,relative; metadata: former_category POLICY; reference:url,www.abuse.ch/?p=3581; classtype:bad-unknown; sid:2014170; rev:4; metadata:created_at 2012_01_31, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"Authorization|3a 20|Basic"; http_header; nocase; content:!"YW5vbnltb3VzOg=="; http_header; within:32; content:!"Proxy-Authorization|3a 20|Basic"; nocase; http_header; threshold: type both, count 1, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2006402; classtype:policy-violation; sid:2006402; rev:12; metadata:created_at 2010_07_30, updated_at 2019_03_18;)

alert http $HOME_NET any -> any any (msg:"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"Authorization|3a 20|Basic"; nocase; http_header; content:!"YW5vbnltb3VzOg=="; within:32; http_header; content:!"Proxy-Authorization|3a 20|Basic"; nocase; http_header; threshold: type both, count 1, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2006380; classtype:policy-violation; sid:2006380; rev:13; metadata:created_at 2010_07_30, updated_at 2019_03_18;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Lookup for Possible Common Brand Phishing Hosted on Legitimate Windows Service"; dns_query; content:".core.windows.net"; isdataat:!1,relative; pcre:"/^(?:d(?:(?:ocu|uco)sign|ropbox)|o(?:ffice365|nedrive)|adobe|gdoc)/"; pcre:!"/^onedrivecl[a-z]{2}prod[a-z]{2}200[0-9]{2}\./"; metadata: former_category POLICY; classtype:policy-violation; sid:2026486; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_10_15, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Request for Possible Common Brand Phishing Hosted on Legitimate Windows Service"; flow:established,to_server; tls_sni; content:".core.windows.net"; isdataat:!1,relative; pcre:"/^(?:d(?:(?:ocu|uco)sign|ropbox)|o(?:ffice365|nedrive)|adobe|gdoc)/"; pcre:!"/^onedrivecl[a-z]{2}prod[a-z]{2}200[0-9]{2}\./"; metadata: former_category POLICY; classtype:policy-violation; sid:2026487; rev:9; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_10_15, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible Successful Phish - Password Submitted to *.000webhostapp.com"; flow:established,to_server; content:"POST"; http_method; content:".000webhostapp.com"; isdataat:!1,relative; http_host; fast_pattern; content:"password="; nocase; http_client_body; metadata: former_category POLICY; classtype:trojan-activity; sid:2027146; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2019_04_03, updated_at 2019_09_28;)

alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Outbound SMTP NTLM Authentication Observed"; flow:established,to_server; content:"AUTH|20|ntlm|20|"; depth:10; nocase; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Ri"; metadata: former_category POLICY; classtype:policy-violation; sid:2027152; rev:1; metadata:attack_target Client_and_Server, deployment Perimeter, signature_severity Minor, created_at 2019_04_03, performance_impact Low, updated_at 2019_04_03;)

#alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Activity Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2027168; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, signature_severity Minor, created_at 2019_04_10, updated_at 2019_04_10;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With No Profile Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"-nop"; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2027169; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, signature_severity Minor, created_at 2019_04_10, updated_at 2019_04_10;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Hidden Window Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"-w"; distance:0; content:"hidden"; nocase; within:17; metadata: former_category POLICY; classtype:bad-unknown; sid:2027170; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, signature_severity Minor, created_at 2019_04_10, updated_at 2019_04_10;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Execution Bypass Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"exec"; nocase; distance:0; content:"bypass"; nocase; within:18; metadata: former_category POLICY; classtype:bad-unknown; sid:2027171; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2019_04_10, updated_at 2019_04_10;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Encoded Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"-enc"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2027172; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, signature_severity Minor, created_at 2019_04_10, updated_at 2019_04_10;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With NonInteractive Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"-noni"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2027173; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, signature_severity Minor, created_at 2019_04_10, updated_at 2019_04_10;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"cmd.exe"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2027174; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, signature_severity Minor, created_at 2019_04_10, updated_at 2019_04_10;)

#alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"cmd "; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2027176; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, signature_severity Minor, created_at 2019_04_10, updated_at 2019_04_10;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Using Comspec Environmental Variable Over SMB - Very Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"%comspec"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2027178; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, signature_severity Minor, created_at 2019_04_10, updated_at 2019_04_10;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Using Comspec Environmental Variable Over SMB - Very Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|%|00|c|00|o|00|m|00|s|00|p|00|e|00|c|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2027179; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, signature_severity Minor, created_at 2019_04_10, updated_at 2019_04_10;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|c|00|m|00|d|00|.|00|e|00|x|00|e|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2027175; rev:2; metadata:attack_target Client_Endpoint, deployment Internal, created_at 2019_04_10, updated_at 2019_04_10;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Nslookup Command in SMB Traffic - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"nslookup"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2027183; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, signature_severity Minor, created_at 2019_04_11, updated_at 2019_04_11;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Nslookup Command in SMB Traffic - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|n|00|s|00|l|00|o|00|o|00|k|00|u|00|p|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2027184; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, signature_severity Minor, created_at 2019_04_11, updated_at 2019_04_11;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Ipconfig Command in SMB Traffic - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"ipconfig"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2027185; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, signature_severity Minor, created_at 2019_04_11, updated_at 2019_04_11;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Ipconfig Command in SMB Traffic - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|i|00|p|00|c|00|o|00|n|00|f|00|i|00|g|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2027186; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, signature_severity Minor, created_at 2019_04_11, malware_family CoinMiner, updated_at 2019_04_11;)

#alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Net View Command in SMB Traffic - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"net"; nocase; distance:0; content:"view"; nocase; within:9; metadata: former_category POLICY; classtype:bad-unknown; sid:2027187; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, signature_severity Minor, created_at 2019_04_11, updated_at 2019_04_11;)

#alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Net View Command in SMB Traffic - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|n|00|e|00|t|00|"; nocase; distance:0; fast_pattern; content:"|00|v|00|i|00|e|00|w|00|"; nocase; within:19; metadata: former_category POLICY; classtype:bad-unknown; sid:2027188; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, signature_severity Minor, created_at 2019_04_11, updated_at 2019_04_11;)

#alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Executable Transfer in SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"MZ"; distance:0; content:"This program "; distance:0; content:"PE|00 00|"; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2027191; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, signature_severity Minor, created_at 2019_04_11, updated_at 2019_04_11;)

alert tcp any [21,22,23,25,53,80,443,8080] -> any !3389 (msg:"ET POLICY Tunneled RDP msts Handshake"; dsize:<65; content:"|03 00 00|"; depth:3; content:"|e0|"; distance:2; within:1; content:"Cookie|3a 20|mstshash="; distance:5; within:17; metadata: former_category POLICY; reference:url,www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html; classtype:bad-unknown; sid:2027192; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2019_04_11, updated_at 2019_04_11;)

alert tcp any [21,22,23,25,53,80,443,8080] -> any !3389 (msg:"ET POLICY Tunneled RDP Handshake"; flow:established; content:"|c0 00|Duca"; depth:250; content:"rdpdr"; content:"cliprdr"; metadata: former_category POLICY; reference:url,www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html; classtype:bad-unknown; sid:2027193; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2019_04_11, updated_at 2019_04_11;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Check myexternalip.com"; flow:established,to_server; content:"GET"; http_method; content:"myexternalip.com"; http_host; depth:16; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2019980; rev:4; metadata:created_at 2014_12_19, updated_at 2019_09_28;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Explorer Shell CLSID COM Object Call Method Inbound via TCP"; flow:established,from_server; content:"explorer.exe|20|"; nocase; content:"shell|3a 3a 3a 7b|"; distance:0; within:20; fast_pattern; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]\x7d/Ri"; metadata: former_category POLICY; classtype:trojan-activity; sid:2027201; rev:2; metadata:created_at 2019_04_15, updated_at 2019_04_15;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY URL Shortener Service Domain in DNS Lookup (tiny .cc)"; dns_query; content:"tiny.cc"; nocase; isdataat:!1,relative; metadata: former_category POLICY; classtype:trojan-activity; sid:2027199; rev:2; metadata:tag URL_Shortener_Service, created_at 2019_04_15, updated_at 2019_09_28;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed SSL Cert (URL Shortener Service - tiny .cc)"; flow:from_server,established; tls_cert_subject; content:"CN=tiny.cc"; nocase; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; metadata: former_category POLICY; classtype:trojan-activity; sid:2027200; rev:2; metadata:tag URL_Shortener_Service, created_at 2019_04_15, updated_at 2019_09_28;)

alert smb any any -> $HOME_NET any (msg:"ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|w|00|m|00|i|00|c|00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; classtype:trojan-activity; sid:2025726; rev:3; metadata:attack_target SMB_Client, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2018_07_17, performance_impact Low, updated_at 2019_04_16;)

alert smb any any -> $HOME_NET any (msg:"ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|w|00|m|00|i|00|c|00|.|00|e|00|x|00|e|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:trojan-activity; sid:2027180; rev:2; metadata:attack_target SMB_Client, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2019_04_10, updated_at 2019_04_16;)

alert smb any any -> $HOME_NET any (msg:"ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"wmic.exe"; nocase; distance:0; metadata: former_category POLICY; classtype:trojan-activity; sid:2027181; rev:2; metadata:attack_target SMB_Client, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2019_04_10, updated_at 2019_04_16;)

alert smb any any -> $HOME_NET any (msg:"ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"wmic "; nocase; distance:0; metadata: former_category POLICY; classtype:trojan-activity; sid:2027182; rev:2; metadata:attack_target SMB_Client, deployment Perimeter, signature_severity Major, created_at 2019_04_10, updated_at 2019_04_16;)

alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Activity Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|.|00|e|00|x|00|e|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:trojan-activity; sid:2027202; rev:1; metadata:created_at 2019_04_16, updated_at 2019_04_16;)

alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Activity Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00 20 00|"; nocase; distance:0; fast_pattern; metadata: former_category POLICY; classtype:trojan-activity; sid:2025719; rev:3; metadata:attack_target SMB_Client, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2018_07_17, performance_impact Low, updated_at 2019_04_16;)

alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Possible Powershell .ps1 Script Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:".ps1"; nocase; distance:0; classtype:bad-unknown; sid:2027203; rev:2; metadata:created_at 2019_04_16, updated_at 2019_04_16;)

alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Possible Powershell .ps1 Script Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|.|00|p|00|s|00|1|00|"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2027204; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, signature_severity Informational, created_at 2019_04_16, updated_at 2019_04_16;)

alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Possible WMI .mof Managed Object File Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:".mof"; nocase; distance:0; metadata: former_category POLICY; reference:url,www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf; classtype:bad-unknown; sid:2027205; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, signature_severity Informational, created_at 2019_04_16, updated_at 2019_04_16;)

alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Possible WMI .mof Managed Object File Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|.|00|m|00|o|00|f|00|"; nocase; distance:0; metadata: former_category POLICY; reference:url,www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf; classtype:bad-unknown; sid:2027206; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, signature_severity Informational, created_at 2019_04_16, updated_at 2019_04_16;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Request for Possible Microsoft Phishing Hosted on Github.io"; flow:established,to_server; tls_sni; content:"microsoft"; content:".github.io"; distance:0; isdataat:!1,relative; fast_pattern; content:!"microsoft.github.io"; depth:19; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2027274; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2019_04_23, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Request for Possible Binance Phishing Hosted on Github.io"; flow:established,to_server; tls_sni; content:"binance"; fast_pattern; content:".github.io"; distance:0; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2027240; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_04_23, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Request for Possible Ebay Phishing Hosted on Github.io"; flow:established,to_server; tls_sni; content:"ebay"; fast_pattern; content:".github.io"; distance:0; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2027242; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2019_04_23, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Request for Possible Webmail Phishing Hosted on Github.io"; flow:established,to_server; tls_sni; content:"webmail"; fast_pattern; content:".github.io"; distance:0; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2027243; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2019_04_23, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Request for Possible Account Phishing Hosted on Github.io"; flow:established,to_server; tls_sni; content:"account"; fast_pattern; content:".github.io"; distance:0; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2027244; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2019_04_23, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Request for Possible Outlook Phishing Hosted on Github.io"; flow:established,to_server; tls_sni; content:"outlook"; fast_pattern; content:".github.io"; distance:0; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2027246; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2019_04_23, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Request for Possible DHL Phishing Hosted on Github.io"; flow:established,to_server; tls_sni; content:"dhl"; fast_pattern; content:".github.io"; distance:0; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2027247; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2019_04_23, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Request for Possible Docusign Phishing Hosted on Github.io"; flow:established,to_server; tls_sni; content:"docusign"; fast_pattern; content:".github.io"; distance:0; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2027248; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2019_04_23, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Request for Possible Facebook Phishing Hosted on Github.io"; flow:established,to_server; tls_sni; content:"facebook"; content:".github.io"; distance:0; isdataat:!1,relative; fast_pattern; content:!"facebook.github.io"; depth:18; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2027275; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2019_04_23, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Request for Possible Paypal Phishing Hosted on Github.io"; flow:established,to_server; tls_sni; content:"paypal"; fast_pattern; content:".github.io"; distance:0; isdataat:!1,relative; content:!"paypal.github.io"; depth:16; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2027241; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2019_04_23, updated_at 2019_09_28;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_client; flowbits:isnotset,ET.http.binary; flowbits:isnotset,ET.INFO.WindowsUpdate; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/bin/view/Main/2018959; classtype:policy-violation; sid:2018959; rev:4; metadata:created_at 2014_08_19, updated_at 2017_02_01;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY Monero Mining Pool DNS Lookup"; dns_query; content:"pxybomb.icu"; nocase; isdataat:!1,relative; metadata: former_category POLICY; classtype:trojan-activity; sid:2027285; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Monero, signature_severity Minor, created_at 2019_04_25, updated_at 2019_09_28;)

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|c|00|m|00|d|00 20 00|"; nocase; distance:0; metadata: former_category POLICY; classtype:bad-unknown; sid:2027177; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internal, signature_severity Minor, created_at 2019_04_10, updated_at 2019_04_10;)

alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Cryptocurrency Miner Checkin M2"; flow:established,to_server; content:"|7b 22|id|22 3a|"; nocase; depth:6; content:"|22|jsonrpc|22 3a|"; nocase; distance:0; content:"|22 2c 22|method|22 3a 22|login|22 2c 22|params|22 3a|"; fast_pattern; nocase; content:"|22|agent|22 3a 22|"; nocase; content:!"<title"; nocase; content:!"<script"; nocase; content:!"<html"; nocase; content:!"|22|pass|22 3a 22|"; nocase; metadata: former_category POLICY; classtype:policy-violation; sid:2027316; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_05_06, performance_impact Low, updated_at 2019_05_06;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Inbound PowerShell Capable of Enumerating Internal Network via WMI"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"|20|Win32_NetworkAdapterConfiguration"; nocase; content:"_.IPEnabled|20|-ne|20|$null"; distance:0; within:200; nocase; content:"_.DefaultIPGateway|20|-ne|20|$null"; distance:0; within:200; nocase; content:"select|20|IPAddress"; distance:0; within:200; nocase; fast_pattern; metadata: former_category POLICY; reference:md5,e5a9c413812b5217ef0da962668e9651; classtype:trojan-activity; sid:2027338; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, deployment Perimeter, deployment Internal, tag PowerShell, tag T1086, signature_severity Major, created_at 2019_05_08, performance_impact Low, updated_at 2019_05_08;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to DynDNS Domain (dns-report .com)"; dns_query; content:"dns-report.com"; nocase; isdataat:!1,relative; pcre:"/^[a-z0-9\-\.]{1,60}\.dns-report\.com$/"; metadata: former_category MALWARE; classtype:bad-unknown; sid:2027363; rev:1; metadata:deployment Perimeter, signature_severity Informational, created_at 2019_05_17, performance_impact Low, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - iplocation .truevue .org"; flow:established,to_server; content:"iplocation.truevue.org"; fast_pattern; http_host; depth:22; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2027372; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag IP_address_lookup_website, signature_severity Informational, created_at 2019_05_22, performance_impact Low, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP POST invalid method case outbound"; flow:established,to_server; content:"post"; nocase; http_method; fast_pattern; content:!"POST"; http_method; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014380; rev:5; metadata:created_at 2012_03_14, updated_at 2019_05_22;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to External IP Lookup Domain ( iplocation .truevue .org)"; dns_query; content:"iplocation.truevue.org"; nocase; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2027373; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag IP_address_lookup_website, signature_severity Informational, created_at 2019_05_22, performance_impact Low, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible EXE Download Request to ngrok"; flow:established,to_server; content:".exe"; http_uri; isdataat:!1,relative; content:".ngrok.io"; http_host; isdataat:!1,relative; fast_pattern; metadata: former_category POLICY; classtype:policy-violation; sid:2027391; rev:2; metadata:deployment Perimeter, tag Suspicious_Download, signature_severity Major, created_at 2019_05_28, updated_at 2019_09_28;)

alert udp $HOME_NET any -> any 57621 (msg:"ET POLICY Spotify P2P Client"; flow:to_server; dsize:44; content:"|53 70 6f 74 55 64 70 30|"; depth:8; threshold:type limit, count 1, track by_src, seconds 300; classtype:not-suspicious; sid:2027397; rev:1; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, deployment Internal, signature_severity Minor, created_at 2019_05_30, performance_impact Low, updated_at 2019_05_30;)

alert tcp $EXTERNAL_NET any -> any 3389 (msg:"ET POLICY Inbound RDP Connection with TLS Security Protocol Requested"; flow:established,to_server; dsize:<30; content:"|00 00|"; offset:1; depth:2; content:"|e0|"; distance:2; within:1; content:"|01 00 08 00 01 00 00 00|"; distance:0; within:15; fast_pattern; isdataat:!1,relative; metadata: former_category POLICY; reference:url,medium.com/@bromiley/what-happens-before-hello-ce9f29fa0cef; classtype:bad-unknown; sid:2027412; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, deployment Perimeter, signature_severity Major, created_at 2019_05_31, performance_impact Low, updated_at 2019_09_28;)

alert tcp $EXTERNAL_NET any -> any 3389 (msg:"ET POLICY Inbound RDP Connection with Minimal Security Protocol Requested"; flow:established,to_server; content:"|00 00|"; offset:1; depth:2; content:"|e0|"; distance:2; within:1; content:"|01 00 08 00 00 00 00 00|"; distance:0; within:15; fast_pattern; isdataat:!1,relative; metadata: former_category POLICY; reference:url,medium.com/@bromiley/what-happens-before-hello-ce9f29fa0cef; classtype:bad-unknown; sid:2027413; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, deployment Perimeter, signature_severity Major, created_at 2019_05_31, performance_impact Low, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup Request"; flow:established,to_server; content:"GET"; http_method; urilen:1; content:"www.shmyip.com"; http_host; fast_pattern; isdataat:!1,relative; metadata: former_category POLICY; reference:md5,0b14eedcc9e847a2d20abf409c8b505f; classtype:trojan-activity; sid:2027430; rev:1; metadata:deployment Perimeter, tag IP_address_lookup_website, signature_severity Minor, created_at 2019_06_04, performance_impact Low, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Request for Possible Office Phishing Hosted on Github.io"; flow:established,to_server; tls_sni; content:"office"; fast_pattern; content:".github.io"; distance:0; isdataat:!1,relative; content:!"officedev.github.io"; metadata: former_category POLICY; classtype:policy-violation; sid:2027245; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2019_04_23, updated_at 2019_09_28;)

alert http $HOME_NET any -> [!134.170.0.0/16,$EXTERNAL_NET] any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5."; flow:established,to_server; content:" MSIE 5."; http_user_agent; fast_pattern; nocase; content:!".microsoft.com"; http_host; isdataat:!1,relative; content:!".trendmicro.com"; http_host; isdataat:!1,relative; content:!".sony.net"; http_host; isdataat:!1,relative; content:!".weather.com"; http_host; isdataat:!1,relative; content:!".yahoo.com"; http_host; isdataat:!1,relative; content:!".dellfix.com"; http_host; isdataat:!1,relative; content:!".oncenter.com"; http_host; isdataat:!1,relative; content:!"GeoVision"; http_header; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016870; rev:13; metadata:created_at 2013_05_20, updated_at 2019_09_28;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Socks5 Proxy to Onion (set)"; flow:established,to_server; flowbits:set,ET.Socks5.OnionReq; content:"|05 01 00 03|"; depth:4; content:".onion|00 50|"; distance:0; fast_pattern; metadata: former_category POLICY; reference:url,www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers; classtype:policy-violation; sid:2027703; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_07_11, performance_impact Moderate, updated_at 2019_07_11;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"cloudflare-dns.com"; isdataat:!1,relative; threshold: type both, track by_src, count 1, seconds 600; metadata: former_category POLICY; reference:url,developers.cloudflare.com/1.1.1.1/dns-over-https/json-format; classtype:policy-violation; sid:2027695; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_07_09, performance_impact Low, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Python-urllib/ Suspicious User Agent"; flow:established,to_server; content:"Python-urllib/"; nocase; http_user_agent; depth:14; content:!"dropbox.com"; http_host; isdataat:!1,relative; content:!"downloads.ironport.com"; isdataat:!1,relative; http_host; content:!".ubuntu.com"; isdataat:!1,relative; http_host; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013031; rev:7; metadata:created_at 2011_06_14, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY Disposable Email Provider Domain in DNS Lookup (www .yopmail .com)"; dns_query; content:"www.yopmail.com"; nocase; depth:15; isdataat:!1,relative; metadata: former_category POLICY; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-targets-colombian-entities-with-custom-proyecto-rat-email-service-yopmail-for-cc/; classtype:policy-violation; sid:2027733; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2019_07_19, performance_impact Low, updated_at 2019_09_28;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SSL/TLS Certificate Observed (Commercial Proxy Provider geosurf .io)"; flow:established,to_client; tls_cert_subject; content:"C=IL, L=Tel Aviv, O=BI Science (2009) Ltd, OU=WEB, CN=*.geosurf.io"; isdataat:!1,relative; fast_pattern; classtype:policy-violation; sid:2027760; rev:1; metadata:created_at 2019_07_26, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (extreme-ip-lookup .com)"; flow:established,to_server; content:"GET"; http_method; content:"extreme-ip-lookup.com"; http_host; depth:21; metadata: former_category POLICY; classtype:trojan-activity; sid:2027765; rev:2; metadata:tag IP_address_lookup_website, created_at 2019_07_29, updated_at 2019_07_29;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software)"; flow:established,to_client; tls_cert_subject; content:"C=DE, O=philandro Software GmbH, CN=AnyNet Relay"; isdataat:!1,relative; fast_pattern; threshold: type limit, track by_dst, count 1, seconds 600; metadata: former_category POLICY; reference:md5,1501639af59b0ff39d41577af30367cf; classtype:policy-violation; sid:2027761; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2019_07_26, performance_impact Low, updated_at 2019_09_28;)

alert tcp $HOME_NET any -> any [!$HTTP_PORTS,1024:] (msg:"ET POLICY Windows Update P2P Activity"; flow:established,to_server; dsize:<100; content:"Swarm|20|protocol"; depth:20; classtype:not-suspicious; sid:2027766; rev:2; metadata:created_at 2019_07_31, updated_at 2019_07_31;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (www .net .cn)"; flow:established,to_server; content:"GET"; http_method; content:"www.net.cn"; http_host; content:"/static/customercare/yourip.asp"; http_uri; depth:31; isdataat:!1,relative; fast_pattern; metadata: former_category POLICY; reference:md5,51bdd385ab780d1efd1a62129f066edf; classtype:trojan-activity; sid:2027786; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag IP_address_lookup_website, signature_severity Minor, created_at 2019_08_01, performance_impact Low, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup getip.pw"; flow:established,to_server; urilen:1; content:"GET"; http_method; content:"getip.pw"; fast_pattern; http_host; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2027860; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2019_08_12, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Request for Possible Adobe Phishing Hosted on Github.io"; flow:established,to_server; tls_sni; content:"adobe"; fast_pattern; content:".github.io"; distance:0; isdataat:!1,relative; content:!"adobe.github.io"; depth:15; isdataat:!1,relative; content:!"adobe-fonts.github.io"; depth:21; isdataat:!1,relative; content:!"adobe-type-tools.github.io"; depth:26; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2027249; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2019_04_23, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (api .ipaddress .com)"; flow:established,to_server; content:"GET"; http_method; content:"api.ipaddress.com"; http_host; depth:17; fast_pattern; isdataat:!1,relative; content:"/myip"; http_uri; depth:5; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2027905; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag IP_address_lookup_website, signature_severity Informational, created_at 2019_08_22, performance_impact Low, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External Geo IP Lookup (api .db-ip .com)"; flow:established,to_server; content:"GET"; http_method; content:"api.db-ip.com"; http_host; isdataat:!1,relative; http_header_names; content:!"Referer"; metadata: former_category POLICY; classtype:policy-violation; sid:2027915; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_08_26, performance_impact Low, updated_at 2019_09_28;)

alert tls $EXTERNAL_NET 853 -> $HOME_NET any (msg:"ET POLICY Quad9 DNS Over TLS Certificate Inbound"; flow:established,to_client; tls_cert_subject; content:"C=US, ST=California, L=Berkeley, O=Quad9, CN=*.quad9.net"; isdataat:!1,relative; fast_pattern; metadata: former_category POLICY; reference:md5,1e686b56ccbcb28667698389703bb13a; classtype:policy-violation; sid:2027918; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_08_26, performance_impact Low, updated_at 2019_09_28;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed External IP Lookup Domain (ipconfig .cf in TLS SNI)"; flow:established,to_server; tls_sni; content:"ipconfig.cf"; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2027919; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag IP_address_lookup_website, signature_severity Informational, created_at 2019_08_26, performance_impact Low, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Lookup / Tor Checker Domain (bridges.torproject .org in DNS lookup)"; dns_query; content:"bridges.torproject.org"; depth:22; nocase; metadata: former_category POLICY; reference:url,www.torproject.org/docs/bridges.html.en; reference:md5,2e3f7f9b3b4c29aceccab693aeccfa5a; classtype:policy-violation; sid:2017925; rev:5; metadata:tag IP_address_lookup_website, created_at 2014_01_03, updated_at 2019_09_03;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR"; dns_query; content:".onion"; fast_pattern; isdataat:!1,relative; reference:url,en.wikipedia.org/wiki/.onion; classtype:policy-violation; sid:2014939; rev:3; metadata:created_at 2012_06_22, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY TOR .exit Pseudo TLD DNS Query"; dns_query; content:".exit"; fast_pattern; isdataat:!1,relative; reference:url,en.wikipedia.org/wiki/.onion; classtype:policy-violation; sid:2014941; rev:5; metadata:created_at 2012_06_22, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY Query to a *.opengw.net Open VPN Relay Domain"; dns_query; content:".opengw.net"; nocase; fast_pattern; metadata: former_category CURRENT_EVENTS; reference:url,www.vpngate.net; classtype:bad-unknown; sid:2016586; rev:7; metadata:created_at 2013_03_15, updated_at 2019_09_03;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY tor4u tor2web .onion Proxy DNS  lookup"; dns_query; content:"tor4u.net"; depth:9; nocase; fast_pattern; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:policy-violation; sid:2018875; rev:3; metadata:created_at 2014_08_01, updated_at 2019_09_03;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query for try2check.me Carder Tool"; dns_query; content:"try2check.me"; depth:12; fast_pattern; nocase; reference:url,cert.xmco.fr/blog/index.php?post/2012/02/23/Try2check.me%2C-le-maillon-fort; classtype:bad-unknown; sid:2014277; rev:5; metadata:created_at 2012_02_24, updated_at 2019_09_03;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query for Invisible Internet Project Domain (I2P)"; dns_query; content:".i2p"; isdataat:!1,relative; fast_pattern; reference:url,geti2p.net; classtype:policy-violation; sid:2019988; rev:4; metadata:created_at 2014_12_22, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY I2P Reseed Domain Lookup (i2p-netdb.innovatio.no)"; dns_query; content:"i2p-netdb.innovatio.no"; depth:22; nocase; isdataat:!1,relative; fast_pattern; classtype:policy-violation; sid:2020189; rev:3; metadata:created_at 2015_01_15, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY I2P Reseed Domain Lookup (i2p.mooo.com)"; dns_query; content:"i2p.mooo.com"; depth:12; nocase; isdataat:!1,relative; fast_pattern; classtype:policy-violation; sid:2020190; rev:3; metadata:created_at 2015_01_15, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY I2P Reseed Domain Lookup (netdb.i2p2.no)"; dns_query; content:"netdb.i2p2.no"; depth:13; nocase; isdataat:!1,relative; fast_pattern; classtype:policy-violation; sid:2020191; rev:3; metadata:created_at 2015_01_15, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY I2P Reseed Domain Lookup (reseed.i2p-projekt.de)"; dns_query; content:"reseed.i2p-projekt.de"; depth:21; nocase; isdataat:!1,relative; fast_pattern; classtype:policy-violation; sid:2020192; rev:3; metadata:created_at 2015_01_15, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY I2P Reseed Domain Lookup (uk.reseed.i2p2.no)"; dns_query; content:"uk.reseed.i2p2.no"; depth:17; nocase; isdataat:!1,relative; fast_pattern; classtype:policy-violation; sid:2020193; rev:3; metadata:created_at 2015_01_15, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY I2P Reseed Domain Lookup (us.reseed.i2p2.no)"; dns_query; content:"us.reseed.i2p2.no"; depth:17; nocase; isdataat:!1,relative; fast_pattern; classtype:policy-violation; sid:2020194; rev:3; metadata:created_at 2015_01_15, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY Middle Earth Illegal Marketplace Tor Hidden Service DNS Query"; dns_query; content:"mango7u3rivtwxy7"; depth:16; nocase; fast_pattern; classtype:policy-violation; sid:2020417; rev:3; metadata:created_at 2015_02_12, updated_at 2019_09_03;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to a *.ngrok domain (ngrok.com)"; dns_query; content:".ngrok.com"; fast_pattern; isdataat:!1,relative; nocase; classtype:policy-violation; sid:2022641; rev:3; metadata:created_at 2016_03_23, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to a *.ngrok domain (ngrok.io)"; dns_query; content:".ngrok.io"; fast_pattern; isdataat:!1,relative; nocase; classtype:policy-violation; sid:2022642; rev:3; metadata:created_at 2016_03_23, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to a *.neokred domain - Likely Hostile"; dns_query; content:".neokred.org"; fast_pattern; isdataat:!1,relative; nocase; classtype:policy-violation; sid:2022643; rev:3; metadata:created_at 2016_03_23, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpovider.org)"; dns_query; content:".torpovider.org"; fast_pattern; nocase; isdataat:!1,relative; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2019981; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2014_12_19, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (way2tor)"; dns_query; content:".way2tor"; fast_pattern; nocase; isdataat:!1,relative; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2019982; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2014_12_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torgateway.org)"; dns_query; content:".torgateway.org"; fast_pattern; nocase; isdataat:!1,relative; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2019983; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2014_12_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (bladetor.com)"; dns_query; content:".bladetor.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020107; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (bonytor.com)"; dns_query; content:".bonytor.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020108; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (bortor.com)"; dns_query; content:".bortor.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020109; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (browsetor.com)"; dns_query; content:".browsetor.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020110; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (door2tor.org)"; dns_query; content:".door2tor.org"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020111; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (enter2tor.com)"; dns_query; content:".enter2tor.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020112; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (jamator.com)"; dns_query; content:".jamator.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020113; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion2web.com)"; dns_query; content:".onion2web.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020114; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.lt)"; dns_query; content:".onion.lt"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020115; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (pay2tor.com)"; dns_query; content:".pay2tor.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020117; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (pay4tor.com)"; dns_query; content:".pay4tor.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020118; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (payrobotor.com)"; dns_query; content:".payrobotor.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020119; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (poltornik.com)"; dns_query; content:".poltornik.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020120; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (slavetor.com)"; dns_query; content:".slavetor.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020121; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tanktor.com)"; dns_query; content:".tanktor.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020122; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor2pay.com)"; dns_query; content:".tor2pay.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020123; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor2www.com)"; dns_query; content:".tor2www.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020124; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

#alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor4life.com)"; dns_query; content:".tor4life.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020125; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (toralpacho.com)"; dns_query; content:".toralpacho.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020127; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torbama.com)"; dns_query; content:".torbama.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020128; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torchek.com)"; dns_query; content:".torchek.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020129; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torexplorer.com)"; dns_query; content:".torexplorer.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020130; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torforlove.com)"; dns_query; content:".torforlove.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020131; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torjam.com)"; dns_query; content:".torjam.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020132; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpacho.com)"; dns_query; content:".torpacho.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020134; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpaycash.com)"; dns_query; content:".torpaycash.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020135; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpaycnf.com)"; dns_query; content:".torpaycnf.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020136; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpayeur.com)"; dns_query; content:".torpayeur.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020137; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpayusd.com)"; dns_query; content:".torpayusd.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020138; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torprivatebrowsing.org)"; dns_query; content:".torprivatebrowsing.org"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020139; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torsanctions.com)"; dns_query; content:".torsanctions.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020140; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torsona.com)"; dns_query; content:".torsona.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020141; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torvsusd.com)"; dns_query; content:".torvsusd.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020142; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torwild.com)"; dns_query; content:".torwild.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020143; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torwinner.com)"; dns_query; content:".torwinner.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020144; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (totortoweb.com)"; dns_query; content:".totortoweb.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020145; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (vtorchike.com)"; dns_query; content:".vtorchike.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020146; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (walterwtor.com)"; dns_query; content:".walterwtor.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020147; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torforall.com)"; dns_query; content:".torforall.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020183; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_14, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torman2.com)"; dns_query; content:".torman2.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020184; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_14, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torwoman.com)"; dns_query; content:".torwoman.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020185; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_14, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torroadsters.com)"; dns_query; content:".torroadsters.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020186; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_14, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.gq)"; dns_query; content:".onion.gq"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020211; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_19, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpaysolutions.com)"; dns_query; content:".torpaysolutions.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020374; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_02_06, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpayoptions.com)"; dns_query; content:".torpayoptions.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020375; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_02_06, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torinvestment2.com)"; dns_query; content:".torinvestment2.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020376; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_02_06, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torwillsmith.com)"; dns_query; content:".torwillsmith.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020377; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_02_06, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (optionstorpay22.com)"; dns_query; content:".optionstorpay22.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020390; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_02_10, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (bananator.com)"; dns_query; content:".bananator.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020391; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_02_10, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (monsterbbc.com)"; dns_query; content:".monsterbbc.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020395; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_02_10, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tostotor.com)"; dns_query; content:".tostotor.com"; fast_pattern; isdataat:!1,relative; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020400; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_02_11, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (trusteetor.com)"; dns_query; content:".trusteetor.com"; fast_pattern; isdataat:!1,relative; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020401; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_02_11, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (solutionstopaytor33.com)"; dns_query; content:".solutionstopaytor33.com"; fast_pattern; isdataat:!1,relative; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020402; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_02_11, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.am)"; dns_query; content:".onion.am"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020404; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_02_11, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (batmantor.com)"; dns_query; content:".batmantor.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020405; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_02_11, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (dogotor.com)"; dns_query; content:".dogotor.com"; fast_pattern; isdataat:!1,relative; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020406; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_02_11, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.glass)"; dns_query; content:".onion.glass"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020574; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_02_26, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.direct)"; dns_query; content:".onion.direct"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020577; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_02_26, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion Proxy Domain (connect2tor.org)"; dns_query; content:"connect2tor.org"; depth:15; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020617; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_03_04, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torstorm.org)"; dns_query; content:".torstorm.org"; fast_pattern; isdataat:!1,relative; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020618; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_03_04, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (bolistatapay.com)"; dns_query; content:".bolistatapay.com"; fast_pattern; isdataat:!1,relative; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020619; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_03_04, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (sshowmethemoney.com)"; dns_query; content:".sshowmethemoney.com"; fast_pattern; isdataat:!1,relative; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020620; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_03_04, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (optionstopaytos.com)"; dns_query; content:".optionstopaytos.com"; fast_pattern; isdataat:!1,relative; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020639; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_03_06, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (cheetosnotburitos.com)"; dns_query; content:".cheetosnotburitos.com"; fast_pattern; isdataat:!1,relative; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020640; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_03_06, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (optionsketchupay.com)"; dns_query; content:".optionsketchupay.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020641; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_03_06, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (solutionsaccountor.com)"; dns_query; content:".solutionsaccountor.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020642; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_03_06, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor4free.org)"; dns_query; content:".tor4free.org"; fast_pattern; isdataat:!1,relative; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020686; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_03_12, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tordomain.org)"; dns_query; content:".tordomain.org"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020703; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_03_18, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (welcome2tor.org)"; dns_query; content:".welcome2tor.org"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020704; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_03_18, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (clusterpaytor.com)"; dns_query; content:".clusterpaytor.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2021190; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_06_05, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (statepaytor.com)"; dns_query; content:".statepaytor.com"; nocase; isdataat:!1,relative; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2021191; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_06_05, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (paypartnerstodo.com)"; dns_query; content:".paypartnerstodo.com"; fast_pattern; isdataat:!1,relative; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022041; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_11_06, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (allepohelpto.com)"; dns_query; content:".allepohelpto.com"; fast_pattern; isdataat:!1,relative; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022042; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_11_06, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (marketcryptopartners.com)"; dns_query; content:".marketcryptopartners.com"; fast_pattern; isdataat:!1,relative; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022043; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_11_06, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (partnersinvestpayto.com)"; dns_query; content:".partnersinvestpayto.com"; fast_pattern; isdataat:!1,relative; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022044; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_11_06, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (effectwaytopay.com)"; dns_query; content:".effectwaytopay.com"; fast_pattern; isdataat:!1,relative; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022046; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_11_06, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tormaster.fr)"; dns_query; content:".tormaster.fr"; fast_pattern; isdataat:!1,relative; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022645; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2016_03_23, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torgateway.li)"; dns_query; content:".torgateway.li"; fast_pattern; isdataat:!1,relative; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022646; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2016_03_23, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY Android Adups Firmware DNS Query"; dns_query; content:"bigdata.adups.com"; depth:17; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category POLICY; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023515; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Informational, created_at 2016_11_16, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY Android Adups Firmware DNS Query 5"; dns_query; content:"rebootv5.adsunflower.com"; depth:24; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category POLICY; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023519; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Informational, created_at 2016_11_16, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (anonym.to)"; dns_query; content:".anonym.to"; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category POLICY; classtype:policy-violation; sid:2023597; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2016_12_09, performance_impact Low, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.guide)"; dns_query; content:".onion.guide"; nocase; metadata: former_category POLICY; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2024662; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2017_09_05, performance_impact Low, updated_at 2019_09_03;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor4pay.com)"; dns_query; content:".tor4pay.com"; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category POLICY; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020126; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torminater.com)"; dns_query; content:".torminater.com"; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category POLICY; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020133; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_01_07, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.city)"; dns_query; content:".onion.city"; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category POLICY; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020430; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2015_02_16, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.link)"; dns_query; content:".onion.link"; nocase; metadata: former_category POLICY; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2022332; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2016_01_05, updated_at 2019_09_03;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torgate.es)"; dns_query; content:".torgate.es"; fast_pattern; isdataat:!1,relative; nocase; metadata: former_category POLICY; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022644; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Informational, created_at 2016_03_23, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.top)"; dns_query; content:".onion.top"; fast_pattern; nocase; metadata: former_category POLICY; classtype:policy-violation; sid:2024665; rev:5; metadata:created_at 2017_09_06, updated_at 2019_09_03;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS request for Monero mining pool"; dns_query; content:"pool.minexmr.com"; depth:16; nocase; isdataat:!1,relative; fast_pattern; metadata: former_category POLICY; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Signatures/suricata/2017_09_monero_malware.txt; reference:url,www.welivesecurity.com/2017/09/28/monero-money-mining-malware/; classtype:trojan-activity; sid:2024789; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_29, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.cab)"; dns_query; content:".onion.cab"; fast_pattern; nocase; metadata: former_category POLICY; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:policy-violation; sid:2018876; rev:5; metadata:created_at 2014_08_01, updated_at 2019_09_03;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to a Reverse Proxy Service Observed"; dns_query; content:".serveo.net"; nocase; isdataat:!1,relative; classtype:policy-violation; sid:2027942; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_09_03, updated_at 2019_09_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to a Reverse Proxy Service Observed"; dns_query; content:".pagekite.net"; nocase; isdataat:!1,relative; classtype:policy-violation; sid:2027943; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_09_03, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY User-Agent (Launcher)"; flow: to_server,established; content:"Launcher"; http_user_agent; nocase; content:!"EpicGamesLauncher"; http_user_agent; depth:17; reference:url,doc.emergingthreats.net/2010645; classtype:trojan-activity; sid:2010645; rev:9; metadata:created_at 2010_07_30, updated_at 2019_09_04;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Cloudflare DNS Over HTTPS Certificate Inbound"; flow:established,to_client; tls_cert_subject; content:"C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=cloudflare-dns.com"; isdataat:!1,relative; fast_pattern; threshold: type limit, track by_src, count 1, seconds 300; metadata: former_category POLICY; reference:url,developers.cloudflare.com/1.1.1.1/dns-over-https/request-structure/; classtype:policy-violation; sid:2027671; rev:3; metadata:created_at 2019_07_03, updated_at 2019_09_28;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed Suspicious SSL Cert (Minerpool - CoinMining)"; flow:from_server,established; tls_cert_subject; content:"CN=eu.minerpool.pw"; nocase; fast_pattern; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; metadata: former_category COINMINER; classtype:policy-violation; sid:2028623; rev:1; metadata:attack_target Client_and_Server, deployment Perimeter, tag Coinminer, signature_severity Major, created_at 2019_09_25, performance_impact Low, updated_at 2019_09_25;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY AOL Webmail Message Send"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/compose_frame.adp"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000571; classtype:policy-violation; sid:2000571; rev:9; metadata:created_at 2010_07_30, updated_at 2019_09_26;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY External Unencrypted Connection To Aanval Console"; flow:established,to_server; content:"/aanval/flex/AanvalFlex"; http_uri; nocase; reference:url,www.aanval.com; reference:url,doc.emergingthreats.net/bin/view/Main/2008561; classtype:misc-activity; sid:2008561; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_26;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hyves Inbox Access"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"/messages/inbox/"; http_uri; reference:url,doc.emergingthreats.net/2007628; classtype:policy-violation; sid:2007628; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hyves Message Access"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"/messages/inbox/messages/"; http_uri; reference:url,doc.emergingthreats.net/2007629; classtype:policy-violation; sid:2007629; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Myspace Login Attempt"; flow:established,to_server; content:"secure.myspace.com"; http_header; content:"/index.cfm?fuseaction=login"; http_uri; reference:url,doc.emergingthreats.net/2002872; classtype:policy-violation; sid:2002872; rev:7; metadata:created_at 2010_07_30, updated_at 2019_09_26;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Netviewer.com Remote Control Proxy Test"; flow:established,to_server; content:"POST"; http_method; content:"/nvserver"; http_uri; content:"cmd="; http_client_body; content:"&params="; http_client_body;  content:"Netviewer Proxy Test"; http_client_body; reference:url,doc.emergingthreats.net/2008472; classtype:policy-violation; sid:2008472; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_26;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET POLICY External Unencrypted Connection to Ossec WUI"; flow:established,to_server; content:"/ossec/"; http_uri; content:"js/calendar-setup.js"; http_uri; reference:url,www.ossec.net; reference:url,doc.emergingthreats.net/2008569; classtype:misc-activity; sid:2008569; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_26;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Orkut.com Social Site Access"; flow:established,to_server; content:"Host|3a| www.orkut.com"; http_header; threshold: type both, track by_src, count 5, seconds 300; reference:url,doc.emergingthreats.net/2003458; classtype:policy-violation; sid:2003458; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_26;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Centralops.net Domain Dossier Utility Probe"; flow:established,to_server; content:"USER-Agent|3a| Domain Dossier utility (http|3a|//CentralOps.net/)"; nocase; http_header; reference:url,centralops.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003623; classtype:policy-violation; sid:2003623; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Dell MyWay Remote control agent"; flow:established,to_server; content:"Referer|3a| http|3a|//dell"; http_header; content:"Host|3a| "; http_header; content:"myway.com"; nocase; http_header; threshold:type limit, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/2008051; classtype:not-suspicious; sid:2008051; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_26;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hyves Compose Message"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"index.php?l1=mg"; http_uri; reference:url,doc.emergingthreats.net/2007630; classtype:policy-violation; sid:2007630; rev:7; metadata:created_at 2010_07_30, updated_at 2019_09_26;)

#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hyves Message Submit"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"/messages/"; http_uri; content:"POST"; http_method; content:"/messages/"; http_uri; content:"postman_secret"; reference:url,doc.emergingthreats.net/2007631; classtype:policy-violation; sid:2007631; rev:7; metadata:created_at 2010_07_30, updated_at 2019_09_26;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Metacafe.com Social Site Access"; flow:established,to_server; content:"Host|3a| www.metacafe.com"; http_header; threshold: type both, track by_src, count 5, seconds 300; reference:url,doc.emergingthreats.net/2003457; classtype:policy-violation; sid:2003457; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY RemoteSpy.com Upload Detect"; flow:established,to_server; content:"POST"; http_method; content:"upload.php"; http_uri; content:"Host|3a| www.remotespy.com"; http_header; reference:url,doc.emergingthreats.net/2008406; classtype:trojan-activity; sid:2008406; rev:9; metadata:created_at 2010_07_30, updated_at 2019_09_26;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Smilebox Spyware Download"; flow:established,to_server; content:"GET"; http_method; content:"/smilebox/SmileboxInstaller.exe"; nocase; http_uri; reference:url,www.smilebox.com/info/privacy.html; reference:url,doc.emergingthreats.net/2009998; classtype:policy-violation; sid:2009998; rev:10; metadata:created_at 2010_07_30, updated_at 2019_09_26;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY CBS Streaming Video"; flow:established,to_server; content:"GET"; http_method; content:"Host|3a|"; nocase; http_header; content:"cbs.com"; nocase; http_header; content:"/innertube/player.php?"; http_uri; reference:url,doc.emergingthreats.net/2007763; classtype:policy-violation; sid:2007763; rev:7; metadata:created_at 2010_07_30, updated_at 2019_09_26;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY NBC Streaming Video"; flow:established,to_server; content:"GET"; http_method; content:"Host|3a 20|video.nbcuni.com"; nocase; http_header; pcre:"/(\.smil)$/Ui"; reference:url,doc.emergingthreats.net/2007764; classtype:policy-violation; sid:2007764; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY python.urllib User Agent Web Crawl"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"python.urllib/"; nocase; http_header; threshold: type both, track by_src, count 10, seconds 60; reference:url,docs.python.org/lib/module-urllib.html; reference:url,doc.emergingthreats.net/2002943; classtype:attempted-recon; sid:2002943; rev:10; metadata:created_at 2010_07_30, updated_at 2019_09_26;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (cmyip.com in HTTP Host)"; flow:established,to_server; content:"GET"; http_method; content:"cmyip.com"; http_host; fast_pattern; isdataat:!1,relative; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/2008988; classtype:attempted-recon; sid:2008988; rev:7; metadata:created_at 2010_07_30, updated_at 2019_09_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (showmyip in HTTP Host)"; flow:established,to_server; content:"GET"; http_method; content:"showmyip."; http_host; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/2008989; classtype:attempted-recon; sid:2008989; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TRR DNS over HTTPS detected"; flow:established,to_server; content:"application/dns-udpwireformat"; http_header; metadata: former_category POLICY; reference:url,tools.ietf.org/html/draft-ietf-doh-dns-over-https-02; classtype:policy-violation; sid:2025980; rev:2; metadata:deployment Perimeter, created_at 2018_08_07, updated_at 2019_09_26;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System (Win98)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; content:"Win98"; http_header; fast_pattern; pcre:"/User-Agent\x3a[^\n]+?Win98/Hi"; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; sid:2008070; rev:9; metadata:created_at 2010_07_30, updated_at 2019_09_27;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Suspicious Windows Executable CreateRemoteThread"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; content:"CreateRemoteThread"; nocase; metadata: former_category POLICY; reference:url,sans.org/reading_room/whitepapers/malicious/rss_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms682437%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015589; rev:6; metadata:created_at 2012_08_07, updated_at 2019_09_27;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows 3.1 User-Agent Detected - Possible Malware or Non-Updated System"; flow:established,to_server; content:"Windows 3.1"; fast_pattern; http_user_agent; content:!"Cisco AnyConnect VPN Agent"; http_user_agent; pcre:"/User-Agent\x3a[^\n]+Windows 3.1/Hi"; reference:url,doc.emergingthreats.net/2011694; classtype:policy-violation; sid:2011694; rev:10; metadata:created_at 2010_07_30, updated_at 2019_09_27;)

alert http any any -> any $HTTP_PORTS (msg:"ET POLICY Proxy Judge Discovery/Evasion (prxjdg.cgi)"; flow: established,to_server; content:"/prxjdg.cgi"; nocase; http_uri; reference:url,doc.emergingthreats.net/2003047; classtype:policy-violation; sid:2003047; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Internal Host Retrieving External IP Via myip.ozymo.com"; flow:established,to_server; content:"myip.ozymo.com"; fast_pattern; nocase; http_header; classtype:attempted-recon; sid:2013217; rev:3; metadata:created_at 2011_07_06, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Rebate Informer User-Agent (REBATEINF)"; flow: established,to_server; content:"User-Agent|3a 20|REBATEINF"; http_header; fast_pattern; reference:url,www.rebategiant.com; classtype:trojan-activity; sid:2014030; rev:3; metadata:created_at 2011_12_19, updated_at 2019_10_07;)

alert tcp $HOME_NET 1024: -> any 6783 (msg:"ET POLICY Splashtop Remote Control Checkin"; flow:established,to_server; dsize:12; content:"|00 01 00 08 00 00 00 00 00 02 01 00|"; fast_pattern; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014127; rev:2; metadata:created_at 2012_01_16, updated_at 2019_10_07;)

alert tcp $HOME_NET 1024: -> any 6784 (msg:"ET POLICY Splashtop Remote Control Session Start Request"; flow:established,to_server; dsize:4; content:"|01 00 34 12|"; fast_pattern; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014128; rev:2; metadata:created_at 2012_01_16, updated_at 2019_10_07;)

alert tcp $HOME_NET 1024: -> any 6784 (msg:"ET POLICY Splashtop Remote Control Session Keepalive"; flow:established,to_server; dsize:4; content:"|00 00 34 12|"; fast_pattern; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014129; rev:2; metadata:created_at 2012_01_16, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TuneIn Internet Radio Usage Detected"; flow:established,to_server; content:"/tuner/?StationId="; http_uri; fast_pattern; content:"tunein.com|0d 0a|"; http_header; reference:url,tunein.com/support/get-started; classtype:policy-violation; sid:2015485; rev:3; metadata:created_at 2012_07_17, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET POLICY Inbound /uploadify.php Access"; flow:established,to_server; content:"POST"; http_method; content:"/uploadify.php"; http_uri; nocase; fast_pattern; reference:url,blog.sucuri.net/2012/06/uploadify-uploadify-and-uploadify-the-new-timthumb.html; classtype:attempted-recon; sid:2015687; rev:3; metadata:created_at 2012_09_07, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY BitCoin User-Agent Likely Bitcoin Miner"; flow:established,to_server; content:"BitCoin"; nocase; http_user_agent; fast_pattern; metadata: former_category POLICY; reference:url,isc.sans.edu/diary.html?storyid=11059; classtype:trojan-activity; sid:2013457; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, deployment Datacenter, tag Bitcoin_Miner, signature_severity Informational, created_at 2011_08_24, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP connection to net78.net Free Web Hosting (Used by Various Trojans)"; flow:established,to_server; content:".net78.net|0d 0a|"; http_header; fast_pattern; nocase; reference:url,www.net78.net; classtype:bad-unknown; sid:2016944; rev:3; metadata:created_at 2013_05_29, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY myip.ru IP lookup"; flow:established,to_server; content:"myip.ru"; nocase; http_header; fast_pattern; pcre:"/^Host\x3a\s*?(?:[^\r\n]+?\.)?myip\.ru(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:policy-violation; sid:2018021; rev:5; metadata:created_at 2014_01_27, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY W32/Installiq.Adware Install Information Beacon"; flow:established,to_server; content:"/ping/installping.aspx"; http_uri; fast_pattern; content:"shortname="; http_uri; content:"&os="; http_uri; content:"&parents="; http_uri; content:"&browserNames="; http_uri; content:"&DefaultBrowserName="; http_uri; content:"&langid="; http_uri; content:"&installdate="; http_uri; content:".installiq.com|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:md5,d28e9e62c83ef2308ddcdbad91fe9cb9; classtype:policy-violation; sid:2018210; rev:4; metadata:created_at 2014_03_04, updated_at 2019_10_07;)

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY Possible Grams DarkMarket Search DNS Domain Lookup"; content:"|10|grams7enufi7jmdl"; nocase; fast_pattern; classtype:policy-violation; sid:2018406; rev:4; metadata:created_at 2014_04_21, updated_at 2019_10_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY tor4u tor2web .onion Proxy domain in SNI"; flow:established,to_server; content:".tor4u.net"; fast_pattern; nocase; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:policy-violation; sid:2018878; rev:2; metadata:created_at 2014_08_01, updated_at 2019_10_07;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY onion.cab tor2web .onion Proxy domain in SNI"; flow:established,to_server; content:".onion.cab"; fast_pattern; nocase; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:policy-violation; sid:2018879; rev:2; metadata:created_at 2014_08_01, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup maxmind.com"; flow:established,to_server; content:"GET"; http_method; content:"/locate_my_ip"; http_uri; fast_pattern; content:"maxmind.com"; http_header; metadata: former_category POLICY; reference:md5,0559c56d6dcf6ffe9ca18f43e225e3ce; classtype:policy-violation; sid:2019140; rev:3; metadata:created_at 2014_09_08, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Office Document Download Containing AutoExec Macro"; flow:established,to_client; file_data; content:"A|00|u|00|t|00|o|00|E|00|x|00|e|00|c"; nocase; fast_pattern; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019614; rev:3; metadata:created_at 2014_10_31, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check wtfismyip.com"; flow:to_server,established; content:"GET"; http_method; content:"wtfismyip.com|0d 0a|"; http_header; fast_pattern; pcre:"/^\/(?:text|json|xml)?$/U"; classtype:policy-violation; sid:2019737; rev:3; metadata:created_at 2014_11_18, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to WebDAV CloudMe Service"; flow:established,to_server; content:"webdav.cloudme.com"; http_header; fast_pattern; pcre:"/^Host\x3a[^\r\n]+?webdav\.cloudme\.com[^\r\n]*?\r?$/Hmi"; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:policy-violation; sid:2019914; rev:3; metadata:created_at 2014_12_10, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY exploitpack.com tool checkin"; flow:established,to_server; content:"GET"; http_method; content:"/changelog/"; http_uri; fast_pattern; pcre:"/^\/changelog\/(?:appversion|changelog|help)$/U"; content:"User-Agent|3a 20|Java/1"; http_header; content:!"Referer|3a 20|"; http_header; reference:url,www.exploitpack.com; classtype:bad-unknown; sid:2020195; rev:3; metadata:created_at 2015_01_15, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SUSPICIOUS *.rar.exe in HTTP URL"; flow:to_server,established; content:".rar.exe"; fast_pattern; http_uri; nocase; pcre:"/\.rar\.exe$/Ui"; metadata: former_category POLICY; classtype:bad-unknown; sid:2020386; rev:3; metadata:created_at 2015_02_09, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY I2P Seeds File Request"; flow:established,to_server; content:"/i2pseeds.su3"; http_uri; fast_pattern; reference:url,phishme.com/dyre-attackers-shift-tactics/; classtype:policy-violation; sid:2020415; rev:3; metadata:created_at 2015_02_12, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Privdog Update check"; flow:established,to_server; content:"X-TA-ClientVer|3a 20|"; http_header; fast_pattern; content:"X-TA-ClientOS|3a 20|"; http_header; content:"/update.inf"; http_uri; reference:url,blog.hboeck.de/archives/866-PrivDog-wants-to-protect-your-privacy-by-sending-data-home-in-clear-text.html; reference:url,blog.lumension.com/9848/whats-worse-than-superfish-meet-privdog-leaving-users-wide-open-to-attacks/; classtype:policy-violation; sid:2020580; rev:3; metadata:created_at 2015_02_27, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - ip2location.com"; flow:established,to_server; content:"GET"; http_method; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a[^\r\n]+ip2location\.com\r?/Hmi"; content:"ip2location.com|0d 0a|"; http_header; fast_pattern; metadata: former_category POLICY; classtype:policy-violation; sid:2021162; rev:4; metadata:created_at 2015_05_28, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible External IP Lookup ip.webmasterhome.cn"; flow:established,to_server; content:"Host|3a 20|ip.webmasterhome.cn|0d 0a|"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; metadata: former_category POLICY; classtype:policy-violation; sid:2021250; rev:3; metadata:created_at 2015_06_11, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible External IP Lookup www.whatsmyip.us"; flow:established,to_server; content:"Host|3a 20|www.whatsmyip.us|0d 0a|"; http_header; fast_pattern; metadata: former_category POLICY; classtype:policy-violation; sid:2021371; rev:3; metadata:created_at 2015_06_30, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup trackip.net"; flow:established,to_server; content:"GET"; http_method; content:"/ip?json"; http_uri; fast_pattern; content:"trackip.net"; http_header; metadata: former_category POLICY; classtype:policy-violation; sid:2021550; rev:3; metadata:created_at 2015_07_29, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup ip2nation.com"; flow:established,to_server; content:"Host|3a 20|www.ip2nation.com|0d 0a|"; http_header; fast_pattern; metadata: former_category POLICY; classtype:policy-violation; sid:2022222; rev:3; metadata:created_at 2015_12_07, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IOS Download from Vshare Marketplace (Possible DarkSideLoading)"; flow:to_server,established; content:".ipa"; nocase; http_uri; content:"appvv.com"; http_header; nocase; fast_pattern; pcre:"/Host\x3a\x20(?:[^\r\n]*?\.)?appvv.com(?:\x3a\d{1,5})?\r\n/Hi"; classtype:policy-violation; sid:2022296; rev:3; metadata:created_at 2015_12_22, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Android Download from Vshare Marketplace (Possible DarkSideLoading)"; flow:to_server,established; content:".apk"; nocase; http_uri; content:"appvv.com"; http_header; nocase; fast_pattern; pcre:"/Host\x3a\x20(?:[^\r\n]*?\.)?appvv.com(?:\x3a\d{1,5})?\r\n/Hi"; classtype:policy-violation; sid:2022297; rev:3; metadata:created_at 2015_12_22, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - ip.tyk.nu"; flow:established,to_server; urilen:1; content:"Host|3a 20|ip.tyk.nu|0d 0a|"; http_header; fast_pattern; metadata: former_category POLICY; classtype:policy-violation; sid:2022368; rev:3; metadata:created_at 2016_01_14, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - meuip.net.br"; flow:established,to_server; content:"Host|3a 20|meuip.net.br|0d 0a|"; http_header; fast_pattern; metadata: former_category POLICY; classtype:policy-violation; sid:2022405; rev:3; metadata:created_at 2016_01_25, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Address Lookup via dawhois.com"; flow:established,to_server; content:"Host|3a 20|www.dawhois.com|0d 0a|"; http_header; fast_pattern; classtype:trojan-activity; sid:2022687; rev:3; metadata:created_at 2016_03_30, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup ip-score.com"; flow:established,to_server; content:"Host|3a 20|ip-score.com|0d 0a|"; fast_pattern; http_header; content:!"Referer|3a|"; http_header; metadata: former_category POLICY; classtype:policy-violation; sid:2022892; rev:3; metadata:created_at 2016_06_13, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible HTA Application Download"; flow:established,to_server; content:"GET"; http_method; content:".hta"; http_uri; nocase; fast_pattern; pcre:"/\.hta$/Ui"; flowbits:set,ET.HTA.Download; content:!"kaspersky.com|0d 0a|"; http_header; reference:url,www.trustedsec.com/july-2015/malicious-htas/; classtype:bad-unknown; sid:2022520; rev:5; metadata:created_at 2016_02_15, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Android Adups Firmware Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"{|22|dc_date|22 3a|"; depth:11; http_client_body; content:",|22|dc_type|22 3a|"; fast_pattern; http_client_body; content:",|22|keyword|22 3a|"; http_client_body; content:",|22|md5|22 3a|"; http_client_body; content:",|22|msg_date|22 3a|"; http_client_body; content:",|22|msg_type|22 3a|"; http_client_body; content:",|22|tell|22 3a|"; http_client_body; metadata: former_category POLICY; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023514; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Informational, created_at 2016_11_16, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (tinytools.nu)"; flow:established,to_server; content:"Host|3a 20|www.tinytools.nu|0d 0a|"; http_header; fast_pattern; content:"/MyIPAddress/"; nocase; http_uri; metadata: former_category POLICY; classtype:policy-violation; sid:2023520; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2016_11_17, performance_impact Low, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY check.torproject.org IP lookup/Tor Usage check over HTTP"; flow:established,to_server; content:"check.torproject.org"; nocase; http_header; fast_pattern; pcre:"/^Host\x3a\s*?check\.torproject\.org(?:\x3a\d{1,5})?\r?$/Hmi"; reference:md5,e87f0db605517e851d571af2e78c5966; classtype:policy-violation; sid:2017927; rev:4; metadata:created_at 2014_01_03, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Download Request to Hotfile.com"; flow:established,to_server; content:"GET"; http_method; content:"/dl/"; http_uri; content:"hotfile.com|0d 0a|"; fast_pattern; http_header; metadata: former_category POLICY; classtype:policy-violation; sid:2015015; rev:3; metadata:created_at 2012_07_03, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible External IP Lookup whoer.net"; flow:established,to_server; content:"Host|3a 20|whoer.net|0d 0a|"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; metadata: former_category POLICY; classtype:policy-violation; sid:2021195; rev:4; metadata:tag IP_address_lookup_website, created_at 2015_06_08, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Office Document Download Containing AutoOpen Macro"; flow:established,to_client; file_data; content:!"oct8ne"; content:"A|00|u|00|t|00|o|00|O|00|p|00|e|00|n"; nocase; fast_pattern; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019613; rev:4; metadata:created_at 2014_10_31, updated_at 2019_10_07;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed IP Lookup Domain (formyip .com in TLS SNI)"; flow:established,to_server; content:"formyip.com"; fast_pattern; nocase; metadata: former_category POLICY; classtype:policy-violation; sid:2024832; rev:3; metadata:created_at 2017_10_10, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Abnormal User-Agent No space after colon - Likely Hostile"; flow:established,to_server; content:"User-Agent|3a|Mozilla"; http_header; nocase; fast_pattern; content:!"BlackBerry|3b|"; http_header; content:!"PlayBook|3b|"; http_header; content:!"Konfabulator"; http_header; content:!"masterconn.qq.com"; http_header; content:!"QQPCMgr"; http_header; metadata: former_category POLICY; classtype:trojan-activity; sid:2011800; rev:11; metadata:created_at 2010_10_12, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Metasploit Framework Checking For Update"; flow:established,to_server; content:"POST"; http_method; urilen:13; content:"/updateserver"; http_uri; fast_pattern; content:"MSFX/"; depth:5; http_user_agent; http_header_names; content:!"Referer"; classtype:misc-activity; sid:2020475; rev:5; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2015_02_18, updated_at 2019_10_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible External IP Lookup myip.kz"; flow:established,to_server; content:"Host|3a 20|myip.kz|0d 0a|"; http_header; fast_pattern; metadata: former_category POLICY; classtype:policy-violation; sid:2021533; rev:3; metadata:created_at 2015_07_27, updated_at 2019_10_07;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Peach C++ Library User Agent Inbound"; flow:established,to_server; content:"Peach"; nocase; http_user_agent; depth:5; reference:url,www.useragentstring.com/pages/useragentstring.php; reference:url,www.useragentstring.com/Peach1.01_id_12276.php; classtype:attempted-recon; sid:2013055; rev:3; metadata:created_at 2011_06_17, updated_at 2019_10_11;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious User Agent (AskInstallChecker)"; flow:to_server,established; content:"GET"; http_method; content:"AskInstall"; http_user_agent; depth:10; nocase; metadata: former_category HUNTING; reference:url,doc.emergingthreats.net/2011225; classtype:policy-violation; sid:2011225; rev:7; metadata:created_at 2010_07_30, updated_at 2019_10_11;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Likely PCTools.com Installer User-Agent (Installer Ping)"; flow:to_server,established; content:"Installer Ping"; http_user_agent; depth:14; classtype:trojan-activity; sid:2013190; rev:4; metadata:created_at 2011_07_05, updated_at 2019_10_11;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY ASafaWeb Scan User-Agent (asafaweb.com)"; flow:established,to_server; content:"asafaweb.com"; http_user_agent; depth:12; isdataat:!1,relative; reference:url,asafaweb.com; classtype:network-scan; sid:2014233; rev:4; metadata:created_at 2012_02_16, updated_at 2019_10_11;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Babylon User-Agent (Translation App Observed in PPI MALWARE)"; flow:to_server,established; content:"Babylon"; http_user_agent; depth:7; fast_pattern; reference:md5,54e482d6c0344935115d04b411afdb27; reference:md5,54dfd618401a573996b2b32bdd21b2d4; reference:md5,546888f8a18ed849058a5325015c29ef; reference:url,www.babylon.com; classtype:policy-violation; sid:2012735; rev:8; metadata:created_at 2011_04_28, updated_at 2019_10_11;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious User-Agent (XXX) Often Sony Update Related"; flow:established,to_server; content:"XXX"; http_user_agent; depth:3; isdataat:!1,relative; metadata: former_category HUNTING; reference:url,doc.emergingthreats.net/bin/view/Main/2010157; classtype:not-suspicious; sid:2010157; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Informational, created_at 2010_07_30, updated_at 2019_10_11;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY FreeRide Games Some AVs report as TrojWare.Win32.Trojan.Agent.Gen"; flow:to_server,established; content:"/do/SDM"; nocase; http_uri; content:"action="; nocase; http_uri; content:"AHTTPConnection"; nocase; http_user_agent; depth:15; reference:url,forums.comodo.com/av-false-positivenegative-detection-reporting/trojwarewin32trojanagentgen-t55152.0.html; classtype:trojan-activity; sid:2013710; rev:6; metadata:created_at 2011_09_28, updated_at 2019_10_11;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Peach C++ Library User Agent Outbound"; flow:established,to_server; content:"Peach"; nocase; http_user_agent; depth:5; content:!"Tree"; http_header; within:4; reference:url,www.useragentstring.com/pages/useragentstring.php; reference:url,www.useragentstring.com/Peach1.01_id_12276.php; classtype:attempted-recon; sid:2013056; rev:5; metadata:created_at 2011_06_17, updated_at 2019_10_11;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Netflix On-demand User-Agent"; flow:to_server,established; content:"WmpHostInternetConnection"; http_user_agent; depth:25; nocase; reference:url,doc.emergingthreats.net/2007638; classtype:policy-violation; sid:2007638; rev:6; metadata:created_at 2010_07_30, updated_at 2019_10_11;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY POSSIBLE Web Crawl using Curl"; flow:established,to_server; content:"User-Agent|3a 20|curl"; http_header; nocase; threshold: type both, track by_src, count 10, seconds 60; reference:url,curl.haxx.se; reference:url,doc.emergingthreats.net/2002825; classtype:attempted-recon; sid:2002825; rev:10; metadata:created_at 2010_07_30, updated_at 2019_10_11;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Winpcap Installation in Progress"; flow:established,to_server; content:"/install/banner/"; http_uri; nocase; pcre:"/\d/\d+.jpg/Ui"; content:"Host|3a 20|www.winpcap.org"; nocase; http_header; content:"NSISDL"; nocase; http_user_agent; depth:6; reference:url,www.winpcap.org; reference:url,doc.emergingthreats.net/2002866; classtype:policy-violation; sid:2002866; rev:8; metadata:created_at 2010_07_30, updated_at 2019_10_11;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Apple iDisk Sync Unencrypted"; flow:established,to_server; content:"|0d 0a|Host|3a 20|idisk.mac.com|0d 0a|"; http_header; nocase; content:"DotMacKit-like, File-Sync-Direct"; http_user_agent; depth:32; nocase; classtype:policy-violation; sid:2012331; rev:5; metadata:created_at 2011_02_21, updated_at 2019_10_11;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Maxthon Browser Background Agent UA (MxAgent)"; flow:to_server,established; content:"MxAgent"; nocase; http_user_agent; depth:7; reference:url,doc.emergingthreats.net/2011125; classtype:not-suspicious; sid:2011125; rev:8; metadata:created_at 2010_07_30, updated_at 2019_10_11;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.ddns .net"; dns_query; content:".ddns.net"; nocase; isdataat:!1,relative; metadata: former_category POLICY; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028675; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_11, performance_impact Low, updated_at 2019_10_11;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.ddnsking .com"; dns_query; content:".ddnsking.com"; nocase; isdataat:!1,relative; metadata: former_category POLICY; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028676; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_11, performance_impact Low, updated_at 2019_10_11;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.3utilities .com"; dns_query; content:".3utilities.com"; nocase; isdataat:!1,relative; metadata: former_category POLICY; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028677; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_11, performance_impact Low, updated_at 2019_10_11;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.bounceme .net"; dns_query; content:".bounceme.net"; nocase; isdataat:!1,relative; metadata: former_category POLICY; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028678; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.freedynamicdns .net"; dns_query; content:".freedynamicdns.net"; nocase; isdataat:!1,relative; metadata: former_category POLICY; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028679; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.freedynamicdns .org"; dns_query; content:".freedynamicdns.org"; nocase; isdataat:!1,relative; metadata: former_category POLICY; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028680; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.hopto .org"; dns_query; content:".hopto.org"; nocase; isdataat:!1,relative; metadata: former_category POLICY; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028681; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.myftp .org"; dns_query; content:".myftp.org"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028684; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.myvnc .com"; dns_query; content:".myvnc.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028685; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.onthewifi .com"; dns_query; content:".onthewifi.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028686; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.redirectme .net"; dns_query; content:".redirectme.net"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028687; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servebeer .com"; dns_query; content:".servebeer.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028688; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.serveblog .net"; dns_query; content:".serveblog.net"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028689; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servecounterstrike .com"; dns_query; content:".servecounterstrike.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028690; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.serveftp .com"; dns_query; content:".serveftp.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028691; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servegame .com"; dns_query; content:".servegame.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028692; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servehalflife .com"; dns_query; content:".servehalflife.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028693; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servehttp .com"; dns_query; content:".servehttp.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028694; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.serveirc .com"; dns_query; content:".serveirc.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028695; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.serveminecraft .net"; dns_query; content:".serveminecraft.net"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028696; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servemp3 .com"; dns_query; content:".servemp3.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028697; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servepics .com"; dns_query; content:".servepics.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028698; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servequake .com"; dns_query; content:".servequake.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028699; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.viewdns .net"; dns_query; content:".viewdns.net"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028701; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.webhop .me"; dns_query; content:".webhop.me"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028702; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.zapto .org"; dns_query; content:".zapto.org"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028703; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.access .ly"; dns_query; content:".access.ly"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028704; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.blogsyte .com"; dns_query; content:".blogsyte.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028705; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.brasilia .me"; dns_query; content:".brasilia.me"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028706; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.cable-modem .org"; dns_query; content:".cable-modem.org"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028707; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.ciscofreak .com"; dns_query; content:".ciscofreak.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028708; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.collegefan .org"; dns_query; content:".collegefan.org"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028709; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.couchpotatofries .org"; dns_query; content:".couchpotatofries.org"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028710; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.damnserver .com"; dns_query; content:".damnserver.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028711; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.ddns .me"; dns_query; content:".ddns.me"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028712; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.ditchyourip .com"; dns_query; content:".ditchyourip.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028713; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.dnsfor .me"; dns_query; content:".dnsfor.me"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028714; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.dnsiskinky .com"; dns_query; content:".dnsiskinky.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028715; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.dvrcam .info"; dns_query; content:".dvrcam.info"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028716; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.dynns .com"; dns_query; content:".dynns.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028717; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.eating-organic .net"; dns_query; content:".eating-organic.net"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028718; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.fantasyleague .cc"; dns_query; content:".fantasyleague.cc"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028719; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.geekgalaxy .com"; dns_query; content:".geekgalaxy.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028720; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.golffan .us"; dns_query; content:".golffan.us"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028721; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.health-carereform .com"; dns_query; content:".health-carereform.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028722; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.homesecuritymac .com"; dns_query; content:".homesecuritymac.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028723; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.homesecuritypc .com"; dns_query; content:".homesecuritypc.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028724; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.hosthampster .com"; dns_query; content:".hosthampster.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028725; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.hopto .me"; dns_query; content:".hopto.me"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028726; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.ilovecollege .info"; dns_query; content:".ilovecollege.info"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028727; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.loginto .me"; dns_query; content:".loginto.me"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028728; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.mlbfan .org"; dns_query; content:".mlbfan.org"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028729; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.mmafan .biz"; dns_query; content:".mmafan.biz"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028730; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.myactivedirectory .com"; dns_query; content:".myactivedirectory.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028731; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.mydissent .net"; dns_query; content:".mydissent.net"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028732; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.myeffect .net"; dns_query; content:".myeffect.net"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028733; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.mymediapc .net"; dns_query; content:".mymediapc.net"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028734; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.mypsx .net"; dns_query; content:".mypsx.net"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028735; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.mysecuritycamera .com"; dns_query; content:".mysecuritycamera.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028736; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.mysecuritycamera .net"; dns_query; content:".mysecuritycamera.net"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028737; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.mysecuritycamera .org"; dns_query; content:".mysecuritycamera.org"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028738; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.net-freaks .com"; dns_query; content:".net-freaks.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028739; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.nflfan .org"; dns_query; content:".nflfan.org"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028740; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.nhlfan .net"; dns_query; content:".nhlfan.net"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028741; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.pgafan .net"; dns_query; content:".pgafan.net"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028742; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.point2this .com"; dns_query; content:".point2this.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028743; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.pointto .us"; dns_query; content:".pointto.us"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028744; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.privatizehealthinsurance .net"; dns_query; content:".privatizehealthinsurance.net"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028745; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.quicksytes .com"; dns_query; content:".quicksytes.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028746; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.read-books .org"; dns_query; content:".read-books.org"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028747; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.securitytactics .com"; dns_query; content:".securitytactics.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028748; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.serveexchange .com"; dns_query; content:".serveexchange.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028749; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servehumour .com"; dns_query; content:".servehumour.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028750; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servep2p .com"; dns_query; content:".servep2p.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028751; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servesarcasm .com"; dns_query; content:".servesarcasm.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028752; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.stufftoread .com"; dns_query; content:".stufftoread.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028753; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.ufcfan .org"; dns_query; content:".ufcfan.org"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028754; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.unusualperson .com"; dns_query; content:".unusualperson.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028755; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.workisboring .com"; dns_query; content:".workisboring.com"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028756; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_14, performance_impact Low, updated_at 2019_10_14;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTMLGET User Agent Detected - Often Linux utility based"; flow:established,to_server; content:"HTMLGET "; http_user_agent; nocase; depth:8; reference:url,mtc.sri.com/iPhone/; classtype:trojan-activity; sid:2013018; rev:6; metadata:created_at 2011_06_13, updated_at 2020_04_20;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY APT User-Agent to BackTrack Repository"; flow:established,to_server; content:"Ubuntu APT-HTTP|2F|"; http_user_agent; depth:16; content:"|0d 0a|Host|3a 20|"; http_header; content:"repository.backtrack-linux.org"; http_header; within:40; reference:url,www.backtrack-linux.org; classtype:policy-violation; sid:2013914; rev:5; metadata:created_at 2011_11_16, updated_at 2020_04_20;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GridinSoft.com Software Version Check"; flow:established,to_server; content:"GridinSoft"; http_user_agent; depth:10; classtype:trojan-activity; sid:2013719; rev:4; metadata:created_at 2011_09_30, updated_at 2020_04_20;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious User Agent UpdateSoft"; flow:established,to_server; content:"UpdateSoft"; http_user_agent; depth:10; reference:md5,254efc77c18eb2f427d2a3920e07c2e8; classtype:trojan-activity; sid:2014345; rev:4; metadata:created_at 2012_03_08, updated_at 2019_10_15;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Snadboy.com Products User-Agent"; flow:established,to_server; content:"SnadBoy"; http_user_agent; depth:7; reference:md5,26a813eadbf11a1dfc2e63dc7dc87480; classtype:trojan-activity; sid:2014342; rev:5; metadata:created_at 2012_03_08, updated_at 2019_10_15;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Installshield One Click Install User-Agent Toys File"; flow:established,to_server; content:"toys|3A 3A|file"; http_user_agent; depth:10; reference:md5,6b712c6dbc3cd87bbaeb955ea1d2d24f; classtype:trojan-activity; sid:2014341; rev:4; metadata:created_at 2012_03_08, updated_at 2019_10_15;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY OS X Software Update Request Outbound"; flow:established,to_server; content:"Software Update|2F|"; http_user_agent; depth:16; content:" Darwin|2F|"; http_user_agent; within:48; reference:url,www.apple.com/softwareupdate/; classtype:policy-violation; sid:2013503; rev:4; metadata:created_at 2011_08_31, updated_at 2020_04_20;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY eBook Generator User-Agent (EBook)"; flow:established,to_server; content:"EBook"; http_user_agent; depth:5; isdataat:!1,relative; reference:url,malwr.com/analysis/a04b28e21adc70837eb7de811556ff4e/; reference:url,www.ebookgenerator.com/; classtype:policy-violation; sid:2014576; rev:3; metadata:created_at 2012_04_16, updated_at 2019_10_16;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY DNSWatch.info IP Check"; flow:from_client,established; content:"/dns/dnslookup?la=en&host="; http_uri; fast_pattern; content:"&type=A&submit=Resolve"; distance:0; http_uri; content:"Mozilla/5.0 (compatible|3b 20|MSIE 6.0.1|3b 20|"; http_user_agent; depth:37; content:"WININET 5.0)"; http_user_agent; isdataat:!1,relative; content:"www.dnswatch.info"; http_host; classtype:trojan-activity; sid:2014359; rev:8; metadata:created_at 2012_03_09, updated_at 2019_10_16;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY I2P Retrieving reseed info"; flow:established,to_server; content:"GET"; http_method; content:"/netdb/"; nocase; depth:7; http_uri; fast_pattern; content:"Wget/1.11.4"; http_user_agent; depth:11; isdataat:!1,relative; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; classtype:policy-violation; sid:2019898; rev:4; metadata:created_at 2014_12_09, updated_at 2019_10_16;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Privdog Activation"; flow:established,to_server; content:"ActivationRequestSendingSession"; http_user_agent; fast_pattern; depth:31; isdataat:!1,relative; content:"activation_api.php?"; http_uri; reference:url,blog.hboeck.de/archives/866-PrivDog-wants-to-protect-your-privacy-by-sending-data-home-in-clear-text.html; reference:url,blog.lumension.com/9848/whats-worse-than-superfish-meet-privdog-leaving-users-wide-open-to-attacks/; classtype:policy-violation; sid:2020578; rev:3; metadata:created_at 2015_02_27, updated_at 2019_10_16;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Privdog Checkin"; flow:established,to_server; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|MSIE 7.0|3b 20|Windows NT 6.0|3b 20|en-US|29|"; http_user_agent; fast_pattern; depth:57; isdataat:!1,relative; content:"/safecontent.php?"; http_uri; reference:url,blog.hboeck.de/archives/866-PrivDog-wants-to-protect-your-privacy-by-sending-data-home-in-clear-text.html; reference:url,blog.lumension.com/9848/whats-worse-than-superfish-meet-privdog-leaving-users-wide-open-to-attacks/; classtype:policy-violation; sid:2020579; rev:3; metadata:created_at 2015_02_27, updated_at 2019_10_16;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 10.0.x Detected"; flow:established,to_server; content:"Java/10.0."; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; metadata: former_category POLICY; reference:url,www.oracle.com/technetwork/java/javase/10u-relnotes-4108739.html; classtype:bad-unknown; sid:2025518; rev:4; metadata:affected_product Java, attack_target Client_Endpoint, deployment Perimeter, deployment Internal, signature_severity Informational, created_at 2018_04_19, performance_impact Low, updated_at 2019_10_18;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 12.0.x Detected"; flow:established,to_server; content:"Java/12.0."; http_user_agent; content:!"2"; within:1; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,www.oracle.com/technetwork/java/javase/12u-relnotes-5211424.html; classtype:bad-unknown; sid:2028868; rev:2; metadata:affected_product Java, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_18, updated_at 2019_10_18;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Java Url Lib User Agent Web Crawl"; flow:established,to_server; content:"Java/"; nocase; http_user_agent; pcre:"/^\d\d?\.\d/VRi"; threshold: type both, track by_src, count 10, seconds 60; reference:url,www.mozilla.org/docs/netlib/seealso/netmods.html; reference:url,doc.emergingthreats.net/2002945; classtype:attempted-recon; sid:2002945; rev:13; metadata:created_at 2010_07_30, updated_at 2019_10_21;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Xpopup Instant Messenger Downloading Configuration"; flow:established,to_server; urilen:13; content:"GET"; http_method; content:"/xpopinfo.dat"; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"Mozilla/4.1 (compatible|3b 20|"; http_user_agent; depth:25; reference:md5,6c7abe2297ee64362e33584f9f654ebd; classtype:policy-violation; sid:2021205; rev:5; metadata:created_at 2015_06_08, updated_at 2019_10_22;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TOR Consensus Data Requested"; flow:established,to_server; content:"GET"; http_method; content:"/tor/status-vote/current/consensus"; http_uri; depth:34; metadata: former_category POLICY; classtype:policy-violation; sid:2028914; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_28, performance_impact Low, updated_at 2019_10_28;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed SSL Cert (DoH Service)"; flow:from_server,established; tls_cert_subject; content:"CN=www.rubyfish.cn"; nocase; fast_pattern; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; metadata: former_category POLICY; classtype:policy-violation; sid:2029051; rev:1; metadata:deployment Perimeter, tag DNS_over_HTTPS, signature_severity Minor, created_at 2019_11_21, performance_impact Low, updated_at 2019_11_21;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - free .ipwhois .io "; flow:established,to_server; content:"GET"; http_method; content:"free.ipwhois.io"; http_host; fast_pattern; metadata: former_category POLICY; classtype:policy-violation; sid:2029185; rev:2; metadata:tag IP_address_lookup_website, created_at 2019_12_20, updated_at 2019_12_20;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY Suspicious ToTok Mobile Application DNS Request"; dns_query; content:"capi.im.totok.ai"; nocase; isdataat:!1,relative; reference:url,objective-see.com/blog/blog_0x52.html; classtype:trojan-activity; sid:2029198; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_12_26, updated_at 2019_12_26;)

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious ToTok Mobile Application TLS Request"; tls_sni; content:"capi.im.totok.ai"; nocase; isdataat:!1,relative; reference:url,objective-see.com/blog/blog_0x52.html; classtype:trojan-activity; sid:2029199; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2019_12_26, updated_at 2019_12_26;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (whois .pconline .com .cn)"; flow:established,to_server; content:"GET"; http_method; content:"whois.pconline.com.cn"; http_host; fast_pattern; metadata: former_category POLICY; classtype:policy-violation; sid:2029243; rev:2; metadata:created_at 2020_01_09, performance_impact Low, updated_at 2020_01_09;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY GG Url Shortener Observed in DNS Query"; dns_query; content:"gg.gg"; nocase; depth:5; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2029258; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2020_01_13, performance_impact Low, updated_at 2020_01_13;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY Website Hosting Service Observed in DNS Query"; dns_query; content:"dynapps.be"; nocase; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2029308; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_01_22, updated_at 2020_01_22;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to IP Logging Service (2no .co)"; flow:established,to_server; content:"2no.co"; depth:6; http_host; metadata: former_category POLICY; classtype:policy-violation; sid:2029299; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2020_01_22, updated_at 2020_01_22;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Telegram API Cerficate Observed"; flow:established,to_client; tls_cert_subject; content:"CN=api.telegram.org"; fast_pattern; nocase; isdataat:!1,relative; metadata: former_category HUNTING; classtype:misc-activity; sid:2029322; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2020_01_27, updated_at 2020_01_27;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GeoIP Lookup (nydus.battle.net)"; flow:established,to_server; content:"GET"; http_method; content:"/geoip"; http_uri; depth:6; isdataat:!1,relative; content:"nydus.battle.net"; http_host; depth:16; isdataat:!1,relative; fast_pattern; metadata: former_category POLICY; reference:md5,446bed079ec0179e82eab6710d55155f; classtype:policy-violation; sid:2029324; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2020_01_28, performance_impact Low, updated_at 2020_01_28;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to a Reverse Proxy Service Observed"; dns_query; content:".portmap."; nocase; pcre:"/^(?:com|io|host)/Ri"; classtype:policy-violation; sid:2027941; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2019_09_03, updated_at 2020_01_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IncrediMail Install Callback"; flow:established,to_server; content:"POST"; http_method; content:"s=PFNCIHhtbG5zPSJTdGF0aXN0aWNzTlMiPjxBIGlkPSIxIj4"; fast_pattern; http_client_body; depth:49; reference:url,www.incredimail.com; classtype:policy-violation; sid:2013499; rev:4; metadata:created_at 2011_08_30, updated_at 2020_02_04;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Android.Plankton/Tonclank Successful Installation Device Information POST Message Body"; flow:established,to_server; content:"POST"; http_method; content:"action=get&applicationID="; nocase; http_client_body; depth:25; fast_pattern; content:"&developerId="; nocase; distance:0; http_client_body; content:"&deviceId="; nocase; distance:0; http_client_body; content:"android.permission"; nocase; distance:0; http_client_body; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013043; rev:5; metadata:created_at 2011_06_16, updated_at 2020_02_06;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET POLICY ABBCCoin Checkin"; flow:to_server,established; content:"_version"; within:14; content:"ABBCCoin"; within:150; fast_pattern; metadata: former_category POLICY; reference:md5,77ec579347955cfa32f219386337f5bb; classtype:misc-activity; sid:2029422; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2020_02_12, updated_at 2020_02_12;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.7.x Detected"; flow:established,to_server; content:"Java/1.7.0_"; http_user_agent; content:!"251"; within:3; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; metadata: former_category POLICY; reference:url,www.oracle.com/technetwork/java/javase/documentation/javase7supportreleasenotes-1601161.html; classtype:bad-unknown; sid:2014297; rev:56; metadata:affected_product Java, attack_target Client_Endpoint, deployment Perimeter, deployment Internal, signature_severity Informational, created_at 2012_03_01, performance_impact Low, updated_at 2020_02_18;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.8.x Detected"; flow:established,to_server; content:" Java/1.8.0_"; http_user_agent; content:!"241"; within:3; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; metadata: former_category POLICY; reference:url,www.oracle.com/technetwork/java/javase/8u-relnotes-2225394.html; classtype:bad-unknown; sid:2019401; rev:29; metadata:affected_product Java, attack_target Client_Endpoint, deployment Perimeter, deployment Internal, signature_severity Informational, created_at 2014_10_15, performance_impact Low, updated_at 2020_02_18;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 11.0.x Detected"; flow:established,to_server; content:"Java/11.0."; http_user_agent; content:!"6"; within:1; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,www.oracle.com/technetwork/java/javase/11u-relnotes-5093844.html; classtype:bad-unknown; sid:2028867; rev:4; metadata:affected_product Java, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_18, updated_at 2020_02_18;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 13.0.x Detected"; flow:established,to_server; content:"Java/13.0."; http_user_agent; content:!"2"; within:1; http_user_agent; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; metadata: former_category POLICY; reference:url,www.oracle.com/technetwork/java/javase/13u-relnotes-5461742.html; classtype:bad-unknown; sid:2028869; rev:3; metadata:affected_product Java, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2019_10_18, updated_at 2020_02_18;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query for Suspicious TLD (.management)"; dns_query; content:".management"; nocase; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2029509; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2020_02_20, performance_impact Low, updated_at 2020_02_20;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Logmein.com Update Activity"; flow:to_server,established; content:"GET"; http_method; content:"/update.logmein.com/"; nocase; fast_pattern; http_uri; http_header_names; content:!"Host|0d 0a|"; reference:url,doc.emergingthreats.net/2007766; classtype:policy-violation; sid:2007766; rev:8; metadata:created_at 2010_07_30, updated_at 2020_02_24;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY EXE Base64 Encoded potential malware"; flow:established,from_server; file_data; content:"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; fast_pattern; content:!"<html"; nocase; content:!"<body"; nocase; content:!"<script"; nocase; metadata: former_category MALWARE; reference:url,urlhaus.abuse.ch/url/319004/; classtype:misc-activity; sid:2029538; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_02_26, updated_at 2020_02_26;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY OnePlus phone data leakage"; flow:to_server,established; content:"POST"; http_method; content:"/cloud/pushdata"; http_uri; isdataat:!1,relative; fast_pattern; content:"okhttp/"; depth:7; http_user_agent; content:"data="; depth:5; http_client_body; http_header_names; content:!"Referer|0d 0a|"; metadata: former_category POLICY; reference:url,www.chrisdcmoore.co.uk/post/oneplus-analytics/; classtype:policy-violation; sid:2025134; rev:4; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Minor, created_at 2017_12_06, malware_family Android_OnePlus, updated_at 2020_02_27;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible Psiphon Proxy Tool traffic"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; fast_pattern; http_header; nocase; pcre:"/^[A-Z]=(?:[A-Za-z0-9+/])+=?=?$/C"; http_accept_enc; content:"gzip"; depth:4; http_header_names; content:"Content-Length|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Connection"; content:!"Cache-Control"; content:!"Accept|0d 0a|"; threshold:type threshold, track by_src, count 20, seconds 120; reference:md5,a050a1e9fa0fe0e01cfbf14ead388c4e; classtype:policy-violation; sid:2022679; rev:5; metadata:created_at 2016_03_28, updated_at 2020_02_28;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (avast .com)"; flow:established,to_server; content:"GET"; http_method; content:"ip-info.ff.avast.com"; fast_pattern; http_host; metadata: former_category POLICY; classtype:policy-violation; sid:2029575; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2020_03_04, performance_impact Low, updated_at 2020_03_04;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed External IP Lookup SSL Cert"; flow:from_server,established; tls_cert_subject; content:".iplocation.com"; nocase; fast_pattern; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; metadata: former_category POLICY; classtype:trojan-activity; sid:2026882; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag IP_address_lookup_website, signature_severity Minor, created_at 2019_02_05, performance_impact Low, updated_at 2020_03_04;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check (rl. ammyy. com)"; flow:to_server,established; urilen:1; content:"rl.ammyy.com"; http_host; depth:12; isdataat:!1,relative; fast_pattern; classtype:policy-violation; sid:2025149; rev:3; metadata:created_at 2017_12_13, updated_at 2020_03_04;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Outdated Flash Version M2"; flow:established,to_server; content:"X-Requested-With|3a 20|ShockwaveFlash/"; http_header; fast_pattern; content:!"32.0.0.330|0d 0a|"; within:12; http_header; threshold: type limit, count 1, seconds 60, track by_src; metadata: former_category POLICY; reference:url,www.adobe.com/software/flash/about/; classtype:policy-violation; sid:2024379; rev:33; metadata:affected_product Adobe_Flash, signature_severity Informational, created_at 2017_06_13, performance_impact Low, updated_at 2020_03_04;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Onion2Web Tor Proxy Cookie"; flow:established,to_server; content:"onion2web_confirmed="; http_cookie; fast_pattern; reference:md5,a46e609662eb94a726fcb4471b7057d4; reference:md5,2b62cdb6bcec4bff47eff437e4fc46d3; reference:url,github.com/starius/onion2web; classtype:policy-violation; sid:2020324; rev:4; metadata:created_at 2015_01_28, updated_at 2020_03_06;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Mattermost API Usage"; flow:established,to_server; content:"GET"; http_method; content:"/api/v4/teams/name/"; http_uri; content:"|0d 0a|Authorization|3a 20|Bearer|20|"; fast_pattern; http_header; http_header_names; content:!"Referer|0d 0a|"; content:!"User-Agent"; metadata: former_category POLICY; reference:md5,df7e78609dd63fe9f3be87be0e2420fa; classtype:misc-activity; sid:2029599; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, deployment SSLDecrypt, signature_severity Minor, created_at 2020_03_09, performance_impact Low, updated_at 2020_03_09;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Outdated Flash Version M1"; flow:established,to_server; content:"x-flash-version|3a 20|"; http_header; content:!"32.0.0.255|0d 0a|"; within:12; http_header; content:!"32.0.0.293|0d 0a|"; within:12; http_header; content:!"32,0,0,255|0d 0a|"; within:12; http_header; content:!"32,0,0,293|0d 0a|"; within:12; http_header; threshold: type limit, count 1, seconds 60, track by_src; metadata: former_category POLICY; reference:url,www.adobe.com/software/flash/about/; classtype:policy-violation; sid:2014726; rev:124; metadata:affected_product Adobe_Flash, signature_severity Informational, created_at 2012_05_09, performance_impact Low, updated_at 2020_03_11;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (ipify .org)"; flow:established,to_server; content:"/?format="; depth:9; http_uri; content:"api.ipify.org"; depth:13; isdataat:!1,relative; fast_pattern; http_host; metadata: former_category POLICY; classtype:policy-violation; sid:2029622; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2020_03_12, performance_impact Low, updated_at 2020_03_12;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY QQ Browser WUP Request - qbpcstatf.stat"; flow:established,to_server; content:"POST"; http_method; content:"|3c|LV|08|qbpcstatf|04|stat|7d 00|"; http_client_body; fast_pattern; content:"|05|crypt|18 00|"; http_client_body; distance:0; content:"|01 06 0a|list|3c|char|3e|"; http_client_body; distance:0; threshold:type limit, track by_src, count 1, seconds 60; metadata: former_category POLICY; reference:url,citizenlab.ca/2016/03/privacy-security-issues-qq-browser/; classtype:policy-violation; sid:2029632; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2020_03_13, performance_impact Low, updated_at 2020_03_13;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY QQ Browser WUP Request - qbkpireportbakf.stat"; flow:established,to_server; content:"POST"; http_method; content:"|3c|LV|0e|qbkpireportbakf|04|stat|7d 00|"; http_client_body; fast_pattern; content:"|05|crypt|18 00|"; http_client_body; distance:0; content:"|01 06 0a|list|3c|char|3e|"; http_client_body; distance:0; threshold:type limit, track by_src, count 1, seconds 60; metadata: former_category POLICY; reference:url,citizenlab.ca/2016/03/privacy-security-issues-qq-browser/; classtype:policy-violation; sid:2029633; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2020_03_13, performance_impact Low, updated_at 2020_03_13;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS *.dyn-ip24 .de Domain"; dns_query; content:".dyn-ip24.de"; nocase; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2029638; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2020_03_16, performance_impact Low, updated_at 2020_03_16;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (api .ipstack .com)"; flow:established,to_server; content:"GET"; http_method; content:"api.ipstack.com"; http_host; depth:15; fast_pattern; content:"?access_key="; http_uri; metadata: former_category POLICY; classtype:policy-violation; sid:2029694; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2020_03_19, performance_impact Low, updated_at 2020_03_19;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY File Downloaded via ge.tt Filesharing Service"; content:"GET"; http_method; content:"/gett/"; http_uri; fast_pattern; depth:6; content:"?index="; http_uri; distance:0; content:"&user="; http_uri; distance:0; content:"&referrer="; http_uri; distance:0; content:"&download="; http_uri; distance:0; content:"ge.tt"; http_host; isdataat:!1,relative; flowbits:set,ET.ge.tt.download; metadata: former_category POLICY; classtype:misc-activity; sid:2029745; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2020_03_25, updated_at 2020_03_25;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY File Uploaded to ge.tt Filesharing Service"; flow:established,to_server; content:"POST"; http_method; content:"/upload/"; depth:8; content:"ge.tt"; http_host; fast_pattern; content:"|22 3b 20|filename=|22|"; http_client_body; metadata: former_category POLICY; classtype:misc-activity; sid:2029746; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2020_03_25, updated_at 2020_03_25;)

alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to .burpcollector .net Domain"; dns_query; content:".burpcollector.net"; nocase; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2029826; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2020_04_07, updated_at 2020_04_07;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed DeepFreezeWeb User-Agent"; flow:established,to_server; content:"DeepFreezeWeb"; http_user_agent; depth:13; isdataat:!1,relative; metadata: former_category POLICY; classtype:policy-violation; sid:2029912; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2020_04_15, updated_at 2020_04_15;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check (ip. jsontest .com)"; flow:to_server,established; content:"ip.jsontest.com"; http_host; depth:15; isdataat:!1,relative; fast_pattern; metadata: former_category POLICY; classtype:policy-violation; sid:2029923; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Informational, created_at 2020_04_16, updated_at 2020_04_16;)