- Updated to the latest complete rule set from Emerging Threats (see

author Michael Rash <mbr@cipherdyne.org>

Fri, 24 Dec 2010 04:39:26 +0000 (04:39 +0000)

committer Michael Rash <mbr@cipherdyne.org>

Fri, 24 Dec 2010 04:39:26 +0000 (04:39 +0000)
author Michael Rash <mbr@cipherdyne.org>
Fri, 24 Dec 2010 04:39:26 +0000 (04:39 +0000)
committer Michael Rash <mbr@cipherdyne.org>
Fri, 24 Dec 2010 04:39:26 +0000 (04:39 +0000)
diff --git a/ChangeLog b/ChangeLog

index d824774..3c4bead 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -24,6 +24,8 @@ fwsnort-1.5 (12//2011):
       even during the capabilities testing phase.
     - Added the --ipt-check-capabilities argument to have fwsnort test the
       capabilities of the local iptables firewall and exit.
+    - Updated to the latest complete rule set from Emerging Threats (see
+      http://www.emergingthreats.net/).
 
 fwsnort-1.1 (01/05/2010):
     - Added the ability to build an fwsnort policy that utilizes ip6tables
diff --git a/deps/snort_rules/emerging-all.rules b/deps/snort_rules/emerging-all.rules

index 2335a76..713d6b7 100644 (file)
--- a/deps/snort_rules/emerging-all.rules
+++ b/deps/snort_rules/emerging-all.rules
@@ -1,18 +1,15 @@
+# Emerging Threats 
 #
-# $Id: emerging-all.rules $
-# Emerging Threats rules. 
+# This distribution may contain rules under two different licenses. 
 #
-# SID's are 2000000+ to avoid conflicts
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
 #
-# More information available at www.emergingthreats.net
-#
-# Please submit any custom rules or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
-#
-#This is the MASTER list, this includes ALL rules
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
 #
 #*************************************************************
-#
-#  Copyright (c) 2003-2009, Emerging Threats
+#  Copyright (c) 2003-2010, Emerging Threats
 #  All rights reserved.
 #  
 #  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
@@ -33,14906 +30,44804 @@
 #  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
 #  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
 #
+#*************************************************************
+#
+#
+#
 #
-#by kevin ross
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Adobe Request flowbit set"; flow:established,to_server; uricontent:".pdf"; nocase; classtype:not-suspicious; flowbits:set,ET.pdf.request; flowbits:noalert; reference:url,doc.emergingthreats.net/2010499; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Adobe; sid:2010499; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Adobe Multimedia Doc.media.newPlayer Memory Corruption Attempt"; flowbits:isset,ET.pdf.request; flow:to_client,established; content:"media|2E|newPlayer"; nocase; content:"|28|null|28|"; nocase; within:8; content:"util|2E|printd"; nocase; distance:0; classtype:attempted-user; reference:url,www.metasploit.com/redmine/projects/framework/repository/revisions/7881/entry/modules/exploits/windows/fileformat/adobe_media_newplayer.rb; reference:url,vrt-sourcefire.blogspot.com/2009/12/adobe-reader-medianewplayer-analysis.html; reference:url,www.securityfocus.com/bid/37331; reference:cve,2009-4324; reference:url,doc.emergingthreats.net/2010495; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Adobe; sid:2010495; rev:6;)
 
-#by evilghost
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Adobe 0day Shovelware"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\:"; nocase; uricontent:"/ppp/listdir.php?dir="; pcre:"/\/[a-z]{2}\/[a-z]{4}01\/ppp\/listdir\.php\?dir=/U"; classtype:trojan-activity; reference:url,isc.sans.org/diary.html?storyid=7747; reference:url,doc.emergingthreats.net/2010496; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Adobe; sid:2010496; rev:2;)
+# This Ruleset is EmergingThreats Open optimized for snort-2.9.0.
+#by Jaime Blasco
+#
+#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE HTTP 401 Unauthorized"; flow:from_server,established; content:"401"; http_stat_code; threshold: type both, count 1, seconds 300, track by_dst; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2009345; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_401_Unauthorized; sid:2009345; rev:7;)
 
+#by Jaime Blasco
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Frequent HTTP 401 Unauthorized - Possible Brute Force Attack"; flow:from_server,established; content:"401";  http_stat_code;  threshold:type both, track by_dst, count 30, seconds 60; classtype:attempted-recon; reference:url,doc.emergingthreats.net/2009346; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_401_Unauthorized; sid:2009346; rev:7;)
 
 #by David Wharton
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internal User may have Visited an ASProx Infected Site (ads-t.ru)"; flow:established,from_server; content:"<script src=http\://www.ads-t.ru/ads.js>"; nocase; classtype:trojan-activity; reference:url,garwarner.blogspot.com/2009/10/cyber-security-awareness-month-day-one.html; reference:url,doc.emergingthreats.net/2010032; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Asprox; sid:2010032; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internal User may have Visited an ASProx Infected Site (bannert.ru)"; flow:established,from_server; content:"<script src=http\://www.bannert.ru/ads.js>"; nocase; classtype:trojan-activity; reference:url,garwarner.blogspot.com/2009/10/cyber-security-awareness-month-day-one.html; reference:url,doc.emergingthreats.net/2010033; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Asprox; sid:2010033; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internal User may have Visited an ASProx Infected Site (bannerdriven.ru)"; flow:established,from_server; content:"<script src=http\://www.bannerdriven.ru/ads.js>"; nocase; classtype:trojan-activity; reference:url,garwarner.blogspot.com/2009/10/cyber-security-awareness-month-day-one.html; reference:url,doc.emergingthreats.net/2010034; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Asprox; sid:2010034; rev:3;)
+#
+##alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible ASPXSpy Request"; flow:established,from_server; content:"Thanks Snailsor,FuYu,BloodSword"; fast_pattern:only; classtype:web-application-activity; reference:url,doc.emergingthreats.net/2009146; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_ASPXSpy; sid:2009146; rev:4;)
 
-#by Daniel Sheperd
-alert udp any any -> any 53 (msg:"ET CURRENT_EVENTS DNS BIND 9 Dynamic Update DoS attempt"; byte_test:1,&,40,2; byte_test:1,>,0,5; byte_test:1,>,0,1; content:"|00 00 06|"; distance:8; content:"|c0 0c 00 ff|"; distance:2; reference:cve,2009-0696; classtype:attempted-dos; reference:url,doc.emergingthreats.net/2009701; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Bind; sid:2009701; rev:3;)
+#by David Wharton
+#
+##alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible ASPXSpy Related Activity"; flow:established,from_server; content:"public string Password|3D 22|21232f297a57a5a743894a0e4a801fc3|22 3B|"; fast_pattern:only; nocase; classtype:web-application-activity; reference:url,doc.emergingthreats.net/2009147; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_ASPXSpy; sid:2009147; rev:4;)
 
-#matt jonkman, idea from Jason Weir
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS DHL Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment\;"; nocase; content:"filename"; within:100; content:"DHL_"; within:50; pcre:"/filename\s*=\s*"DHL_(package_label_|print_label_).....\.zip/m"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010148; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL; sid:2010148; rev:4;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Facebook Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment\;"; nocase; content:"filename"; within:100; content:"Facebook_Password"; within:50; pcre:"/filename\s*=\s*"Facebook_Password_.....\.zip/m"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010166; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL; sid:2010166; rev:4;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS WU Malicious Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment\;"; nocase; content:"filename"; within:100; content:"WU_Details_"; within:50; pcre:"/filename\s*=\s*"WU_Details_.....\.zip/m"; classtype:trojan-activity; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL; reference:url,doc.emergingthreats.net/2010376; sid:2010376; rev:2;)
+#by David Wharton
+#
+##alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Possible ASPXSpy Upload Attempt"; flow:established,to_server; content:"public string Password|3D 22|21232f297a57a5a743894a0e4a801fc3|22 3B|"; fast_pattern:only; nocase; classtype:web-application-activity; reference:url,doc.emergingthreats.net/2009149; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_ASPXSpy; sid:2009149; rev:4;)
 
-#by jason weir and wolvee
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Facebook Spam Inbound (1)"; flow:established,to_server; content:"Content-Disposition|3A| attachment\;"; nocase; content:"filename"; within:100; content:"Facebook_Password"; within:50; pcre:"/filename\s*=\s*Facebook_Password_[0-9]{5}\.zip/m"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010497; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL; sid:2010497; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Facebook Spam Inbound (2)"; flow:established,to_server; content:"Content-Disposition|3A| attachment\;"; nocase; content:"filename"; within:100; content:"Facebook"; within:50; pcre:"/filename\s*=\s*Facebook_(Password|Support)_[0-9]{5}\.zip/m"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010498; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL; sid:2010498; rev:2;)
+#by Jaime Blasco
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET ATTACK_RESPONSE Cisco TclShell TFTP Read Request"; content:"|00 01 74 63 6C 73 68 2E 74 63 6C|"; fast_pattern:only; classtype:bad-unknown; reference:url,wwww.irmplc.com/downloads/whitepapers/Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf; reference:url,doc.emergingthreats.net/2009244; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Cisco_TCL_Shell; sid:2009244; rev:3;)
 
-#by many very smart people
-# This may be a high load sig. Take time and seriously consider
-# that your dns_servers var is set as narrowly as possible
-alert udp any 53 -> $DNS_SERVERS any (msg:"ET CURRENT_EVENTS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt"; byte_test:2,>,0,6; byte_test:2,>,0,10; threshold: type both, track by_src, count 100, seconds 10; classtype:bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2008446; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DNS_Poisoning; sid:2008446; rev:9;)
+#by Jaime Blasco
+#
+alert udp $EXTERNAL_NET 69 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Cisco TclShell TFTP Download"; content:"|54 63 6C 53 68 65 6C 6C|"; fast_pattern:only; classtype:bad-unknown; reference:url,wwww.irmplc.com/downloads/whitepapers/Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf; reference:url,doc.emergingthreats.net/2009245; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Cisco_TCL_Shell; sid:2009245; rev:3;)
 
-#this will catch large numbers of nxdomain replies, a sign that someone may be trying to poison you
-#alert udp any 53 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excessive NXDOMAIN responses - Possible DNS Poisoning Attempt Backscatter"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; threshold: type both, track by_src, count 100, seconds 10; classtype:bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2008470; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DNS_Poisoning; sid:2008470; rev:3;)
-#by Greg Martin at Econet
-alert udp any 53 -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible NS RR Cache Poisoning Attempt"; content: "|85 00 00 01 00 01 00 01|"; offset: 2; depth:8; threshold: type both, track by_src,count 50, seconds 2; classtype:bad-unknown; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008447; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DNS_Poisoning; sid:2008447; rev:6;)
-alert udp any 53 -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible A RR Cache Poisoning Attempt"; content: "|81 80 00 01 00 01 00 01|"; offset: 2; depth:8; threshold: type both, track by_src, count 50, seconds 2; classtype:bad-unknown; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008475; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DNS_Poisoning; sid:2008475; rev:3;)
+#by Jaime Blasco
+#
+#alert tcp any any -> any any (msg:"ET SHELLCODE Bindshell2 Decoder Shellcode"; flow:established; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009246; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009246; rev:3;)
 
-#by RPG
-alert udp any any -> $HOME_NET 53 (msg:"ET CURRENT_EVENTS NS query for a single dot, possible ddos"; content:"|01 00 00 01 00 00 00 00 00 00 00 00 02 00 01|"; threshold:type limit, track by_src, count 1, seconds 600; classtype:attempted-dos; reference:url,isc.sans.org/diary.html?storyid=5713; reference:url,doc.emergingthreats.net/bin/view/Main/2009030; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DNS_dot; sid:2009030; rev:3;)
+#by Jaime Blasco
+#
+alert udp any any -> any any (msg:"ET SHELLCODE Bindshell2 Decoder Shellcode (UDP)"; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009285; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009285; rev:2;)
 
-#by evilghost
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Potential Fake Anti-Virus Download Inst_58s6.exe"; flow:established,to_server; uricontent:"/Inst_58s6.exe"; nocase; classtype:trojan-activity; reference:url,cyveillanceblog.com/general-cyberintel/malware-google-search-results; reference:url,doc.emergingthreats.net/2010339; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_FakeAV; sid:2010339; rev:2;)
+#by Jaime Blasco
+#
+#alert tcp any any -> any any (msg:"ET SHELLCODE Rothenburg Shellcode"; flow:established; content:"|D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009247; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009247; rev:3;)
 
-#by mike cox
-alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RFI Scanner Success (Fx29ID)"; flow:established,from_server; content:"FeeLCoMzFeeLCoMz"; classtype:successful-user; reference:url,kb27.co.kr/data/id1.txt; reference:url,n34.biz/id1.txt; reference:url,doc.emergingthreats.net/2010463; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_FeeLCoMz; sid:2010463; rev:2;)
+#by Jaime Blasco
+#
+#alert udp any any -> any any (msg:"ET SHELLCODE Rothenburg Shellcode (UDP)"; content:"|D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009284; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009284; rev:2;)
 
-#by Philipp Bescht
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Likely Trojan-Downloader.Win32.Homles.br (/17PHolmes.cmt)"; flow:established,to_server; uricontent:"/17PHolmes.cmt"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008394; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Holmes; sid:2008394; rev:2;)
+#by Jaime Blasco
+#
+#alert tcp any any -> any any (msg:"ET SHELLCODE Lindau (linkbot) xor Decoder Shellcode"; flow:established; content:"|EB 15 B9|"; content:"|81 F1|"; distance:0; content:"|80 74 31 FF|"; distance:0; content:"|E2 F9 EB 05 E8 E6 FF FF FF|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009248; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009248; rev:3;)
 
-#by mareadmin
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible JAVA pack200-zip-exploit attempt"; flow:to_client; content:"e.pack.gz"; content:"|0d 0a|Content-Encoding\: pack200-gzip"; within:55;classtype:attempted-user;reference:url,isc.sans.org/diary.html?storyid=6805&rss; reference:url,doc.emergingthreats.net/2009665; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Java; sid:2009665; rev:2;)
+#by Jaime Blasco
+#
+#alert udp any any -> any any (msg:"ET SHELLCODE Lindau (linkbot) xor Decoder Shellcode (UDP)"; content:"|EB 15 B9|"; content:"|81 F1|"; distance:0; content:"|80 74 31 FF|"; distance:0; content:"|E2 F9 EB 05 E8 E6 FF FF FF|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009283; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009283; rev:2;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 1"; flow:to_server,established; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n"; nocase; classtype:attempted-user; reference:url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008909; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSSQL; sid:2008909; rev:2;)
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 2"; flow:to_server,established; content:"sp_replwritetovarbin"; nocase; classtype:attempted-user; reference:url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008910; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSSQL; sid:2008910; rev:2;)
+#by Jaime Blasco
+#
+#alert tcp any any -> any any (msg:"ET SHELLCODE Adenau Shellcode"; flow:established; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009249; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009249; rev:3;)
 
-#sigs for the ms vidctl 0-day. These should be removed in a few days, around 7/10 if the domains are gone
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MSVidCtl 0-day Related HTTP Request (milllk.com)"; flow:established,to_server; content:"|0d 0a|Host\: milllk.com|0d 0a|"; depth:200; classtype:trojan-activity; reference:url,isc.sans.org/diary.html?storyid=6733; reference:url,www.csis.dk/dk/nyheder/nyheder.asp?tekstID=799; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18595; reference:url,doc.emergingthreats.net/2009488; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009488; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MSVidCtl 0-day Related HTTP Request (8oy4t.8866.org)"; flow:established,to_server; content:"|0d 0a|Host\: 8oy4t.8866.org|0d 0a|"; depth:200; classtype:trojan-activity; reference:url,isc.sans.org/diary.html?storyid=6733; reference:url,www.csis.dk/dk/nyheder/nyheder.asp?tekstID=799; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18595; reference:url,doc.emergingthreats.net/2009489; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009489; rev:3;)
+#by Jaime Blasco
+#
+#alert udp any any -> any any (msg:"ET SHELLCODE Adenau Shellcode (UDP)"; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009282; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009282; rev:2;)
 
-#by David Wharton
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft DirectShow ActiveX Load"; flow:to_client,established; content:"clsid"; nocase; content:"0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"; nocase; reference:url,csis.dk/dk/nyheder/nyheder.asp?tekstID=799; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18595; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009490; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009490; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft DirectShow ActiveX Exploit Attempt"; flow:to_client,established; content:"clsid"; nocase; content:"0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"; nocase; content:"omybro"; nocase; content:"logo.gif"; nocase; reference:url,csis.dk/dk/nyheder/nyheder.asp?tekstID=799; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18595; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009491; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009491; rev:3;)
+#by Jaime Blasco
+#
+#alert tcp any any -> any any (msg:"ET SHELLCODE Mainz/Bielefeld Shellcode"; flow:established; content:"|33 c9 66 b9|"; content:"|80 34|"; distance:0; content:"|eb 05 e8 eb ff ff ff|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009250; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009250; rev:3;)
 
-#by Greg Martin
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Potential MSVidCtl 0-day URL"; flow:to_server,established; uricontent:"/aa/go.jpg"; nocase; classtype: attempted-admin; reference:url,isc.sans.org/diary.html?storyid=6733; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18595; reference:url,doc.emergingthreats.net/2009492; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009492; rev:3;)
+#by Jaime Blasco
+#
+#alert udp any any -> any any (msg:"ET SHELLCODE Mainz/Bielefeld Shellcode (UDP)"; content:"|33 c9 66 b9|"; content:"|80 34|"; distance:0; content:"|eb 05 e8 eb ff ff ff|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009281; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009281; rev:2;)
 
-#by anonymous #1
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely MSVIDCTL.dll exploit in transit"; flow:to_client,established; content:"|00 03 00 00 11 20 34|"; content:"|ff ff ff ff 0c 0c 0c 0c 00|"; within:70; classtype:trojan-activity; reference:url,isc.sans.org/diary.html?storyid=6733; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18595; reference:url,doc.emergingthreats.net/2009493; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009493; rev:3;)
+#by Jaime Blasco
+#
+#alert tcp any any -> any any (msg:"ET SHELLCODE Wuerzburg Shellcode"; flow:established; content:"|eb 27|"; content:"|5d 33 c9 66 b9|"; distance:0; content:"|8d 75 05 8b fe 8a 06 3c|"; distance:0; content:"|75 05 46 8a 06|"; distance:0; content:"|88 07 47 e2 ed eb 0a e8 da ff ff ff|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009251; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009251; rev:3;)
 
-#by wolvee
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (29)"; flow:to_client,established; content:"clsid"; nocase; content:"A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2E30750-6C3D-11D3-B653-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009598; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009598; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (30)"; flow:to_client,established; content:"clsid"; nocase; content:"AD8E510D-217F-409B-8076-29C5E73B98E8"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AD8E510D-217F-409B-8076-29C5E73B98E8/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009599; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009599; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (31)"; flow:to_client,established; content:"clsid"; nocase; content:"B0EDF163-910A-11D2-B632-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B0EDF163-910A-11D2-B632-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009600; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009600; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (32)"; flow:to_client,established; content:"clsid"; nocase; content:"B64016F3-C9A2-4066-96F0-BD9563314726"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B64016F3-C9A2-4066-96F0-BD9563314726/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009601; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009601; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (33)"; flow:to_client,established; content:"clsid"; nocase; content:"BB530C63-D9DF-4B49-9439-63453962E598"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BB530C63-D9DF-4B49-9439-63453962E598/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009602; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009602; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (34)"; flow:to_client,established; content:"clsid"; nocase; content:"C531D9FD-9685-4028-8B68-6E1232079F1E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C531D9FD-9685-4028-8B68-6E1232079F1E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009603; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009603; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (35)"; flow:to_client,established; content:"clsid"; nocase; content:"C5702CCC-9B79-11D3-B654-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C5702CCC-9B79-11D3-B654-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009604; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009604; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (36)"; flow:to_client,established; content:"clsid"; nocase; content:"C5702CCD-9B79-11D3-B654-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C5702CCD-9B79-11D3-B654-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009605; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009605; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (37)"; flow:to_client,established; content:"clsid"; nocase; content:"C5702CCE-9B79-11D3-B654-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C5702CCE-9B79-11D3-B654-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009606; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009606; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (38)"; flow:to_client,established; content:"clsid"; nocase; content:"C5702CCF-9B79-11D3-B654-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C5702CCF-9B79-11D3-B654-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009607; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009607; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (39)"; flow:to_client,established; content:"clsid"; nocase; content:"C5702CD0-9B79-11D3-B654-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C5702CD0-9B79-11D3-B654-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009608; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009608; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (40)"; flow:to_client,established; content:"clsid"; nocase; content:"C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009609; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009609; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (41)"; flow:to_client,established; content:"clsid"; nocase; content:"CAAFDD83-CEFC-4E3D-BA03-175F17A24F91"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CAAFDD83-CEFC-4E3D-BA03-175F17A24F91/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009610; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009610; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (42)"; flow:to_client,established; content:"clsid"; nocase; content:"D02AAC50-027E-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D02AAC50-027E-11D3-9D8E-00C04F72D980/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009611; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009611; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (43)"; flow:to_client,established; content:"clsid"; nocase; content:"F9769A06-7ACA-4E39-9CFB-97BB35F0E77E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F9769A06-7ACA-4E39-9CFB-97BB35F0E77E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009612; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009612; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (44)"; flow:to_client,established; content:"clsid"; nocase; content:"FA7C375B-66A7-4280-879D-FD459C84BB02"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FA7C375B-66A7-4280-879D-FD459C84BB02/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009613; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009613; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (1)"; flow:to_client,established; content:"clsid"; nocase; content:"011B3619-FE63-4814-8A84-15A194CE9CE3"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*011B3619-FE63-4814-8A84-15A194CE9CE3/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009614; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009614; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (2)"; flow:to_client,established; content:"clsid"; nocase; content:"0149EEDF-D08F-4142-8D73-D23903D21E90"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0149EEDF-D08F-4142-8D73-D23903D21E90/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009615; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009615; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (3)"; flow:to_client,established; content:"clsid"; nocase; content:"0369B4E5-45B6-11D3-B650-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0369B4E5-45B6-11D3-B650-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009616; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009616; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (4)"; flow:to_client,established; content:"clsid"; nocase; content:"0369B4E6-45B6-11D3-B650-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0369B4E6-45B6-11D3-B650-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009617; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009617; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (5)"; flow:to_client,established; content:"clsid"; nocase; content:"055CB2D7-2969-45CD-914B-76890722F112"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*055CB2D7-2969-45CD-914B-76890722F112/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009618; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009618; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (6)"; flow:to_client,established; content:"clsid"; nocase; content:"15D6504A-5494-499C-886C-973C9E53B9F1"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*15D6504A-5494-499C-886C-973C9E53B9F1/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009619; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009619; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (7)"; flow:to_client,established; content:"clsid"; nocase; content:"1BE49F30-0E1B-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1BE49F30-0E1B-11D3-9D8E-00C04F72D980/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009620; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009620; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (8)"; flow:to_client,established; content:"clsid"; nocase; content:"1C15D484-911D-11D2-B632-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1C15D484-911D-11D2-B632-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009621; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009621; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (9)"; flow:to_client,established; content:"clsid"; nocase; content:"1DF7D126-4050-47F0-A7CF-4C4CA9241333"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1DF7D126-4050-47F0-A7CF-4C4CA9241333/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009622; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009622; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (10)"; flow:to_client,established; content:"clsid"; nocase; content:"2C63E4EB-4CEA-41B8-919C-E947EA19A77C"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2C63E4EB-4CEA-41B8-919C-E947EA19A77C/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009623; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009623; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (11)"; flow:to_client,established; content:"clsid"; nocase; content:"334125C0-77E5-11D3-B653-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*334125C0-77E5-11D3-B653-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009624; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009624; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (12)"; flow:to_client,established; content:"clsid"; nocase; content:"37B0353C-A4C8-11D2-B634-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*37B0353C-A4C8-11D2-B634-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009625; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009625; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (13)"; flow:to_client,established; content:"clsid"; nocase; content:"37B03543-A4C8-11D2-B634-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*37B03543-A4C8-11D2-B634-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009626; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009626; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (14)"; flow:to_client,established; content:"clsid"; nocase; content:"37B03544-A4C8-11D2-B634-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*37B03544-A4C8-11D2-B634-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009627; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009627; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (15)"; flow:to_client,established; content:"clsid"; nocase; content:"418008F3-CF67-4668-9628-10DC52BE1D08"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*418008F3-CF67-4668-9628-10DC52BE1D08/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009628; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009628; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (16)"; flow:to_client,established; content:"clsid"; nocase; content:"4A5869CF-929D-4040-AE03-FCAFC5B9CD42"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4A5869CF-929D-4040-AE03-FCAFC5B9CD42/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009629; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009629; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (17)"; flow:to_client,established; content:"clsid"; nocase; content:"577FAA18-4518-445E-8F70-1473F8CF4BA4"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*577FAA18-4518-445E-8F70-1473F8CF4BA4/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009630; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009630; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (18)"; flow:to_client,established; content:"clsid"; nocase; content:"59DC47A8-116C-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*59DC47A8-116C-11D3-9D8E-00C04F72D980/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009631; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009631; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (19)"; flow:to_client,established; content:"clsid"; nocase; content:"7F9CB14D-48E4-43B6-9346-1AEBC39C64D3"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7F9CB14D-48E4-43B6-9346-1AEBC39C64D3/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009632; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009632; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (20)"; flow:to_client,established; content:"clsid"; nocase; content:"823535A0-0318-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*823535A0-0318-11D3-9D8E-00C04F72D980/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009633; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009633; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (21)"; flow:to_client,established; content:"clsid"; nocase; content:"8872FF1B-98FA-4D7A-8D93-C9F1055F85BB"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8872FF1B-98FA-4D7A-8D93-C9F1055F85BB/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009634; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009634; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (22)"; flow:to_client,established; content:"clsid"; nocase; content:"8A674B4C-1F63-11D3-B64C-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8A674B4C-1F63-11D3-B64C-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009635; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009635; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (23)"; flow:to_client,established; content:"clsid"; nocase; content:"8A674B4D-1F63-11D3-B64C-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8A674B4D-1F63-11D3-B64C-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009636; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009636; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (24)"; flow:to_client,established; content:"clsid"; nocase; content:"9CD64701-BDF3-4D14-8E03-F12983D86664"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9CD64701-BDF3-4D14-8E03-F12983D86664/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009638; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009638; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (25)"; flow:to_client,established; content:"clsid"; nocase; content:"9E77AAC4-35E5-42A1-BDC2-8F3FF399847C"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9E77AAC4-35E5-42A1-BDC2-8F3FF399847C/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009639; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009639; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (26)"; flow:to_client,established; content:"clsid"; nocase; content:"A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009640; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009640; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (27)"; flow:to_client,established; content:"clsid"; nocase; content:"A2E3074E-6C3D-11D3-B653-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2E3074E-6C3D-11D3-B653-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009641; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009641; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (28)"; flow:to_client,established; content:"clsid"; nocase; content:"A2E30750-6C3D-11D3-B653-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2E30750-6C3D-11D3-B653-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009642; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009642; rev:2;)
+#by Jaime Blasco
+#
+#alert udp any any -> any any (msg:"ET SHELLCODE Wuerzburg Shellcode (UDP)"; content:"|eb 27|"; content:"|5d 33 c9 66 b9|"; distance:0; content:"|8d 75 05 8b fe 8a 06 3c|"; distance:0; content:"|75 05 46 8a 06|"; distance:0; content:"|88 07 47 e2 ed eb 0a e8 da ff ff ff|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009280; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009280; rev:2;)
 
-#by Christopher Campesi
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET CURRENT_EVENTS Remote SMB2.0 DoS Exploit"; flow:to_server,established; content:"|ff|SMB|72 00 00 00 00 18 53 c8|"; offset:4; content:!"|00 00|"; within:2; classtype:attempted-dos; reference:url,securityreason.com/exploitalert/7138; reference:url,doc.emergingthreats.net/2009886; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MS_SMB_DOS; sid:2009886; rev:4;)
+#by Jaime Blasco
+#
+#alert tcp any any -> any any (msg:"ET SHELLCODE Schauenburg Shellcode"; flow:established; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009252; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009252; rev:3;)
 
-#by Chandan at Secpod
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (1)"; flow:to_client,established; content:"clsid"; nocase; content:"F0E42D50-368C-11D0-AD81-00A0C90DC8D9"; nocase; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html;reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2008407; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MS_Snapshot; sid:2008407; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (2)"; flow:to_client,established; content:"clsid"; nocase; content:"F0E42D60-368C-11D0-AD81-00A0C90DC8D9"; nocase; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html;reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2008408; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MS_Snapshot; sid:2008408; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (3)"; flow:to_client,established; content:"clsid"; nocase; content:"F2175210-368C-11D0-AD81-00A0C90DC8D9"; nocase; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html;reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2008409; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MS_Snapshot; sid:2008409; rev:2;)
+#by Jaime Blasco
+#
+#alert udp any any -> any any (msg:"ET SHELLCODE Schauenburg Shellcode (UDP)"; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009279; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009279; rev:2;)
 
-#new mac dns changer trojan. Not a lot of detail yet, but this will catch the UA
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Mac DNS Changer Trojan UA Detected"; flow:established,to_server; uricontent:"cgi-bin/generator.pl"; content:"|0d 0a|User-Agent|3a| "; content:"\;typeofrun\;7777\;"; distance:3; within:30; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008796; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Mac_DNSChanger; sid:2008796; rev:2;)
+#by Jaime Blasco
+#
+#alert tcp any any -> any any (msg:"ET SHELLCODE Koeln Shellcode"; flow:established; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009253; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009253; rev:3;)
 
-#by Jamie Blasco of OSSIM based on malwareurl.com data
-#Last updated October 6, 2009
-#266 ocurrences
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Likely Rogue Antivirus Download - installer_1.exe"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/installer_1.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010049; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010049; rev:2;)
+#by Jaime Blasco
+#
+#alert udp any any -> any any (msg:"ET SHELLCODE Koeln Shellcode (UDP)"; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009278; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009278; rev:2;)
 
-#174 ocurrences
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Likely Rogue Antivirus Download - Antivirus_21.exe"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/download/Antivirus_"; nocase; uricontent:".exe"; nocase; pcre:"/download\x2FAntivirus_\d+\x2Eexe/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010050; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010050; rev:3;)
+#by Jaime Blasco
+#
+#alert tcp any any -> any any (msg:"ET SHELLCODE Lichtenfels Shellcode"; flow:established; content:"|01 fc ff ff 83 e4 fc 8b ec 33 c9 66 b9|"; content:"|80 30|"; distance:0; content:"|40 e2 fA|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009254; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009254; rev:3;)
 
-#139 ocurrences
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Likely Rogue Antivirus Download - ws.exe"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/install/ws.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010051; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010051; rev:2;)
+#by Jaime Blasco
+#
+#alert udp any any -> any any (msg:"ET SHELLCODE Lichtenfels Shellcode (UDP)"; content:"|01 fc ff ff 83 e4 fc 8b ec 33 c9 66 b9|"; content:"|80 30|"; distance:0; content:"|40 e2 fA|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009277; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009277; rev:2;)
 
-#105 ocurrences
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Likely Rogue Antivirus Download - ws.zip"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/install/ws.zip"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010052; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010052; rev:2;)
+#by Jaime Blasco
+#
+#alert tcp any any -> any any (msg:"ET SHELLCODE Mannheim Shellcode"; flow:established; content:"|80 73 0e|"; content:"|43 e2|"; distance:0; content:"|73 73 73|"; distance:0; content:"|81 86 8c 81|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009255; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009255; rev:3;)
 
-#139 ocurrences
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TROJAN Likely FakeRean Download"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/installer/InstallerClean.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010053; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010053; rev:2;)
+#by Jaime Blasco
+#
+#alert udp any any -> any any (msg:"ET SHELLCODE Mannheim Shellcode (UDP)"; content:"|80 73 0e|"; content:"|43 e2|"; distance:0; content:"|73 73 73|"; distance:0; content:"|81 86 8c 81|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009276; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009276; rev:2;)
 
-#117
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TROJAN Likely TDSS Download (codex.exe)"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/codec.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010054; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010054; rev:2;)
+#by Jaime Blasco
+#
+#alert tcp any any -> any any (msg:"ET SHELLCODE Berlin Shellcode"; flow:established; content:"|31 c9 b1 fc 80 73 0c|"; content:"|43 e2 8b 9f|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009256; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009256; rev:3;)
 
-#107
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TROJAN Likely TDSS Download (pcdef.exe)"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/pcdef.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010055; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010055; rev:2;)
+#by Jaime Blasco
+#
+#alert udp any any -> any any (msg:"ET SHELLCODE Berlin Shellcode (UDP)"; content:"|31 c9 b1 fc 80 73 0c|"; content:"|43 e2 8b 9f|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009275; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009275; rev:2;)
 
-#93 ocurrences
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TROJAN Likely TDSS Download (197.exe)"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/codec/197.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010056; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010056; rev:2;)
+#by Jaime Blasco
+#
+#alert tcp any any -> any any (msg:"ET SHELLCODE Leimbach Shellcode"; flow:established; content:"|5b 31 c9 b1|"; content:"|80 73|"; distance:0; content:"|43 e2|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009257; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009257; rev:3;)
 
-#91 ocurrences
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Likely Rogue Antivirus Download - installpv.exe"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/installpv.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010057; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010057; rev:2;)
+#by Jaime Blasco
+#
+#alert udp any any -> any any (msg:"ET SHELLCODE Leimbach Shellcode (UDP)"; content:"|5b 31 c9 b1|"; content:"|80 73|"; distance:0; content:"|43 e2|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009274; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009274; rev:2;)
 
-#70 ocurrences
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Likely Unknown Trojan Download"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/softwarefortubeview.40009.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010058; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010058; rev:2;)
+#by Jaime Blasco
+#
+#alert tcp any any -> any any (msg:"ET SHELLCODE Aachen Shellcode"; flow:established; content:"|8b 45 04 35|"; content:"|89 45 04 66 8b 45 02 66 35|"; distance:0; content:"|66 89 45 02|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009258; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009258; rev:3;)
 
-#56 ocurrences
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TROJAN Likely Unknown Trojan Infostealer Download"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/crack.45000.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010059; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010059; rev:2;)
+#by Jaime Blasco
+#
+#alert udp any any -> any any (msg:"ET SHELLCODE Aachen Shellcode (UDP)"; content:"|8b 45 04 35|"; content:"|89 45 04 66 8b 45 02 66 35|"; distance:0; content:"|66 89 45 02|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009273; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009273; rev:2;)
 
-#51 ocurrences
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TROJAN Likely Possible Rogue A/V Win32/FakeXPA Download"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/Soft_21.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010060; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010060; rev:2;)
+#by Jaime Blasco
+#
+#alert tcp any any -> any any (msg:"ET SHELLCODE Furth Shellcode"; flow:established; content:"|31 c9 66 b9|"; content:"|80 73|"; distance:0; content:"|43 e2 1f|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009259; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009259; rev:3;)
 
-#47 ocurrences
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Likely Rogue Antivirus Download - InternetAntivirusPro.exe"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/InternetAntivirusPro.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010061; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010061; rev:2;)
+#by Jaime Blasco
+#
+#alert udp any any -> any any (msg:"ET SHELLCODE Furth Shellcode (UDP)"; content:"|31 c9 66 b9|"; content:"|80 73|"; distance:0; content:"|43 e2 1f|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009272; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009272; rev:2;)
 
-#30 ocurrences
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Likely Rogue Antivirus Download - AntivirusPlus.exe"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/AntivirusPlus.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010062; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010062; rev:2;)
+#by Jaime Blasco
+#
+#alert tcp any any -> any any (msg:"ET SHELLCODE Langenfeld Shellcode"; flow:established; content:"|eb 0f 5b 33 c9 66 b9|"; content:"|80 33|"; distance:0; content:"|43 e2 fa eb|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009260; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009260; rev:3;)
 
-#by evilghost 11/2/09
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential exploit redirect, in.cgi pepsi"; flow:established,to_server; uricontent:"ts/in.cgi?pepsi"; pcre:"/ts\/in\.cgi\?pepsi\d+/U"; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010222; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010222; rev:2;)
+#by Jaime Blasco
+#
+#alert udp any any -> any any (msg:"ET SHELLCODE Langenfeld Shellcode (UDP)"; content:"|eb 0f 5b 33 c9 66 b9|"; content:"|80 33|"; distance:0; content:"|43 e2 fa eb|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009271; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009271; rev:2;)
 
-#matt jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download, flash-HQ-plugin.40000.exe"; flow:established,to_server; uricontent:"flash-HQ-plugin.40000.exe"; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010440; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010440; rev:2;)
+#by Jaime Blasco
+#
+#alert tcp any any -> any any (msg:"ET SHELLCODE Bonn Shellcode"; flow:established; content:"|31 c9 81 e9|"; content:"|83 eb|"; distance:0; content:"|80 73|"; distance:0; content:"|43 e2 f9|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009261; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009261; rev:3;)
 
-#by mike cox
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus downloader (installer.1.exe)"; flow:established,to_server; uricontent:"/installer.1.exe"; nocase; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; reference:url,doc.emergingthreats.net/2010443; sid:2010443; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download, pdf exploit"; flow:established,to_server; uricontent:"/ssp/files/annonce.pdf"; nocase; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; reference:url,doc.emergingthreats.net/2010444; sid:2010444; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download, java exploit"; flow:established,to_server; uricontent:"/ssp/files/sdfg.jar"; nocase; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; reference:url,doc.emergingthreats.net/2010445; sid:2010445; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download, loadjavad.php exploit"; flow:established,to_server; uricontent:"/ssp/loadjavad.php"; nocase; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; reference:url,doc.emergingthreats.net/2010446; sid:2010446; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus (IAInstall.exe)"; flow:established,to_server; uricontent:"/download/IAInstall.exe"; nocase; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; reference:url,doc.emergingthreats.net/2010447; sid:2010447; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download, trojan zbot"; flow:established,to_server; uricontent:"/globaldirectory/updatetool.exe"; nocase; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; reference:url,doc.emergingthreats.net/2010448; sid:2010448; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download, exploit redirect"; flow:established,to_server; uricontent:"/fkzd/2.htm"; nocase; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; reference:url,doc.emergingthreats.net/2010449; sid:2010449; rev:2;)
+#by Jaime Blasco
+#
+#alert udp any any -> any any (msg:"ET SHELLCODE Bonn Shellcode (UDP)"; content:"|31 c9 81 e9|"; content:"|83 eb|"; distance:0; content:"|80 73|"; distance:0; content:"|43 e2 f9|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009270; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009270; rev:2;)
 
-#by evilghost
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Potential Fake AV GET installer.1.exe"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"installer."; nocase; uricontent:".exe"; nocase; pcre:"/installer\.\d+\.exe/Ui"; classtype:trojan-activity; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2010452; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010452; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Potential Fake AV GET installer_1.exe"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"installer_"; nocase; uricontent:".exe"; nocase; pcre:"/installer_\d+\.exe/Ui"; classtype:trojan-activity; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2010453; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010453; rev:2;)
+#by Jaime Blasco
+#
+#alert tcp any any -> any any (msg:"ET SHELLCODE Siegburg Shellcode"; flow:established; content:"|31 eb 80 eb|"; content:"|58 80 30|"; distance:0; content:"|40 81 38|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009262; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009262; rev:3;)
 
-#by evilghost
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Fake AV Download (download.php?id=)"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"download.php?id="; pcre:"/download\.php\?id=\d+/U"; classtype:trojan-activity; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2009-December/004891.html; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010464; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010464; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Fake AV Download (download/install.php)"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"download/install.php"; pcre:"/\x0d\x0aHost\: [a-z\x2e]+(security|virus|pro|anti|scan|mypc|total|protect|check|guard|defend)/i"; classtype:trojan-activity; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2009-December/004891.html; reference:url,malwareurl.com; reference:url,www.malwaredomainlist.com; reference:url,doc.emergingthreats.net/2010465; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010465; rev:2;)
+#by Jaime Blasco
+#
+#alert udp any any -> any any (msg:"ET SHELLCODE Siegburg Shellcode (UDP)"; content:"|31 eb 80 eb|"; content:"|58 80 30|"; distance:0; content:"|40 81 38|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009269; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009269; rev:2;)
 
-#by matt jonkman, re http://www.incidents.org/diary.html?storyid=4405
-# Mass File Injection attacks
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Client Visiting Possibly Compromised Site (HaCKeD By BeLa & BodyguarD)"; flow:established,from_server; content:"HaCKeD By BeLa & BodyguarD"; content:".js"; reference:url,www.incidents.org/diary.html?storyid=4405; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2008206; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Mass_File_Injections; sid:2008206; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible File Injection Compromise (HaCKeD By BeLa & BodyguarD)"; flow:established,to_server; content:"HaCKeD By BeLa & BodyguarD"; reference:url,www.incidents.org/diary.html?storyid=4405; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2008207; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Mass_File_Injections; sid:2008207; rev:2;)
+#by Jaime Blasco
+#
+#alert tcp any any -> any any (msg:"ET SHELLCODE Plain1 Shellcode"; flow:established; content:"|89 e1 cd|"; content:"|5b 5d 52 66 bd|"; distance:0; content:"|0f cd 09 dd 55 6a|"; distance:0; content:"|51 50|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009263; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009263; rev:3;)
 
-#by evilghost
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NACHA/Zeus Phishing Executable Download Attempt"; flow:established,to_server; content:"GET "; depth:4; content:"nacha.org."; nocase; uricontent:".exe"; nocase; pcre:"/\x0d\x0aHost\: (www\.)?nacha\.org\./i"; classtype:trojan-activity; reference:url,garwarner.blogspot.com/2009/11/newest-zeus-nacha-electronic-payments.html; reference:url,doc.emergingthreats.net/2010342; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Nacha; sid:2010342; rev:3;)
+#by Jaime Blasco
+#
+#alert udp any any -> any any (msg:"ET SHELLCODE Plain1 Shellcode (UDP)"; content:"|89 e1 cd|"; content:"|5b 5d 52 66 bd|"; distance:0; content:"|0f cd 09 dd 55 6a|"; distance:0; content:"|51 50|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009268; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009268; rev:2;)
 
-#by wolvee
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS OWC9 RecordNavigationControl Activex Remote Code Excution attempt(MS09-055)"; flow:established,to_client; content:"clsid"; nocase; content:"0002E531-0000-0000-C000-000000000046"; nocase; distance:0; content:"OleLoadFromStream"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E531-0000-0000-C000-000000000046/si"; classtype:web-application-attack; reference:url,www.microsoft.com/technet/security/bulletin/MS09-055.mspx; reference:cve,CVE-2009-2493; reference:url,doc.emergingthreats.net/2010102; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday; sid:2010102; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS OWC9 FieldList Activex Remote Code Excution Attempt(MS09-055)"; flow:established,to_client; content:"clsid"; nocase; content:"4C85388F-1500-11D1-A0DF-00C04FC9E20F"; nocase; distance:0; content:"OleLoadFromStream"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4C85388F-1500-11D1-A0DF-00C04FC9E20F/si"; classtype:web-application-attack; reference:url,www.microsoft.com/technet/security/bulletin/MS09-055.mspx; reference:cve,CVE-2009-2493; reference:url,doc.emergingthreats.net/2010103; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday; sid:2010103; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS OWC9 ExpandControl Activex Remote Code Excution Attempt(MS09-055)"; flow:established,to_client; content:"clsid"; nocase; content:"0002E532-0000-0000-C000-000000000046"; nocase; distance:0; content:"OleLoadFromStream"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E532-0000-0000-C000-000000000046/si"; classtype:web-application-attack; reference:url,www.microsoft.com/technet/security/bulletin/MS09-055.mspx; reference:cve,CVE-2009-2493; reference:url,doc.emergingthreats.net/2010104; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday; sid:2010104; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS OWC10 RecordNavigationControl Activex Remote Code Excution Attempt(MS09-055)"; flow:established,to_client; content:"clsid"; nocase; content:"0002E554-0000-0000-C000-000000000046"; nocase; distance:0; content:"OleLoadFromStream"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E554-0000-0000-C000-000000000046/si"; classtype:web-application-attack; reference:url,www.microsoft.com/technet/security/bulletin/MS09-055.mspx; reference:cve,CVE-2009-2493; reference:url,doc.emergingthreats.net/2010105; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday; sid:2010105; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS OWC11 Activex Remote Code Excution Attempt(MS09-055)"; flow:established,to_client; content:"clsid"; nocase; content:"0002E55C-0000-0000-C000-000000000046"; nocase; distance:0; content:"OleLoadFromStream"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E55C-0000-0000-C000-000000000046/si"; classtype:web-application-attack; reference:url,www.microsoft.com/technet/security/bulletin/MS09-055.mspx; reference:cve,CVE-2009-2493; reference:url,doc.emergingthreats.net/2010106; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday; sid:2010106; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Visio Viewer 2002-2007 Activex Remote Code Excution Attempt(MS09-055)"; flow:established,to_client; content:"clsid"; nocase; content:"279D6C9A-652E-4833-BEFC-312CA8887857"; nocase; distance:0; content:"OleLoadFromStream"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*279D6C9A-652E-4833-BEFC-312CA8887857/si"; classtype:web-application-attack; reference:url,www.microsoft.com/technet/security/bulletin/MS09-055.mspx; reference:cve,CVE-2009-2493; reference:url,doc.emergingthreats.net/2010107; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday; sid:2010107; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Windows Live Mail Mail Object Activex Remote Code Excution Attempt(MS09-055)"; flow:established,to_client; content:"clsid"; nocase; content:"B1F78FEF-3DB7-4C56-AF2B-5DCCC7C42331"; nocase; distance:0; content:"OleLoadFromStream"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B1F78FEF-3DB7-4C56-AF2B-5DCCC7C42331/si"; classtype:web-application-attack; reference:url,www.microsoft.com/technet/security/bulletin/MS09-055.mspx; reference:cve,CVE-2009-2493; reference:url,doc.emergingthreats.net/2010108; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday; sid:2010108; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Windows Live Mail Mesg Table Object Activex Remote Code Excution Attempt(MS09-055)"; flow:established,to_client; content:"clsid"; nocase; content:"C832BE8F-4B89-4579-A217-DB92E7A27915"; nocase; distance:0; content:"OleLoadFromStream"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C832BE8F-4B89-4579-A217-DB92E7A27915/si"; classtype:web-application-attack; reference:url,www.microsoft.com/technet/security/bulletin/MS09-055.mspx; reference:cve,CVE-2009-2493; reference:url,doc.emergingthreats.net/2010109; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday; sid:2010109; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Windows Live Mail Mime Editor Activex Remote Code Excution Attempt(MS09-055)"; flow:established,to_client; content:"clsid"; nocase; content:"A9A7297E-969C-43F1-A1EF-51EBEA36F850"; nocase; distance:0; content:"OleLoadFromStream"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A9A7297E-969C-43F1-A1EF-51EBEA36F850/si"; classtype:web-application-attack; reference:url,www.microsoft.com/technet/security/bulletin/MS09-055.mspx; reference:cve,CVE-2009-2493; reference:url,doc.emergingthreats.net/2010110; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday; sid:2010110; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Windows Live Mail Message List Activex Remote Code Excution Attempt(MS09-055)"; flow:established,to_client; content:"clsid"; nocase; content:"DD8C2179-1B4A-4951-B432-5DE3D1507142"; nocase; distance:0; content:"OleLoadFromStream"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*DD8C2179-1B4A-4951-B432-5DE3D1507142/si"; classtype:web-application-attack; reference:url,www.microsoft.com/technet/security/bulletin/MS09-055.mspx; reference:cve,CVE-2009-2493; reference:url,doc.emergingthreats.net/2010111; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday; sid:2010111; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS MSN Photo Upload Tool Activex Remote Code Excution Attempt(MS09-055)"; flow:established,to_client; content:"clsid"; nocase; content:"4F1E5B1A-2A80-42ca-8532-2D05CB959537"; nocase; distance:0; content:"OleLoadFromStream"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4F1E5B1A-2A80-42ca-8532-2D05CB959537/si"; classtype:web-application-attack; reference:url,www.microsoft.com/technet/security/bulletin/MS09-055.mspx; reference:cve,CVE-2009-2493; reference:url,doc.emergingthreats.net/2010112; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday; sid:2010112; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Office Excel Add-in for SQL Analysis Services 1 Activex Remote Code Excution Attempt(MS09-055)"; flow:established,to_client; content:"clsid"; nocase; content:"27A3D328-D206-4106-8D33-1AA39B13394B"; nocase; distance:0; content:"OleLoadFromStream"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*27A3D328-D206-4106-8D33-1AA39B13394B/si"; classtype:web-application-attack; reference:url,www.microsoft.com/technet/security/bulletin/MS09-055.mspx; reference:cve,CVE-2009-2493; reference:url,doc.emergingthreats.net/2010113; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday; sid:2010113; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Office Excel Add-in for SQL Analysis Services 2 Activex Remote Code Excution Attempt(MS09-055)"; flow:established,to_client; content:"clsid"; nocase; content:"DB640C86-731C-484A-AAAF-750656C9187D"; nocase; distance:0; content:"OleLoadFromStream"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*DB640C86-731C-484A-AAAF-750656C9187D/si"; classtype:web-application-attack; reference:url,www.microsoft.com/technet/security/bulletin/MS09-055.mspx; reference:cve,CVE-2009-2493; reference:url,doc.emergingthreats.net/2010114; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday; sid:2010114; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Office Excel Add-in for SQL Analysis Services 3 Activex Remote Code Excution Attempt(MS09-055)"; flow:established,to_client; content:"clsid"; nocase; content:"15721a53-8448-4731-8bfc-ed11e128e444"; nocase; distance:0; content:"OleLoadFromStream"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*15721a53-8448-4731-8bfc-ed11e128e444/si"; classtype:web-application-attack; reference:url,www.microsoft.com/technet/security/bulletin/MS09-055.mspx; reference:cve,CVE-2009-2493; reference:url,doc.emergingthreats.net/2010115; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday; sid:2010115; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Office Excel Add-in for SQL Analysis Services 4 Activex Remote Code Excution Attempt(MS09-055)"; flow:established,to_client; content:"clsid"; nocase; content:"3267123E-530D-4E73-9DA7-79F01D86A89F"; nocase; distance:0; content:"OleLoadFromStream"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3267123E-530D-4E73-9DA7-79F01D86A89F/si"; classtype:web-application-attack; reference:url,www.microsoft.com/technet/security/bulletin/MS09-055.mspx; reference:cve,CVE-2009-2493; reference:url,doc.emergingthreats.net/2010116; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday; sid:2010116; rev:3;)
-
-#The below rules can be kept in CURRENT_EVENTS. as I didn't get much
-#information about them but we can alert them when they are loading.
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Indexing Service Activex Remote Code Execution CLSID Access Attempt (MS09-057)"; flow:established,to_client; content:"clsid"; nocase; content:"A4463024-2B6F-11D0-BFBC-0020F8008024"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A4463024-2B6F-11D0-BFBC-0020F8008024/si"; classtype:web-application-attack; reference:url,www.microsoft.com/technet/security/bulletin/MS09-057.mspx; reference:cve,CVE-2009-2507; reference:url,doc.emergingthreats.net/2010117; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday; sid:2010117; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Silverlight Activex CLSID Access Attempt (MS09-061)"; flow:established,to_client; content:"clsid"; nocase; content:"DFEAF541-F3E1-4C24-ACAC-99C30715084A"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*DFEAF541-F3E1-4C24-ACAC-99C30715084A/si"; classtype:web-application-attack; reference:url,www.microsoft.com/technet/security/bulletin/MS09-061.mspx; reference:cve,CVE-2009-2497; reference:url,doc.emergingthreats.net/2010117; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday; sid:2010120; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RSClientPrint Activex CLSID Access Attempt (MS09-062)"; flow:established,to_client; content:"clsid"; nocase; content:"41861299-EAB2-4DCC-986C-802AE12AC499"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*41861299-EAB2-4DCC-986C-802AE12AC499/si"; classtype:web-application-attack; reference:url,www.microsoft.com/technet/security/bulletin/MS09-062.mspx; reference:cve,CVE-2009-2500; reference:url,doc.emergingthreats.net/2010118; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Patch_Tuesday; sid:2010118; rev:3;)
-
-
-#by Paul Dokas. Testing this out for a bit...
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nginx Serving PDF - Possible hostile content (PDF)"; flow:established,from_server; content:"HTTP/1."; depth:7; content:"|0d 0a|Server|3a| nginx"; nocase; distance:4; within:300; content:"Content-Type|3a| application/pdf"; nocase; within: 400; content:"Content-Disposition|3a| inline"; nocase; within: 400; threshold:type limit, seconds 60, count 10, track by_src; classtype:bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2009076; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Possible_Malicious_PDF; sid:2009076; rev:2;)
+#by Jaime Blasco
+#
+#alert tcp any any -> any any (msg:"ET SHELLCODE Plain2 Shellcode"; flow:established; content:"|50 50 50 50 40 50 40 50 ff 56 1c 8b d8 57 57 68 02|"; content:"|8b cc 6a|"; distance:0; content:"|51 53|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009264; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009264; rev:3;)
 
-##Jaime Blasco Alienvault VRT
-#PSYB0T related Activity
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Psyb0t Code Download"; flow:established,to_server; uricontent:"/udhcpc.env"; nocase; classtype:trojan-activity; reference:url,www.adam.com.au/bogaurd/PSYB0T.pdf; reference:url,doc.emergingthreats.net/2009170; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Psybot; sid:2009170; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Psyb0t Bot Nick"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK [NIP]-.*/i"; classtype:trojan-activity; reference:url,www.adam.com.au/bogaurd/PSYB0T.pdf; reference:url,doc.emergingthreats.net/2009171; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Psybot; sid:2009171; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Psyb0t joining an IRC Channel"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"JOIN #mipsel"; classtype:trojan-activity; reference:url,www.adam.com.au/bogaurd/PSYB0T.pdf; reference:url,doc.emergingthreats.net/2009172; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Psybot; sid:2009172; rev:2;)
+#by Jaime Blasco
+#
+#alert udp any any -> any any (msg:"ET SHELLCODE Plain2 Shellcode (UDP)"; content:"|50 50 50 50 40 50 40 50 ff 56 1c 8b d8 57 57 68 02|"; content:"|8b cc 6a|"; distance:0; content:"|51 53|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009267; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009267; rev:2;)
 
+#by Jaime Blasco
+#
+#alert tcp any any -> any any (msg:"ET SHELLCODE Bindshell1 Decoder Shellcode"; flow:established; content:"|58 99 89 E1 CD 80 96 43 52 66 68|"; content:"|66 53 89 E1 6A 66 58 50 51 56|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009265; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009265; rev:3;)
 
-# New variant by Frank Knobbe
-# GET /roundcube/bin/msgimport /rc/bin/msgimport /bin/msgimport /mail/bin/msgimport /webmail/bin/msgimport
-# and GET /nonexistenshit
-# Just using /bin/msgimport for simplicity
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2"; flow:to_server,established; uricontent:"/bin/msgimport"; nocase; classtype:attempted-recon; reference:url,isc.sans.org/diary.html?storyid=5599; reference:url,doc.emergingthreats.net/bin/view/Main/2008990; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Roundcube; sid:2008990; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 Error Check"; flow:to_server,established; uricontent:"/nonexistenshit"; nocase; classtype:attempted-recon; reference:url,isc.sans.org/diary.html?storyid=5599; reference:url,doc.emergingthreats.net/bin/view/Main/2008991; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Roundcube; sid:2008991; rev:2;)
+#by Jaime Blasco
+#
+#alert udp any any -> any any (msg:"ET SHELLCODE Bindshell1 Decoder Shellcode (UDP)"; content:"|58 99 89 E1 CD 80 96 43 52 66 68|"; content:"|66 53 89 E1 6A 66 58 50 51 56|"; distance:0; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2009266; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Common_ShellCode; sid:2009266; rev:2;)
 
-#by David Wharton
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 1"; flow:to_server,established; content:"POST /roundcube/bin/html2text.php HTTP/1."; nocase; content:"Accept|3a| ZWNobyAoMzMzMjEyKzQzMjQ1NjY2KS4iICI7O3Bhc3N0aHJ1KCJ1bmFtZSAtYTtpZCIpOw=="; classtype:attempted-admin; reference:url,isc.sans.org/diary.html?storyid=5599; reference:url,doc.emergingthreats.net/bin/view/Main/2009006; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Roundcube; sid:2009006; rev:3;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 2"; flow:to_server,established; content:"POST /roundcube/bin/html2text.php HTTP/1."; nocase; content:"echo (333212+43245666).|22| |22|\;\;passthru(|22|uname -a\;id|22|)\;"; classtype:attempted-admin; reference:url,isc.sans.org/diary.html?storyid=5599; reference:url,doc.emergingthreats.net/bin/view/Main/2009007; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Roundcube; sid:2009007; rev:2;)
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 3"; flow:to_server,established; content:"POST /roundcube/bin/html2text.php HTTP/1."; nocase; content:"<b>{${EVAL(BASE64_DECODE($_SERVER[HTTP_ACCEPT]))}}</b>"; classtype:attempted-admin; reference:url,isc.sans.org/diary.html?storyid=5599; reference:url,doc.emergingthreats.net/bin/view/Main/2009008; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Roundcube; sid:2009008; rev:2;)
+#by Jaime Blasco
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET ATTACK_RESPONSE FTP CWD to windows system32 - Suspicious"; flow:established,to_server; content:"CWD C|3a|\\WINDOWS\\system32\\"; fast_pattern:only; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008556; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_FTP; sid:2008556; rev:7;)
 
-#by Jeffrey Brown. re 308c6885573ce652bab37c739f52cb19
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS New Malware Information Post"; flow:to_server,established; content:"POST "; depth:5; content:"|0d 0a|Pragma\: no-cache|0d 0a 0d 0a|"; content:"|C9 78 C7 02 69 06 7E 34 78 17|"; distance:4; within:14; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009092; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Rusibank.com; sid:2009092; rev:2;)
+#Submitted by Joseph Gama
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access COM1"; flow: established; content:"/COM1/"; fast_pattern:only; nocase; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2000499; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity; sid:2000499; rev:9;)
 
-#by Michael Sconzo of ERCOT
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Iframe in Purported Image Download (jpeg) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type|3a| "; nocase; content:" image/jpeg"; nocase; distance:0; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\:\s+image\/jpeg/im"; pcre:"/<iframe.*?src.*?>.*?<\/iframe>/im"; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2008313; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; sid:2008313; rev:4;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Iframe in Purported Image Download (gif) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type|3a| "; nocase; content:" image/gif"; nocase; distance:0; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\:\s+image\/gif/im"; pcre:"/<iframe.*?src.*?>.*?<\/iframe>/im"; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2008314; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; sid:2008314; rev:4;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Iframe in Purported Image Download (png) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type|3a| "; nocase; content:" image/png"; nocase; distance:0; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\:\s+image\/png/im"; pcre:"/<iframe.*?src.*?>.*?<\/iframe>/im"; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2008315; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; sid:2008315; rev:4;)
+#Submitted by Joseph Gama
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access COM2"; flow: established; content:"/COM2/"; fast_pattern:only; nocase; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2000500; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity; sid:2000500; rev:9;)
 
-#Greg Martin
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ASPROX Infected Site - ngg.js Request"; flow:established,to_server; uricontent:"/ngg.js"; content:!"nextgen-gallery"; classtype:trojan-activity; reference:url,infosec20.blogspot.com/; reference:url,doc.emergingthreats.net/bin/view/Main/2008373; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; sid:2008373; rev:3;)
+#Submitted by Joseph Gama
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access COM3"; flow: established; content:"/COM3/"; fast_pattern:only; nocase; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2000501; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity; sid:2000501; rev:9;)
 
-#by Jack Pepper
-#alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/ngg.js)"; flow:established,from_server; content:"<script src=http\://"; nocase; content:!"nextgen-gallery"; within:15; content:"/ngg.js>"; within:50; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008387; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; reference:url,infosec20.blogspot.com/2008/07/asprox-payload-morphed.html; sid:2008387; rev:4;)
-#alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/b.js)"; flow:established,from_server; content:"<script src=http\://"; nocase; content:"/b.js>"; within:50; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008388; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; sid:2008388; rev:3;)
+#Submitted by Joseph Gama
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access COM4"; flow: established; content:"/COM4/"; fast_pattern:only; nocase; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2000502; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity; sid:2000502; rev:9;)
 
-#sig by matt jonkman, researcher anonymous
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Tigger.a/Syzor Control Checkin"; flow:established,to_server; uricontent:"/track.cgi"; content:"POST "; depth:5; content:"|0d 0a 0d 0a|u="; distance:50; within:400; content:"&t="; distance:0; content:"&v="; distance:0; content:"&f="; distance:0; content:"&z="; distance:0; classtype:trojan-activity; reference:url,voices.washingtonpost.com/securityfix/2009/02/the_t-i-double-guh-r_trojan_ic.html?wprss=securityfix; reference:url,mnin.blogspot.com/2009/02/why-i-enjoyed-tiggersyzor.html; reference:url,doc.emergingthreats.net/2009096; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Tigger; sid:2009096; rev:4;)
+#Submitted by Joseph Gama
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access LPT1"; flow: established; content:"/LPT1/"; fast_pattern:only; nocase; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2000503; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity; sid:2000503; rev:9;)
 
-#putting this in current events to see how badly it falses.
-# Looking for a simple thing, but the pws's use this pretty reliably, and hopefully it's not too common in the real world
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TROJAN PWS-OnlineGames or variant Checkin"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/help.rar"; classtype:trojan-activity; reference:url,www.threatexpert.com/reports.aspx?find=help.rar; reference:url,doc.emergingthreats.net/bin/view/Main/2008948; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Trojan_PWS_Onlinegamestealer; sid:2008948; rev:2;)
+#Submitted by Joseph Gama
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access LPT2"; flow: established; content:"/LPT2/"; fast_pattern:only; nocase; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2000504; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity; sid:2000504; rev:9;)
 
-#by Pedro Marinho, re 58816f781154bda381fdcb1e3fab7bdd
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unnamed - kuaiche.com related"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/config/fgun_install_"; content:"|0d 0a|User-Agent\: NSI SDL/1.2 (Mozilla)|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008359; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan; sid:2008359; rev:3;)
+#Submitted by Joseph Gama
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access LPT3"; flow: established; content:"/LPT3/"; fast_pattern:only; nocase; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2000505; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity; sid:2000505; rev:9;)
 
-#different trojan, by marcus at unsober
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Keylogger checkin"; flow:established; content:"GET "; depth:4; uricontent:"?mail="; uricontent:"subject=Keylogger"; uricontent:"&body="; content:"|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1)"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008368; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan; sid:2008368; rev:3;)
+#Submitted by Joseph Gama
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access LPT4"; flow: established; content:"/LPT4/"; fast_pattern:only; nocase; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2000506; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity; sid:2000506; rev:9;)
 
+#Submitted by Joseph Gama
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access AUX"; flow: established; content:"/AUX/"; fast_pattern:only; nocase; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2000507; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity; sid:2000507; rev:9;)
 
-#Another unknown, needs a name. Sig by Pedro Marinho
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Unknown Initial Checkin"; flow:established,to_server; dsize:<5; content:"id="; depth:3; flowbits:noalert; flowbits:set,ET.unknid; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008496; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan; sid:2008496; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Unknown Checkin"; flowbits:isset,ET.unknid; flow:established,to_server; dsize:100<>200; content:"&idate="; content:"&os="; content:"&wmid="; content:"&msg="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008497; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan; sid:2008497; rev:2;)
+#Submitted by Joseph Gama
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access NULL"; flow: established; content:"/NULL/"; fast_pattern:only; nocase; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2000508; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hidden_FTP_File_Activity; sid:2000508; rev:9;)
 
+#by Matt Jonkman
+#seeing some worms/trojans use an ftp server with all banners stripped out
+#on off ports to download payload after the initial compromise.
+#Just stats codes, no welcome, etc. Very unique
+#something like:
+#220
+#USER a
+#331
+#PASS a
+#230
+#TYPE I
+#200
+#PORT 10,2,32,214,4,9
+#200
+#RETR msnnmaneger.exe
+#150
+#226
+#QUIT
+#221
+#removing a few to simplify
+#
+#alert tcp $HOME_NET 1024: -> any 1024: (msg:"ET ATTACK_RESPONSE Off-Port FTP Without Banners - user"; flow:established,from_server; dsize:>7; content:"USER "; depth:5; offset:0; content:" |0d 0a|"; distance:1; flowbits:set,ET.strippedftpuser; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007715; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hostile_FTP; sid:2007715; rev:9;)
 
-# Unknown handshake over SMTP discovered by Thierry Chich and reported on mail list. Added by Frank Knobbe 2008-09-17.
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Suspicious SMTP handshake outbound"; flow:established,to_server; content:"001 RUTHERE"; depth:11; classtype:unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2008562; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan; sid:2008562; rev:3;)
-alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET TROJAN Suspicious SMTP handshake reply"; flow:established,from_server; content:"701 IMHERE"; depth:10; classtype:unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2008563; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan; sid:2008563; rev:3;)
+#by Matt Jonkman
+#seeing some worms/trojans use an ftp server with all banners stripped out
+#on off ports to download payload after the initial compromise.
+#Just stats codes, no welcome, etc. Very unique
+#something like:
+#220
+#USER a
+#331
+#PASS a
+#230
+#TYPE I
+#200
+#PORT 10,2,32,214,4,9
+#200
+#RETR msnnmaneger.exe
+#150
+#226
+#QUIT
+#221
+#removing a few to simplify
+#
+#alert tcp $HOME_NET 1024: -> any 1024: (msg:"ET ATTACK_RESPONSE Off-Port FTP Without Banners - pass"; flowbits:isset,ET.strippedftpuser; flow:established,from_server; dsize:>7; content:"PASS "; depth:5; offset:0; content:" |0d 0a|"; distance:1; flowbits:set,ET.strippedftppass; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007717; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hostile_FTP; sid:2007717; rev:7;)
 
-#by Victor Julien
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET CURRENT_EVENTS Unknown Keepalive out"; flow:established,to_server; dsize:5; content:"|17 24 1B 00 00|"; flowbits:isnotset,ET.teamviewerkeepaliveout; flowbits:set,ET.unknownkeepaliveup; flowbits:noalert; classtype:unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2008779; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan3; sid:2008779; rev:4;)
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Keepalive in"; flow:established,to_client; dsize:5; content:"|17 24 1B 00 00|"; flowbits:isnotset,ET.teamviewerkeepaliveout; flowbits:isset,ET.unknownkeepaliveup; classtype:unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2008780; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan3; sid:2008780; rev:4;)
+#by Matt Jonkman
+#seeing some worms/trojans use an ftp server with all banners stripped out
+#on off ports to download payload after the initial compromise.
+#Just stats codes, no welcome, etc. Very unique
+#something like:
+#220
+#USER a
+#331
+#PASS a
+#230
+#TYPE I
+#200
+#PORT 10,2,32,214,4,9
+#200
+#RETR msnnmaneger.exe
+#150
+#226
+#QUIT
+#221
+#removing a few to simplify
+#
+#alert tcp $HOME_NET 1024: -> any 1024: (msg:"ET ATTACK_RESPONSE Off-Port FTP Without Banners - retr"; flowbits:isset,ET.strippedftppass; flow:established,from_server; dsize:>7; content:"RETR "; depth:5; offset:0; tag:session,300,seconds; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007723; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Hostile_FTP; sid:2007723; rev:8;)
 
-#by phrantic
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ZBot EXE Download (personalfile/pdf.exe)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"bankinsured/failed/personalfile/pdf.exe"; classtype:trojan-activity; reference:url,www.malwareurl.com/search.php?domain=&s=globaldirectory%2Fupdatetool.exe&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on; reference:url,doc.emergingthreats.net/20102449; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zbot; sid:2010249; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ZBot EXE Download (personalfile/word.exe)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"bankinsured/failed/personalfile/word.exe"; classtype:trojan-activity; reference:url,www.malwareurl.com/search.php?domain=&s=globaldirectory%2Fupdatetool.exe&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on; reference:url,doc.emergingthreats.net/2010250; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zbot; sid:2010250; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ZBot EXE Download (updatetool.exe)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"globaldirectory/updatetool.exe"; classtype:trojan-activity; reference:url,www.malwareurl.com/search.php?domain=&s=globaldirectory%2Fupdatetool.exe&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on; reference:url,doc.emergingthreats.net/2010251; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zbot; sid:2010251; rev:2;)
+#matt jonkman, info from qru
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection"; flow:established,to_client; content:"#|0d 0a|#|20|This|20|is|20|a|20|sample|20|HOSTS|20|file|20|used|20|by|20|Microsoft|20|TCP/IP|20|for|20|Windows.|0d 0a|#|0d 0a|#|20|This|20|file|20|contains|20|the|20|mappings|20|of|20|IP|20|addresses|20|to|20|host|20|names."; fast_pattern:only; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008559; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_LMHosts_Download; sid:2008559; rev:6;)
 
-#by anon 4
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/perce/"; uricontent:"/qwerce.gif"; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html; reference:url,doc.emergingthreats.net/2010231; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts; sid:2010231; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/werber/"; uricontent:"/217.gif"; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html; reference:url,doc.emergingthreats.net/2010232; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts; sid:2010232; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download"; flow:established,to_server; uricontent:"/item/"; uricontent:"/titem.gif"; content:"GET "; depth:4; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html; reference:url,doc.emergingthreats.net/2010233; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts; sid:2010233; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post"; flow:established,to_server; uricontent:"/senm.php?data="; content:"POST "; depth:5; content:"data="; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,www.threatexpert.com/report.aspx?md5=7ca709f154e6abc678fbc4df8a3256b6; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,doc.emergingthreats.net/2010234; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts; sid:2010234; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post"; flow:established,to_server; uricontent:"/perce/"; uricontent:"/qwerce.gif"; content:"POST "; depth:5; content:"data="; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,doc.emergingthreats.net/2010235; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts; sid:2010235; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post"; flow:established,to_server; uricontent:"/werber/"; uricontent:"/217.gif"; content:"POST "; depth:5; content:"data="; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,doc.emergingthreats.net/2010236; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts; sid:2010236; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post"; flow:established,to_server; uricontent:"/item/"; uricontent:"/titem.gif"; content:"POST "; depth:5; content:"data="; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,doc.emergingthreats.net/2010237; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts; sid:2010237; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post"; flow:established,to_server; uricontent:"/report.php?data="; content:"POST "; depth:5; content:"data="; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,doc.emergingthreats.net/2010238; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts; sid:2010238; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post"; flow:established,to_server; uricontent:"/arrows/"; uricontent:"/arrow_up.gif"; content:"POST "; depth:5; content:"data="; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,www.threatexpert.com/report.aspx?md5=316fd88ac18d21889b1dbf9b979c1959; reference:url,doc.emergingthreats.net/2010239; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts; sid:2010239; rev:3;)
+#Matt Jonkman, information from Stephen Gill at Cymru
+#
+alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Hostile FTP Server Banner (StnyFtpd)"; flow:established,from_server; content:"220 StnyFtpd 0wns j0"; offset:0; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002809; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2002809; rev:5;)
 
-#by matt jonkman
-alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Infected System Looking up chr.santa-inbox.com CnC Server"; content:"|03|chr|0b|santa-inbox|03|com"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008531; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_santa-inbox.com; sid:2008531; rev:2;)
+#Matt Jonkman, information from Stephen Gill at Cymru
+#
+alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Hostile FTP Server Banner (Reptile)"; flow:established,from_server; content:"220 Reptile welcomes you"; offset:0; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002810; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2002810; rev:4;)
 
-#Submitted by Jason Haar
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Update Engine"; flow: to_server,established; content:"GET"; depth: 3; content:"Host|3a|"; within: 300; content:".180solutions.com"; within: 40; reference:url,www.safer-networking.org/index.php?page=threats&detail=212; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000930; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2000930; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware (tracked event reported)"; flow: to_server,established; uricontent:"/TrackedEvent.aspx?"; nocase; uricontent:"eid="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001397; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2001397; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware (action url reported)"; flow: to_server,established; uricontent:"/actionurls/ActionUrl"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001399; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2001399; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware Reporting"; flow: to_server,established; uricontent:"/showme.aspx?"; nocase; uricontent:"partner_id="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2001400; rev:8;)
+#Matt Jonkman, information from Stephen Gill at Cymru
+#
+alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Hostile FTP Server Banner (Bot Server)"; flow:established,from_server; content:"220 Bot Server (Win32)"; offset:0; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002811; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2002811; rev:5;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware Keywords Download"; flow: to_server,established; uricontent:"keywords/kyf"; nocase; content:"partner_id="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002001; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2002001; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware Install"; flow: to_server,established; uricontent:"/downloads/installers/"; nocase; content:"simpleinternet/180sainstaller.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002003; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2002003; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware Defs Download"; flow: to_server,established; uricontent:"/geodefs/gdf"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002048; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2002048; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware config Download"; flow: to_server,established; uricontent:"/config.aspx?did="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002099; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2002099; rev:4;)
+#Matt Jonkman, information from Stephen Gill at Cymru
+#
+alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner (warFTPd)"; flow:established,from_server; content:"220 "; content:"--warFTPd "; depth:40; nocase; classtype:trojan-activity; reference:url,www.warftp.org; reference:url,doc.emergingthreats.net/bin/view/Main/2003464; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2003464; rev:5;)
 
-#By M Shirk from Listening Post data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware versionconfig POST"; flow:to_server,established; uricontent:"/versionconfig.aspx?"; uricontent:"&ver="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002354; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2002354; rev:4;)
+#Matt Jonkman, information from Stephen Gill at Cymru
+#Daniel Clemens, cleaned up distance usage
+#
+alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner (freeFTPd)"; flow:established,from_server; content:"220 "; content:"--freeFTPd "; depth:40; nocase; classtype:trojan-activity; reference:url,www.freeftp.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003465; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2003465; rev:5;)
 
-#Matt Jonkman. Bundled from Warner Brothers Kids site.. can you believe that crap? Guess where my kids WON'T be spending my money....
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware Actionlibs Download"; flow:to_server,established; uricontent:"/actionurls/ActionUrlb"; nocase; uricontent:"partnerid="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003057; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2003057; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware Installer Download"; flow:to_server,established; uricontent:"/Zango/ZangoInstaller.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003058; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2003058; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware TB Installer Download"; flow:to_server,established; uricontent:"/ZangoTBInstaller.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003059; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2003059; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware Local Stats Post"; flow:to_server,established; uricontent:"/php/rpc_uci.php"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003060; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2003060; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware Event Activity Post"; flow:to_server,established; uricontent:"/php/uci.php"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003061; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2003061; rev:3;)
+#Matt Jonkman, off port ftp banners
+#
+alert tcp any 1024: -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner on High Port (WinFtpd)"; flow:established,from_server; dsize:<18; content:"220 WinFtpd"; depth:11; offset:0; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007725; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2007725; rev:6;)
 
-#New zango url
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zango Spyware Activity"; flow:to_server,established; uricontent:"/banman/banman.asp?ZoneID="; nocase; uricontent:"&Task="; nocase; uricontent:"&X="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003170; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2003170; rev:3;)
+#Matt Jonkman, off port ftp banners
+#
+alert tcp any 1024: -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd)"; flow:established,from_server; dsize:<30; content:"220 StnyFtpd"; depth:12; offset:0; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007726; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2007726; rev:6;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware Installer Config 2"; flow:to_server,established; uricontent:"config.aspx"; nocase; uricontent:"?ver="; nocase; content:"HTTP"; nocase; content:!"User-Agent\: "; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003217; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2003217; rev:5;)
+#by Jaime Blasco
+#
+alert tcp any [21,1024:] -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner (fuckFtpd)"; flow:established,from_server; dsize:<18; content:"220 fuckFtpd"; depth:12; offset:0; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009210; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2009210; rev:3;)
 
-#more from the spywarelp
-#Matt jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware (tracked event 2 reporting)"; flow: to_server,established; uricontent:"/trackedevent.aspx?"; nocase; uricontent:"ver="; nocase; uricontent:"&pkg_ver="; nocase; uricontent:"&rnd="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003306; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2003306; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zango Spyware (tbrequest data post)"; flow: to_server,established; uricontent:"/tbrequest"; nocase; uricontent:"&q="; nocase; pcre:"/\/tbrequest\d+\.php/Ui"; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003610; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2003610; rev:3;)
+#by Jaime Blasco
+#
+alert tcp any [21,1024:] -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner (NzmxFtpd)"; flow:established,from_server; dsize:<18; content:"220 NzmxFtpd"; depth:12; offset:0; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009211; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2009211; rev:3;)
 
-#by Russ McRee
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zango Spyware Post"; flow:to_server,established; uricontent:"/te.aspx?ver="; nocase; pcre:"/ver=[v\d]+/Ui"; reference:url,usa.kaspersky.com/about-us/news-press-releases.php?smnr_id=900000045; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007607; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid:2007607; rev:4;)
+#by josh smith
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Matahari client"; flow:to_server,established; content:"Accept-Encoding|3a| identity"; http_header; content:"Next|2d|Polling"; http_header; content:"Content|2d|Salt|3a| "; http_header; pcre:"/Content\x2dSalt\x3a\x20[0-9\.\-]+\x0d\x0a/Hi"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010795; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Matahari; sid:2010795; rev:11;)
 
-#Submitted by Joel Esler
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware 2020"; flow: to_server,established; content:"|48 6F 73 74 3A 20 77 77 77 2E 32 30 32 30 73 65 61 72 63 68 2E 63 6F 6D|"; content:"|49 70 41 64 64 72|"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.2020search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000327; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_2020search; sid: 2000327; rev:9;)
+#by Kevin Ross
 #
-#Submitted by Jason Haar
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 2020search Update Engine"; flow: to_server,established; content:"POST"; depth: 4; content:"srng/reg.php HTTP"; within: 50; content:"|0d0a|Host|3a|"; content:"2020search.com"; within: 40; content:"IpAddr="; nocase; within: 100; reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2004-03-04; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000934; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_2020search; sid: 2000934; rev:7;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter File Download Detected"; flow:to_client,established; content:"stdapi_fs_stat"; depth:54; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009558; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009558; rev:5;)
 
-# by: Jeremy Conway at sudosecure.net
-#ref: 2b8175726f2dde727132299992dafbe9
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 2020search/PowerSearch Toolbar Adware/Spyware - GET"; flow:established,to_server; content:"GET "; depth:4; uricontent:"IpAddr="; nocase; uricontent:"&OS="; nocase; uricontent:"&RegistryChanged="; nocase; uricontent:"&RegistryUpdate="; nocase; uricontent:"&NewInstallation="; nocase; uricontent:"&utilMissing="; nocase; uricontent:"&Basedir="; nocase; uricontent:"&BundleID="; nocase; uricontent:"&InitInstalled="; nocase; uricontent:"&Interval="; nocase; uricontent:"&LastInitRun="; nocase; uricontent:"&LastInitVer="; nocase; uricontent:"&LastSrngRun="; nocase; uricontent:"&LastUtilRun="; nocase; uricontent:"&SrngInstalled="; nocase; uricontent:"&SrngVer="; nocase; uricontent:"&UtilInstalled="; nocase; uricontent:"&UtilVer="; nocase; uricontent:"&PCID"; nocase; classtype:trojan-activity; reference:url,vil.nai.com/vil/content/v_103738.htm; reference:url,www.sunbeltsecurity.com/ThreatDisplay.aspx?tid=13811&cs=1437A28B7A90C4C502B683CE6DE23C4E; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-111918-0210-99; reference:url,doc.emergingthreats.net/2009807; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_2020search; sid:2009807; rev:2;)
+#by Kevin Ross
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Process List (ps) Command Detected"; flow:to_client,established; content:"stdapi_sys_process_get_processes"; depth:65; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009559; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009559; rev:4;)
 
-#Submitted by Chris Norton
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE 2nd-thought (W32.Daqa.C) Download"; flow: from_server,established; content:"|67 6f 69 64 72 2e 63 61 62|"; nocase; content:"|48 6f 73 74 3a 20 77 77 77 2e 77 65 62 6e 65 74 69 6e 66 6f 2e 6e 65 74|"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.secondthought.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001447; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_2nd-Thought; sid: 2001447; rev:7;)
+#by Kevin Ross
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Getuid Command Detected"; flow:to_client,established; content:"stdapi_sys_config_getuid"; depth:65; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009560; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009560; rev:4;)
 
-#by matt jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 360safe.com related Fake Security Product Update"; flow:established,to_server; uricontent:"/?fixtool="; nocase; content:"GET /?fixtool="; offset:0; depth:16; content:!"|0d 0a|User-Agent\: "; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008036; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_360safe.com; sid:2008036; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 360safe.com related Fake Security Product Update (KillerSet)"; flow:established,to_server; uricontent:"/?KillerSet="; nocase; content:"GET /?KillerSet="; offset:0; depth:16; content:!"|0d 0a|User-Agent\: "; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008149; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_360safe.com; sid:2008149; rev:3;)
+#by Kevin Ross
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Process Migration Detected"; flow:to_client,established; content:"core_migrate"; depth:60; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009561; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009561; rev:4;)
 
-#from spyware listening post data, by matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 51yes.com Spyware Reporting User Activity"; flow:established,to_server; uricontent:"/sa.aspx?id="; nocase; uricontent:"&refe=http"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003620; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_51yes.com; sid:2003620; rev:3;)
+#by Kevin Ross
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter ipconfig Command Detected"; flow:to_client,established; content:"stdapi_net_config_get_interfaces"; depth:65; threshold: type threshold, track by_src, count 2, seconds 4; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009562; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009562; rev:4;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE A-d-w-a-r-e.com Activity (popup)"; flow: established,to_server; uricontent:"/cgi-bin/PopupV"; nocase; uricontent:"?ID={"; nocase; reference:url,www.a-d-w-a-r-e.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001730; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_A-d-w-a-r-e.com; sid: 2001730; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE A-d-w-a-r-e.com Activity (cmd)"; flow: established,to_server; uricontent:"/app/VT00/ucmd.php?V="; nocase; reference:url,www.a-d-w-a-r-e.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001735; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_A-d-w-a-r-e.com; sid: 2001735; rev:7;)
+#by Kevin Ross
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Sysinfo Command Detected"; flow:to_client,established; content:"stdapi_sys_config_sysinfo"; depth:60; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009563; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009563; rev:4;)
 
-#By Mark Tombaugh
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ABX Toolbar ActiveX Install"; flow: to_server,established; uricontent:"/abx_search_webinstall/abx_search.cab"; nocase; reference:url,isc.sans.org/diary.php?date=2005-03-04; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001761; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ABX_Toolbar; sid: 2001761; rev:5;)
+#by Kevin Ross
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Route Command Detected"; flow:to_client,established; content:"stdapi_net_config_get_route"; depth:62; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009564; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009564; rev:4;)
 
-#By Matt Jonkman, From spyware listening post data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Abcsearch.com Spyware Reporting"; flow:established,to_server; uricontent:"/cgi-bin/search/mxml.fcgi?"; nocase; uricontent:"Terms="; nocase; uricontent:"&affiliate="; nocase; uricontent:"&subid="; nocase; uricontent:"&Hits_Per_Page="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003438; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Abcsearch.com; sid:2003438; rev:3;)
+#by Kevin Ross
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Kill Process Command Detected"; flow:to_client,established; content:"stdapi_sys_process_kill"; depth:60; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009565; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009565; rev:4;)
 
-#Submitted by cooljay
-alert tcp $EXTERNAL_NET 20 -> $HOME_NET any (msg:"ET MALWARE Abox Download"; flow: established,to_server; content:"|5c 00 43 00 61 00 72 00 6d 00 65 00 6e 00 00 00 16 00 00 00 73 00 75 00 63|"; nocase; offset: 160; depth: 26; tag: host,1,packets,src; flowbits: set,tagged; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001440; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Abox; sid: 2001440; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Abox Install Report"; flow: to_server,established; uricontent:"&time="; nocase; uricontent:"/new_install?id="; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.adultbox.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001441; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Abox; sid: 2001441; rev:11;)
+#by Kevin Ross
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Print Working Directory Command Detected"; flow:to_client,established; content:"stdapi_fs_getwd"; depth:55; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009566; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009566; rev:4;)
 
-#by Matt Jonkman from Listening Post Data
-#Disabling, obsoleting. To be delleted in a month or so
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdultfriendFinder.com Spyware Iframe Download"; flow:to_server,established; uricontent:"/promo/affiframe.jsp?Pid="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002353; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Adultfriendfinder.com; sid:2002353; rev:4;)
+#by Kevin Ross
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter View Current Process ID Command Detected"; flow:to_client,established; content:"stdapi_sys_process_getpid"; depth:60; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009567; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009567; rev:4;)
 
-#by Philipp Bescht
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advert-network.com Related Spyware Updating"; flow:established,to_server; uricontent:"/cnconfig.gz?ct="; uricontent:"&bp="; uricontent:"&vs="; uricontent:"&country="; uricontent:"&grp="; uricontent:"&tcpc="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008419; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Advert-network.com; sid:2008419; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advert-network.com Related Spyware Checking for Updates"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/check.php?tcpc="; content:!"|0d 0a|User-Agent\:"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008425; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Advert-network.com; sid:2008425; rev:2;)
+#by Kevin Ross
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Execute Command Detected"; flow:to_client,established; content:"stdapi_sys_process_execute"; depth:62; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009568; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009568; rev:4;)
 
-#by Matt Jonkman
-#spyware, from the sandnet
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advertisementserver.com Spyware Initial Checkin"; flow:to_server,established; uricontent:"?UID="; nocase; uricontent:"&DIST="; nocase; uricontent:"&NPR="; nocase; content:"User-Agent\: Microsoft URL Control"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007601; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Advertisementserver.com; sid:2007601; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advertisementserver.com Spyware Checkin"; flow:to_server,established; uricontent:"monitor.php"; nocase; uricontent:"?UID="; nocase; pcre:"/UID=\d+/Ui"; content:"User-Agent\: Microsoft URL Control"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007602; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Advertisementserver.com; sid:2007602; rev:4;)
+#by Kevin Ross
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter System Reboot/Shutdown Detected"; flow:to_client,established; content:"stdapi_sys_power_exitwindows"; depth:62; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009569; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009569; rev:4;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advertising.com Data Post (villains)"; flow: to_server,established; uricontent:"/Games/villains.aspx"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001228; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Advertising.com_Bot; sid: 2001228; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advertising.com Data Post (cakedeal)"; flow: to_server,established; uricontent:"/Games/cakedeal.aspx"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001230; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Advertising.com_Bot; sid: 2001230; rev:8;)
-#From Listening Post data
-#Hits on normal ads, not reporting data
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advertising.com Reporting Data"; flow: to_server,established; pcre:"/\/site=\d+\/mnum=\d+\/bins=\d+\/rich=\d+\/logs=\d+\/betr=/Ui"; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002304; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Advertising.com_Bot; sid: 2002304; rev:3;)
+#by Kevin Ross
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter System Get Idle Time Command Detected"; flow:to_client,established; content:"stdapi_ui_get_idle_time"; depth:60; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009570; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009570; rev:4;)
 
-#by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware Command Client Checkin"; flow: to_server,established; uricontent:"/client.php?str="; nocase; content:"User-Agent\: "; nocase; content:"Indy Library)"; within:30; nocase; classtype: policy-violation; reference:url,www.nuker.com/container/details/adware_command.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003446; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Adware_Command; sid: 2003446; rev:4;)
+#by Kevin Ross
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Make Directory Command Detected"; flow:to_client,established; content:"stdapi_fs_mkdir"; depth:55; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009571; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009571; rev:4;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adwave Agent Access"; flow: to_server,established; uricontent:"/search_404.aspx?aff="; nocase; classtype: policy-violation; reference:url,www.intermute.com/spyware/HuntBar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001318; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Adwave; sid: 2001318; rev:7;)
+#by Kevin Ross
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Remove Directory Command Detected"; flow:to_client,established; content:"stdapi_fs_delete_dir"; depth:57; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009572; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009572; rev:4;)
 
-#Submitted by Chris Norton
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wintools Download/Configure"; flow: to_server,established; uricontent:"/WTools"; nocase; uricontent:".cab"; nocase; classtype: trojan-activity; reference:url,www.intermute.com/spyware/HuntBar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001450; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Adwave; sid: 2001450; rev:11;)
+#by Kevin Ross
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Change Directory Command Detected"; flow:to_client,established; content:"stdapi_fs_chdir"; depth:57; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009573; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009573; rev:4;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casalemedia Access, Likely Spyware"; flow: to_server,established; content:"Host\:"; nocase; content:".ak-networks.com"; nocase; within: 30; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001529; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Ak-networks.com; sid: 2001529; rev:9;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ak-networks.com Spyware Code Download"; flow: to_server,established; uricontent:"/SyncAkSoft.da_"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001530; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Ak-networks.com; sid: 2001530; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ak-networks.com Spyware Code Install"; flow: to_server,established; uricontent:"/akcore.dl_"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001737; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Ak-networks.com; sid: 2001737; rev:6;)
+#by Kevin Ross
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter List (ls) Command Detected"; flow:to_client,established; content:"stdapi_fs_ls"; depth:52; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009574; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009574; rev:5;)
 
-#by Matt Jonkman from listening post data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Alexa Spyware Reporting URL"; flow:established,to_server; uricontent:"/image_server.cgi?size=small&url=http\:/"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002349; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Alexa; sid:2002349; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Alexa Spyware Reporting"; flow:established,to_server; uricontent:"/data?"; nocase; uricontent:"cli="; nocase; uricontent:"&dat="; nocase; uricontent:"&ver="; nocase; uricontent:"&uid="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003219; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Alexa; sid:2003219; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Alexa Spyware Reporting URL Visited"; flow:established,to_server; uricontent:"/data/"; nocase; uricontent:"&cli="; nocase; uricontent:"&dat="; nocase; uricontent:"&ver="; nocase; uricontent:"&url="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003606; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Alexa; sid:2003606; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Alexa Spyware Redirecting User"; flow:established,to_server; uricontent:"/redirect?http"; nocase; content:"Host\: redirect.alexa.com"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003619; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Alexa; sid:2003619; rev:3;)
+#by Kevin Ross
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter rev2self Command Detected"; flow:to_client,established; content:"stdapi_sys_config_rev2self"; depth:52; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009575; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009575; rev:5;)
 
-#Modified and added to by Matt Jonkman (Original author missing)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Altnet PeerPoints Manager Start"; flow: to_server,established; uricontent:"/pm/start.asp"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000906; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Altnet_Peerpoint_Manager_Traffic; sid: 2000906; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Altnet PeerPoints Manager Data Submission"; flow: to_server,established; uricontent:"/backoffice.net/stats/Add.aspx"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000598; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Altnet_Peerpoint_Manager_Traffic; sid: 2000598; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Altnet PeerPoints Manager Settings Download"; flow: to_server,established; uricontent:"/pointsmanager/settings.cab?"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000907; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Altnet_Peerpoint_Manager_Traffic; sid: 2000907; rev:9;)
+#by Kevin Ross
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Enabling/Disabling of Keyboard Detected"; flow:to_client,established; content:"stdapi_ui_enable_keyboard"; depth:60; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009576; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009576; rev:4;)
 
-#fake antispyware package, sig by matt jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Anti-virus-pro.com Fake AV Checkin"; flow:established,to_server; uricontent:"/stat.php?machine_id={"; nocase; pcre:"/machine_id={[A-F0-9]+-[A-F0-9]+-[A-F0-9]+-[A-F0-9]+-[A-F0-9]+}/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007886; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Anti-virus-pro.com; sid:2007886; rev:2;)
+#by Kevin Ross
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Enabling/Disabling of Mouse Detected"; flow:to_client,established; content:"stdapi_ui_enable_mouse"; depth:60; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009577; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009577; rev:4;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Avres Agent Receiving Instructions"; flow: to_server,established; uricontent:"/ie/updatenew/"; content:"CONFIG"; nocase; reference:url,www.avres.net; reference:url,ar.avres.net/ie/updatenew/; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000903; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Avres; sid: 2000903; rev:6;)
+#by Kevin Ross
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter File/Memory Interaction Detected"; flow:to_client,established; content:"stdapi_fs_file_expand_path"; depth:60; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009578; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009578; rev:4;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BTGrab.com Spyware Downloading Ads"; flow: to_server,established; uricontent:"/a/Drk.syn?"; nocase; uricontent:"adcontext="; nocase; reference:url,www.btgrab.com; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090726; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001999; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_BTGrab.com; sid: 2001999; rev:7;)
+#by Kevin Ross
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Registry Interation Detected"; flow:to_client,established; content:"stdapi_registry_create_key"; depth:60; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009579; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009579; rev:4;)
 
-#Matt Jonkman from spyware listening post data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Baidu.com Spyware Bar Reporting"; flow:to_server,established; uricontent:"/update/barcab/"; nocase; classtype:policy-violation; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003340; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Baidu.com; sid:2003340; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Baidu.com Spyware Bar Pulling Content"; flow:to_server,established; uricontent:"/update/cab/loadmovie.swf"; nocase; content:"bar.baidu.com"; nocase; classtype:policy-violation; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003341; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Baidu.com; sid:2003341; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Baidu.com Spyware Bar Pulling Data"; flow:to_server,established; uricontent:"/cpro/ui/ui"; nocase; content:"baidu.com"; nocase; content:!"Referer\: "; nocase; classtype:trojan-activity; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003578; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Baidu.com; sid:2003578; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Baidu.com Spyware Bar Activity"; flow:to_server,established; uricontent:"/n?cmd="; nocase; uricontent:"&class="; nocase; uricontent:"&pn="; nocase; uricontent:"&tn"; nocase; classtype:trojan-activity; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003605; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Baidu.com; sid:2003605; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Baidu.com Spyware Sobar Bar Activity"; flow:to_server,established; uricontent:"/sobar/sobar"; nocase; classtype:trojan-activity; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003630; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Baidu.com; sid:2003630; rev:3;)
+#by Kevin Ross
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter File Upload Detected"; flow:to_client,established; content:"core_channel_write"; depth:50; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009580; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009580; rev:4;)
 
-#by Jeremy at sudosecure.net
-#ref: c182bfbaff0a5187c95020d4ae602ac0
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adaware.BarACE Checkin and Update"; flow:established,to_server; content:"GET "; depth:4; uricontent:"|2E|php|3F|zone="; nocase; uricontent:"|26|name="; nocase; uricontent:"|26|bpid="; nocase; uricontent:"|26|bnum="; nocase; uricontent:"|26|pid="; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2007-021714-2431-99&tabid=2; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008318; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_BarAce; sid:2008318; rev:3;)
+#by Kevin Ross
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Channel Interaction Detected, Likely Interaction With Executable"; flow:to_client,established; content:"core_channel_interact"; depth:60; classtype:successful-user; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009651; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009651; rev:5;)
 
-#Submitted by Jonathan Miner
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bargain Buddy"; flow: to_server,established; uricontent:"/download/bargin_buddy"; nocase; reference:url,www.doxdesk.com/parasite/BargainBuddy.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000574; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bargain_Buddy; sid: 2000574; rev:9;)
+#by shirkdog
+#
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll to Compromised Host"; flow:established; content:"metsrv.dll|00|MZ"; fast_pattern; depth:13; content:"!This program cannot be run in DOS mode."; distance:75; within:40; classtype:successful-admin; reference:url,doc.emergingthreats.net/2009581; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2009581; rev:4;)
 
-#by matt jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Beautyscreens.com Related Spyware Install Success Report"; flow:established,to_server; uricontent:"ip="; nocase; uricontent:"&id="; nocase; uricontent:"&sid="; nocase; uricontent:"&snip="; nocase; uricontent:"&itemname="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008018; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Beautyscreens.com; sid:2008018; rev:2;)
+#by Varga-Perke Balint
+#
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll to Compromised Host"; flow:established; content:"|40 00 41 00 42 0043 00 44 00 6d 65 74 73 72 76 2e 64 6c 6c 00 49 6e 69 74 00 5f 52 65 66 6c 65 63 74 69 76 65 4c 6f 61|"; fast_pattern:only; classtype:successful-admin; reference:url,doc.emergingthreats.net/2010454; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Meterpreter; sid:2010454; rev:4;)
 
-#By John Stewart
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Begin2Search.com Spyware"; flow: to_server,established; content:"/cgi-bin/fav_del.fcgi?id"; nocase; reference:url,sarc.com/avcenter/venc/data/adware.begin2search.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001885; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Begin2Search; sid: 2001885; rev:6;)
+#Submitted by Joel Esler
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"ET ATTACK_RESPONSE IRC - Nick change on non-std port"; flow: to_server,established; dsize: <64; content:"NICK "; nocase; offset: 0; depth: 5; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000345; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid:2000345; rev:9;)
 
-#Matt Jonkman, caught off of fastmp3search.com.ar
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Best-targeted-traffic.com Spyware Checkin"; flow:established,to_server; uricontent:"/checkin.php?"; nocase; uricontent:"unq="; nocase; uricontent:"version="; nocase; content:"User-Agent\: Opera "; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003209; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Best-Targeted-Traffic.com; sid:2003209; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Best-targeted-traffic.com Spyware Install"; flow:established,to_server; uricontent:"/install.php?"; nocase; uricontent:"&pais="; nocase; uricontent:"unq="; nocase; content:"User-Agent\: Opera "; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003210; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Best-Targeted-Traffic.com; sid:2003210; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Best-targeted-traffic.com Spyware Ping"; flow:established,to_server; uricontent:"/ping.php?"; nocase; uricontent:"ul=http"; nocase; uricontent:"unq="; nocase; content:"User-Agent\: Opera "; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003211; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Best-Targeted-Traffic.com; sid:2003211; rev:3;)
+#Submitted by Joel Esler
+#
+alert tcp $EXTERNAL_NET !6661:6668 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE IRC - Name response on non-std port"; flow: to_client,established; dsize: <128; content:"|3a|"; offset: 0; depth: 1; content:" 302 "; content:"=+"; content:"@"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000346; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid:2000346; rev:10;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bestcount.net Spyware Checkin"; flow:established,to_server; uricontent:"/adv/"; nocase; uricontent:"/adload.php?a1="; nocase; uricontent:"&a2=Type of Processor\:"; nocase; uricontent:"&a3=Windows version is "; nocase; uricontent:"&a4=Build\:"; nocase; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002955; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bestcount.net; sid:2002955; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bestcount.net Spyware Downloading vxgame"; flow:established,to_server; uricontent:"/vxgame1/vxv.php"; nocase; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002956; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bestcount.net; sid:2002956; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bestcount.net Spyware Initial Infection Download"; flow:established,to_server; uricontent:"/win32.exe"; nocase; pcre:"/\/adv\/\d+\/win32\.exe/Ui"; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002957; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bestcount.net; sid:2002957; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bestcount.net Spyware Exploit Download"; flow:established,to_server; uricontent:"/sploit.anr"; nocase; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003153; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bestcount.net; sid:2003153; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bestcount.net Spyware Data Upload"; flow:established,to_server; uricontent:"/objects/ocget.dll"; nocase; content:"mybest"; nocase; depth:150; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003154; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bestcount.net; sid:2003154; rev:4;)
+#Submitted by Joel Esler
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"ET ATTACK_RESPONSE IRC - Private message on non-std port"; flow: to_server,established; dsize: <128; content:"PRIVMSG "; nocase; offset: 0; depth: 8; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000347; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid:2000347; rev:9;)
 
-#Submitted by Jonathan Miner
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Binet (download complete)"; flow: to_server,established; uricontent:"/download/cabs/"; nocase; uricontent:"download_complete.htm"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000366; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Betterinternet; sid: 2000366; rev:12;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Binet (set_pix)"; flow: to_server,established; uricontent:"/download/cabs/set_pix.php"; nocase; content:"abetterinternet.com"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000367; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Betterinternet; sid: 2000367; rev:9;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Binet (randreco.exe)"; flow: to_server,established; uricontent:"/download/cabs/RANDRECO/randreco.exe"; nocase; content:"abetterinternet.com"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000371; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Betterinternet; sid: 2000371; rev:9;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Binet Ad Retrieval"; flow: to_server,established; uricontent:"/bba/flashimages/"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000593; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Betterinternet; sid: 2000593; rev:7;)
+#Submitted by Joel Esler
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"ET ATTACK_RESPONSE IRC - Channel JOIN on non-std port"; flow: to_server,established; dsize: <64; content:"JOIN "; nocase; offset: 0; depth: 5; pcre:"/&|#|\+|!/R"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000348; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid:2000348; rev:9;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Twaintec Download Attempt"; flow: to_server,established; uricontent:"/downloads/cabs/TWTDLL/twaintec.cab"; nocase; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001198; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Betterinternet; sid: 2001198; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Twaintec Ad Retrieval"; flow: to_server,established; uricontent:"/twain/servlet/Twain?adcontext="; nocase; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001199; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Betterinternet; sid: 2001199; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Twaintec Reporting Data"; flow: to_server,established; uricontent:"/downloads/record_download.asp"; nocase; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001216; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Betterinternet; sid: 2001216; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BInet Information Upload"; flow: to_server,established; uricontent:"/bi/servlet/ThinstallPre"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001339; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Betterinternet; sid: 2001339; rev:7;)
-#Data from Allison Macfarland
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BInet Information Install Report"; flow: to_server,established; uricontent:"/bi/servlet/ThinstallPost"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001576; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Betterinternet; sid: 2001576; rev:6;)
+#Submitted by Joel Esler
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"ET ATTACK_RESPONSE IRC - DCC file transfer request on non-std port"; flow: to_server,established; content:"PRIVMSG "; nocase; offset: 0; depth: 8; content:" |3a|.DCC SEND"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000349; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid:2000349; rev:9;)
 
-#Submitted by Matt Jonkman
-# Disabling this rule, it needs work. It's hitting on legit ad referrals
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bfast.com Spyware"; flow: to_server,established; uricontent:"/bfast/serve?bfmid"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001398; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bfast.com; sid: 2001398; rev:7;)
+#Submitted by Joel Esler
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"ET ATTACK_RESPONSE IRC - DCC chat request on non-std port"; flow: to_server,established; content:"PRIVMSG "; nocase; offset: 0; depth: 8; content:" |3a|.DCC CHAT chat"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000350; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid:2000350; rev:10;)
 
-#from spyware LP data, by matt jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bizconcept.info Spyware Checkin"; flow:to_server,established; content:"POST "; depth:5; nocase; uricontent:"/zuzu.php?&r="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2005319; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bizconcept.info; sid:2005319; rev:3;)
+#Submitted by Joel Esler
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"ET ATTACK_RESPONSE IRC - channel join on non-std port"; flow: to_server,established; content:"JOIN |3a| #"; nocase; offset: 0; depth: 8; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000351; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid:2000351; rev:10;)
 
-#Submitted by Allison MacFarlan
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bonziportal Traffic"; flow: to_server,established; uricontent:"/bonziportal/bin/"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59256; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001345; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bonzi; sid: 2001345; rev:7;)
+#Submitted by Joel Esler
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"ET ATTACK_RESPONSE IRC - dns request on non-std port"; flow: to_server,established; content:"USERHOST "; nocase; offset: 0; depth: 9; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000352; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid:2000352; rev:9;)
 
-#by Jeffrey Brown
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Borlander Adware Checkin"; flow:to_server,established; content:"GET "; depth:4; nocase; uricontent:"?t="; nocase; uricontent:"&i="; nocase; uricontent:"&v="; nocase; uricontent:"&d="; nocase; uricontent:"&a="; nocase; uricontent:"&n="; classtype:bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2008736; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Borlander.com.cn; sid:2008736; rev:2;)
+#Erik Fichtner
+#
+#alert tcp $HOME_NET any -> any 6667 (msg:"ET ATTACK_RESPONSE Likely Botnet Activity"; flowbits:isset,is_proto_irc; flow:to_server,established; content:"PRIVMSG|20|"; depth:8; nocase; pcre:"/(cheguei gazelas|meh que tao|Status|Tempo|Total pacotes|Total bytes|M?dia de envio|portas? aberta)/i"; classtype: string-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2001620; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid:2001620; rev:8;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bravesentry.com Fake Antispyware Download"; flow:established,to_server; uricontent:"/bravesentry.exe"; nocase; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002954; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bravesentry; sid:2002954; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bravesentry.com Fake Antispyware Updating"; flow:established,to_server; uricontent:"/update.php?v="; nocase; uricontent:"&d="; nocase; uricontent:"&vs="; nocase; content:!"User-Agent\: "; content:"Host\: "; content:".bravesentry.com"; distance:0; nocase; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003541; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bravesentry; sid:2003541; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bravesentry.com/Protectwin.com Fake Antispyware Reporting"; flow:established,to_server; uricontent:"/download.php?&advid="; nocase; uricontent:"&u="; nocase; uricontent:"&p="; nocase; content:!"User-Agent\: "; content:"Host\: "; content:".bravesentry.com"; distance:0; nocase; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003542; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bravesentry; sid:2003542; rev:3;)
+#By Chris Norton
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Outbound PHP Connection"; flow: established,to_server; content:"From|3a| anon@anon.com"; nocase; offset: 0; depth: 19; content:"User-Agent|3a| PHP"; nocase; classtype: web-application-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001628; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Outbound_PHP_Fopen; sid:2001628; rev:9;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Browseraid.com Agent Reporting Data"; flow: to_server,established; uricontent:"/perl/ads.pl"; nocase; reference:url,www.browseraid.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001266; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Browseraid; sid: 2001266; rev:12;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Browseraid.com Agent Updating"; flow: to_server,established; uricontent:"/perl/uptodate.pl"; nocase; content:"uptodate.browseraid.com"; nocase; reference:url,www.browseraid.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001304; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Browseraid; sid: 2001304; rev:7;)
+#by Cees Elzinga
+#note: most effective with a deep flow depth, or 0
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE r57 phpshell footer detected"; flow:established,from_server; file_data; content:"r57shell - http-shell by RST/GHC"; fast_pattern:only; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003535; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2003535; rev:8;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Clickspring.net Spyware Reporting"; flow: to_server,established; content:"Host\: www.bullseye-network.com"; nocase; classtype: trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.bargainbuddy.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001501; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bullseye-Network.com; sid: 2001501; rev:6;)
+#by Cees Elzinga
+#note: most effective with a deep flow depth, or 0
+#
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ATTACK_RESPONSE r57 phpshell source being uploaded"; flow:established,to_server; content:"/*  (c)oded by 1dt.w0lf"; content:"/*  RST/GHC http"; distance:0; fast_pattern; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003536; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2003536; rev:9;)
 
-#Submitted by Chris Norton
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bundleware Spyware Download"; flow: to_server,established; uricontent:"/app/InternetFuel/AppWrap.exe"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001451; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bundleware; sid: 2001451; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bundleware Spyware CHM Download"; flow: to_server,established; content:"Referer\: ms-its\:mhtml\:file\://C\:counter.mht!http\://"; nocase; content:"/counter/HELP3.CHM\:\:/help.htm"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001452; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bundleware; sid: 2001452; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bundleware Spyware cab Download"; flow: to_server,established; uricontent:"/counter/counter_v3.cab"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001458; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bundleware; sid: 2001458; rev:5;)
+#by Ryan Macdonald of R-fx networks (www.rfxn.com)
+#those commented out are more prone to false positives. They'll be more reliable in a web-only environment
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE x2300 phpshell detected"; flow:established,from_server; content:"x2300 Locus7Shell"; fast_pattern:only; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007651; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007651; rev:6;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE C4tdownload.com Access, Likely Spyware"; flow: to_server,established; content:"Host\:"; nocase; content:".c4tdownload.com"; within:26; nocase; classtype: trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.clickdloader.b.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001531; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_C4tdownload.com; sid: 2001531; rev:12;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE C4tdownload.com Spyware Activity"; flow: to_server,established; uricontent:"/js.php?event_type=onload&recurrence="; nocase; classtype: trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.clickdloader.b.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002088; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_C4tdownload.com; sid: 2002088; rev:5;)
+#by Ryan Macdonald of R-fx networks (www.rfxn.com)
+#those commented out are more prone to false positives. They'll be more reliable in a web-only environment
+#
+#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE c99shell phpshell detected"; flow:established,from_server; content:"c99shell"; fast_pattern:only; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007652; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007652; rev:6;)
 
-#from sandnet analysis, called CASClient by Kaspersky
-#by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CASClient Spyware/Adware Install Checkin"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ctrl/chkmac.php?mac="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006403; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CASClient; sid:2006403; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CASClient Spyware/Adware Checkin"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ctrl/ctrv.php"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006404; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CASClient; sid:2006404; rev:3;)
+#by Ryan Macdonald of R-fx networks (www.rfxn.com)
+#those commented out are more prone to false positives. They'll be more reliable in a web-only environment
+#
+#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE RFI Scanner detected"; flow:established,from_server; content:"RFI Scanner"; fast_pattern:only; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007653; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007653; rev:6;)
 
+#by Ryan Macdonald of R-fx networks (www.rfxn.com)
+#those commented out are more prone to false positives. They'll be more reliable in a web-only environment
+#
+#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE C99 Modified phpshell detected"; flow:established,from_server; content:"C99 Modified"; fast_pattern:only; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007654; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007654; rev:6;)
 
-#By Matt Jonkman, From spyware listening post data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CNSMIN (3721.com) Spyware Activity"; flow:established,to_server; uricontent:"/download/CnsMin"; nocase; uricontent:"?t="; nocase; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003417; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CNSMIN; sid:2003417; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CNSMIN (3721.com) Spyware Activity 2"; flow:established,to_server; uricontent:"/download/CnsUp"; nocase; uricontent:"?t="; nocase; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003418; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CNSMIN; sid:2003418; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CNSMIN (3721.com) Spyware Activity 3"; flow:established,to_server; uricontent:"/download/autolvsw.ini?"; nocase; uricontent:"?t="; nocase; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003419; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CNSMIN; sid:2003419; rev:3;)
+#by Ryan Macdonald of R-fx networks (www.rfxn.com)
+#those commented out are more prone to false positives. They'll be more reliable in a web-only environment
+#
+#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE lila.jpg phpshell detected"; flow:established,from_server; content:"CMD PHP"; fast_pattern:only; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007655; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007655; rev:6;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CWS qck.cc Spyware Installer (in.php)"; flow:established,to_server; uricontent:"/x/in.php?wm="; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002089; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CWS; sid:2002089; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CWS qck.cc Spyware Installer (web.php)"; flow:established,to_server; uricontent:"/x/tbd_web.php?wm="; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002095; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CWS; sid:2002095; rev:5;)
+#by Ryan Macdonald of R-fx networks (www.rfxn.com)
+#those commented out are more prone to false positives. They'll be more reliable in a web-only environment
+#
+#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE ALBANIA id.php detected"; flow:established,from_server; content:"UNITED ALBANIANS aka ALBOSS PARADISE"; fast_pattern:only; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007656; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007656; rev:6;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CWS Trafcool.biz Related Installer"; flow:established,to_server; uricontent:"/progs_traff/"; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002931; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CWS; sid:2002931; rev:3;)
+#by Ryan Macdonald of R-fx networks (www.rfxn.com)
+#those commented out are more prone to false positives. They'll be more reliable in a web-only environment
+#
+#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; fast_pattern:only; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007657; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007657; rev:6;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CWS Related Installer"; flow:established,to_server; uricontent:"/livesupport/image_tracker.php?"; nocase; uricontent:"l=support&"; nocase; uricontent:"x=1&"; nocase; uricontent:"deptid=1&"; nocase; uricontent:"&page=http"; nocase; uricontent:"&unique="; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002932; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CWS; sid:2002932; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CWS Spy-Sheriff.com Infeced Buy Page Request"; flow:established,to_server; uricontent:"/?advid="; nocase; content:"spy-sheriff.com"; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002933; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CWS; sid:2002933; rev:3;)
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spywaremover Activity"; flow: to_server,established; uricontent:"/download/cabs/THNALL1L/thnall1l.exe"; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453087903; reference:url,doc.emergingthreats.net/bin/view/Main/2001521; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Callinghome.biz; sid: 2001521; rev:10;)
+#by Christian Teutenberg
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Backdoor reDuh http initiate"; flow:to_server,established; content:"?action=checkPort&port="; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Java/"; distance:0; classtype:trojan-activity; reference:url,www.sensepost.com/labs/tools/pentest/reduh; reference:url,doc.emergingthreats.net/2011667; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Reduh; sid:2011667; rev:4;)
 
-#by Deapesh Misra
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casalemedia Spyware Reporting URL Visited 3"; flow: to_server,established; uricontent:"/sd?";nocase; pcre:"/\/sd\?s=\d+&f=\d&C=\d/Ui"; classtype: trojan-activity; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Casalemedia.com; reference:url,doc.emergingthreats.net/2009880; sid:2009880; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casalemedia Spyware Reporting URL Visited 2"; flow: to_server,established; uricontent:"/sd?";nocase; pcre:"/\/sd\?s=\d+&f=\d/Ui"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002196; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Casalemedia.com; sid:2002196; rev:1;)
+#by Christian Teutenberg
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Backdoor reDuh http tunnel"; flow:to_server,established; content:"?action=getData&servicePort="; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Java/"; distance:0; threshold:type limit, track by_src, count 1, seconds 300; classtype:trojan-activity; reference:url,www.sensepost.com/labs/tools/pentest/reduh; reference:url,doc.emergingthreats.net/2011668; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Reduh; sid:2011668; rev:4;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casino on Net Install"; flow: to_server,established; uricontent:"/newdownload/newsetup/"; nocase; content:"casinone"; nocase; reference:url,www.888casino.net; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001041; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CasinoonNet; sid: 2001041; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casino on Net Reporting Data"; flow: to_server,established; uricontent:"/logs.asp?MSGID=100"; nocase; reference:url,www.888casino.net; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001031; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CasinoonNet; sid: 2001031; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casino on Net Ping Hit"; flow: to_server,established; uricontent:"/Ping/Ping.txt"; nocase; reference:url,www.888casino.net; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001032; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CasinoonNet; sid: 2001032; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casino on Net Data Download"; flow: to_server,established; uricontent:"/sdl/casinov"; nocase; reference:url,www.888casino.net; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001033; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CasinoonNet; sid: 2001033; rev:7;)
+#by Adam Ellison
+#Detects the old style weak and crackable windows auth in use. By default this should not be in
+#active use, but can be forced by hostile parties by a number of methods
+#
+alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Weak Netbios Lanman Auth Challenge Detected"; flow:from_server; content:"|ff 53 4d 42|"; content:"|00 11 22 33 44 55 66 77 88|"; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2006417; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Short_Lanman_Auth_Challenge; sid:2006417; rev:10;)
 
-#Matt Jonkman from spywarelp data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Catchonlife.com Spyware"; flow: to_server,established; uricontent:"/nw3/r1.txt?"; content:"catchonlife"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003358; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Catchonlife.com; sid:2003358; rev:3;)
+#for a windows cmd shell opened on a local box
+#
+alert tcp $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Possible MS CMD Shell opened on local system"; flow:established; dsize:<110; content:"Microsoft Windows "; depth:20; content:"Copyright 1985-20"; distance:0; content:"Microsoft Corp"; distance:0; content:"|0a 0a|C|3a 5c|WINDOWS|5c|"; distance:0; classtype:successful-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2008953; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Windows_Shell; sid:2008953; rev:8;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Clickspring.net Spyware Reporting Successful Install"; flow: to_server,established; uricontent:"/notify.php?pid=remupd&module=install&v="; nocase; content:"&result=1&message=Success"; nocase; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082745; reference:url,doc.emergingthreats.net/bin/view/Main/2001494; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Clickspring.net; sid: 2001494; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Clickspring.net Spyware Reporting"; flow: to_server,established; uricontent:"/notify.php?pid=ctxad&module=NDrvExe&v="; nocase; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082745; reference:url,doc.emergingthreats.net/bin/view/Main/2001500; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Clickspring.net; sid: 2001500; rev:6;)
+#by Kevin Ross
+#
+#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible Ipconfig Information Detected in HTTP Response"; flow:from_server,established; content:"Windows IP Configuration"; content:"Ethernet adapter Local Area Connection"; distance:8; within:40; classtype:successful-recon-limited; reference:url,en.wikipedia.org/wiki/Ipconfig; reference:url,doc.emergingthreats.net/2009675; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Windows_Shell; sid:2009675; rev:7;)
 
-#by Matt Jonkman from spyware listeningpost data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting"; flow:established,to_server; uricontent:"/stat.php?id="; nocase; uricontent:"&web_id="; nocase; content:"Host\:"; nocase; content:!"Referer\: "; nocase; classtype:trojan-activity; reference:url,vil.nai.com/vil/content/v_140364.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2003607; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Cnzz.com; sid:2003607; rev:7;)
+#by Kevin Ross
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Ipconfig Response Detected"; flow:from_server,established; content:"Windows IP Configuration"; content:"Ethernet adapter Local Area Connection"; offset:35; depth:55; classtype:successful-recon-limited; reference:url,en.wikipedia.org/wiki/Ipconfig; reference:url,doc.emergingthreats.net/2009676; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Windows_Shell; sid:2009676; rev:6;)
 
-#Submitted by Jason Haar, modified
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Comet Systems Spyware Traffic"; flow: to_server,established; uricontent:"/cc/"; content:"Host\: update.cc.cometsystems.com"; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000931; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Comet_Cursor_Spyware; sid: 2000931; rev:7;)
+#By Erik Fichtner
+#
+alert tcp $HOME_NET any -> 87.98.168.239/32 $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Zone-H.org defacement notification"; flow: established,to_server; content:"notify_"; fast_pattern:only; nocase; pcre:"/notify_(defacer|domain|hackmode|reason)=/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001616; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Zone-h_Defacement; sid:2001616; rev:11;)
 
-#Submitted by Jonathan Miner
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CometSystems Spyware"; flow: to_server,established; uricontent:"/comet/request"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001050; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Comet_Cursor_Spyware; sid: 2001050; rev:7;)
+#by Matt Jonkman
+#
+alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (linux style)"; flow:established,from_server; content:"root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/"; nocase; classtype:misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002034; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_etc-passwd; sid:2002034; rev:8;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Comet Systems Spyware Traffic (context.xml)"; flow: to_server,established; uricontent:"/context/1/up_context_1.xml"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083029; reference:url,doc.emergingthreats.net/bin/view/Main/2001655; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Comet_Cursor_Spyware; sid: 2001655; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Comet Systems Spyware Reporting"; flow: to_server,established; content:"Host\: log.cc.cometsystems.com"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001658; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Comet_Cursor_Spyware; sid: 2001658; rev:5;)
-#from Listening Post data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Comet Systems Spyware Update Download"; flow: to_server,established; uricontent:"/cc/5/masterconfig/"; nocase; uricontent:"/update.xml?v="; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002351; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Comet_Cursor_Spyware; sid: 2002351; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Comet Systems Spyware Context Report"; flow: to_server,established; uricontent:"/context/1/up_context_1.xml?v="; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002352; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Comet_Cursor_Spyware; sid: 2002352; rev:3;)
+#by Matt Jonkman
+#
+alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (BSD style)"; flow:established,from_server; content:"root|3a|*|3a|0|3a|0|3a|"; nocase; content:"|3a|/root|3a|/bin"; nocase; classtype:misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003071; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_etc-passwd; sid:2003071; rev:5;)
 
-#from spywarelp data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Comet Systems Spyware Cursor DL"; flow: to_server,established; uricontent:"/czcontent/cursor"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2003307; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Comet_Cursor_Spyware; sid: 2003307; rev:3;)
+#by Matt Jonkman
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via SMTP (linux style)"; flow:established,from_server; content:"root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/"; nocase; classtype:misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003149; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_etc-passwd; sid:2003149; rev:4;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Conduit Connect Toolbar Message Download(Many report to be benign)"; flow: to_server,established; uricontent:"/Message/"; content:"User-Agent\: EI"; nocase; pcre:"/\/Message\/\S+\/\S+\.xml/Ui"; reference:url,www.conduit.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003218; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Conduit_Connect; sid: 2003218; rev:3;)
+#by Matt Jonkman
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via SMTP (BSD style)"; flow:established,from_server; content:"root|3a|*|3a|0|3a|0|3a|"; nocase; content:"|3a|/root|3a|/bin"; nocase; classtype:misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003150; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_etc-passwd; sid:2003150; rev:4;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Content-loader.com Spyware Install"; flow: to_server,established; uricontent:"/getexe/?wmid="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003074; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Contentloader.com; sid: 2003074; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Content-loader.com Spyware Install 2"; flow: to_server,established; uricontent:"/getdata/getdata.php?wmid="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003075; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Contentloader.com; sid: 2003075; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Content-loader.com (ownusa.info) Spyware Install"; flow: to_server,established; uricontent:"/fdial2.php?o="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003076; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Contentloader.com; sid: 2003076; rev:3;)
+#by kevin ross
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Multimedia Doc.media.newPlayer Memory Corruption Attempt"; flow:to_client,established; content:"PDF-"; nocase; depth:300; content:"this.media.newPlayer|28|null"; nocase; distance:0; content:"util.printd"; nocase; within:150; classtype:attempted-user; reference:url,www.metasploit.com/redmine/projects/framework/repository/revisions/7881/entry/modules/exploits/windows/fileformat/adobe_media_newplayer.rb; reference:url,vrt-sourcefire.blogspot.com/2009/12/adobe-reader-medianewplayer-analysis.html; reference:url,www.securityfocus.com/bid/37331; reference:cve,2009-4324; reference:url,doc.emergingthreats.net/2010495; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Adobe; sid:2010495; rev:10;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Context Plus Spyware Install"; flow: established,to_server; uricontent:"/AproposClientInstaller.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001704; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ContextPlus.net; sid: 2001704; rev:6;)
+#by evilghost
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Adobe 0day Shovelware"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a|"; http_header; nocase; content:"/ppp/listdir.php?dir="; nocase; http_uri; pcre:"/\/[a-z]{2}\/[a-z]{4}01\/ppp\/listdir\.php\?dir=/Ui"; classtype:trojan-activity; reference:url,isc.sans.org/diary.html?storyid=7747; reference:url,doc.emergingthreats.net/2010496; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Adobe; sid:2010496; rev:7;)
 
-#Submitted by Chris Norton
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ContextPanel Reporting"; flow: to_server,established; uricontent:"/cplog/?logtype="; nocase; content:"contextpanel.com"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001456; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Contextpanel; sid: 2001456; rev:5;)
+#kevin ross
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Reader and Acrobat Forms Data Format Remote Security Bypass Attempt"; flow:established,to_client; file_data; content:"%FDF-"; depth:300; content:"/F(JavaScript|3a|"; nocase; distance:0; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37763; reference:cve,2009-3956; reference:url,doc.emergingthreats.net/2010664; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Adobe; reference:url,www.stratsec.net/files/SS-2010-001_Stratsec_Acrobat_Script_Injection_Security_Advisory_v1.0.pdf; sid:2010664; rev:8;)
 
-#by Jacob Kitchel
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CoolDeskAlert Spyware Activity"; flow:to_server,established; uricontent:"/alert/get_xml"; nocase; content:"deskbar_id={"; nocase; reference:url,cooldeskalert.com; reference:url,www.benedelman.org/spyware/images/bannerfarms-ad_w_a_r_e-globalstore-log-061006.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003462; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CoolDeskAlert; sid:2003462; rev:3;)
+#kevin ross
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible NOS Microsystems Adobe Reader/Acrobat getPlus Get_atlcomHelper ActiveX Control Multiple Stack Overflows Remote Code Execution Attempt"; flow:established,to_client; file_data; content:"E2883E8F-472F-4fb0-9522-AC9BF37916A7"; nocase; distance:0; content:"offer-"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E2883E8F-472F-4fb0-9522-AC9BF37916A7.+offer-(ineligible|preinstalled|declined|accepted)/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37759; reference:url,www.kb.cert.org/vuls/id/773545; reference:url,www.adobe.com/support/security/bulletins/apsb10-02.html; reference:url,www.exploit-db.com/exploits/11172/; reference:cve,2009-3958; reference:url,doc.emergingthreats.net/2010665; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Adobe; sid:2010665; rev:8;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Coolsearch Spyware Install"; flow: to_server,established; content:"coolsearch.biz/united.htm"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001479; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Coolsearch; sid: 2001479; rev:7;)
+#kevin ross
+#
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Adobe Macromedia Flash Player In Windows XP Remote Arbitrary Code Execution CLSID Access Attempt"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D27CDB6E-AE6D-11cf-96B8-444553540000/si"; classtype:attempted-user; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19710; reference:url,www.kb.cert.org/vuls/id/204889; reference:url,www.microsoft.com/technet/security/advisory/979267.mspx; reference:url,doc.emergingthreats.net/2010666; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Adobe; sid:2010666; rev:4;)
 
-#from Lance James and Secure Science www.securescience.net -- Thanks Lance!
-#too many falses...
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net Blind Data Upload"; flow:to_server,established; uricontent:"/images/data.php?"; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002774; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Corpsespyware; sid:2002774; rev:3;)
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net BlackListed Malicious Domain - google.vc"; flow:to_server,established; content:"Host\:"; nocase; content:"google.vc"; nocase; within:30; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002765; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Corpsespyware; sid:2002765; rev:4;)
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net BlackList - pcpeek"; flow:to_server,established; content:"Host\:"; nocase; content:"pcpeek-webcam-sex.com"; nocase; within:40; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002766; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Corpsespyware; sid:2002766; rev:4;)
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net Distribution - bos.biz"; flow:to_server,established; content:"Host\:"; nocase; content:"businessopportunityseeker.biz"; nocase; within:50; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002767; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Corpsespyware; sid:2002767; rev:4;)
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net Distribution - fesexy"; flow:to_server,established; content:"Host\:"; nocase; content:"fesexy.net"; nocase; within:20; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002768; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Corpsespyware; sid:2002768; rev:4;)
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net Distribution - studiolacase"; flow:to_server,established; content:"Host\:"; nocase; content:"studiolacase.com"; nocase; within:30; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002769; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Corpsespyware; sid:2002769; rev:5;)
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net - msits.exe access"; flow:to_server,established; uricontent:"/msits.exe"; nocase; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002770; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Corpsespyware; sid:2002770; rev:3;)
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net - msys.exe access"; flow:to_server,established; uricontent:"/msys.exe"; nocase; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002771; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Corpsespyware; sid:2002771; rev:3;)
+#by L0rd Ch0de1m0rt
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Flash 0Day Exploit Attempt"; flow:established,from_server; content:"CWS|09|"; content:"|BA D5 19 5D 86 67 D5 8E 7F BC D0 3C 6E D8 E2 17 16 E8 3A 9F CF 59 B8 7B F6|"; distance:16; classtype:misc-attack; reference:url,www.exploit-db.com/exploits/13787/; reference:url,doc.emergingthreats.net/2011672; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Adobe; sid:2011672; rev:4;)
 
-#Submitted by Chris Norton
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Couponage Download"; flow: to_server,established; uricontent:".dl_"; nocase; content:"couponage.com"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; reference:url,doc.emergingthreats.net/bin/view/Main/2001453; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Couponage; sid: 2001453; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Couponage Configure"; flow: to_server,established; content:".da_"; nocase; content:"couponage.com"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; reference:url,doc.emergingthreats.net/bin/view/Main/2001454; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Couponage; sid: 2001454; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Couponage Reporting"; flow: to_server,established; content:"/?keyword="; nocase; content:"couponage.com"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; reference:url,doc.emergingthreats.net/bin/view/Main/2001455; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Couponage; sid: 2001455; rev:6;)
+#by kevin ross
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible NOS Microsystems Adobe Reader/Acrobat getPlus Get_atlcom Helper ActiveX Control Multiple Stack Overflows Remote Code Execution Attempt"; flow:established,to_client; file_data; content:"clsid"; nocase; distance:0; content:"E2883E8F-472F-4fb0-9522-AC9BF37916A7"; nocase; distance:0; content:!"offer-"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E2883E8F-472F-4fb0-9522-AC9BF37916A7.+(service-url|banner|noexec|OS|Lang|return-page|core-product|userid|itemid|_c[xy]|sec-param|secparam)/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37759; reference:url,www.kb.cert.org/vuls/id/773545; reference:url,www.exploit-db.com/exploits/11172/; reference:url,www.adobe.com/support/security/bulletins/apsb10-02.html; reference:cve,2009-3958; reference:url,doc.emergingthreats.net/2011675; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Adobe; sid:2011675; rev:5;)
 
-#From Vernon Stark
-#alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image"; flow: established,from_server; content:"Content-Type|3a| image"; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001683; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid: 2001683; rev:8;)
-alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send image, Win32"; flow: established,from_server; content:"Content-Type|3a| image"; content:"|0d 0a|MZ"; isdataat: 76,relative; content:"This program must be run under Win32"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001684; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2001684; rev:9;)
-alert tcp any !20 -> $HOME_NET !25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send an image"; flow: established,from_server; content:"Content-Type|3a| image"; content:"|0d 0a|MZ"; within: 12; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001685; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2001685; rev:7;)
-alert tcp $EXTERNAL_NET !20 -> $HOME_NET !25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send Javascript"; flow: established,from_server; content:"|0d 0a|Content-Type|3a| application/"; content:"javascript|0d 0a|"; within:14; content:"|0d 0a 0d 0a|MZ"; within: 40; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008367; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2008367; rev:4;)
+#by jaime blasco
+#seeing if these last, ua may change often
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAV AntivirusDoktor2009 User-Agent (768)"; flow:established,to_server; content:"User-Agent|3a| 768"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010682; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_AntivirusDoktor2009; sid:2010682; rev:4;)
 
-#deapesh misra
-alert tcp any !20 -> $HOME_NET !25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow: established,from_server; content:"Content-Type|3a| text/plain"; content:"|0d 0a|MZ"; within: 12; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2008438; rev:3;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send html content"; flow: established,from_server; content:"Content-Type|3a| text/html|0d 0a|"; content:"|0d 0a|MZ"; within: 100; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2009897; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2009897; rev:2;)
+#by jaime blasco
+#seeing if these last, ua may change often
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAV AntivirusDoktor2009 User-Agent (657)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| 657"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010683; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_AntivirusDoktor2009; sid:2010683; rev:4;)
 
-#from vienna
-alert tcp any !20 -> $HOME_NET !25 (msg:"ET MALWARE Possible Rar'd Malware sent when remote host claims to send an Image"; flow:established,from_server; content:"Content-Type|3a| image/"; content:"|0d 0a|Rar!"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008754; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2008754; rev:2;)
+#by David Wharton
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internal User may have Visited an ASProx Infected Site (ads-t.ru)"; flow:established,from_server; file_data; content:"<script src=http|3a|//www.ads-t.ru/ads.js>"; nocase; classtype:trojan-activity; reference:url,garwarner.blogspot.com/2009/10/cyber-security-awareness-month-day-one.html; reference:url,doc.emergingthreats.net/2010032; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Asprox; sid:2010032; rev:4;)
 
-# by: Deapesh Misra
-alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send HTML/CSS Content"; flow:established,to_client; content:"Content-Type\: text/css|0d 0a|"; content:"|0d 0a|MZ"; within:500; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2009909; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2009909; rev:1;)
+#by David Wharton
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internal User may have Visited an ASProx Infected Site (bannert.ru)"; flow:established,from_server; file_data; content:"<script src=http|3a|//www.bannert.ru/ads.js>"; nocase; classtype:trojan-activity; reference:url,garwarner.blogspot.com/2009/10/cyber-security-awareness-month-day-one.html; reference:url,doc.emergingthreats.net/2010033; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Asprox; sid:2010033; rev:4;)
 
-#by evilghost
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Executable purporting to be .txt file with no Referrer - Likely Malware"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:".txt"; nocase; pcre:"/\.txt$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010500; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2010500; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Executable purporting to be .cfg file with no Referrer - Likely Malware"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:".cfg"; nocase; pcre:"/\.cfg$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010501; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2010501; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Executable purporting to be .bin file with no Referrer - Likely Malware"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:".bin"; nocase; pcre:"/\.bin$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010502; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2010502; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Executable purporting to be .jpg file with no Referrer - Likely Malware"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:".jpg"; nocase; pcre:"/\.jpg$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010503; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2010503; rev:2;)
+#by David Wharton
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internal User may have Visited an ASProx Infected Site (bannerdriven.ru)"; flow:established,from_server; file_data; content:"<script src=http|3a|//www.bannerdriven.ru/ads.js>"; nocase; classtype:trojan-activity; reference:url,garwarner.blogspot.com/2009/10/cyber-security-awareness-month-day-one.html; reference:url,doc.emergingthreats.net/2010034; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Asprox; sid:2010034; rev:5;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CrazyWinnings.com Activity"; flow: established,to_server; uricontent:"/scripts/protect.php?promo=promo"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001733; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CrazyWinnings.com; sid: 2001733; rev:5;)
+#by Daniel Sheperd
+#
+alert udp any any -> any 53 (msg:"ET DOS DNS BIND 9 Dynamic Update DoS attempt"; byte_test:1,&,40,2; byte_test:1,>,0,5; byte_test:1,>,0,1; content:"|00 00 06|"; offset:8; content:"|c0 0c 00 ff|"; distance:2; classtype:attempted-dos; reference:cve,2009-0696; reference:url,doc.emergingthreats.net/2009701; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Bind; sid:2009701; rev:2;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Default-homepage-network.com Access"; flow: to_server,established; content:"wsh.RegWrite"; nocase; content:"default-homepage-network.com/start.cgi?"; nocase; reference:url,default-homepage-network.com/start.cgi?new-hkcu; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001222; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Default-Homepage-Network; sid: 2001222; rev:8;)
+#by Kevin Ross, temporary, based on a specific exploit if generated in hping
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET [22,23,80,443,10000] (msg:"ET CURRENT_EVENTS Possible Cisco PIX/ASA Denial Of Service Attempt (Hping Created Packets)"; flow:to_server; content:"|58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58|"; depth:40; content:"|58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58|"; distance:300; isdataat:300,relative; threshold: type threshold, track by_src, count 60, seconds 80; classtype:attempted-dos; reference:url,www.securityfocus.com/bid/34429/info; reference:url,www.securityfocus.com/bid/34429/exploit; reference:url,www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080a99518.html; reference:cve,2009-1157; reference:url,doc.emergingthreats.net/2010624; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Cisco; sid:2010624; rev:2;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DelFin Project Spyware (payload)"; flow: established,to_server; uricontent:"/in/payload/payload.nfo?"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002816; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Delfin; sid:2002816; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DelFin Project Spyware (setup)"; flow: established,to_server; uricontent:"/in/defaults/setup.nfo?"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002817; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Delfin; sid:2002817; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DelFin Project Spyware (setup-alt)"; flow: established,to_server; uricontent:"/in/defaults/setup-alt.nfo?"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003472; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Delfin; sid:2003472; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DelFin Project Spyware (payload-alt)"; flow: established,to_server; uricontent:"/in/payload/payload-alt.nfo?"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003473; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Delfin; sid:2003473; rev:3;)
+#by Kevin Ross, temporary, based on a specific exploit if generated in hping
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET DOS Possible Cisco ASA 5500 Series Adaptive Security Appliance Remote SIP Inspection Device Reload Denial of Service Attempt"; flow:established,to_server; content:"REGISTER"; depth:8; nocase; isdataat:400,relative; pcre:"/REGISTER.{400}/smi"; classtype:attempted-dos; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19915; reference:cve,2010-0569; reference:url,doc.emergingthreats.net/2010817; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Cisco; sid:2010817; rev:3;)
 
-#submitted by John Stewart
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DesktopTraffic Toolbar Spyware"; flow: to_server,established; uricontent:"cgi-bin/ezl_kws.fcgi?cat"; nocase; reference:url,research.spysweeper.com/threat_library/threat_details.php?threat=desktoptraffic.net_hijack; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001884; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_DeskTopTraffic; sid: 2001884; rev:3;)
+#Temporarily disabled until we get a fix for an FP problem
+#
+#alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET DOS Possible Cisco ASA 5500 Series Adaptive Security Appliance Remote SIP Inspection Device Reload Denial of Service Attempt"; content:"REGISTER"; depth:8; nocase; isdataat:400,relative; pcre:"/REGISTER.{400}/smi"; classtype:attempted-dos; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19915; reference:cve,2010-0569; reference:url,doc.emergingthreats.net/2010818; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Cisco; sid:2010818; rev:3;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Deskwizz.com Spyware Install INI Download"; flow: to_server,established; uricontent:"/GetAd/tekID"; nocase; uricontent:".ini"; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2003445; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Deskwizz.com; sid: 2003445; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Deskwizz.com Spyware Install Code Download"; flow: to_server,established; uricontent:"/ax/acdt-pid"; nocase; uricontent:".exe"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2003444; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Deskwizz.com; sid: 2003444; rev:3;)
+#matt jonkman, idea from Jason Weir
+#
+##alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED DHL Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|DHL_"; nocase; pcre:"/filename=\x22DHL_(label_id|ID.document)\.Nr[0-9]{4,5}\.zip\x22/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010148; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL; sid:2010148; rev:9;)
 
-#by matt jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Direct-web.co.kr Related Spyware Checkin"; flow:established,to_server; uricontent:".php?appname="; nocase; uricontent:"&appseq="; nocase; uricontent:"&mac="; nocase; uricontent:"&type="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007978; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Direct-web.co.kr; sid:2007978; rev:2;)
+#matt jonkman, idea from Jason Weir
+#
+##alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED WU Malicious Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename"; within:100; content:"WU_Details_"; within:50; pcre:"/filename\s*=\s*"WU_Details_.....\.zip/m"; classtype:trojan-activity; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL; reference:url,doc.emergingthreats.net/2010376; sid:2010376; rev:3;)
 
-#this is for the recent rash of .co.kr fake antispyware products we're seeing.
-#doctorpro.co.kr, karine.co.kr, Vaccineprogram.co.kr, Mycashbank.co.kr, etc. There will surely be more. Similar url patterns though
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Install Checkin"; flow:established,to_server; uricontent:"/install_count.html?id="; nocase; uricontent:"&MAC="; nocase; pcre:"/MAC=0\w-\w\w-\w\w-\w\w-\w\w-\w\w/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006425; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Doctorpro_and_Related; sid:2006425; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin"; flow:established,to_server; uricontent:"/access_count.html?id="; nocase; uricontent:"&MAC="; nocase; pcre:"/MAC=0\w-\w\w-\w\w-\w\w-\w\w-\w\w/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006426; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Doctorpro_and_Related; sid:2006426; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Mac Check"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ctrl/nchkmac.php?mac=0"; nocase; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006427; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Doctorpro_and_Related; sid:2006427; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin (open)"; flow:established,to_server; uricontent:"/open.php?sn="; nocase; pcre:"/sn=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006428; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Doctorpro_and_Related; sid:2006428; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Post"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ctrl/chkblack.php?mac=0"; nocase; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006431; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Doctorpro_and_Related; sid:2006431; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin (ret)"; flow:established,to_server; uricontent:"/ret.php?"; nocase; uricontent:"mode="; nocase; uricontent:"&cname="; nocase; uricontent:"&cn="; nocase; pcre:"/cn=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006432; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Doctorpro_and_Related; sid:2006432; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Post (api_result)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ctrl/api_result.php?"; nocase; uricontent:"mode="; nocase; uricontent:"&PartID="; nocase; uricontent:"&mac="; nocase; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006433; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Doctorpro_and_Related; sid:2006433; rev:4;)
+#by jason weir and wolvee
+#
+##alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED Facebook Spam Inbound (1)"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename"; within:100; content:"Facebook_Password"; within:50; pcre:"/filename\s*=\s*Facebook_Password_[0-9]{5}\.zip/m"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010497; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL; sid:2010497; rev:3;)
 
-#more from the same folks
-#by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Viruscheck.co.kr Related Fake Anti-Spyware Post (chkvs)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/chkvs.php?mac=0"; nocase; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007642; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Doctorpro_and_Related; sid:2007642; rev:4;)
+#by jason weir and wolvee
+#
+##alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED Facebook Spam Inbound (2)"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|Facebook"; pcre:"/filename=\x22Facebook_(Password|Support|Document)_[A-Z0-9]{4,7}\.zip\x22/m"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010498; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL; sid:2010498; rev:4;)
 
 #Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Dollarrevenue.com Spyware Code Download"; flow:established,to_server; uricontent:"/bundle/drsmartload.exe"; nocase; reference:url,dollarrevenue.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002967; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Dollarrevenue.net; sid:2002967; rev:3;)
+#
+##alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED MySpace Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename"; within:100; content:"MySpace"; within:50; pcre:"/filename\s*=\s*MySpace_document_[0-9]{5}\.zip/m"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010629; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL; sid:2010629; rev:3;)
 
-#by Scot Melnick
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TROJAN_VB Microjoin"; flow:established,to_server; uricontent:"/bundle/loader.exe"; nocase; reference:url,de.trendmicro-europe.com/consumer/vinfo/encyclopedia.php?VName=TROJ_VB.AWW; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003084; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Dropper.Microjoin; sid:2003084; rev:3;)
+#Matt Jonkman
+#
+##alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename"; within:100; content:"UPS"; within:50; pcre:"/filename\s*=\s*UPS_invoice_NR[0-9]{5}\.zip/m"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010644; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL; sid:2010644; rev:3;)
 
-#by Matt Jonkman, from Spyware Listening Post data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Dropspam.com Spyware Reporting"; flow:established,to_server; uricontent:"/reportaddon.cgi?"; nocase; uricontent:"report.cgi?"; nocase; uricontent:"user="; nocase; uricontent:"software="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003440; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Dropspam.com; sid:2003440; rev:3;)
+#evilghost
+#
+##alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Spam Inbound Variant 2"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename"; within:100; content:"UPS_INVOICE_NR"; within:50; pcre:"/filename=\x22UPS_INVOICE_NR\.[0-9]{4}-[0-9]{6}\.zip\x22/mi"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/201150; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL; sid:2011150; rev:3;)
 
-#matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Related Downloading IeBHOs.dll"; flow: to_server,established; uricontent:"/downloads/IeBHOs.dll"; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001415; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_E2give.com; sid:2001415; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Related Reporting Install"; flow: to_server,established; uricontent:"/count/count.php?&mm"; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001416; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_E2give.com; sid:2001416; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Related Receiving Config"; flow: to_server,established; uricontent:"/config/?"; nocase; uricontent: "v=5"; nocase; uricontent: "n=mm2"; nocase; uricontent: "i="; nocase; classtype:trojan-activity; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001417; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_E2give.com; sid:2001417; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Related Downloading Code"; flow: to_server,established; uricontent:"/soft/unstall.exe"; nocase; classtype:trojan-activity; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001418; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_E2give.com; sid:2001418; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Related Reporting"; flow: to_server,established; uricontent:"/count/count.php?&mm2cpr"; nocase; classtype:trojan-activity; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001423; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_E2give.com; sid:2001423; rev:7;)
+#evilghost
+#
+##alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Spam Inbound Variant 3"; flow:established,to_server; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|UPS_LABEL_NR."; nocase; within:50; pcre:"/filename=\x22UPS_LABEL_NR\.[A-Z]+_[0-9]{4}-\d+\.ZIP\x22/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2011151; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL; sid:2011151; rev:3;)
 
-#from spyware listening post hits
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Spyware Reporting (check url)"; flow: to_server,established; uricontent:"/go/check?build="; nocase; uricontent:"&source="; nocase; uricontent:"&merchants="; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003504; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_E2give.com; sid: 2003504; rev:3;)
+#by many very smart people
+#This may be a high load sig. Take time and seriously consider
+#that your dns_servers var is set as narrowly as possible
+#disabling, remove in the not too distant future
+#
+#alert udp any 53 -> $DNS_SERVERS any (msg:"ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt"; byte_test:2,>,0,6; byte_test:2,>,0,10; threshold: type both, track by_src, count 100, seconds 10; classtype:bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2008446; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DNS_Poisoning; sid:2008446; rev:9;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ESyndicate Spyware Install (esyndicateinst.exe)"; flow: to_server,established; uricontent:"/files/eSyndicateInst.exe"; nocase; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; reference:url,doc.emergingthreats.net/bin/view/Main/2002009; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ESyndicate; sid: 2002009; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ESyndicate Spyware Install (sepinst.exe)"; flow: to_server,established; uricontent:"/files/SEPInst.exe"; nocase; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; reference:url,doc.emergingthreats.net/bin/view/Main/2002010; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ESyndicate; sid: 2002010; rev:6;)
-
-#By Matt Jonkman, From spyware listening post data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EZSearch Spyware Reporting Search Strings"; flow:established,to_server; uricontent:"/partner/rt.php?q="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002317; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_EZSearch; sid:2002317; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EZSearch Spyware Reporting Search Category"; flow:established,to_server; uricontent:"/partner/rt.php?cat="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002318; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_EZSearch; sid:2002318; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EZSearch Spyware Reporting 2"; flow:established,to_server; uricontent:"/partner/bom.php?e="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002319; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_EZSearch; sid:2002319; rev:3;)
+#this will catch large numbers of nxdomain replies, a sign that someone may be trying to poison you
+#
+#alert udp any 53 -> $HOME_NET any (msg:"ET DNS Excessive NXDOMAIN responses - Possible DNS Poisoning Attempt Backscatter"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; threshold: type both, track by_src, count 100, seconds 10; classtype:bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2008470; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DNS_Poisoning; sid:2008470; rev:3;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Ebates Install"; flow: to_server,established; uricontent:"/ebates.exe"; reference:url,www.pestpatrol.com/PestInfo/e/ebates_moneymaker.asp; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001038; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Ebates_Moe_Money_Maker; sid: 2001038; rev:7;)
+#by Greg Martin at Econet
+#
+#alert udp any 53 -> $HOME_NET any (msg:"ET DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible NS RR Cache Poisoning Attempt"; content: "|85 00 00 01 00 01 00 01|"; offset: 2; depth:8; threshold: type both, track by_src,count 50, seconds 2; classtype:bad-unknown; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008447; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DNS_Poisoning; sid:2008447; rev:7;)
 
-#from spyware listening post data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Effectivebrands.com Spyware Checkin"; flow:established,to_server; uricontent:"/iis2ebs.asp"; nocase; content:"effectivebrands.com"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003304; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Effectivebrands.com; sid:2003304; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Effectivebrands.com Spyware Checkin 2"; flow:established,to_server; uricontent:"/iis2ucms.asp"; nocase; content:"effectivebrands.com"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003360; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Effectivebrands.com; sid:2003360; rev:3;)
+#by Greg Martin at Econet
+#
+#alert udp any 53 -> $HOME_NET any (msg:"ET DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible A RR Cache Poisoning Attempt"; content: "|81 80 00 01 00 01 00 01|"; offset: 2; depth:8; threshold: type both, track by_src, count 50, seconds 2; classtype:bad-unknown; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008475; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DNS_Poisoning; sid:2008475; rev:4;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Elitemediagroup.net Spyware Config Download"; flow:established,to_server; uricontent:"/bundle.php?aff="; nocase; reference:url,elitemediagroup.net; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002966; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Elitemediagroup.net; sid:2002966; rev:3;)
-#By Matt Jonkman, From spyware listening post data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Epilot.com Spyware Reporting"; flow:established,to_server; uricontent:"/getresults.aspx"; nocase; uricontent:"?aff="; nocase; uricontent:"&ip="; nocase; uricontent:"&keyword="; nocase; uricontent:"&source="; nocase; reference:url,www.intermute.com/spysubtract/researchcenter/ClientMan.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003414; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Epilot.com; sid:2003414; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Epilot.com Spyware Reporting Clicks"; flow:established,to_server; uricontent:"/click.aspx?"; nocase; uricontent:"?xp="; nocase; content:"Host\: "; nocase; content:"epilot.com"; nocase; distance:0; reference:url,www.intermute.com/spysubtract/researchcenter/ClientMan.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003416; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Epilot.com; sid:2003416; rev:3;)
+#by evilghost
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential Fake Anti-Virus Download Inst_58s6.exe"; flow:established,to_server; content:"/Inst_58s6.exe"; nocase; http_uri; classtype:trojan-activity; reference:url,cyveillanceblog.com/general-cyberintel/malware-google-search-results; reference:url,doc.emergingthreats.net/2010339; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_FakeAV; sid:2010339; rev:3;)
 
-#matt Jonkman from Spyware LP Data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Evidencenuker.com Fake AV Updating"; flow:established,to_server; uricontent:"/products/evidencenuker/update.php?version="; nocase; reference:url,www.evidencenuker.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003568; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_EvidenceNuker.com; sid:2003568; rev:3;)
+#by evilghost
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Potential FakeAV download ASetup_2009.exe variant"; flow:established,to_server; content:"GET"; nocase; http_method; content:"Setup_"; nocase; http_uri; content:".exe"; nocase; http_uri; content:!"|0d 0a|Referer|3a| "; nocase; http_header; pcre:"/\/[A-Z]Setup_[0-9]{4}\.exe$/Ui"; classtype:trojan-activity; reference:url,www.prevx.com/avgraph/1/AVG.html; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Fakeav_Setup_dl; reference:url,doc.emergingthreats.net/2010901; sid:2010901; rev:5;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE F1Organizer Install Attempt"; flow: to_server,established; uricontent:"/f1/objects/"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000585; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_F1Organizer.com; sid: 2000585; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE F1Organizer Reporting"; flow: to_server,established; uricontent:"/f1/audit/"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000582; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_F1Organizer.com; sid: 2000582; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE F1Organizer Config Download"; flow: to_server,established; uricontent:"/F1/Cmd4F1"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001221; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_F1Organizer.com; sid: 2001221; rev:6;)
+#2010-07-09 By Evilghost and Mike Cox
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAV Download with Cookie WinSec"; flow:established,to_server; content:"/down.php?c="; nocase; http_uri; content:"WinSec"; nocase; http_cookie; classtype:trojan-activity; reference:url,www.virustotal.com/analisis/6b5ff522ddf418a5cca87ebd924736774c1a58a9b51bb44ee72dac01f0db317a-1278686791; reference:url,doc.emergingthreats.net/2011178; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_FakeAV; sid:2011178; rev:4;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Featured-Results.com Agent Reporting Data"; flow: to_server,established; uricontent:"action=any"; nocase; uricontent:"country="; nocase; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/.*perl\/fr\.pl/i"; reference:url,www.featured-results.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001293; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Featured-results; sid: 2001293; rev:9;)
+#by Eoin Miller
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Likely FAKEAV scanner page encountered - i1000000.gif"; flow:established,to_server; content:"/i1000000.gif"; http_uri; nocase; classtype:bad-unknown; reference:url,doc.emergingthreats.net/2011760; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_FakeAV; sid:2011760; rev:7;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Findwhat.com Spyware (clickthrough)"; flow: to_server,established; uricontent:"/bin/findwhat.dll?clickthrough&"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003579; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Findwhat.com; sid:2003579; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Findwhat.com Spyware (sendtracker)"; flow: to_server,established; uricontent:"/bin/findwhat.dll?sendtracker&"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003580; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Findwhat.com; sid:2003580; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Findwhat.com Spyware (sendmedia)"; flow: to_server,established; uricontent:"/bin/findwhat.dll?sendmedia&"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003581; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Findwhat.com; sid:2003581; rev:3;)
+#by evilghost
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Potential FakeAV download Setup_103s1 or Setup_207 variant"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/Setup_"; nocase; http_uri; content:".exe"; nocase; http_uri; content:!"|0d 0a|Referer|3a| "; nocase; http_header; pcre:"/\/Setup_[0-9]{3}([A-Z][0-9])?\.exe$/Ui"; classtype:trojan-activity; reference:url,www.prevx.com/avgraph/1/AVG.html; reference:url,doc.emergingthreats.net/2010867; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Fakeav_Setup_dl; sid:2010867; rev:6;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE FlashPoint Agent Retrieving New Code"; flow: to_server,established; uricontent:"/ftxmon.php?"; reference:url,www.flashpoint.bm; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000905; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_FlashPoint; sid: 2000905; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE FlashTrack Agent Retrieving New App Code"; flow: to_server,established; uricontent:"/apps/r.exe"; reference:url,www.flashpoint.bm; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000936; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_FlashPoint; sid: 2000936; rev:7;)
+#by mike cox
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RFI Scanner Success (Fx29ID)"; flow:established,from_server; content:"FeeLCoMzFeeLCoMz"; fast_pattern:only; classtype:successful-user; reference:url,doc.emergingthreats.net/2010463; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_FeeLCoMz; sid:2010463; rev:5;)
 
-#matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Flingstone Spyware Install (cxtpls)"; flow: established,to_server; uricontent:"/softwares/cxtpls_loader_ff.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001710; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Flingstone; sid: 2001710; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Flingstone Spyware Install (sportsinteraction)"; flow: established,to_server; uricontent:"/softwares/SportsInteraction.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001705; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Flingstone; sid: 2001705; rev:8;)
+#by kevin ross
+#needs removed somewhere around the end of may 2010
+#Modified Slightly to Improve Detection (Action seems to be able to come either side of Launch so removed it and left in launch and win and added in a content match for .exe
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Foxit/Adobe PDF Reader Launch Action Remote Code Execution Attempt"; flow:to_client,established; file_data; content:"PDF-"; nocase; depth:300; content:"Launch"; distance:0; content:"Win"; distance:0; content:".exe"; nocase; distance:0; classtype:attempted-user; reference:url,www.kb.cert.org/vuls/id/570177; reference:url,www.h-online.com/security/news/item/Criminals-attempt-to-exploit-unpatched-hole-in-Adobe-Reader-979286.html; reference:url,www.sudosecure.net/archives/673; reference:url,www.h-online.com/security/news/item/Adobe-issues-official-workaround-for-PDF-vulnerability-971932.html; reference:url,blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/; reference:url,www.m86security.com/labs/i/PDF-Launch-Feature-Used-to-Install-Zeus,trace.1301~.asp; reference:url,doc.emergingthreats.net/2010968; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/sigs/CURRENT_EVENTS/CURRENT_Foxit; sid:2010968; rev:7;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Freeze.com Spyware/Adware (Install)"; flow: to_server,established; uricontent:"/checkhttp.htm"; nocase; content:"User-Agent\: Wise"; nocase; content:"freeze.com"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002840; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Freeze.com; sid: 2002840; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Freeze.com Spyware/Adware (Install Registration)"; flow: to_server,established; uricontent:"/ping/?shortname="; nocase; content:"User-Agent\: Wise"; nocase; content:"freeze.com"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002841; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Freeze.com; sid: 2002841; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Freeze.com Spyware/Adware (Pulling Ads)"; flow: to_server,established; uricontent:"/ToastMessage/"; nocase; uricontent:"/Toast.asp?ysaid="; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2003362; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Freeze.com; sid: 2003362; rev:3;)
+#by eoin miller and peers
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Hostile domain, NeoSploit FakeAV google.analytics.com.*.info"; flow:established,to_server; content:"GET"; nocase; http_method; content:"|0d 0a|Host|3a| google.analytics.com."; nocase; http_header; content:".info|0d 0a|"; http_header; classtype:trojan-activity; reference:url,www.malwaredomainlist.com/forums/index.php?action=printpage#-#-topic=3781.0; reference:url,doc.emergingthreats.net/2010866; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Hostile_Google_Fake_Domain; sid:2010866; rev:4;)
 
-# by: Jeremy Conway at sudosecure.net
-# ref: f6a78be315d98ba8df4e72296ac8ec0c
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W3i Related Adware/Spyware"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"shortname="; nocase; uricontent:"os="; nocase; uricontent:"v="; nocase; uricontent:"browsers="; nocase; uricontent:"readable="; nocase; classtype:trojan-activity; reference:url,www.tallemu.com/oasis2/vendor/w3i__llc/623302; reference:url,doc.emergingthreats.net/2009705; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Freeze.com; sid:2009705; rev:3;)
+#by mike cox
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED iPhone Bot iKee.B Contacting C&C"; flow:to_server,established; content:"/xml/p.php?id="; http_uri; nocase; pcre:"/\/xml\/p\.php\?id=\d{2,}/Ui"; classtype:trojan-activity; reference:url,mtc.sri.com/iPhone/; reference:url,doc.emergingthreats.net/2010551; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Ikee; sid:2010551; rev:8;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Install"; flow: to_server,established; uricontent:"/install_ie.jsp?product="; reference:url,www.funwebproducts.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000599; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Fun_Web_Products; sid: 2000599; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products SmileyCentral"; flow: to_server,established; uricontent:"/images/smileycentral/"; nocase; content:"FunWebProducts"; nocase; reference:url,www.funwebproducts.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001013; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Fun_Web_Products; sid: 2001013; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Agent Traffic"; flow: to_server,established; content:"FunWebProducts\;"; nocase; threshold: type limit, track by_src, count 2, seconds 360; reference:url,www.funwebproducts.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001034; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Fun_Web_Products; sid: 2001034; rev:16;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products MyWay Agent Traffic"; flow: to_server,established; content:"FunWebProducts-MyWay\;"; nocase; threshold: type limit, track by_src, count 10, seconds 60; reference:url,www.funwebproducts.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001043; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Fun_Web_Products; sid: 2001043; rev:10;)
-#From Listening Post data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Smileychooser Spyware"; flow: to_server,established; uricontent:"/SmileyChooser.html?"; nocase; uricontent:"v="; nocase; reference:url,www.funwebproducts.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002305; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Fun_Web_Products; sid: 2002305; rev:6;)
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Smileychooser Spyware"; flow: to_server,established; uricontent:"/SmileyChooser.html?"; nocase; uricontent:"v="; nocase; reference:url,www.funwebproducts.com; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002310; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Fun_Web_Products; sid:2002310; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Cursorchooser Spyware"; flow: to_server,established; uricontent:"/CursorChooser.html?"; nocase; reference:url,www.funwebproducts.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002306; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Fun_Web_Products; sid: 2002306; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Stampchooser Spyware"; flow: to_server,established; uricontent:"/StampChooser.html?"; nocase; uricontent: "v="; nocase; reference:url,www.funwebproducts.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002307; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Fun_Web_Products; sid: 2002307; rev:5;)
+#by mareadmin
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible JAVA pack200-zip-exploit attempt"; flow:to_client; content:"e.pack.gz"; content:"|0d 0a|Content-Encoding|3a| pack200-gzip"; within:55; classtype:attempted-user; reference:url,isc.sans.org/diary.html?storyid=6805&rss; reference:url,doc.emergingthreats.net/2009665; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Java; sid:2009665; rev:5;)
 
-#by Shirkdog
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products StationaryChooser Spyware"; flow: to_server,established; uricontent:"/StationeryChooser.html?"; nocase; uricontent: "v="; nocase; reference:url,www.funwebproducts.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002858; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Fun_Web_Products; sid: 2002858; rev:3;)
+#by kevin ross
+#A bit more basic detection for the Java Exploit
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Java Deployment Toolkit Launch Method Remote Code Execution Attempt"; flow:established,to_client; content:"-J-jar -J"; fast_pattern:only; pcre:"/(launch\x28.+-J-jar -J|-J-jar -J.+launch\x28)/i"; classtype:attempted-user; reference:url,seclists.org/fulldisclosure/2010/Apr/119; reference:url,www.darknet.org.uk/2010/04/serious-java-bug-exposes-users-to-code-execution/; reference:url,doc.emergingthreats.net/2011053; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Java; sid:2011053; rev:3;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products SmileyCentral IEsp2 Install"; flow: to_server,established; uricontent:"/download/install_ie_sp2.jhtml?"; nocase; uricontent:"product="; nocase; uricontent:"utmCall="; nocase; uricontent:"bOrganic="; nocase; reference:url,www.myfuncards.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003151; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Fun_Web_Products; sid: 2003151; rev:3;)
-#Matt Jonkman from Spyware LP Data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gamehouse.com Activity"; flow: to_server,established; uricontent:"/game-quit-count.jsp?ghgamecode="; reference:url,www.gamehouse.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003348; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Gamehouse.com; sid: 2003348; rev:3;)
+#by mike cox
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Java Web Start Command Injection (.jar)"; flow:established,from_server; content:"http|3a| -J-jar -J|5C 5C 5C 5C|"; nocase; content:".launch("; nocase; pcre:"/http|3a| -J-jar -J\x5C\x5C\x5C\x5C\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x5C\x5C[^\n]*\.jar/i"; classtype:web-application-attack; reference:url,seclists.org/fulldisclosure/2010/Apr/119; reference:url,doc.emergingthreats.net/2011698; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Java; sid:2011698; rev:5;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator Cookie"; flow: to_server,established; content:"webpdpcookie"; content:".gator.com"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000025; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Gator_Agent; sid: 2000025; rev:9;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator Checkin"; flow: to_server,established; uricontent:"/gbsf/"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000595; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Gator_Agent; sid: 2000595; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator New Code Download"; flow: to_server,established; uricontent:"/gatorcme/"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000597; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Gator_Agent; sid: 2000597; rev:7;)
+#by evilghost
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT Java JAR PROPFIND via DAV possible alternative JVM exploit"; flow:established,to_server; content:"PROPFIND "; depth:9; nocase; content:".jar"; nocase; http_uri; content:"User-Agent|3a| Microsoft-WebDAV-MiniRedir"; nocase; http_header; content:!"|0d 0a|Referer|3a| "; nocase; http_header; classtype:bad-unknown; reference:url,blogs.zdnet.com/security/?p=6082; reference:url,doc.emergingthreats.net/2011009; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Java_Webdav; sid:2011009; rev:4;)
 
-#Matt Jonkman (depth added by bobkberg)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator/Claria Data Submission"; flow: to_server,established; content:"POST "; depth:5; uricontent:"gs_trickler"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000596; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Gator_Agent; sid: 2000596; rev:12;)
+#by kevin ross
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Java Deployment Toolkit CSLID Command Execution Attempt"; flow:to_client,established; file_data; content:"CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"; nocase; distance:0; content:"launch"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA/si"; classtype:attempted-user; reference:url,seclists.org/fulldisclosure/2010/Apr/119; reference:url,doc.emergingthreats.net/2011010; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Java_Webdav; sid:2011010; rev:7;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator/Clarian Agent"; flow: to_server,established; uricontent:"/gbsf/"; nocase; uricontent:"gtrg2ze"; nocase; classtype:policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2001306; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Gator_Agent; sid:2001306; rev:9;)
+#by kevin ross
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Microsoft Windows Shortcut LNK File Automatic File Execution Attempt Via WebDAV"; flow:established,to_client; file_data; content:"<lp2|3A|executable>T</lp2|3A|executable>"; nocase; content:"<D|3A|lockscope><D|3A|shared/></D|3A|lockscope>"; nocase; distance:0; content:"<D|3A|locktype><D|3A|write/></D|3A|locktype>"; nocase; distance:0; content:"<D|3A|getcontenttype>shortcut</D|3A|getcontenttype>"; nocase; distance:0; classtype:attempted-user; reference:url,support.microsoft.com/kb/2286198; reference:url,www.kb.cert.org/vuls/id/940193; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20918; reference:cve,2010-2568; reference:url,doc.emergingthreats.net/2011239; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Lnk; sid:2011239; rev:3;)
 
-#Matt Jonkman, from spyware LP Data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator/Clarian Spyware Posting Data"; flow: to_server,established; uricontent:"/gs_med"; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2003575; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Gator_Agent; sid:2003575; rev:4;)
+#by kevin ross
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft Windows .lnk File Processing WebDAV Arbitrary Code Execution Attempt"; flow:established,to_client; file_data; content:"<lp2|3A|executable>T</lp2|3A|executable>"; nocase; content:"<D|3A|lockscope><D|3A|exclusive/></D|3A|lockscope>"; nocase; distance:0; content:"</D|3A|lockentry>"; nocase; distance:0; content:"<D|3A|lockscope><D|3A|shared/></D|3A|lockscope>"; nocase; distance:0; classtype:attempted-user; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20918; reference:url,www.kb.cert.org/vuls/id/940193; reference:url,www.microsoft.com/technet/security/advisory/2286198.mspx; reference:cve,2010-2568; reference:url,doc.emergingthreats.net/2011270; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Lnk; sid:2011270; rev:3;)
 
-#These are for common names of malcode files as seen in common places.
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Likely Trojan/Spyware Installer Requested (1)"; flow: established,to_server; uricontent:".scr"; nocase; pcre:"/(cartao|mensagem|voxcards|humortadela|ouca|cartaovirtual|uol3171|embratel|yahoo|viewforhumor|humormenssagem|terra)\.scr/Ui"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001850; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_General_Requests; sid: 2001850; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Likely Trojan/Spyware Installer Requested (2)"; flow: established,to_server; uricontent:".exe"; nocase; pcre:"/(discador|ocartao|msgav|extrato|correcao|extrato_tim|visualizar|cartas&cartoes|embratel|cartao|MSN_INSTALL|VirtualCards|atualizacaonorton|serasar|CobrancaEmbratel|ExtratoTim|FlashFotos|Vacina-Norton|CartaoIloves|Cobranca|fotos_ineditas|boletocobranca|saudades|wwwuolcartoescombr|cartaoanimado)\.exe/Ui"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002093; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_General_Requests; sid: 2002093; rev:5;)
+#by kevin ross
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer URI Validation Remote Code Execution Attempt"; flow:established,to_client; content:"#|3A|../../"; content:"C|3A 5C|"; nocase; within:50; pcre:"/\x2E\x2E\x2F\x2E\x2E\x2F.+C\x3A\x5C[a-z]/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37884; reference:cve,2010-0027; reference:url,doc.emergingthreats.net/2010798; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSIE; sid:2010798; rev:3;)
 
-#Submitted by Joseph Gama
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IE homepage hijacking"; flow: from_server,established; content:"wsh.RegWrite"; nocase; content:"HKLM\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Main\\\\Start Page"; nocase; reference:url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm; classtype: misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2000514; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_General_Spyware_Install; sid: 2000514; rev:7;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE shell browser vulnerability W9x/XP"; flow: from_server,established; content:"shell\:windows"; nocase; reference:url,www.packetfocus.com/shell_exploit.htm; classtype: misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2000519; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_General_Spyware_Install; sid: 2000519; rev:8;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE shell browser vulnerability NT/2K"; flow: from_server,established; content:"shell\:winnt"; nocase; reference:url,www.packetfocus.com/shell_exploit.htm; classtype: misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2000520; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_General_Spyware_Install; sid: 2000520; rev:8;)
+#Modified to avoid the short content matches as these should be accurate enough. Revision number has been incremented and msg slightly modified and a few more references added (BID, Cisco & Microsoft)
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer srcElement Memory Corruption Attempt"; flow:established,to_client; file_data; content:"document.createEventObject"; nocase; content:".innerHTML"; within:100; nocase; content:"window.setInterval"; distance:0; nocase; classtype:attempted-user; reference:url,www.microsoft.com/technet/security/bulletin/ms10-002.mspx; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19726; reference:url,www.kb.cert.org/vuls/id/492515; reference:cve,2010-0249; reference:url,doc.emergingthreats.net/2010799; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSIE; sid:2010799; rev:4;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GlobalPhon.com Dialer"; flow: to_server,established; content:"Host\: www.globalphon.com"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001656; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_GlobalPhon; sid: 2001656; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GlobalPhon.com Dialer Download"; flow: to_server,established; uricontent:"/dialer/internazionale_ver"; nocase; uricontent:".CAB"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001657; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_GlobalPhon; sid: 2001657; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GlobalPhon.com Dialer (no_pop)"; flow: to_server,established; uricontent:"/no_pop.asp?"; nocase; uricontent: "id="; nocase; content:"globalphon.com"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001659; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_GlobalPhon; sid: 2001659; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GlobalPhon.com Dialer (add_ocx)"; flow: to_server,established; uricontent:"/add_ocx.asp?"; nocase; uricontent: "id="; nocase; content:"globalphon.com"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001660; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_GlobalPhon; sid: 2001660; rev:6;)
+#kevin ross
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Internet Explorer Tabular DataURL ActiveX Control Memory Corruption Attempt"; flow:established,to_client; file_data; content:"333C7BC4-460F-11D0-BC04-0080C7055A83"; nocase; distance:0; content:"DataURL"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*333C7BC4-460F-11D0-BC04-0080C7055A83/si"; classtype:attempted-user; reference:url,securitytracker.com/alerts/2010/Mar/1023773.html; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20202; reference:url,www.metasploit.com/redmine/projects/framework/repository/revisions/9018/entry/modules/exploits/windows/browser/ms10_018_ie_tabular_activex.rb; reference:url,www.microsoft.com/technet/security/bulletin/ms10-018.mspx; reference:url,www.vupen.com/english/advisories/2010/0744; reference:url,www.kb.cert.org/vuls/id/744549; reference:cve,2010-0805; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSIE; reference:url,doc.emergingthreats.net/2011007; sid:2011007; rev:9;)
 
-#by Jeremy at sudosecure
-# ref: 9ab0b5608af7c2c7fb3b631f27ee79c6
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gooochi Related Spyware Ad pull"; flow:established,to_server; content:"GET "; depth:4; uricontent:"?z="; nocase; uricontent:"|26|ch="; nocase; uricontent:"|26|dim="; nocase; uricontent:"|26|abr="; nocase; content:!"Referer\: "; nocase; reference:url,www.threatexpert.com/reports.aspx?find=ads.gooochi.biz; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008375; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Gooochi; sid:2008375; rev:3;)
+#kevin ross
+#
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET SQL MSSQL sp_replwritetovarbin - potential memory overwrite case 1"; flow:to_server,established; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n"; nocase; fast_pattern:only; classtype:attempted-user; reference:url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008909; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSSQL; sid:2008909; rev:3;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GrandstreetInteractive.com Install"; flow: to_server,established; uricontent:"/tdtb.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002012; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_GrandStreetInteractive.com; sid: 2002012; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GrandstreetInteractive.com Update"; flow: to_server,established; uricontent:"/wupdsnff.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002013; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_GrandStreetInteractive.com; sid: 2002013; rev:4;)
+#kevin ross
+#
+##alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET DELETED MSSQL sp_replwritetovarbin - potential memory overwrite case 2"; flow:to_server,established; content:"sp_replwritetovarbin"; nocase; fast_pattern:only; classtype:attempted-user; reference:url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008910; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSSQL; sid:2008910; rev:3;)
 
-#by Matt jonkman, guard-center.com crapware (if you're gonna pretend to scan a disk, you ought to at least access the disk a little)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Guard-Center.com Fake AntiVirus Post-Install Checkin"; flow:established,to_server; uricontent:".php?"; uricontent:"&advid="; uricontent:"&u="; uricontent:"&p="; content:"HTTP/1."; content:!"|0d 0a|User-Agent\:"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007744; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Guard-Center.com; sid:2007744; rev:4;)
+#by David Wharton
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Microsoft DirectShow ActiveX Exploit Attempt"; flow:to_client,established; file_data; content:"clsid"; nocase; content:"0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"; nocase; distance:0; content:"omybro"; nocase; distance:0; content:"logo.gif"; nocase; distance:0; classtype:web-application-attack; reference:url,csis.dk/dk/nyheder/nyheder.asp?tekstID=799; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18595; reference:url,doc.emergingthreats.net/2009491; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009491; rev:5;)
 
-#by matt jonkman
-#many malware packages use hex to obscure an IP
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hex Encoded IP HTTP Request - Likely Malware"; flow:established,to_server; content:"|0d 0a|Host\: 0x"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007951; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hex_Domain_Request; sid:2007951; rev:2;)
+#by anonymous #1
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely MSVIDCTL.dll exploit in transit"; flow:to_client,established; content:"|00 03 00 00 11 20 34|"; content:"|ff ff ff ff 0c 0c 0c 0c 00|"; within:70; classtype:trojan-activity; reference:url,isc.sans.org/diary.html?storyid=6733; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18595; reference:url,doc.emergingthreats.net/2009493; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009493; rev:3;)
 
-#by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE host-domain-lookup.com spyware related Checkin"; flow:established,to_server; uricontent:"?udata="; uricontent:"mission_supgrade\:"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007749; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Host-domain-lookup.com; sid:2007749; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE host-domain-lookup.com spyware related Start Report"; flow:established,to_server; uricontent:"?udata="; uricontent:"program_started\:"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007750; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Host-domain-lookup.com; sid:2007750; rev:3;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (29)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2E30750-6C3D-11D3-B653-00C04F79498E/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009598; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009598; rev:7;)
 
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (30)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"AD8E510D-217F-409B-8076-29C5E73B98E8"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AD8E510D-217F-409B-8076-29C5E73B98E8/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009599; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009599; rev:7;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Install (1)"; flow: to_server,established; uricontent:"/install/startInstallprocess.asp?"; nocase; uricontent: "Defau"; reference:url,www.hotbar.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000920; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid: 2000920; rev:9;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Install (2)"; flow: to_server,established; uricontent:"/install/process/upsale/hotbar"; reference:url,www.hotbar.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000921; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid: 2000921; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Install (3)"; flow: to_server,established; uricontent:"/installs/hotbar/programs/"; reference:url,www.hotbar.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000922; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid: 2000922; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent Reporting Information"; flow: to_server,established; content:"POST"; nocase; uricontent:"/reports/hotbar/"; reference:url,www.hotbar.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000923; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid: 2000923; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent Upgrading"; flow: to_server,established; uricontent:"/updates/hotbar/"; nocase; reference:url,www.hotbar.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000924; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid: 2000924; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent Activity"; flow: to_server,established; uricontent:"/dynamic/hotbar/"; nocase; reference:url,www.hotbar.com; threshold: type limit, count 1, track by_src, seconds 360; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000929; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid: 2000929; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent Partner Checkin"; flow: to_server,established; uricontent:"/partners/"; nocase; uricontent:"partners.xip"; nocase; reference:url,www.hotbar.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000925; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid: 2000925; rev:7;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (31)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"B0EDF163-910A-11D2-B632-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B0EDF163-910A-11D2-B632-00C04F79498E/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009600; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009600; rev:7;)
 
-#from Shirkdog
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent Subscription POST"; flow: to_server,established; uricontent:"/hotbar/"; nocase; uricontent:"Subscription.dll?"; nocase; reference:url,www.hotbar.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002820; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid: 2002820; rev:3;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (32)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"B64016F3-C9A2-4066-96F0-BD9563314726"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B64016F3-C9A2-4066-96F0-BD9563314726/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009601; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009601; rev:7;)
 
-#Matt Jonkman from spyware lp data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent Adopt/Zango"; flow: to_server,established; uricontent:"/adopt.jsp?"; nocase; uricontent:"l="; nocase; uricontent:"&sz="; nocase; uricontent:"cid="; nocase; reference:url,www.hotbar.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003364; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid:2003364; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Keywords Download"; flow: to_server,established; uricontent:"/keywords/kyfb."; nocase; uricontent:"partner_id="; nocase; reference:url,www.hotbar.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003388; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid:2003388; rev:3;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (33)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"BB530C63-D9DF-4B49-9439-63453962E598"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BB530C63-D9DF-4B49-9439-63453962E598/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009602; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009602; rev:7;)
 
-#matt jonkman, new version of hotbar apparently
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar.com Related Spyware Install Report"; flow:established,to_server; uricontent:"/ciconfig.aspx?did="; uricontent:"&brandid="; uricontent:"&os="; uricontent:"&pkg_ver="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008917; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid:2008917; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar.com Related Spyware Activity Report"; flow:established,to_server; uricontent:"/trackedevent.aspx?eid="; uricontent:"&brand="; uricontent:"&os="; uricontent:"&mt="; uricontent:"&pkg_ver="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008918; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid:2008918; rev:2;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (34)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"C531D9FD-9685-4028-8B68-6E1232079F1E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C531D9FD-9685-4028-8B68-6E1232079F1E/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009603; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009603; rev:7;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ICQ-Update.biz Reporting Install"; flow: to_server,established; uricontent:"log.php?"; nocase; uricontent: "IP="; nocase; uricontent:"Port1="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001490; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ICQ-Update.biz; sid: 2001490; rev:8;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (35)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"C5702CCC-9B79-11D3-B654-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C5702CCC-9B79-11D3-B654-00C04F79498E/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009604; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009604; rev:7;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE IEHelp.net Spyware Installer"; flow:established,to_server; uricontent:"/counter/help.chm"; nocase; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002090; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_IEHelp.net; sid:2002090; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE IEHelp.net Spyware checkin"; flow:established,to_server; uricontent:"/l/gpr.php?"; nocase; uricontent: "ID1="; nocase; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002096; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_IEHelp.net; sid:2002096; rev:6;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (37)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"C5702CCE-9B79-11D3-B654-00C04F79498E"; nocase; distance:0;  pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C5702CCE-9B79-11D3-B654-00C04F79498E/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009606; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009606; rev:5;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ISearchTech.com XXXPornToolbar Reporting"; flow: to_server,established; uricontent:"/ist/scripts/log_downloads.php"; nocase; reference:url,www.isearchtech.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000927; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ISearchTech.com; sid: 2000927; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ISearchTech.com XXXPornToolbar Activity (1)"; flow: to_server,established; uricontent:"/ist/bars/"; nocase; reference:url,www.isearchtech.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000928; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ISearchTech.com; sid: 2000928; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ISearchTech.com XXXPornToolbar Activity (2)"; flow: to_server,established; uricontent:"/ist/softwares/"; nocase; reference:url,www.isearchtech.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001395; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ISearchTech.com; sid: 2001395; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ISearchTech.com XXXPornToolbar Data Submission"; flow: to_server,established; uricontent:"/ist/scripts/istsvc_ads_data.php?"; nocase; uricontent: "version="; nocase; reference:url,www.isearchtech.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001697; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ISearchTech.com; sid: 2001697; rev:6;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (38)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"C5702CCF-9B79-11D3-B654-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C5702CCF-9B79-11D3-B654-00C04F79498E/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009607; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009607; rev:5;)
 
-# Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Incredisearch.com Spyware Ping"; flow: established,to_server; uricontent:"/ping.asp"; nocase; content:"incredisearch.com"; depth:300; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001793; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Incredisearch.com; sid: 2001793; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Incredisearch.com Spyware Activity"; flow: established,to_server; content:"Host\: www.incredisearch.com"; depth:300; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001794; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Incredisearch.com; sid: 2001794; rev:6;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (40)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009609; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009609; rev:5;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Instafinder.com spyware"; flow: established,to_server; uricontent:"/404/update/instafi"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003376; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Instafinder.com; sid: 2003376; rev:3;)
+#by wolvee
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (41)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"CAAFDD83-CEFC-4E3D-BA03-175F17A24F91"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CAAFDD83-CEFC-4E3D-BA03-175F17A24F91/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009610; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009610; rev:5;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Internet Fuel.com Install"; flow: to_server,established; uricontent:"/cgi-bin/omnidirect.cgi?&debug_log="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002015; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Internet_Fuel; sid: 2002015; rev:4;)
+#by wolvee
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (42)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"D02AAC50-027E-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D02AAC50-027E-11D3-9D8E-00C04F72D980/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009611; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009611; rev:5;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Internet Optomizer Reporting Data"; flow: to_server,established; uricontent:"/io/downloads/"; nocase; content:"/wsi8/optimize"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001308; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Internet_Optimizer; sid: 2001308; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Internet Optimizer Spyware Install"; flow: to_server,established; uricontent:"/internet-optimizer/"; nocase; uricontent:"/optimize"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001396; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Internet_Optimizer; sid: 2001396; rev:6;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Vulnerable Microsoft Video ActiveX CLSID access (43)"; flow:to_client,established; file_data; content:"clsid"; nocase; content:"F9769A06-7ACA-4E39-9CFB-97BB35F0E77E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F9769A06-7ACA-4E39-9CFB-97BB35F0E77E/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009612; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009612; rev:4;)
 
-# by: Jeremy Conway at sudosecure.net
-# ref: b5880918affcbb25120b431a45b99429
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Adware Istbar Search Hijacker and Downloader"; flow:established,to_client; content:" 200 OK|0d 0a|"; nocase; depth:64; content:"|0d 0a|Content-Type|3a| qvod_update|0d 0a|"; nocase; content:"|0d 0a 0d 0a 5b|AGENTLIST|5d 0d 0a|ip0="; nocase; content:"|0d 0a|port0="; nocase; within:25; content:"|0d 0a 0d 0a|ip1="; nocase; content:"|0d 0a|port1="; nocase; within:25; reference:url,www.pctools.com/mrc/infections/id/Trojan.ISTbar/; reference:url,www.threatexpert.com/reports.aspx?find=Trojan.ISTbar; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009597; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Istbar; sid:2009597; rev:2;)
+#by wolvee
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (44)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"FA7C375B-66A7-4280-879D-FD459C84BB02"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FA7C375B-66A7-4280-879D-FD459C84BB02/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009613; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009613; rev:5;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE jmnad1.com Spyware Install (1)"; flow: to_server,established; uricontent:"/install.qg?"; nocase; uricontent: "ID="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002019; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Jmnad1.com; sid: 2002019; rev:9;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE jmnad1.com Spyware Install (2)"; flow: to_server,established; uricontent:"/download/mw_4s_stub.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002016; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Jmnad1.com; sid: 2002016; rev:8;)
+#by wolvee
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (1)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"011B3619-FE63-4814-8A84-15A194CE9CE3"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*011B3619-FE63-4814-8A84-15A194CE9CE3/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009614; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009614; rev:5;)
 
-#Submitted by Matt Jonkman
-alert udp $HOME_NET 3531 -> $EXTERNAL_NET 3531 (msg:"ET MALWARE JoltID Agent Probing or Announcing UDP"; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000900; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_JoltID; sid: 2000900; rev:7;)
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg:"ET MALWARE JoltID Agent Communicating TCP"; flow: to_server,established; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000901; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_JoltID; sid: 2000901; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg:"ET MALWARE JoltID Agent Keep-Alive"; flow: to_server,established; dsize: 1; content:"|4b|"; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001015; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_JoltID; sid: 2001015; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JoltID Agent P2P via Proxy Server"; flow: to_server,established; content:"POST http\://"; nocase; content:"\:3531/.pkt"; nocase; within: 20; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001679; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_JoltID; sid: 2001679; rev:11;)
-alert tcp $HOME_NET any <> $EXTERNAL_NET 3531 (msg:"ET MALWARE JoltID Agent Requesting File"; flow: established,to_server; content:"GIVE "; content:"User-Agent\:"; nocase; content:"PeerEnabler"; within:120; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001654; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_JoltID; sid: 2001654; rev:9;)
+#by wolvee
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (2)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"0149EEDF-D08F-4142-8D73-D23903D21E90"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0149EEDF-D08F-4142-8D73-D23903D21E90/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009615; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009615; rev:5;)
 
-#by Jamie Blasco
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Malicious Applet Access (justexploit kit)"; flow:to_server,established; uricontent:"/files/sdfg.jar"; classtype: trojan-activity; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3570.0; reference:url,doc.emergingthreats.net/2010438; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Justexploit; sid:2010438; rev:2;)
+#by wolvee
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (3)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"0369B4E5-45B6-11D3-B650-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0369B4E5-45B6-11D3-B650-00C04F79498E/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009616; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009616; rev:5;)
 
-#Submitted by Jason Haar
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Keenvalue Update Engine"; flow: to_server,established; content:"|0d0a|Host|3a|secure.keenvalue.com"; content:"|0d0a|Extension|3a|Remote-Passphrase"; within: 300; reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2003-11-24; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000932; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Keenvalue; sid: 2000932; rev:5;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (4)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"0369B4E6-45B6-11D3-B650-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0369B4E6-45B6-11D3-B650-00C04F79498E/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009617; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009617; rev:5;)
 
-#Matt Jonkman
-# all sorts of junk at www.thespyguard.com, fake antispyware trojan
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Thespyguard.com Spyware Install"; flow:established,to_server; uricontent:"/soft/installers/spyguardf.php"; nocase; reference:url,www.thespyguard.com; reference:url,www.kliksoftware.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003201; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Kliksoftware; sid:2003201; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Thespyguard.com Spyware Update Check"; flow:established,to_server; uricontent:"/soft/update/check_update.php"; nocase; content:"Host\: www.kliksoftware.com"; nocase; reference:url,www.kliksoftware.com; reference:url,www.thespyguard.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003202; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Kliksoftware; sid:2003202; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hitvirus Fake AV Install"; flow:established,to_server; uricontent:"/soft/installers/hitvirusf.php"; nocase; content:"get.hitvirus.com"; nocase; reference:url,www.kliksoftware.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003203; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Kliksoftware; sid:2003203; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Thespyguard.com Spyware Updating"; flow:established,to_server; uricontent:"/soft/update/get.php"; nocase; uricontent:"pid="; nocase; uricontent:"mail="; nocase; content:"Host\: www.kliksoftware.com"; nocase; reference:url,www.kliksoftware.com; reference:url,www.thespyguard.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003204; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Kliksoftware; sid:2003204; rev:3;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (5)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"055CB2D7-2969-45CD-914B-76890722F112"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*055CB2D7-2969-45CD-914B-76890722F112/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009618; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009618; rev:5;)
 
-#from spyware listeningpost data, by matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE KMIP.net Spyware"; flow:established,to_server; uricontent:"/iesocks?peer_id="; nocase; uricontent:"ver="; nocase; classtype:trojan-activity; reference:url,www.kmip.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003298; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Kmip.net; sid:2003298; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE KMIP.net Spyware 2"; flow:established,to_server; uricontent:"/sp?c=N&i="; nocase; uricontent:"&v="; nocase; classtype:trojan-activity; reference:url,www.kmip.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003526; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Kmip.net; sid:2003526; rev:3;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (6)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"15D6504A-5494-499C-886C-973C9E53B9F1"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*15D6504A-5494-499C-886C-973C9E53B9F1/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009619; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009619; rev:5;)
 
-#by matt jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Kwsearchguide.com Related Spyware Checkin"; flow:established,to_server; uricontent:"/statics.php?maddr="; nocase; uricontent:"&ipaddr="; nocase; uricontent:"&ovt="; nocase; uricontent:"&verno="; nocase; uricontent:"&action="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008067; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Kwsearchguide.com; sid:2008067; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Kwsearchguide.com Related Spyware Keepalive"; flow:established,to_server; uricontent:"/alive.php?ovt=new_link"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008069; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Kwsearchguide.com; sid:2008069; rev:2;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (7)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"1BE49F30-0E1B-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1BE49F30-0E1B-11D3-9D8E-00C04F72D980/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009620; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009620; rev:5;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE LocalNRD Spyware Checkin"; flow: to_server,established; uricontent:"/a/Drk.syn?"; nocase; uricontent: "adcontext"; nocase; reference:url,www.localnrd.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001340; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Localnrd; sid: 2001340; rev:9;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (8)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"1C15D484-911D-11D2-B632-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1C15D484-911D-11D2-B632-00C04F79498E/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009621; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009621; rev:5;)
 
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (9)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"1DF7D126-4050-47F0-A7CF-4C4CA9241333"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1DF7D126-4050-47F0-A7CF-4C4CA9241333/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009622; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009622; rev:5;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Look2me Spyware Activity (1)"; flow: to_server,established; content:"Referer\: Look2Me"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.look2me.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001499; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Look2me; sid: 2001499; rev:7;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (10)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"2C63E4EB-4CEA-41B8-919C-E947EA19A77C"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2C63E4EB-4CEA-41B8-919C-E947EA19A77C/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009623; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009623; rev:5;)
 
-#by Pedro Marinho
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware.Look2Me Activity"; flow:established,to_server; uricontent:"?B="; uricontent:"&V="; uricontent:"&M="; uricontent:"&R="; uricontent:"&ID={"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008474; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Look2me; sid:2008474; rev:2;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (11)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"334125C0-77E5-11D3-B653-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*334125C0-77E5-11D3-B653-00C04F79498E/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009624; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009624; rev:5;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MSUpdater.net Spyware Checkin"; flow:established,to_server; uricontent:"/popsetarray.php?&country="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002094; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MSUpdater.net; sid:2002094; rev:4;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (12)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"37B0353C-A4C8-11D2-B634-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*37B0353C-A4C8-11D2-B634-00C04F79498E/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009625; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009625; rev:5;)
 
-#by Matt Jonkman, from sunbelt blog
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malwarealarm.com Fake AV/AntiSpyware Updating"; flow:established,to_server; uricontent:"/update.php?v="; nocase; uricontent:"&d="; nocase; uricontent:"&vs="; nocase; content:"Host\: www.MalwareAlarm.com"; nocase; classtype:trojan-activity; reference:url,sunbeltblog.blogspot.com/2007/04/another-fake-security-scam-site_9466.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003611; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Malwarealarm.com; sid:2003611; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malwarealarm.com Fake AV/AntiSpyware Download"; flow:established,to_server; uricontent:"GET /madownload.php?&advid="; nocase; uricontent:"&u="; nocase; uricontent:"&p="; nocase; content:"Host\: download.MalwareAlarm.com"; nocase; reference:url,sunbeltblog.blogspot.com/2007/04/another-fake-security-scam-site_9466.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003612; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Malwarealarm.com; sid:2003612; rev:4;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (13)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"37B03543-A4C8-11D2-B634-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*37B03543-A4C8-11D2-B634-00C04F79498E/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009626; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009626; rev:5;)
 
-#submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Configuration Access"; flow: to_server,established; uricontent:"/oss/remoteconfig.asp"; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000902; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MarketScore; sid: 2000902; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Access"; flow: to_server,established; uricontent:"proxyhttp|0b|marketscore|03|com"; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001359; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MarketScore; sid: 2001359; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE MarketScore.com Spyware SSL Access"; flow: to_server,established; content:"www.marketscore.com"; content:"InstantSSL1"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001563; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MarketScore; sid: 2001563; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Proxied Traffic"; flow: to_server,established; content:"X-OSSProxy\: OSSProxy"; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001564; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MarketScore; sid: 2001564; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore Spyware Uploading Data"; flow: to_server,established; uricontent:"/scripts/contentidpost.dll"; nocase; content:"OSS-Proxy"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2003253; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MarketScore; sid: 2003253; rev:3;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (14)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"37B03544-A4C8-11D2-B634-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*37B03544-A4C8-11D2-B634-00C04F79498E/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009627; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009627; rev:5;)
 
-#Info from sgtocanada
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Proxied Traffic (mitmproxy agent)"; flow: to_server,established; content:"Proxy-agent\: ManInTheMiddle-Proxy"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001586; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MarketScore; sid: 2001586; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Upgrading"; flow: to_server,established; uricontent:"/oss/upgrchk_2a.asp"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001587; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MarketScore; sid: 2001587; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Activity (1)"; flow: to_server,established; uricontent:"/oss/dittorules.asp"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001588; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MarketScore; sid: 2001588; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Activity (2)"; flow: to_server,established; uricontent:"/oss/routerrules2.asp"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001589; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MarketScore; sid: 2001589; rev:6;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (15)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"418008F3-CF67-4668-9628-10DC52BE1D08"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*418008F3-CF67-4668-9628-10DC52BE1D08/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009628; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009628; rev:5;)
 
-#Sigs by Matt Jonkman from the excellent analysis by Tom Liston at http://isc.sans.org/diary.php?date=2004-11-04
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Mastermind Related Reporting"; flow: to_server,established; uricontent:"/bundle.php?"; nocase; uricontent: "aff="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001409; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com; sid: 2001409; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 8081 (msg:"ET MALWARE Mastermind Related Reporting 8081"; flow: to_server,established; content:"/a?l=PeAyF1sgrZYw&i="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001410; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com; sid: 2001410; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mastermind Related Downloading mm20.ocx"; flow: to_server,established; uricontent:"/soft/mm20.ocx"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001411; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com; sid: 2001411; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Medis-Motor Related Downloading ast_4_mm.exe"; flow: to_server,established; uricontent:"/dist/ast_4_mm.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001413; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com; sid: 2001413; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Media-Motor Related Downloading MediaMotor25.exe"; flow: to_server,established; uricontent:"/soft/MediaMotor25.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001414; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com; sid: 2001414; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Avres.net Downloading cpr_mm2.exe"; flow: to_server,established; uricontent:"/tt/cpr_mm2.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001419; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com; sid: 2001419; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Avres.net Downloading ab1.exe"; flow: to_server,established; uricontent:"/tt/ab1.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001420; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com; sid: 2001420; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Avres.net Downloading tvm_bundle.exe"; flow: to_server,established; uricontent:"/tt/tvm_bundle.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001421; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com; sid: 2001421; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Avres.net Reporting Data"; flow: to_server,established; uricontent:"/log3.php?"; nocase; uricontent:"c={"; nocase; uricontent:"what="; nocase; uricontent:"avatar="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001422; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com; sid: 2001422; rev:8;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (16)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"4A5869CF-929D-4040-AE03-FCAFC5B9CD42"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4A5869CF-929D-4040-AE03-FCAFC5B9CD42/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009629; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009629; rev:5;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,8080] (msg:"ET MALWARE Matcash Trojan Related Spyware Code Download"; flow:established,to_server; content:"|0d 0a|User-Agent\: Windows 5.1 (2600)\; DMCP"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008759; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Matcash.com; sid:2008759; rev:4;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (17)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"577FAA18-4518-445E-8F70-1473F8CF4BA4"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*577FAA18-4518-445E-8F70-1473F8CF4BA4/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009630; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009630; rev:5;)
 
-#Matt Jonkman from spyware listening post data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trinityacquisitions.com and Maximumexperience.com Spyware Activity"; flow:to_server,established; uricontent:"/upd/check?version="; nocase; uricontent:"&localeId="; nocase; uricontent:"&affid="; nocase; uricontent:"&updatevalue="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003344; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MaxExp_TrinityAcquisitions.com; sid: 2003344; rev:3;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (18)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"59DC47A8-116C-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*59DC47A8-116C-11D3-9D8E-00C04F72D980/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009631; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009631; rev:5;)
 
-#Mark Tombaugh
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Media Pass ActiveX Install"; flow: to_server,established; uricontent:"/MediaPassK.exe"; nocase; reference:url,www.benedelman.org/news/010205-1.html; reference:url,static.windupdates.com/Release/v19/Info.txt; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001783; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MediaPass; sid: 2001783; rev:5;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (19)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"7F9CB14D-48E4-43B6-9346-1AEBC39C64D3"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7F9CB14D-48E4-43B6-9346-1AEBC39C64D3/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009632; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009632; rev:5;)
 
-#Submitted by Chris Norton
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MediaTickets Download"; flow: to_server,established; uricontent:"MediaTicketsInstaller.cab"; content:"Host\: www.mt-download.com"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001448; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MediaTickets; sid: 2001448; rev:9;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MediaTickets Spyware Install"; flow: to_server,established; uricontent:"/mtrslib2.js"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001481; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MediaTickets; sid: 2001481; rev:6;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (20)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"823535A0-0318-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*823535A0-0318-11D3-9D8E-00C04F72D980/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009633; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009633; rev:5;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Medialoads.com Spyware Config"; flow: to_server,established; uricontent:"/dw/cgi/download.cgi?"; nocase; uricontent:"sn="; nocase; uricontent:"pid="; nocase; content:"Host\:config.medialoads.com"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001503; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Medialoads.com; sid: 2001503; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Medialoads.com Spyware Reporting (download.cgi)"; flow: to_server,established; uricontent:"/dw/cgi/download.cgi?"; nocase; uricontent:"sn="; nocase; content:"Host\:config.medialoads.com"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001508; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Medialoads.com; sid: 2001508; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Medialoads.com Spyware Reporting (register.cgi)"; flow: to_server,established; uricontent:"/dw/cgi/register.cgi?"; nocase; uricontent:"v="; nocase; content:"Host\:config.medialoads.com"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001509; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Medialoads.com; sid: 2001509; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Medialoads.com Spyware Identifying Country of Origin"; flow: to_server,established; uricontent:"/dw/cgi/country.cgi"; nocase; content:"User-Agent\:"; nocase; content:"NSISDL"; within:120; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001507; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Medialoads.com; sid: 2001507; rev:9;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (21)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"8872FF1B-98FA-4D7A-8D93-C9F1055F85BB"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8872FF1B-98FA-4D7A-8D93-C9F1055F85BB/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009634; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009634; rev:5;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Metarewards Spyware Activity"; flow: to_server,established; content:"Host\: www.metareward.com"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001666; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Metarward.com; sid: 2001666; rev:4;)
-#From listening post data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Metarewards Disclaimer Access"; flow: to_server,established; uricontent:"/www.metareward.com/mailimg/disclaimer/"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002309; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Metarward.com; sid: 2002309; rev:4;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (22)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"8A674B4C-1F63-11D3-B64C-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8A674B4C-1F63-11D3-B64C-00C04F79498E/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009635; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009635; rev:5;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Microgaming.com Spyware Installation (dlhelper)"; flow: established,to_server; uricontent:"/dlhelper.cab"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001641; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Microgaming.com; sid: 2001641; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Microgaming.com Spyware Installation (2)"; flow: established,to_server; uricontent:"/DownloadHNew.asp?"; nocase; uricontent:"btag="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001643; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Microgaming.com; sid: 2001643; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Microgaming.com Spyware Reporting Installation"; flow: established,to_server; uricontent:"/dlhelper/downloadlogger2.asp?"; nocase; uricontent:"time="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001644; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Microgaming.com; sid: 2001644; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Microgaming.com Spyware Casino App Install"; flow: established,to_server; uricontent:"/viper/thunderluck/00"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001645; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Microgaming.com; sid: 2001645; rev:5;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (23)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"8A674B4D-1F63-11D3-B64C-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8A674B4D-1F63-11D3-B64C-00C04F79498E/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009636; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009636; rev:5;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mindset Interactive Install (1)"; flow: to_server,established; uricontent:"/mindset5/data"; nocase; reference:url,www.mindsetinteractive.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000583; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mindsetinteractive; sid: 2000583; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mindset Interactive Install (2)"; flow: to_server,established; uricontent:"/mindset/data"; nocase; reference:url,www.mindsetinteractive.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000584; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mindsetinteractive; sid: 2000584; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mindset Interactive Ad Retrieval"; flow: to_server,established; uricontent:"/mindset5"; nocase; reference:url,www.mindsetinteractive.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000594; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mindsetinteractive; sid: 2000594; rev:6;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (24)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"9CD64701-BDF3-4D14-8E03-F12983D86664"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9CD64701-BDF3-4D14-8E03-F12983D86664/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009638; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009638; rev:5;)
 
-#by Matt Jonkman, from spyware LP Data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mirarsearch.com Spyware Posting Data"; flow:established,to_server; uricontent:"/v70match.cgi?"; nocase; uricontent:"key1="; nocase; uricontent:"&key2="; nocase; uricontent:"&match="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003577; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mirarsearch.com; sid:2003577; rev:3;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (25)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"9E77AAC4-35E5-42A1-BDC2-8F3FF399847C"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9E77AAC4-35E5-42A1-BDC2-8F3FF399847C/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009639; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009639; rev:5;)
 
-#by Pedro Marinho
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware-Mirar Reporting (BAR)"; flow:to_server,established; uricontent:"download.cgi?BUILDNAME="; nocase; uricontent:"&AFFILIATE="; uricontent:"&ID="; uricontent:"&ERROR=0"; content:"|0d 0a|User-Agent\: BAR"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009234; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mirarsearch.com; sid:2009234; rev:2;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (26)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009640; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009640; rev:5;)
 
-#Matt Jonkman 2/22/05
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE My-Stats.com Spyware Checkin"; flow: established,to_server; uricontent:"/ad-partner/SelectConfirm.php?"; nocase; uricontent:"dummy="; nocase; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001747; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_My-Stats.com; sid: 2001747; rev:7;)
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (27)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"A2E3074E-6C3D-11D3-B653-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2E3074E-6C3D-11D3-B653-00C04F79498E/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009641; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009641; rev:5;)
 
+#by wolvee
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (28)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"A2E30750-6C3D-11D3-B653-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2E30750-6C3D-11D3-B653-00C04F79498E/si"; classtype:web-application-attack; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009642; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009642; rev:5;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyGlobalSearch Spyware bar update"; flow:established,to_server; uricontent:"/images/mysearchbar/highlight"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003351; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MyGlobalSearch; sid:2003351; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyGlobalSearch Spyware bar update 2"; flow:established,to_server; uricontent:"/images/mysearchbar/customize"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003352; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MyGlobalSearch; sid:2003352; rev:3;)
+#by Christopher Campesi
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS Remote SMB2.0 DoS Exploit"; flow:to_server,established; content:"|ff|SMB|72 00 00 00 00 18 53 c8|"; offset:4; content:!"|00 00|"; within:2; classtype:attempted-dos; reference:url,securityreason.com/exploitalert/7138; reference:url,doc.emergingthreats.net/2009886; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MS_SMB_DOS; sid:2009886; rev:4;)
 
-#by Akash Mahajan
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sears.com/Kmart.com My SHC Community spyware download"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/CSetup_xp.cab"; classtype:trojan-activity; reference:url,community.ca.com/blogs/securityadvisor/archive/2007/12/20/sears-com-join-the-community-get-spyware.aspx; reference:url,www.benedelman.org/news/010108-1.html; reference:url,doc.emergingthreats.net/bin/view/Main/2007996; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MySHC; sid:2007996; rev:2;)
+#by Chandan at Secpod
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (1)"; flow:to_client,established; file_data; content:"F0E42D50-368C-11D0-AD81-00A0C90DC8D9"; nocase; distance:0; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; pcre:"/(exe|bat|com|dll|ini)/i"; classtype:web-application-attack; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html; reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008407; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MS_Snapshot; sid:2008407; rev:7;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MySearchNow.com Spyware"; flow: to_server,established; uricontent:"exe/dns.html"; nocase; content:"User-Agent\: TPSystem"; nocase; reference:url,www.mysearchnow.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003221; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MySearchnow.com; sid: 2003221; rev:3;)
+#by Chandan at Secpod
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (2)"; flow:to_client,established; file_data; content:"F0E42D60-368C-11D0-AD81-00A0C90DC8D9"; nocase; distance:0; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; pcre:"/(exe|bat|com|dll|ini)/i"; classtype:web-application-attack; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html; reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008408; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MS_Snapshot; sid:2008408; rev:7;)
 
-#by matt jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MySideSearch.com Spyware Install"; flow:established,to_server; uricontent:".php?aff=mysidesearch&act=install"; content:"|0d 0a|User-Agent\: NSISDL/1.2 (Mozilla)|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008915; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MySideSearch.com; sid:2008915; rev:2;)
+#by Chandan at Secpod
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (3)"; flow:to_client,established; file_data; content:"clsid"; nocase; distance:0; content:"F2175210-368C-11D0-AD81-00A0C90DC8D9"; nocase; distance:0; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; pcre:"/(exe|bat|com|dll|ini)/i"; classtype:web-application-attack; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html; reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008409; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MS_Snapshot; sid:2008409; rev:5;)
 
-# by: Jeremy Conway at sudosecure.net
-# ref: 82bd65bc1c0b2b6d2bc599d1295a3579
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MySideSearch Browser Optimizer"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|User-Agent\: NSISDL/1.2 (Mozilla)|0d 0a|"; nocase; uricontent:".php?aff="; nocase; uricontent:"&act="; nocase; classtype:trojan-activity; reference:url,www.spywareremove.com/removeMySideSearch.html; reference:url,www.threatexpert.com/threats/adware-win32-mysidesearch.html; reference:url,www.pctools.com/mrc/infections/id/Adware.MySideSearch/; reference:url,doc.emergingthreats.net/2009524; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MySideSearch.com; sid:2009524; rev:2;)
+#by Eoin Miller
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Hidden iframe Served by nginx - Likely Hostile Code"; flow:established,to_client; content:"Server|3a| nginx"; nocase; http_header; content:"<iframe src="; nocase; content:"style=|22|visibility|3a|hidden|3b 22| width=|22|1|22| height=|22|1|22|></iframe>"; nocase; classtype:bad-unknown; reference:url,doc.emergingthreats.net/2011714; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malvertising; sid:2011714; rev:5;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE My Search Bar Install"; flow: to_server,established; uricontent:"/mysetp.exe"; nocase; reference:url,www.2-spyware.com/parasite-my-search-bar.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001040; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_My_Search_Bar; sid: 2001040; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE My Search Spyware Config Download"; flow: to_server,established; uricontent:"/ms"; nocase; uricontent:"cfg.jsp?"; uricontent:"v="; nocase; nocase; pcre:"/\/ms\d\d\dcfg\.jsp/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002839; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_My_Search_Bar; sid:2002839; rev:4;)
+#by Eoin Miller
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALVERTISING Adobe Exploited Check-In"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?&&reader_version="; nocase; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2011715; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malvertising; sid:2011715; rev:3;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyWebSearch Toolbar Receiving Configuration"; flow: to_server,established; uricontent:"/speedbar/mySpeedbarCfg"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000600; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_My_Web_Toolbar; sid: 2000600; rev:11;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyWebSearch Toolbar Traffic (bar config download)"; flow: to_server,established; uricontent:"/barcfg.jsp?"; nocase; content:"MyWebSearchWB"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002836; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_My_Web_Toolbar; sid: 2002836; rev:6;)
+#2010-07-14 By Eoin Miller
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malvertising drive by kit encountered - Loading..."; flow:established,to_client; content:"HTTP/1"; depth:6; content:"<html><head></head><body>Loading...<div id=|22|page|22| style=|22|display|3a| none|22|>"; nocase; classtype:bad-unknown; reference:url,doc.emergingthreats.net/2011223; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malvertising; sid:2011223; rev:5;)
 
-#New, from spyware listening post hits
-# Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyWebSearch Toolbar Receiving Config 2"; flow: to_server,established; uricontent:"/mySpeedbarCfg2.jsp"; nocase; content:"MyWebSearch"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003222; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_My_Web_Toolbar; sid:2003222; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyWebSearch Toolbar Posting Activity Report"; flow:to_server,established; uricontent:"/jsp/cfg_redir2.jsp?id="; nocase; uricontent:"url=http"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003617; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_My_Web_Toolbar; sid:2003617; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyWay Spyware Posting Activity Report - Dell Related"; flow:to_server,established; uricontent:"/script/bzDellHpData.js?"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003621; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_My_Web_Toolbar; sid:2003621; rev:5;)
+#2010-07-14 By Eoin Miller
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malvertising drive by kit encountered - bmb cookie"; flow:established,to_client; content:"HTTP/1"; depth:6; content:"Set-Cookie|3a| bmb="; nocase; http_header; classtype:bad-unknown; reference:url,doc.emergingthreats.net/2011222; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malvertising; sid:2011222; rev:3;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE New.net Spyware updating"; flow:established,to_server; uricontent:"/download/NewDotNet/"; nocase; uricontent:"/upgrade.cab?"; nocase; uricontent:"upg="; nocase; uricontent:"ec="; nocase; reference:url,www.new.net; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003240; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_New.net; sid:2003240; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE New.net Spyware Checkin"; flow:established,to_server; uricontent:"/?version="; nocase; uricontent:"discard_tag="; nocase; uricontent:"source="; nocase; uricontent:"ptr="; nocase; uricontent:"br=NewDotNet"; nocase; uricontent:"ec="; nocase; reference:url,www.new.net; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003241; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_New.net; sid:2003241; rev:4;)
+#2010-07-14 By Eoin Miller
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malvertising drive by kit collecting browser info"; flow:established,to_server; content:"/plugins.php?p=appName"; http_uri; nocase; classtype:bad-unknown; reference:url,doc.emergingthreats.net/2011224; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malvertising; sid:2011224; rev:4;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Oenji.com Install"; flow: to_server,established; uricontent:"/Bundled/OemjiInstall"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001538; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Oemji.com; sid: 2001538; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyspotter.com Access, Likely Spyware"; flow: to_server,established; content:"Host\:"; nocase; depth: 400; content:".oemji.com"; within: 25; distance: 1; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001539; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Oemji.com; sid: 2001539; rev:8;)
+#by eoin miller
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING client requesting drive by - /x/?src="; flow:established,to_server; content:"/x/?src="; http_uri; nocase; content:"&o=o"; http_uri; nocase; classtype:bad-unknown; reference:url,doc.emergingthreats.net/2011230; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malvertising; sid:2011230; rev:4;)
 
-#by shirkdog from spyware lp data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Oemji.com Spyware Settings Update"; flow:established,to_server; uricontent:"/OemjiSearchPlus.ini"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094187; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003467; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Oemji.com; sid:2003467; rev:4;)
+#by eoin miller
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING client requesting redirect to drive by - .php?c=cust"; flow:established,to_server; content:".php?c=cust"; http_uri; nocase; classtype:bad-unknown; reference:url,doc.emergingthreats.net/2011231; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malvertising; sid:2011231; rev:5;)
 
-#by Reg Quinton
-alert tcp $HOME_NET !21:902 -> any any (msg:"ET MALWARE Suspicious 220 Banner on Local Port"; flow:from_server,established; content:"220"; offset:0; depth:4; pcre:"/220[- ]/"; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2003055; rev:5;)
+#by Jamie Blasco of OSSIM based on malwareurl.com data
+#174 ocurrences
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Likely Rogue Antivirus Download - Antivirus_21.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/download/Antivirus_"; nocase; http_uri; content:".exe"; nocase; http_uri; pcre:"/download\x2FAntivirus_\d+\x2Eexe/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010050; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010050; rev:4;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OfferOptimizer.com Spyware"; flow: to_server,established; uricontent:"/ctx/keyword_context.php?"; nocase; uricontent:"urlContext=http"; nocase; reference:url,www.offeroptimizer.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001341; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Offer_Optimizer; sid: 2001341; rev:9;)
+#139 ocurrences
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Likely Rogue Antivirus Download - ws.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/install/ws.exe"; nocase; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010051; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010051; rev:3;)
 
-#by Will Metcalf
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OneStepSearch Host Activity"; flow: to_server,established; content:"GET "; depth:4; content:"|0d0a|host\: upgrade.onestepsearch.net"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007855; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Onestepsearch; sid:2007855; rev:2;)
+#105 ocurrences
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Likely Rogue Antivirus Download - ws.zip"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/install/ws.zip"; nocase; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010052; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010052; rev:3;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OutBlaze.com Spyware Activity"; flow: to_server,established; uricontent:"/scripts/adpopper/webservice.main"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002044; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Outblaze.com; sid: 2002044; rev:4;)
+#139 ocurrences
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TROJAN Likely FakeRean Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/installer/InstallerClean.exe"; nocase; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010053; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010053; rev:3;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Outerinfo.com Spyware Install"; flow: to_server,established; uricontent:"/ctxad-"; nocase; pcre:"/ctxad-\d+\.sig/Ui"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001495; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Outerinfo.com; sid: 2001495; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Outerinfo.com Spyware Advertising Campaign Download"; flow: to_server,established; uricontent:"/campaigns"; nocase; content:"outerinfo.com"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001496; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Outerinfo.com; sid: 2001496; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Outerinfo.com Spyware Activity"; flow: to_server,established; content:"Host\: campaigns.outerinfo.com"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001497; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Outerinfo.com; sid: 2001497; rev:5;)
+#117
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TROJAN Likely TDSS Download (codec.exe)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/codec.exe"; nocase; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010054; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010054; rev:4;)
 
-#Matt jonkman, from spywarelp data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Outerinfo.com Spyware Checkin"; flow: to_server,established; uricontent:"/notify.php?"; nocase; uricontent:"pid="; nocase; uricontent:"&module="; nocase; uricontent:"&v="; nocase; uricontent:"&result="; nocase; uricontent:"&message="; nocase; content:"outerinfo.com"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003426; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Outerinfo.com; sid: 2003426; rev:3;)
+#107
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TROJAN Likely TDSS Download (pcdef.exe)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/pcdef.exe"; nocase; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010055; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010055; rev:3;)
 
-#Submitted by Chris Norton
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Overpro Spyware Bundle Install"; flow: to_server,established; content:"Host\: download.overpro.com"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/WildApp\.cab/i"; reference:url,www.wildarcade.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001444; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Overpro; sid: 2001444; rev:9;)
+#93 ocurrences
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TROJAN Likely TDSS Download (197.exe)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/codec/197.exe"; nocase; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010056; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010056; rev:3;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Overpro Spyware Games"; flow: to_server,established; uricontent:"/blocks/blasterblocks"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001459; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Overpro; sid: 2001459; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Overpro Spyware Install Report"; flow: to_server,established; uricontent:"/processInstall.aspx"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002017; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Overpro; sid: 2002017; rev:6;)
+#91 ocurrences
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Likely Rogue Antivirus Download - installpv.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/installpv.exe"; nocase; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010057; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010057; rev:3;)
 
-#by jeremy at sudosecure
-# ref: 48ba8bfecf840fc9a5f8ff2e225452a7
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EMO/PCPrivacyCleaner Rougue Secuirty App GET Checkin"; flow:established,to_server; content:"GET "; depth:4; uricontent:"action="; nocase; uricontent:"addt="; nocase; uricontent:"pc|5F|id="; nocase; uricontent:"abbr="; nocase; reference:url,www.spywaresignatures.com/details/pcprivacycleaner.pdf; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008456; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_PCPrivacycleaner; sid:2008456; rev:3;)
+#70 ocurrences
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Likely Unknown Trojan Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/softwarefortubeview.40009.exe"; nocase; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010058; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010058; rev:3;)
 
-#Matt Jonkman from Spyware Listening Post Data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Pacimedia Spyware 1"; flow:to_server,established; uricontent:"/mcp/mcp.cgi"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002083; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Pacimedia; sid:2002083; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Pacimedia Spyware 2"; flow: to_server,established; uricontent:"/xml/check.php?"; nocase; uricontent:"u="; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002194; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Pacimedia; sid: 2002194; rev:6;)
+#56 ocurrences
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TROJAN Likely Unknown Trojan Infostealer Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/crack.45000.exe"; nocase; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010059; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010059; rev:3;)
 
-#lovely fake av package at pcdoc.co.kr
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PCDoc.co.kr Fake AV User-Agent (PCDoc11)"; flow:established,to_server; content:"|0d 0a|User-Agent\: PCDoc"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007786; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Pcdoc.co.kr; sid:2007786; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PCDoc.co.kr Fake AV User-Agent (mypcdoctor)"; flow:established,to_server; content:"|0d 0a|User-Agent\: mypcdoc"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007804; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Pcdoc.co.kr; sid:2007804; rev:2;)
+#51 ocurrences
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED TROJAN Likely Possible Rogue A/V Win32/FakeXPA Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/Soft_21.exe"; nocase; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010060; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010060; rev:3;)
 
-#Submitted by Chris Norton
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PeopleOnPage Install"; flow: to_server,established; uricontent:"/install/pop"; nocase; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001445; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_PeopleonPage; sid: 2001445; rev:10;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PeopleOnPage Ping"; flow: to_server,established; content:"Host\: srv.peopleonpage.com"; nocase; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/s\/l\/firstping/i"; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001446; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_PeopleonPage; sid: 2001446; rev:8;)
+#47 ocurrences
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Likely Rogue Antivirus Download - InternetAntivirusPro.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/InternetAntivirusPro.exe"; nocase; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010061; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010061; rev:4;)
 
-# by: Jeremy Conway at sudosecure.net
-# ref: a9036ae5d9bb8e3c53d5e0126d448d1d
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware PlusDream - GET Config Download/Update"; flow:established,to_server; content:"GET "; depth:4; uricontent:".php?kind="; nocase; uricontent:"&pid="; nocase; uricontent:"&ver="; nocase; uricontent:"&addresses="; nocase; uricontent:"&hdmacid="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009712; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_PlusDream; sid:2009712; rev:2;)
+#30 ocurrences
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Likely Rogue Antivirus Download - AntivirusPlus.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/AntivirusPlus.exe"; nocase; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010062; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010062; rev:4;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Popuptraffic.com Bot Reporting"; flow: to_server,established; uricontent:"/scripts/click.php?"; nocase; uricontent:"hid="; reference:url,popuptraffic.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000577; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Popuptraffic.com_Reporting; sid: 2000577; rev:8;)
+#by evilghost 11/2/09
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential exploit redirect, in.cgi pepsi"; flow:established,to_server; content:"ts/in.cgi?pepsi"; nocase; http_uri; pcre:"/ts\/in\.cgi\?pepsi\d+/Ui"; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010222; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010222; rev:5;)
 
-#By Matt Jonkman from spyware listening post data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Privacyprotector.com Fake Anti-Spyware Install"; flow: to_server,established; uricontent:"/privacyprotectorfreesetup.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003547; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Privacyprotector.com; sid: 2003547; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Privacyprotector.com Fake Anti-Spyware Checkin"; flow: to_server,established; uricontent:"/?action="; nocase; uricontent:"&type="; nocase; uricontent:"&pc_id="; nocase; uricontent:"&abbr="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003548; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Privacyprotector.com; sid: 2003548; rev:3;)
+#matt jonkman
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, flash-HQ-plugin.40000.exe"; flow:established,to_server; content:"flash-"; http_uri; nocase; content:"-plugin"; http_uri; nocase; content:".exe"; nocase; http_uri; pcre:"/flash-[\w-]{0,3}plugin.\d+\.exe/Ui"; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010440; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010440; rev:4;)
 
-#storageguardsoft.com also related, same installer, similar hosts
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AVSystemcare.com.com Fake Anti-Virus Product"; flow:established,to_server; uricontent:"?proto="; nocase; uricontent:"&rc="; nocase; uricontent:"&v="; nocase; uricontent:"&abbr="; nocase; uricontent:"&platform="; nocase; uricontent:"&os_version="; nocase; uricontent:"&ac="; nocase; uricontent:"&appid="; nocase; uricontent:"&em="; nocase; uricontent:"&pcid="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007664; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Privacyprotector.com; sid:2007664; rev:3;)
+#by mike cox
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, pdf exploit"; flow:established,to_server; content:"/ssp/files/annonce.pdf"; nocase; http_uri; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; reference:url,doc.emergingthreats.net/2010444; sid:2010444; rev:3;)
 
-# Submitted by John Stewart, 2/23/2005
-alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET MALWARE Pynix.dll BHO Activity"; flow: established,to_server; uricontent:"ABETTERINTERNET.EXE"; nocase; uricontent:"bho=PYNIX.DLL"; nocase; reference:url,www.pynix.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001748; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Pynix; sid: 2001748; rev:5;)
+#by mike cox
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, loadjavad.php exploit"; flow:established,to_server; content:"/ssp/loadjavad.php"; nocase; http_uri; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; reference:url,doc.emergingthreats.net/2010446; sid:2010446; rev:3;)
 
-#by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Rabio Spyware/Adware Initial Registration"; flow:established,to_server; dsize:<200; content:"POST "; depth:5; content:"|0d 0a 0d 0a|REGISTER|7c|"; pcre:"/REGISTER\x7c\d+\x7c\d+\x7c\d+\x7c\d+/"; reference:url,www.spywareguide.com/product_show.php?id=3770; reference:url,www.rabio.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007820; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Rabio; sid:2007820; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Rabio.com Related Adware/Spyware User-Agent (HTTP_CONNECT_2)"; flow:established,to_server; content:"|0d 0a|User-Agent\: HTTP_Connect_"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007821; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Rabio; sid:2007821; rev:2;)
+#by mike cox
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus (IAInstall.exe)"; flow:established,to_server; content:"/download/IAInstall.exe"; nocase; http_uri; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; reference:url,doc.emergingthreats.net/2010447; sid:2010447; rev:3;)
 
-#Updated by Jonathan Miner
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE rcprograms"; flow: to_server,established; content:"update.rcprograms.com"; nocase; reference:url,sarc.com/avcenter/venc/data/adware.rcprograms.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Rcprograms; sid: 2000024; rev:7;)
+#by mike cox
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download, trojan zbot"; flow:established,to_server; content:"/globaldirectory/updatetool.exe"; nocase; http_uri; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; reference:url,doc.emergingthreats.net/2010448; sid:2010448; rev:3;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Rdxrp.com Traffic"; flow: to_server,established; uricontent:"/rdxr020304.dat"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001311; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Rdxrp.com; sid: 2001311; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Rdxrp.com Traffic (Generic)"; flow: to_server,established; uricontent:"/rdxr"; nocase; uricontent:".dat"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001312; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Rdxrp.com; sid: 2001312; rev:5;)
+#by mike cox
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, exploit redirect"; flow:established,to_server; content:"/fkzd/2.htm"; nocase; http_uri; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; reference:url,doc.emergingthreats.net/2010449; sid:2010449; rev:3;)
 
-#they run a lot of casino online games
-#matt jonkman, re f5e2b1706a3e0e6d34e70677a6e952a6
-alert tcp $HOME_NET any -> $EXTERNAL_NET 20000 (msg:"ET MALWARE Realtimegaming.com Online Casino Spyware Gaming Checkin"; flow:established,to_server; dsize:<30; content:"|43 01 00|"; depth:4; content:"Casino"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008402; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Realtimegaming.com; sid:2008402; rev:3;)
+#by evilghost
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Fake AV GET installer.1.exe"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/installer."; http_uri; nocase; content:".exe"; http_uri; nocase; pcre:"/\/installer\.\d+\.exe/Ui"; classtype:trojan-activity; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2010452; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010452; rev:6;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Regnow.com Access"; flow: to_server,established; uricontent:"/softsell/visitor.cgi?"; nocase; uricontent:"affiliate="; nocase; reference:url,www.regnow.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001223; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Regnow.com; sid: 2001223; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Regnow.com Gamehouse.com Access"; flow: to_server,established; uricontent:"/affiliates/template.jsp?"; nocase; uricontent:"AID="; nocase; reference:url,www.gamehouse.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001224; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Regnow.com; sid: 2001224; rev:7;)
+#by evilghost
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Fake AV GET installer_1.exe"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/installer_"; nocase; http_uri; content:".exe"; nocase; http_uri; pcre:"/\/installer_\d+\.exe/Ui"; classtype:trojan-activity; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2010453; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010453; rev:5;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Salongas Infection"; flow: to_server,established; uricontent:"/sp.htm?id="; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000601; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Salongas; sid: 2000601; rev:5;)
+#by evilghost
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Fake AV Download (download/install.php)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"download/install.php"; http_uri; pcre:"/\x0d\x0aHost\: [a-z\x2e]+(security|virus|pro|anti|scan|mypc|total|protect|check|guard|defend)/i"; classtype:trojan-activity; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2009-December/004891.html; reference:url,malwareurl.com; reference:url,www.malwaredomainlist.com; reference:url,doc.emergingthreats.net/2010465; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010465; rev:3;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Search Relevancy Spyware"; flow: established,to_server; uricontent:"/SearchRelevancy/SearchRelevancy.dll"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.relevancy.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001696; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SearchRelevancy; sid: 2001696; rev:8;)
+#by mike cox
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malwareurl.com - potential oficla download (annonce.pdf)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ssp/files/annonce.pdf"; nocase; http_uri; pcre:"/\/ssp\/files\/annonce\.pdf$/Ui"; classtype:trojan-activity; reference:url,www.malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; reference:url,doc.emergingthreats.net/2010532; sid:2010532; rev:3;)
 
-#By Matt Jonkman from Listening Post Data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 1"; flow: to_server,established; uricontent:"/rd/Clk.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002296; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchfeed.com; sid: 2002296; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 2"; flow: to_server,established; uricontent:"/rd/feed/TextFeed.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002297; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchfeed.com; sid: 2002297; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 3"; flow: to_server,established; uricontent:"/rd/feed/XMLFeed.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002298; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchfeed.com; sid: 2002298; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 4"; flow: to_server,established; uricontent:"/rd/feed/JavaScriptFeed.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002299; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchfeed.com; sid: 2002299; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 5"; flow: to_server,established; uricontent:"/rd/feed/JavaScriptFeedSE.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002300; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchfeed.com; sid: 2002300; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 6"; flow: to_server,established; uricontent:"/rd/SearchResults.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002301; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchfeed.com; sid: 2002301; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 7"; flow: to_server,established; uricontent:"/rd/jsp/BidRank/index.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002302; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchfeed.com; sid: 2002302; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 8"; flow: to_server,established; uricontent:"/SFToolBar.html"; reference:url,www.searchfeed.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002303; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchfeed.com; sid: 2002303; rev:4;)
+#by mike cox
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malwareurl.com - potential oficla download (loadjavad.php)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ssp/loadjavad.php"; nocase; http_uri; pcre:"/\/ssp\/loadjavad\.php$/Ui"; classtype:trojan-activity; reference:url,www.malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; reference:url,doc.emergingthreats.net/2010534; sid:2010534; rev:3;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Install (toolbar)"; flow: to_server,established; uricontent:"/dkprogs/toolbar.txt"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001473; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmeup; sid: 2001473; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Install (prog)"; flow: to_server,established; uricontent:"/dkprogs/dktibs.php"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001474; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmeup; sid: 2001474; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Receiving Commands"; flow: to_server,established; uricontent:"/xpsystem/commands.ini"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001475; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmeup; sid: 2001475; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Install (systime)"; flow: to_server,established; uricontent:"/dkprogs/systime.txt"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001480; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmeup; sid: 2001480; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Install (mstask)"; flow: to_server,established; uricontent:"/dkprogs/mstasks3.txt"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001483; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmeup; sid: 2001483; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Install (d.exe)"; flow: to_server,established; uricontent:"/x30/d.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001484; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmeup; sid: 2001484; rev:7;)
+#by waldo kitty
+#149 occurances
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Likely Rogue Antivirus Download - Setup_2005.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/download/Setup_"; nocase; http_uri; content:".exe"; nocase; http_uri; pcre:"/download\x2FSetup_\d+\x2Eexe/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/xxxxxxx; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010684; rev:3;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Spyware Install (v3cab)"; flow: to_server,established; uricontent:"/cab/v3cab.cab"; reference:url,www.searchmiracle.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001540; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmiracle.com; sid: 2001540; rev:9;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Access, Likely Spyware"; flow: to_server,established; content:"Host\:"; nocase; depth: 400; content:".searchmiracle.com"; nocase; within: 35; distance: 1; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.elitebar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001532; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmiracle.com; sid: 2001532; rev:10;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Searchmiracle.com Spyware Installer silent.exe Download"; flow: from_server,established; content:"|20 28 43 29 20 32 30 30 31 2c 20 32 30 30 33 20 52 61 64 69 6d 20 50 69 63 68 61|"; reference:url,www.searchmiracle.com/silent.exe; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001533; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmiracle.com; sid: 2001533; rev:9;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Spyware Install (silent_install)"; flow: to_server,established; uricontent:"/silent_install.exe"; nocase; reference:url,www.searchmiracle.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001534; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmiracle.com; sid: 2001534; rev:11;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Spyware Install (protector.exe)"; flow: to_server,established; uricontent:"/protector.exe"; content:"Host\: install.searchmiracle.com"; nocase; reference:url,www.searchmiracle.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001535; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmiracle.com; sid: 2001535; rev:10;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Spyware Install (install)"; flow: to_server,established; uricontent:"/sideb.exe"; content:"Host\: install.searchmiracle.com"; nocase; reference:url,www.searchmiracle.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001744; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmiracle.com; sid: 2001744; rev:10;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Spyware Install - silent.exe"; flow: to_server,established; uricontent:"/silent.exe"; nocase; reference:url,www.searchmiracle.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002091; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmiracle.com; sid: 2002091; rev:5;)
+#by evilghost
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malwareurl - wywg executable download Likely Malware"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/wywg/"; nocase; http_uri; content:".exe"; nocase; http_uri; pcre:"/\/wywg\/[a-z0-9]{2,5}\/[a-z0-9]+\.exe$/Ui"; classtype:trojan-activity; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010716; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010716; rev:3;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Search Scout Related Spyware (content)"; flow: established,to_server; content:"Host\: content.searchscout.com"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.searchscout.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001650; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchscout; sid: 2001650; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Search Scout Related Spyware (results)"; flow: established,to_server; content:"Host\: results.searchscout.com"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.searchscout.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001653; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchscout; sid: 2001653; rev:6;)
+#by Mike Cox
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Unknown Malware Download Attempt"; flow:established,to_server; content:"/installer/Installer"; nocase; http_uri; content:".exe"; nocase; http_uri; pcre:"/\/\d+\/installer\/Installer(Clean)?\.exe$/Ui"; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; reference:url,doc.emergingthreats.net/2010796; sid:2010796; rev:3;)
 
-#by Matt Jonkman, from spyware LP Data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Security-updater.com Spyware Posting Data"; flow:established,to_server; uricontent:"/SA/receive_data.php3?tcpc="; content:"security-updater.com"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003576; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Security-updater.com; sid:2003576; rev:3;)
-#matt jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Seekmo.com Spyware Data Upload"; flow:established,to_server; uricontent:".aspx?"; uricontent:"eid="; uricontent:"&pkg_ver="; uricontent:"&ver="; uricontent:"&brand="; uricontent:"&mt="; uricontent:"&partid="; uricontent:"&altdid="; uricontent:"&os="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008356; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Seekmo.com; sid:2008356; rev:2;)
+#by matt jonkman, re http://www.incidents.org/diary.html?storyid=4405
+#Mass File Injection attacks
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Client Visiting Possibly Compromised Site (HaCKeD By BeLa & BodyguarD)"; flow:established,from_server; content:"HaCKeD By BeLa & BodyguarD"; fast_pattern:only; content:".js"; classtype:web-application-attack; reference:url,www.incidents.org/diary.html?storyid=4405; reference:url,doc.emergingthreats.net/bin/view/Main/2008206; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Mass_File_Injections; sid:2008206; rev:3;)
 
-#by matt jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Servicepack.kr Fake Patch Software Checkin"; flow:established,to_server; uricontent:".php?kind="; nocase; uricontent:"&ver="; nocase; uricontent:"&ver2="; nocase; uricontent:"&ver3="; nocase; uricontent:"&pid="; nocase; uricontent:"&supportid="; nocase; uricontent:"&uniq="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008016; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Servicepack.kr; sid:2008016; rev:2;)
+#by matt jonkman, re http://www.incidents.org/diary.html?storyid=4405
+#Mass File Injection attacks
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible File Injection Compromise (HaCKeD By BeLa & BodyguarD)"; flow:established,to_server; content:"HaCKeD By BeLa & BodyguarD"; fast_pattern:only; classtype:web-application-attack; reference:url,www.incidents.org/diary.html?storyid=4405; reference:url,doc.emergingthreats.net/bin/view/Main/2008207; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Mass_File_Injections; sid:2008207; rev:3;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sexmaniack Install Tracking"; flow: to_server,established; uricontent:"/counted.php?ref="; nocase; content:"Host\: counter.sexmaniack.com"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001460; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Sexmaniak; sid: 2001460; rev:7;)
+#by evilghost
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NACHA/Zeus Phishing Executable Download Attempt"; flow:established,to_server; content:"GET"; http_method; content:"nacha.org."; nocase; http_header; content:".exe"; nocase; http_uri; pcre:"/\x0d\x0aHost\: (www\.)?nacha\.org\./i"; classtype:trojan-activity; reference:url,garwarner.blogspot.com/2009/11/newest-zeus-nacha-electronic-payments.html; reference:url,doc.emergingthreats.net/2010342; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Nacha; sid:2010342; rev:4;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shop At Home Select.com Install Attempt"; flow: to_server,established; uricontent:"/mindset/bunsetup.cab"; nocase; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000580; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ShopAtHomeSelect; sid: 2000580; rev:7;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Shop At Home Select.com Install Download"; flow: from_server,established; content:"|ab 3b d4 97 d4 a7 b4 1d da 6e 6d 0f f4 aa 4f|"; content:"|46 b3 3b 8b 38 cc 2c 2a a4 c3 07 67 67 df 65 41|"; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000581; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ShopAtHomeSelect; sid: 2000581; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shop at Home Select Spyware Heartbeat"; flow: established,to_server; uricontent:"/s.dll?MfcISAPICommand=heartbeat&param="; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001708; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ShopAtHomeSelect; sid: 2001708; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shop at Home Select Spyware Install"; flow: established,to_server; uricontent:"/arcadecash/setup"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002037; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ShopAtHomeSelect; sid: 2002037; rev:5;)
+#by evilghost
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NeoSploit Exploit Kit Java exploit drive-by host likely infected (kav)"; flow:established,to_server; content:"/kav"; nocase; http_uri; content:"accept-encoding|3a| pack200-gzip,gzip|0d 0a|"; nocase; http_header; content:"content-type|3a| application/x-java-archive|0d 0a|"; nocase; http_header; content:!"Referer|3a| "; nocase; http_header; content:"User-Agent|3a| Mozilla"; nocase; http_header; content:" Java/"; nocase; classtype:trojan-activity; reference:url,www.malwaredomainlist.com/forums/index.php?action=printpage%3btopic=3781.0; reference:url,doc.emergingthreats.net/2010870; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Neosploit; sid:2010870; rev:9;)
 
-#matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shopnav Spyware Install"; flow: to_server,established; uricontent:"/toolbarv3.cgi?UID="; nocase; uricontent:"&version="; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.shopnav.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002000; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ShopNav; sid: 2002000; rev:5;)
+#by evilghost
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NeoSploit Exploit Kit Java exploit drive-by host likely infected (nte)"; flow:established,to_server; content:"/nte/"; nocase; http_uri; content:"accept-encoding|3a| pack200-gzip,gzip|0d 0a|"; nocase; http_header; content:"content-type|3a| application/x-java-archive|0d 0a|"; nocase; http_header; content:!"Referer|3a| "; nocase; content:"User-Agent|3a| Mozilla"; nocase; http_header; content:" Java/"; nocase; classtype:trojan-activity; reference:url,www.malwaredomainlist.com/forums/index.php?action=printpage%3btopic=3781.0; reference:url,doc.emergingthreats.net/2010871; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Neosploit; sid:2010871; rev:6;)
 
-#matt jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shopcenter.co.kr Spyware Install Report"; flow:established,to_server; uricontent:"/RewardInstall.php?mac=0"; uricontent:"&hdd="; uricontent:"&ver="; uricontent:"&ie="; uricontent:"&win="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008370; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Shopcenter.co.kr; sid:2008370; rev:2;)
+#by mike cox
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Fake AV Related CSS Download"; flow:established,from_server; file_data; content:"#hello_nod32_guys_how_u_doing"; nocase; fast_pattern; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2011670; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Nod32; sid:2011670; rev:3;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SideStep Bar Install"; flow: to_server,established; uricontent:"/servlet/sbinstservlet"; nocase; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001016; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SideStep_Bar; sid: 2001016; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SideStep Bar Reporting Data"; flow: to_server,established; uricontent:"/servlet/sblogservlet"; nocase; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001017; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SideStep_Bar; sid: 2001017; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SideStep Bar Reporting Data (sbstart)"; flow: to_server,established; uricontent:"/servlet/SbStartservlet"; nocase; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002821; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SideStep_Bar; sid: 2002821; rev:5;)
+#by Nate Hausrath
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Pinkslipbot Trojan Downloader"; flow:to_server,established; content:"/jl/jloader.pl?u="; nocase; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010742; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Pinkslipbot; sid:2010742; rev:3;)
 
-#by RPG
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Simbar Spyware User-Agent Detected"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; content:"SIMBAR="; within:150; pcre:"/User-Agent\:[^\n]+\;\sSIMBAR=/"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Simbar.a&threatid=427805; reference:url,vil.nai.com/vil/content/v_131206.htm; threshold:type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2009005; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Simbar; sid:2009005; rev:4;)
+#by Paul Dokas. Testing this out for a bit..., modified by kevin ross
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nginx Serving PDF - Possible hostile content (PDF)"; flow:established,from_server; content:"Server|3a| nginx"; http_header; content:"PDF-"; nocase; within:300; threshold:type limit, seconds 60, count 10, track by_src; classtype:bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2009076; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Possible_Malicious_PDF; sid:2009076; rev:9;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Smartpops.com Spyware Install rh.exe"; flow: to_server,established; uricontent:"/install/RH/rh.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001505; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Smartpops.com; sid: 2001505; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Smartpops.com Spyware Install"; flow: to_server,established; uricontent:"/install/SE/sed.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001516; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Smartpops.com; sid: 2001516; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Smartpops.com Spyware Update"; flow: to_server,established; uricontent:"/data/spv15.dat?v="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001513; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Smartpops.com; sid: 2001513; rev:7;)
+##Jaime Blasco Alienvault VRT
+#PSYB0T related Activity
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Psyb0t Code Download"; flow:established,to_server; content:"/udhcpc.env"; nocase; http_uri; classtype:trojan-activity; reference:url,www.adam.com.au/bogaurd/PSYB0T.pdf; reference:url,doc.emergingthreats.net/2009170; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Psybot; sid:2009170; rev:3;)
 
-#by matt jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Snoopstick.net Related Spyware User-Agent (SnoopStick Updater)"; flow:established,to_server; content:"|0d 0a|User-Agent\: SnoopStick "; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007956; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Snoopstick; sid:2007956; rev:2;)
+##Jaime Blasco Alienvault VRT
+#PSYB0T related Activity
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Psyb0t Bot Nick"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK [NIP]-"; nocase; classtype:trojan-activity; reference:url,www.adam.com.au/bogaurd/PSYB0T.pdf; reference:url,doc.emergingthreats.net/2009171; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Psybot; sid:2009171; rev:3;)
 
-#by William Salusky of the ISC (www.incidents.org)
-# Details and updates available here http://handlers.sans.org/wsalusky/rants/
-#Cleanup and updates by John Pritchard
+##Jaime Blasco Alienvault VRT
+#PSYB0T related Activity
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Psyb0t joining an IRC Channel"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"JOIN #mipsel"; fast_pattern:only; classtype:trojan-activity; reference:url,www.adam.com.au/bogaurd/PSYB0T.pdf; reference:url,doc.emergingthreats.net/2009172; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Psybot; sid:2009172; rev:3;)
 
-# If you have any socks proxies being abused in your environment... The following four rules are MONEY.
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 25 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; offset:0; depth:4; content:"|00 19|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003254; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003254; rev:4;)
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 25 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; offset:0; depth:4; content:"|00 19|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003255; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003255; rev:4;)
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 25 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 19|"; offset:0; depth:4; threshold:type both, track by_src, count 2, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003256; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003256; rev:4;)
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 25 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 19|"; offset:0; depth:4; threshold:type both, track by_src, count 2, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003257; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003257; rev:4;)
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 DNS Inbound Request (Windows Source)"; dsize:10<>40; flow:established,to_server; content:"|05 01 00 03|"; offset:0; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003258; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003258; rev:4;)
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 DNS Inbound Request (Linux Source)"; dsize:10<>40; flow:established,to_server; content:"|05 01 00 03|"; offset:0; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003259; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003259; rev:4;)
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 HTTP Proxy Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; offset:0; depth:4; content:"|00 50|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003260; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003260; rev:4;)
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 HTTP Proxy Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; offset:0; depth:4; content:"|00 50|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003261; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003261; rev:4;)
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 HTTP Proxy Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 50|"; offset:0; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003262; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003262; rev:4;)
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 HTTP Proxy Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 50|"; offset:0; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003263; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003263; rev:4;)
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 443 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; offset:0; depth:4; content:"|01 bb|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003266; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003266; rev:4;)
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 443 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; offset:0; depth:4; content:"|01 bb|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003267; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003267; rev:4;)
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 443 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 01 bb|"; offset:0; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003268; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003268; rev:4;)
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 443 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 01 bb|"; offset:0; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003269; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003269; rev:4;)
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 5190 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; offset:0; depth:4; content:"|14 46|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003270; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003270; rev:4;)
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 5190 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; offset:0; depth:4; content:"|14 46|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003271; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003271; rev:4;)
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 5190 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 14 46|"; offset:0; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003272; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003272; rev:4;)
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 5190 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 14 46|"; offset:0; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003273; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003273; rev:4;)
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 1863 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; offset:0; depth:4; content:"|07 47|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003274; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003274; rev:4;)
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 1863 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; offset:0; depth:4; content:"|07 47|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003275; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003275; rev:4;)
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 1863 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 07 47|"; offset:0; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003276; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003276; rev:4;)
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 1863 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 07 47|"; offset:0; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003277; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003277; rev:4;)
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 5050 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; offset:0; depth:4; content:"|13 ba|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003278; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003278; rev:4;)
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 5050 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; offset:0; depth:4; content:"|13 ba|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003279; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003279; rev:4;)
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 5050 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 13 ba|"; offset:0; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003280; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003280; rev:4;)
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 5050 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 13 ba|"; offset:0; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003281; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003281; rev:4;)
-
-
-# The following rules open ended arbitrary Socks4 detection of ANY port being proxied. I run this only on occasion when looking for sketchy new activity. A better rule would do byte tests to exclude common target ports of 25, 80 etc...
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Inbound Connect Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01|"; offset:0; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003282; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003282; rev:4;)
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Inbound Connect Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01|"; offset:0 ; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003283; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003283; rev:4;)
-
-# Another case of rules that fire according to RFC standards, but I haven't really witnessed this type of traffic to confirm.
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 IPv6 Inbound Connect Request (Windows Source)"; dsize:10<>23; flow:established,to_server; content:"|05 01 00 04|"; offset:0; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003284; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003284; rev:4;)
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 IPv6 Inbound Connect Request (Linux Source)"; dsize:10<>23; flow:established,to_server; content:"|05 01 00 04|"; offset:0; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003285; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003285; rev:4;)
-
-# Another case of rules that fire according to RFC standards, but I haven't really witnessed this type of traffic to confirm.
-alert udp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Windows Source)"; content:"|00 00|"; offset:0; depth:2; content:"|01|"; offset:3; depth:1; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003286; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003286; rev:5;)
-alert udp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Linux Source)"; content:"|00 00|"; offset:0; depth:2; content:"|01|"; offset:3; depth:1; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003287; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003287; rev:4;)
-
-# I keep these mostly commented, while they are correct according to RFC for BIND actions, in practice I've found only FP's which I still need to dig through and see what's really going on there.
-#alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Bind Inbound (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 02|"; offset:0; depth:2; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003288; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003288; rev:4;)
-#alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Bind Inbound (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 02|"; offset:0 ; depth:2; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003289; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003289; rev:4;)
-#alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Bind Inbound (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 02 00 01|"; offset:0; depth:4; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003290; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003290; rev:4;)
-#alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Bind Inbound (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 02 00 01|"; offset:0; depth:4; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003291; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003291; rev:4;)
+#by Jeffrey Brown. re 308c6885573ce652bab37c739f52cb19
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS New Malware Information Post"; flow:to_server,established; content:"POST"; nocase; http_method; content:"Pragma|3a| no-cache"; http_header; content:"|C9 78 C7 02 69 06 7E 34 78 17|"; depth:18; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009092; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Rusibank.com; sid:2009092; rev:6;)
 
+#by evilghost
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TROJAN SEO HTTP REFERER landing capture rewrite, likely Fake AV"; flow:established,to_server; content:"GET"; nocase; http_method; content:"Referer|3a| "; nocase; http_header; content:"search?"; nocase; http_header; content:"q="; nocase; http_header; content:".com"; nocase; http_uri; pcre:"/\/[a-z]+\/[a-z0-9]{120,}\/[a-z0-9]+\/.+\.com$/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2011066; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SEO_FakeAV; sid:2011066; rev:5;)
 
-#matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Soft-Show.cn Related Fake AV Install"; flow:established,to_server; uricontent:"/setup/setup.asp?id="; nocase; uricontent:"&pcid="; nocase; uricontent:"&ver="; nocase; uricontent:"&taday="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008135; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Soft-show.cn; sid:2008135; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Soft-Show.cn Related Fake AV Install Ad Pull"; flow:established,to_server; uricontent:"/setup/adClick.asp?Id="; nocase; uricontent:"&WebId="; nocase; uricontent:"&sDate="; nocase; uricontent:"&ver="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008148; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Soft-show.cn; sid:2008148; rev:2;)
+#by Michael Sconzo of ERCOT
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Iframe in Purported Image Download (jpeg) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"content-type|3a| "; nocase; http_header; content:" image/jpeg"; nocase; http_header; file_data; content:"<iframe"; nocase; pcre:"/content-type\:\s+image\/jpeg/im"; pcre:"/<iframe.*?src.*?>.*?<\/iframe>/im"; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2008313; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; sid:2008313; rev:5;)
 
-#by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Softcashier.com Spyware Install Checkin"; flow:established,to_server; uricontent:".php?wmid="; nocase; uricontent:"&subid="; nocase; uricontent:"&pid="; nocase; uricontent:"&lid="; nocase; uricontent:"&hs="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007861; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Softcashier; sid:2007861; rev:2;)
+#by Michael Sconzo of ERCOT
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Iframe in Purported Image Download (gif) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"content-type|3a| "; nocase; http_header; content:" image/gif"; nocase; http_header; file_data; content:"<iframe"; nocase; pcre:"/content-type\:\s+image\/gif/im"; pcre:"/<iframe.*?src.*?>.*?<\/iframe>/im"; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2008314; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; sid:2008314; rev:5;)
 
-#another fake antispyware package, by matt jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Softspydelete.com Fake Anti-Spyware Checkin"; flow:established,to_server; uricontent:".php?"; nocase; uricontent:"a1="; nocase; uricontent:"&a2="; nocase; uricontent:"&a3="; nocase; uricontent:"Windows%20version%20is"; nocase; uricontent:"&a4=Build"; nocase; uricontent:"&a5="; nocase; uricontent:"&table="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007842; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Softspydelete.com; sid:2007842; rev:2;)
+#by Michael Sconzo of ERCOT
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Iframe in Purported Image Download (png) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"content-type|3a| "; nocase; http_header; content:" image/png"; nocase; http_header; file_data; content:"<iframe"; nocase; pcre:"/content-type\:\s+image\/png/im"; pcre:"/<iframe.*?src.*?>.*?<\/iframe>/im"; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2008315; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; sid:2008315; rev:5;)
 
-#by matt Jonkman, from the sandnet
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Softwarereferral.com Adware Checkin"; flow:established,to_server; uricontent:"wmid="; nocase; uricontent:"&mid="; nocase; uricontent:"&lid="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007696; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Softwarereferral.com; sid:2007696; rev:3;)
+#Greg Martin
+#disabling, needs deleting in june or so 2010
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED ASPROX Infected Site - ngg.js Request"; flow:established,to_server; content:"/ngg.js"; nocase; http_uri; content:!"nextgen-gallery"; nocase; classtype:trojan-activity; reference:url,infosec20.blogspot.com/; reference:url,doc.emergingthreats.net/bin/view/Main/2008373; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; sid:2008373; rev:5;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Likely Spambot Web-based Control Traffic"; flow: to_server,established; content:"User-Agent\: Godzilla"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001711; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spambots; sid: 2001711; rev:6;)
+#by Jack Pepper
+#
+#alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/ngg.js)"; flow:established,from_server; content:"<script src=http|3a|//"; nocase; content:!"nextgen-gallery"; nocase; within:15; content:"/ngg.js>"; nocase; within:50; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008387; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; reference:url,infosec20.blogspot.com/2008/07/asprox-payload-morphed.html; sid:2008387; rev:6;)
 
-# The following rule assists in the identification of spam when SMTP 220
-# responses are seen egressing your network from unusual src ports.
-# You may want to consider tagging a number of following packets.
-#alert tcp $HOME_NET !21:587 -> any any (msg:"ET MALWARE Spambot Suspicious 220 Banner on Local Port"; flow: established; content:"220 "; offset: 0; depth: 4; tag: session, 20, packets; classtype: non-standard-protocol; reference:url,doc.emergingthreats.net/bin/view/Main/2001815; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spambots; sid: 2001815; rev:8;)
+#by Jack Pepper
+#
+#alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/b.js)"; flow:established,from_server; file_data; content:"<script src=http|3a|//"; nocase; content:"/b.js>"; nocase; within:50; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008388; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; sid:2008388; rev:6;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spambot Checking in to Spam"; flow:established,to_server; uricontent:"/devrandom/"; nocase; content:"dev"; nocase; content:!"User-Agent\:"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002988; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spambots; sid:2002988; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spambot Pulling IP List to Spam"; flow:established,to_server; uricontent:"/devrandom/access.php"; nocase; content:"User-Agent\: Mozilla/4.0  (compatible)"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002990; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spambots; sid:2002990; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spambot getting new exe url"; flow:established,to_server; uricontent:"404.txt"; nocase; content:"404"; content:!"User-Agent\:"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002989; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spambots; sid:2002989; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spambot getting new exe"; flow:established,to_server; uricontent:"/traff/ppiigg.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002991; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spambots; sid:2002991; rev:4;)
+#by sp0ok3r
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Skype Easybits Extras Manager - Exploit"; flow:established,from_server; content:"gygte"; nocase; content:"gygte"; nocase; distance:0; classtype:trojan-activity; reference:url,www.m86security.com/labs/traceitem.asp?article=1347; reference:url,doc.emergingthreats.net/2011680; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Skype; sid:2011680; rev:4;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Specificclick.net Spyware Activity"; flow: to_server,established; uricontent:"/adopt.sm?"; nocase; uricontent:"l="; nocase; uricontent:"&sz="; nocase; uricontent:"&redir="; nocase; uricontent:"&nmv="; nocase; uricontent:"&nrsz="; nocase; uricontent:"&r="; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2003450; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Specificclick.net; sid: 2003450; rev:3;)
+#by Pedro Marinho, re 58816f781154bda381fdcb1e3fab7bdd
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unnamed - kuaiche.com related"; flow:established,to_server; content:"GET"; http_method; content:"/config/fgun_install_"; http_uri; content:"User-Agent|3a| NSI SDL/1.2 (Mozilla)"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008359; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan; sid:2008359; rev:5;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Speedera Agent"; flow: to_server,established; uricontent:"/io/downloads"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001320; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Speedera; sid: 2001320; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Speedera Agent (Specific)"; flow: to_server,established; uricontent:"/io/downloads/3/wsem302.dl"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001321; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Speedera; sid: 2001321; rev:5;)
+#different trojan, by marcus at unsober
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Keylogger checkin"; flow:established; content:"GET"; http_method; content:"?mail="; http_uri; content:"subject=Keylogger";  fast_pattern:only; http_uri; content:"&body="; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)"; http_header; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008368; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan; sid:2008368; rev:5;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spy-Not.com Spyware Updating"; flow:to_server,established; uricontent:"/updates1/SKVersion.ini"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003377; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spy-not.com; sid:2003377; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spy-Not.com Spyware Pulling Fake Sigs"; flow:to_server,established; uricontent:"/updates1/SKSignatures.zip"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003375; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spy-not.com; sid:2003375; rev:3;)
+#Unknown handshake over SMTP discovered by Thierry Chich and reported on mail list. Added by Frank Knobbe 2008-09-17.
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Suspicious SMTP handshake outbound"; flow:established,to_server; content:"001 RUTHERE"; depth:11; classtype:unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2008562; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan; sid:2008562; rev:3;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpySherriff Spyware Activity"; flow: to_server,established; uricontent:"/progs_exe/jbsrak/"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002984; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SpySherriff; sid: 2002984; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Jupitersatellites.biz Spyware Download"; flow: to_server,established; uricontent:"/traff/ppiigg.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002987; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SpySherriff; sid: 2002987; rev:4;)
+#Unknown handshake over SMTP discovered by Thierry Chich and reported on mail list. Added by Frank Knobbe 2008-09-17.
+#
+#alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET TROJAN Suspicious SMTP handshake reply"; flow:established,from_server; content:"701 IMHERE"; depth:10; classtype:unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2008563; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan; sid:2008563; rev:3;)
 
-#by Mr Magic Pants
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpySheriff Intial Phone Home"; flow:established,to_server; uricontent:"trial.php?rest="; nocase; uricontent:"&ver="; nocase; uricontent:"&a="; nocase; content:"trial.php"; nocase; content:!"User-Agent\: "; classtype:trojan-activity; reference:url,vil.nai.com/vil/content/v_135033.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2003251; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SpySherriff; sid:2003251; rev:4;)
+#by Victor Julien
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Unknown Keepalive out"; flow:established,to_server; dsize:5; content:"|17 24 1B 00 00|"; fast_pattern:only; flowbits:isnotset,ET.teamviewerkeepaliveout; flowbits:set,ET.unknownkeepaliveup; flowbits:noalert; classtype:unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2008779; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan3; sid:2008779; rev:5;)
 
-#by Matt Jonkman, from sandnet analysis
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpyShredder Fake Anti-Spyware Install Download"; flow:established,to_server; uricontent:"&advid="; nocase; uricontent:"&u="; nocase; uricontent:"&p="; nocase; uricontent:"?=______"; uricontent:"&vs="; nocase; uricontent:"&YZYYYYYYYYYYYYYYYYYYYYYYYYYY"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007593; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SpyShredder; sid:2007593; rev:3;)
+#by Victor Julien
+#
+##alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET DELETED Unknown Keepalive in"; flow:established,to_client; dsize:5; content:"|17 24 1B 00 00|"; fast_pattern:only; flowbits:isnotset,ET.teamviewerkeepaliveout; flowbits:isset,ET.unknownkeepaliveup; classtype:unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2008780; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan3; sid:2008780; rev:5;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyaxe Spyware DB Update"; flow: to_server,established; uricontent:"/updates/database/dbver.php"; nocase; content:"spywareaxe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002804; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spyaxe; sid: 2002804; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyaxe Spyware DB Version Check"; flow: to_server,established; uricontent:"/updates/database/dbver.dat"; nocase; content:"spywareaxe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002805; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spyaxe; sid: 2002805; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyaxe Spyware Checkin"; flow: to_server,established; uricontent:"/download.php?sid="; nocase; content:"spyaxe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002806; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spyaxe; sid: 2002806; rev:4;)
+#by David Wharton
+#
+alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Windows Help Center Arbitrary Command Execution Exploit Attempt"; flow:established,from_server; file_data; content:"hcp|3a|//"; nocase; distance:0; content:"<script "; nocase; distance:0; content:"defer"; nocase; distance:0; content:"unescape"; nocase; distance:0; pcre:"/src\s*=\s*[\x22\x27]?hcp\x3a\x2f\x2F[^\n]*<script\s*defer[^\n]*unescape/i"; classtype:misc-attack; reference:url,www.exploit-db.com/exploits/13808/; reference:url,doc.emergingthreats.net/2011173; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_WinHelp; sid:2011173; rev:8;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spygalaxy.ws Activity"; flow: to_server,established; uricontent:"/install.php?id="; nocase; content:"Host\: spygalaxy.ws"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001489; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spygalaxy.ws; sid: 2001489; rev:6;)
+#by evilghost
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Executable requested from /wp-content/languages"; flow:established,to_server; content:"/wp-content/languages/"; nocase; http_uri; content:".exe"; nocase; http_uri; classtype:trojan-activity; reference:url,www.malewareurl.com; reference:url,doc.emergingthreats.net/2011220; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Wordpress; sid:2011220; rev:3;)
 
-#from sandnet data
-#by matt jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spylog.ru Related Spyware Checkin"; flow:established,to_server; uricontent:"/cnt?"; nocase; uricontent:"cid="; nocase; uricontent:"&p="; nocase; uricontent:"&rn="; nocase; uricontent:"&c="; nocase; uricontent:"&tl="; nocase; uricontent:"&ls="; nocase; uricontent:"&ln="; nocase; uricontent:"&t="; nocase; uricontent:"&j="; nocase; uricontent:"&wh="; nocase; uricontent:"&px="; nocase; uricontent:"&sl="; nocase; uricontent:"&r="; nocase; uricontent:"&fr="; nocase; uricontent:"&pg="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007649; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spylog; sid:2007649; rev:3;)
+#by jerry
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zbot update (av-i386-daily.zip)"; flow:established,to_server; content:"av_base/av-i386-daily.zip"; nocase; http_uri; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=06e69bfb6fffa17c4fc1e23af71b345c; reference:url,doc.emergingthreats.net/2010565; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zeus; sid:2010568; rev:4;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyspotter.com Install"; flow: to_server,established; uricontent:"/SpySpotterInstall.cab"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001536; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spyspotter.com; sid: 2001536; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyspotter.com Access"; flow: to_server,established; content:"Host\: "; depth:200; content:"spyspotter.com|0d 0a|"; nocase; distance:0; within:30; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001537; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spyspotter.com; sid: 2001537; rev:12;)
+#by jerry
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zbot update (av_base/pay.php)"; flow:established,to_server; content:"av_base/pay.php"; nocase; http_uri; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=06e69bfb6fffa17c4fc1e23af71b345c; reference:url,doc.emergingthreats.net/2010566; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zeus; sid:2010566; rev:4;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpywareLabs VirtualBouncer Seeking Instructions"; flow: to_server,established; content:"instructions"; nocase; pcre:"/instructions\/\d{2}\.xml/mi"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.virtualbouncer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000587; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spywarelabs_VirtualBouncer; sid: 2000587; rev:9;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpywareLabs Application Install"; flow: to_server,established; uricontent:"/DistID/BaseInstalls/V"; nocase; content:"User-Agent\:"; nocase; content:"Wise"; within:120; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001522; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spywarelabs_VirtualBouncer; sid: 2001522; rev:8;)
+#by jerry
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zbot update (av_base/ip.php)"; flow:established,to_server; content:"av_base/ip.php"; nocase; http_uri; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=06e69bfb6fffa17c4fc1e23af71b345c; reference:url,doc.emergingthreats.net/2010567; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zeus; sid:2010567; rev:4;)
 
-#by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware Stormer Reporting Data"; flow: established,to_server; uricontent:"/showme.aspx?keyword="; nocase; content:"ecomdata1="; nocase; reference:url,www.spywarestormer.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001570; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spywarestormer; sid: 2001570; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware Stormer/Error Guard Activity"; flow: established,to_server; uricontent:"/sell.cgi?errorguard/1/errorguard"; nocase; reference:url,www.spywarestormer.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001571; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spywarestormer; sid: 2001571; rev:7;)
+#by spooker
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zeus Bot / Zbot Checkin (/us01d/in.php)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/us01d/in.php"; nocase; http_uri; classtype:trojan-activity; reference:url,garwarner.blogspot.com/2010/01/american-bankers-association-version-of.html; reference:url,doc.emergingthreats.net/2010729; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zeus; sid:2010729; rev:5;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Statblaster Receiving New configuration (update)"; flow: to_server,established; uricontent:"/updatestats/update"; nocase; uricontent:".xml"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001225; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Statblaster; sid: 2001225; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Statblaster Receiving New configuration (allfiles)"; flow: to_server,established; uricontent:"/updatestats/all_files"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001523; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Statblaster; sid: 2001523; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Statblaster Code Download"; flow: to_server,established; uricontent:"/updatestats/"; nocase; uricontent:".exe"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001524; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Statblaster; sid: 2001524; rev:6;)
+#by anon 4
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download 1"; flow:established,to_server; content:"GET"; http_method; content:"/perce/"; nocase; http_uri; content:"/qwerce.gif"; nocase; http_uri; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html; reference:url,doc.emergingthreats.net/2010231; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts; sid:2010231; rev:7;)
 
-#Submitted by Chris Norton
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Statblaster.MemoryWatcher Download"; flow: to_server,established; uricontent:"/memorywatcher.exe"; reference:url,www.memorywatcher.com/eula.aspx; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001442; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Statblaster; sid: 2001442; rev:9;)
+#by anon 4
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download 2"; flow:established,to_server; content:"GET"; http_method; content:"/werber/"; nocase; http_uri; content:"/217.gif"; nocase; http_uri; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html; reference:url,doc.emergingthreats.net/2010232; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts; sid:2010232; rev:7;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfSidekick Activity"; flow: established,to_server; uricontent:"/Bundling/SskUpdater"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001731; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SurfSidekick; sid: 2001731; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfSidekick Download"; flow: established,to_server; uricontent:"/requestimpression.aspx?ver="; nocase; content:"host="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001992; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SurfSidekick; sid: 2001992; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfSidekick Activity (ipixel)"; flow: established,to_server; uricontent:"/ipixel.htm?cid="; nocase; content:"&pck_id="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001994; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SurfSidekick; sid: 2001994; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfSidekick Activity (rinfo)"; flow: established,to_server; uricontent:"/rinfo.htm?"; nocase; uricontent:"host="; nocase; uricontent:"action="; nocase; uricontent:"client=SSK"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002738; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SurfSidekick; sid: 2002738; rev:3;)
+#by anon 4
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download 3"; flow:established,to_server; content:"GET"; http_method; content:"/item/"; nocase; http_uri; content:"/titem.gif"; nocase; http_uri; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html; reference:url,doc.emergingthreats.net/2010233; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts; sid:2010233; rev:6;)
 
-#By Matt Jonkman from spywarelp data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfAccuracy.com Spyware Updating"; flow:to_server,established; uricontent:"/sacc/sacc.cfg.php?"; nocase; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-062716-0109-99; reference:url,doc.emergingthreats.net/bin/view/Main/2003390; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Surfaccuracy.com; sid:2003390; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfAccuracy.com Spyware Pulling Ads"; flow:to_server,established; uricontent:"/sacc/popup.php"; nocase; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-062716-0109-99; reference:url,doc.emergingthreats.net/bin/view/Main/2003391; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Surfaccuracy.com; sid:2003391; rev:3;)
+#by anon 4
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 1"; flow:established,to_server; content:"POST"; http_method; content:"/senm.php?data="; nocase; http_uri; content:"data="; nocase; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,www.threatexpert.com/report.aspx?md5=7ca709f154e6abc678fbc4df8a3256b6; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,doc.emergingthreats.net/2010234; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts; sid:2010234; rev:6;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfAssistant.com Spyware Install"; flow: to_server,established; uricontent:"/distribution/questmod-1.dll"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001510; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Surfassistant.com; sid: 2001510; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfAssistant.com Spyware Reporting"; flow: to_server,established; uricontent:"/sa/?a="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001514; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Surfassistant.com; sid: 2001514; rev:8;)
+#by anon 4
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 2"; flow:established,to_server; content:"POST"; http_method; content:"/perce/"; nocase; http_uri; content:"/qwerce.gif"; nocase; http_uri; content:"data="; nocase; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,doc.emergingthreats.net/2010235; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts; sid:2010235; rev:6;)
 
-#fake av, sig by matt jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE System-defender.com Fake AV Install Checkin"; flow:established,to_server; uricontent:"?wmid="; nocase; uricontent:"&mid="; nocase; uricontent:"&lndid="; nocase; classtype:trojan-activity; reference:url,www.system-defender.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007856; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_System-defender.com; sid:2007856; rev:2;)
+#by anon 4
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 3"; flow:established,to_server; content:"POST"; http_method; content:"/werber/"; nocase; http_uri; content:"/217.gif"; nocase; http_uri; content:"data="; nocase; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,doc.emergingthreats.net/2010236; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts; sid:2010236; rev:6;)
 
-#fake av package, sigs by matt jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SysVenFak Fake AV Package User-Agent (gh2008)"; flow:established,to_server; content:"|0d 0a|User-Agent\: gh20"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007944; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Sysvenfak; sid:2007944; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SysVenFak Fake AV Package Victim Checkin (victim.php)"; flow:established,to_server; uricontent:"/victim.php?"; pcre:"/victim\.php\?\d\d\d\d\d/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007945; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Sysvenfak; sid:2007945; rev:2;)
+#by anon 4
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 4"; flow:established,to_server; content:"POST"; http_method; content:"/item/"; nocase; http_uri; content:"/titem.gif"; nocase; http_uri; content:"data="; nocase; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,doc.emergingthreats.net/2010237; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts; sid:2010237; rev:6;)
 
-#By Matt Jonkman from spyware lp data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sytes.net Related Spyware Reporting"; flow:to_server,established; uricontent:"/Reporting/admin/upload.php"; nocase; content:"POST "; depth:5; nocase; content:"sytes.net"; nocase; classtype:trojan-activity; reference:url,www.sophos.com/security/analyses/w32forbotdv.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003533; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Sytes.net; sid:2003533; rev:4;)
+#by anon 4
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 5"; flow:established,to_server; content:"POST"; http_method; content:"/report.php?data="; nocase; http_uri; content:"data="; nocase; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,doc.emergingthreats.net/2010238; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts; sid:2010238; rev:6;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TargetNetworks.net Spyware Reporting (req)"; flow: to_server,established; uricontent:"/request/req.cgi?gu="; nocase; uricontent:"&sid="; nocase; uricontent:"&kw="; nocase; reference:url,www.targetnetworks.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001997; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TargetNetworks.net; sid: 2001997; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TargetNetworks.net Spyware Reporting (tn)"; flow: to_server,established; uricontent:"/data/tn.dat?v="; nocase; uricontent:"&sid="; nocase; reference:url,www.targetnetworks.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002046; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TargetNetworks.net; sid: 2002046; rev:6;)
+#by anon 4
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 6"; flow:established,to_server; content:"POST"; http_method; content:"/arrows/"; nocase; http_uri; content:"/arrow_up.gif"; nocase; http_uri; content:"data="; nocase; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,www.threatexpert.com/report.aspx?md5=316fd88ac18d21889b1dbf9b979c1959; reference:url,doc.emergingthreats.net/2010239; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts; sid:2010239; rev:7;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE thebestsoft4u.com Spyware Install (1)"; flow: to_server,established; uricontent:"/pa/glx.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001482; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Thebestsoft4u; sid: 2001482; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE thebestsoft4u.com Spyware Install (2)"; flow: to_server,established; uricontent:"/pa/proxyrnd.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001485; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Thebestsoft4u; sid: 2001485; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE thebestsoft4u.com Spyware Install (3)"; flow: to_server,established; uricontent:"/pr.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001486; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Thebestsoft4u; sid: 2001486; rev:6;)
+#by matt jonkman
+#
+alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Infected System Looking up chr.santa-inbox.com CnC Server"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|chr|0b|santa-inbox|03|com"; nocase; fast_pattern:only; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008531; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_santa-inbox.com; sid:2008531; rev:4;)
 
-#horrendous multi-install service at theinstalls.com
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Theinstalls.com Initial Checkin"; flow:established,to_server; uricontent:"/plist.php?uid="; content:"|0d 0a|Host\: "; content:"theinstalls.com|0d 0a|"; within:23; classtype:trojan-activity; reference:url,www.theinstalls.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007788; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Theinstalls.com; sid:2007788; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Theinstalls.com Trojan Download"; flow:established,to_server; uricontent:"/files/programs/"; content:"|0d 0a|Host\: "; content:"theinstalls.com|0d 0a|"; within:23; classtype:trojan-activity; reference:url,www.theinstalls.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007798; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Theinstalls.com; sid:2007798; rev:2;)
+#Submitted by Cody Hatch
+#
+alert udp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"ET DOS Cisco 514 UDP flood DoS"; content:"|25 25 25 25 25 58 58 25 25 25 25 25|"; fast_pattern:only; classtype: attempted-dos; reference:url,www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000010; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_514_UDP_DoS; sid:2000010; rev:12;)
 
+#Submitted by Cody Hatch
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET DOS Catalyst memory leak attack"; flow: to_server,established; content:"|41 41 41 0a|"; depth: 20; classtype: attempted-dos; reference:url,www.cisco.com/en/US/products/products_security_advisory09186a00800b138e.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000011; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_Catalyst_memory_leak_attack; sid:2000011; rev:8;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Tibsystems Spyware Download"; flow: to_server,established; uricontent:"/d4.fcgi?v="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001488; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Tibsystems.com; sid: 2001488; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Tibsystems Spyware Install (1)"; flow: to_server,established; uricontent:"/fcgi-bin/iza2.fcgi?m="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001729; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Tibsystems.com; sid: 2001729; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Tibsystems Spyware Install (2)"; flow: to_server,established; uricontent:"/tb/loader2.ocx"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001734; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Tibsystems.com; sid: 2001734; rev:5;)
+#submitted by Cody Hatch
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Cisco Router HTTP DoS"; flow: to_server,established; content:"/%%"; http_uri; classtype:attempted-dos; reference:url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000006; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_Router_HTTP_DOS; sid:2000006; rev:12;)
 
-#by Russ McRee
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trojan.Downloader.Time2Pay.AQ"; flow:established,to_server; uricontent:"/progs_traff/";nocase; reference:url,research.sunbelt-software.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003034; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Time2Pay; sid:2003034; rev:3;)
+#By Blake Hartstein at Demarc
+#
+alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv1 trap port"; content:"|02 01 00|"; depth:3; byte_test:1,>,159,8,relative; byte_test:1,<,164,8,relative; classtype:attempted-dos; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002880; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_SNMP; sid:2002880; rev:8;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner Spyware Install"; flow: established,to_server; uricontent:"/popengine/POP.CHM"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001886; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner; sid: 2001886; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner Spyware Activity (1)"; flow: established,to_server; uricontent:"/adverts/zergio/"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001887; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner; sid: 2001887; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner Spyware Activity (2)"; flow: established,to_server; content:"Host\: toolbarpartner.com"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001888; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner; sid: 2001888; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner Spyware Jeemp Trojan Download"; flow: established,to_server; uricontent:"/proxyrnd.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001889; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner; sid: 2001889; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner Spyware Agent Download (1)"; flow: established,to_server; uricontent:"/ldr.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001890; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner; sid: 2001890; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner Spyware Agent Download (2)"; flow: established,to_server; uricontent:"/toolbar.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001892; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner; sid: 2001892; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner Spyware Agent Reporting Install"; flow: established,to_server; uricontent:"/installed.php?wm=Zergio"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001893; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner; sid: 2001893; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner Spyware Agent Partner Install"; flow: established,to_server; uricontent:"/inst.php?id="; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001894; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner; sid: 2001894; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner Spyware Spambot Retrieving Target Emails"; flow: established,to_server; uricontent:"/mailz.php?id="; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001895; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner; sid: 2001895; rev:6;)
+#By Blake Hartstein at Demarc
+#
+alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv2 trap port"; content:"|02 01|"; depth:2; byte_test:1,>,0,0,relative; byte_test:1,<,3,0,relative; byte_test:1,>,159,9,relative; byte_test:1,<,167,9,relative; classtype:attempted-dos; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002881; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_SNMP; sid:2002881; rev:8;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TopMoxie Reporting Data to External Host"; flow: to_server,established; content:"/downloads/record_download.asp"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/downloads\/record_download\.asp/i"; reference:url,www.topmoxie.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000588; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TopMoxie; sid: 2000588; rev:9;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TopMoxie Retrieving Data (downloads)"; flow: to_server,established; uricontent:"/external/builds/downloads2/"; nocase; reference:url,www.topmoxie.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000589; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TopMoxie; sid: 2000589; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TopMoxie Retrieving Data (common)"; flow: to_server,established; uricontent:"/external/builds/common/"; nocase; reference:url,www.topmoxie.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000590; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TopMoxie; sid: 2000590; rev:7;)
+#By Blake Hartstein at Demarc
+#
+alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv3 trap port"; content:"|02 01 03|"; depth:3; byte_test:1,>,159,43,relative; byte_test:1,<,167,43,relative; classtype:attempted-dos; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002882; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_SNMP; sid:2002882; rev:7;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Toprebates.com Install (1)"; flow: established,to_server; uricontent:"/acti.asp?cl=1&gd=1&clpid="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001646; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TopRebates; sid: 2001646; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Toprebates.com Install (2)"; flow: established,to_server; uricontent:"/builds/"; nocase; uricontent:"AutoTrack_Install.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001647; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TopRebates; sid: 2001647; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Toprebates.com User Confirming Membership"; flow: established,to_server; uricontent:"/cgi/account.plx?pid="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001648; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TopRebates; sid: 2001648; rev:5;)
+#By Blake Hartstein at Demarc
+#
+alert udp $EXTERNAL_NET !161 -> $HOME_NET 49152: (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv1 random port"; content:"|02 01 00|"; depth:3; byte_test:1,>,159,8,relative; byte_test:1,<,164,8,relative; classtype:attempted-dos; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002926; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_SNMP; sid:2002926; rev:7;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Ezula"; flow: to_server,established; uricontent:"/MindSet5/install/ezinstall.exe"; nocase; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001334; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TopText_ILookup; sid: 2001334; rev:6;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Ezula Installer Download"; flow: from_server,established; content:"|65 5a 75 6c 61 20 49 6e 73 74 61 6c 6c 61 74 69 6f 6e 00 49|"; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001335; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TopText_ILookup; sid: 2001335; rev:7;)
+#By Blake Hartstein at Demarc
+#
+alert udp $EXTERNAL_NET !161 -> $HOME_NET 49152: (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv2 random port"; content:"|02 01|"; depth:2; byte_test:1,>,0,0,relative; byte_test:1,<,3,0,relative; byte_test:1,>,159,9,relative; byte_test:1,<,167,9,relative; classtype:attempted-dos; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002927; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_SNMP; sid:2002927; rev:7;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spywaremover Activity"; flow: to_server,established; uricontent:"/spywareremovers.php?"; content:"Host\: topantispyware.com"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topantispyware.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001520; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Topantispyware.com; sid: 2001520; rev:7;)
+#By Blake Hartstein at Demarc
+#
+alert udp $EXTERNAL_NET !161 -> $HOME_NET 49152: (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv3 random port"; content:"|02 01 03|"; depth:3; byte_test:1,>,159,43,relative; byte_test:1,<,167,43,relative; classtype:attempted-dos; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002928; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_SNMP; sid:2002928; rev:7;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Topconverting Spyware Install"; flow: to_server,established; uricontent:"/activex/weirdontheweb_topc.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002004; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Topconverting.com; sid: 2002004; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Topconverting Spyware Reporting"; flow: to_server,established; uricontent:"/trigger.php?partner="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002040; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Topconverting.com; sid: 2002040; rev:5;)
+#by kevin ross
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Cisco 4200 Wireless Lan Controller Long Authorisation Denial of Service Attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/screens/frameset.html"; fast_pattern:only; nocase; http_uri; content:"Authorization|3A 20|Basic"; nocase; http_header; content:!"|0a|"; distance:2; within:118; isdataat:120,relative; pcre:"/\x2Fscreens\x2Fframeset\x2Ehtml.+Authorization\x3A Basic.{120}/msiH"; classtype:attempted-dos; reference:url,www.securityfocus.com/bid/35805; reference:url,www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml; reference:cve,2009-1164; reference:url,doc.emergingthreats.net/2010674; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_WLAN; sid:2010674; rev:9;)
 
-#by matt jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Topgame-online.com Ruch Casino Install User-Agent (RichCasino)"; flow:established,to_server; content:"|0d 0a|User-Agent\: RichCasino"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009831; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Topgame-online.com; sid:2009831; rev:2;)
+#by Kevin Ross
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6014 (msg:"ET DOS IBM DB2 kuddb2 Remote Denial of Service Attempt"; flow:established,to_server; content:"|00 05 03 31 41|"; fast_pattern:only; classtype:attempted-dos; reference:url,www.securityfocus.com/bid/38018; reference:url,intevydis.blogspot.com/2010/01/ibm-db2-97-kuddb2-dos.html; reference:url,doc.emergingthreats.net/2010755; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_DB2; sid:2010755; rev:3;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "ET MALWARE Traffic Syndicate Add/Remove"; flow: to_server,established; uricontent:"/Support/AddRemove.aspx?id="; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001313; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TrafficSyndicate; sid: 2001313; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "ET MALWARE Traffic Syndicate Agent Updating (1)"; flow: to_server,established; uricontent:"/TbLinkConfig.asmx"; nocase; threshold: type limit, track by_src, count 1, seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001315; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TrafficSyndicate; sid: 2001315; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "ET MALWARE Traffic Syndicate Agent Updating (2)"; flow: to_server,established; uricontent:"/TbInstConfig.asmx"; nocase; threshold: type limit, track by_src, count 1, seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001316; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TrafficSyndicate; sid: 2001316; rev:8;)
+#by Blake Hartstein of Demarc
+#Cleaned up depth/offset/distance - Daniel Clemens
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"ET DOS FreeBSD NFS RPC Kernel Panic"; flow:to_server,established; content:"|00 01 86 a5|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 00 00 00 00 00|"; offset:0; depth:6; classtype:attempted-dos; reference:cve,2006-0900; reference:bugtraq,19017; reference:url,doc.emergingthreats.net/bin/view/Main/2002853; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_FreeBSD; sid:2002853; rev:4;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trafficsector.com Spyware Install"; flow: to_server,established; uricontent:"/install.php?"; nocase; uricontent:"afid="; nocase; uricontent:"&user_id="; content:"trafficsector"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002736; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Trafficsector; sid: 2002736; rev:3;)
+#by Blake Hartstein of Demarc
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1755 (msg:"ET DOS Microsoft Streaming Server Malformed Request"; flow:established,to_server; content:"MSB "; depth:4; content:"|06 01 07 00 24 00 00 40 00 00 00 00 00 00 01 00 00 00|"; fast_pattern:only; classtype:attempted-dos; reference:bugtraq,1282; reference:url,www.microsoft.com/technet/security/bulletin/ms00-038.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2002843; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_MS00-038; sid:2002843; rev:6;)
 
-#by Matt Jonkman, data from the Spyware Listening Post
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Transponder Spyware Activity"; flow:established,to_server; uricontent:"/sendROIcookie.cfm?refer="; nocase; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/Transponder.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002320; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Transponder; sid:2002320; rev:3;)
+#From Erik Fichtner:
+#hit on pmtu frames with next-hop mtu not 0 (old RFC shortcut) and (added this so the sig wouldn't trigger missing reference:url, search errors)
+#below a sane value, eg 576 bytes. Adjust to taste.
+#true RFC791 min = 68, true end-to-end pmtu compatble min = 132.
+#real world might even go as high as 1100 bytes min. YMMV.
+#Updated to be 6 in the byte test as per Shane Castle
+#
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS ICMP Path MTU lowered below acceptable threshold"; itype: 3; icode: 4; byte_test:2,<,576,6; byte_test:2,!=,0,7; classtype: denial-of-service; reference:cve,CAN-2004-1060; reference:url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,doc.emergingthreats.net/bin/view/Main/2001882; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_MS05-019; sid:2001882; rev:10;)
 
-#by Matt Jonkman, from Spyware LP Hits
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Travel Update Spyware"; flow:established,to_server; uricontent:"/abt?data="; nocase; pcre:"/\/abt\?data=\S{150}/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003297; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Travel_Update; sid:2003297; rev:3;)
+#Submitted by Chris Norton
+#
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET DOS Possible Microsoft SQL Server Remote Denial Of Service Attempt"; flow: established,to_server; content:"|10 00 00 10 cc|"; depth:5; classtype: attempted-dos; reference:bugtraq,11265; reference:url,doc.emergingthreats.net/bin/view/Main/2001366; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_MSSQL_DOS; sid:2001366; rev:10;)
 
-#by cjeremy
-# ref: 2aebe5fa5c98589bd0f169f9013715b8
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware/Spyware Trymedia.com EXE download"; flow:established,to_server; content:"GET "; depth:4; uricontent:".exe?nva="; uricontent:"&aff="; uricontent:"&token="; content:"User-Agent\: Macrovision_DM"; nocase; classtype:policy-violation; reference:url,www.browserdefender.com/site/trymedia.com; reference:url,www.threatexpert.com/reports.aspx?find=Adware.Trymedia; reference:url,doc.emergingthreats.net/2009091; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Trymedia; sid:2009091; rev:2;)
+#By Blake Hartstein at Demarc
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET DOS NetrWkstaUserEnum Request with large Preferred Max Len"; flow:established,to_server; content:"|ff|SMB"; content:"|10 00 00 00|"; distance:0; content:"|02 00|"; distance:14; within:2; byte_jump:4,12,relative,little,multiplier 2; content:"|00 00 00 00 00 00 00 00|"; distance:12; within:8; byte_test:4,>,2,0,relative; classtype:attempted-dos; reference:cve,2006-6723; reference:url,doc.emergingthreats.net/bin/view/Main/2003236; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_MS_SMB; sid:2003236; rev:4;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE UCMore Spyware Reporting"; flow: to_server,established; uricontent:"/iis2ucms.asp"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001995; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_UCmore; sid: 2001995; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE UCMore Spyware Downloading Ads"; flow: to_server,established; uricontent:"/iis2ucms_getsponsorlinks.asp"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001998; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_UCmore; sid: 2001998; rev:5;)
+#Erik Fichtner
+#
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DOS Excessive SMTP MAIL-FROM DDoS"; flow: to_server, established; content:"MAIL FROM|3a|"; nocase; window: 0; id:0; threshold: type limit, track by_src, count 30, seconds 60; classtype: denial-of-service; reference:url,doc.emergingthreats.net/bin/view/Main/2001795; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Mail-From; sid:2001795; rev:9;)
 
-# Added by Frank Knobbe on 2006-03-12
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious POST to ROBOTS.TXT"; flow:established,to_server; content:"POST "; depth:5; nocase; uricontent:"/robots.txt"; nocase; pcre:"/Cookie\:\ +x=[0-9]*\;\ +y=[0-9]+/i"; classtype:unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2002856; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Unknown; sid:2002856; rev:5;)
+#By Blake Hartstein at Demarc
+#
+##alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET DELETED HELO Non-Displayable Characters MailEnable Denial of Service"; flow:established,to_server; content:"HELO "; nocase; depth:60; pcre:"/^[^\n]*[\x00-\x08\x0e-\x1f]/R"; classtype:attempted-dos; reference:cve,2006-3277; reference:bugtraq,18630; reference:url,doc.emergingthreats.net/bin/view/Main/2002998; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_MailEnable; sid:2002998; rev:7;)
 
-# Added by Frank Knobbe on 2006-07-02
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE /jk/exp.wmf Exploit Code Load Attempt"; flow:to_server,established; uricontent:"/jk/exp.wmf"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002999; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Unknown; sid:2002999; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PopupSh.ocx Access Attempt"; flow:to_server,established; uricontent:"/PopupSh.ocx"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003000; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Unknown; sid:2003000; rev:4;)
+#by Kevin Ross
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET DOS Possible MYSQL GeomFromWKB() function Denial Of Service Attempt"; flow:to_server,established; content:"SELECT"; nocase; content:"geometrycollectionfromwkb"; distance:0; nocase; pcre:"/SELECT.+geometrycollectionfromwkb/si"; classtype:attempted-dos; reference:url,www.securityfocus.com/bid/37297/info; reference:url,marc.info/?l=oss-security&m=125881733826437&w=2; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/37297.txt; reference:cve,2009-4019; reference:url,doc.emergingthreats.net/2010491; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Mysql; sid:2010491; rev:2;)
 
-#Matt Jonkman
-# This appears to be a controller the above trojan uses
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Unknown Web Bot Controller Accessed"; flow:to_server,established; uricontent:"/stata/index.php?tr=ok"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003025; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Unknown; sid:2003025; rev:3;)
+#temp disabled till we figure out all options
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET DOS Possible MYSQL SELECT WHERE to User Variable Denial Of Service Attempt"; flow:to_server,established; content:"SELECT"; nocase; content:"WHERE"; distance:0; nocase; content:"SELECT"; nocase; content:"INTO"; distance:0; nocase; content:"|60|"; within:50; content:"|60|"; pcre:"/SELECT.+WHERE.+SELECT.+\x60/si"; classtype:attempted-dos; reference:url,www.securityfocus.com/bid/37297/info; reference:url,marc.info/?l=oss-security&m=125881733826437&w=2; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/37297-2.txt; reference:cve,2009-4019; reference:url,doc.emergingthreats.net/2010492; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Mysql; sid:2010492; rev:3;)
 
-#by matt jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sidelinker.com-Upspider.com Spyware Checkin"; flow:established,to_server; uricontent:"/Pro/pro.php?mac="; nocase; uricontent:"&key="; nocase; pcre:"/\/Pro\/pro\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d+/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008157; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Upspider.com-Sidelinker.com; sid:2008157; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sidelinker.com-Upspider.com Spyware Count"; flow:established,to_server; uricontent:"/Pro/cnt.php?mac="; nocase; uricontent:"&key="; nocase; uricontent:"&pid="; nocase; pcre:"/\/Pro\/cnt\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d+/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008158; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Upspider.com-Sidelinker.com; sid:2008158; rev:3;)
+#by kevin ross
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET DOS Possible MySQL ALTER DATABASE Denial Of Service Attempt"; flow:established,to_server; content:"ALTER "; nocase; content:"DATABASE"; nocase; within:12; content:"|22|."; distance:0; content:"UPGRADE "; nocase; distance:0; content:"DATA"; nocase; within:8; pcre:"/ALTER.+DATABASE.+\x22\x2E(\x22|\x2E\x22|\x2E\x2E\x2F\x22).+UPGRADE.+DATA/si"; classtype:attempted-dos; reference:url,securitytracker.com/alerts/2010/Jun/1024160.html; reference:url,dev.mysql.com/doc/refman/5.1/en/alter-database.html; reference:cve,2010-2008; reference:url,doc.emergingthreats.net/2011761; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Mysql; sid:2011761; rev:2;)
 
-#by matt jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE V-Clean.com Fake AV Checkin"; flow:established,to_server; uricontent:"/bill_mod/bill_count.php?C_FLAG="; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 5.5\; Windows 98)|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008180; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_V-clean.com; sid:2008180; rev:2;)
+#by kevin ross, mike cox and joel esler
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Netgear DG632 Web Management Denial Of Service Attempt"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/cgi-bin/firmwarecfg"; http_uri; nocase; classtype:attempted-dos; reference:url, securitytracker.com/alerts/2009/Jun/1022403.html; reference:cve,2009-2256; reference:url,doc.emergingthreats.net/2010554; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Netgear; sid:2010554; rev:3;)
 
-#by Matt Jonkman from Listening Post Data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VPP Technologies Spyware"; flow:established,to_server; uricontent:"/DittoIA.jsh?pid="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002348; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_VPPTechnologies; sid:2002348; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VPP Technologies Spyware Reporting URL"; flow:established,to_server; uricontent:"/js.vppimage?key="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002350; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_VPPTechnologies; sid:2002350; rev:3;)
+#by Bart Roos
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Large amount of TCP ZeroWindow - Possible Nkiller2 DDos attack"; flags:A; window:0; threshold: type threshold, track by_src,count 100, seconds 60; classtype:attempted-dos; reference:url,doc.emergingthreats.net/2009414; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Nkiller2; sid:2009414; rev:3;)
 
-#by victor julien
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vaccine-program.co.kr Related Spyware Checkin"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/version/controllerVersion"; nocase; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible\; Indy Library)|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007995; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Vaccine-program.co.kr; sid:2007995; rev:2;)
+#by matt jonkman and waldo kitty
+#
+alert udp $EXTERNAL_NET 123 -> $HOME_NET 123 (msg:"ET DOS Potential Inbound NTP denial-of-service attempt (repeated mode 7 request)"; dsize:1; content:"|17|"; threshold:type limit, count 1, seconds 60, track by_src; classtype:attempted-dos; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010486; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Ntp; sid:2010486; rev:2;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virtumonde Spyware siae3123.exe GET"; flow: to_server,established; content:"siae3123.exe"; nocase; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000306; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Virtumonde; sid: 2000306; rev:25;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 8081 (msg:"ET MALWARE Virtumonde Spyware siae3123.exe GET (8081)"; flow: to_server,established; content:"siae3123.exe"; nocase; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000307; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Virtumonde; sid: 2000307; rev:23;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virtumonde Spyware Information Post"; flow: to_server,established; content:"POST "; nocase; content:"e_g_StatisticsUploadDelay"; nocase; content:"g_AffiliateID"; nocase; content:"virtumonde.com"; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000308; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Virtumonde; sid: 2000308; rev:22;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virtumonde Spyware Code Download mmdom.exe"; flow: to_server,established; uricontent:"/mmdom.exe"; nocase; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001525; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Virtumonde; sid: 2001525; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virtumonde Spyware Code Download bkinst.exe"; flow: to_server,established; uricontent:"/bkinst.exe"; nocase; content:"virtumonde.com"; reference:url,www.lurhq.com/iframeads.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001526; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Virtumonde; sid: 2001526; rev:21;)
+#by matt jonkman and waldo kitty
+#
+alert udp $EXTERNAL_NET 123 -> $HOME_NET 123 (msg:"ET DOS Potential Inbound NTP denial-of-service attempt (repeated mode 7 reply)"; dsize:4; content:"|97 00 00 00|"; threshold:type limit, count 1, seconds 60, track by_src; classtype:attempted-dos; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010487; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Ntp; sid:2010487; rev:2;)
 
-#by matt jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vombanetworks.com Spyware Installer Checkin"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/scripts/get_cookie.php"; nocase; content:"|0d 0a 0d 0a|vomba="; content:"&ff="; content:"&vombashots="; content:"&vombashots_ff="; content:"&hwd="; content:"&ver="; content:"&vinfo=Windows"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007870; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Vombanetwork.com; sid:2007870; rev:2;)
+#by matt jonkman and waldo kitty
+#
+alert udp $HOME_NET 123 -> $EXTERNAL_NET 123 (msg:"ET DOS Potential Inbound NTP denial-of-service attempt (repeated mode 7 request)"; dsize:1; content:"|17|"; threshold:type limit, count 1, seconds 60, track by_src; classtype:attempted-dos; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010488; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Ntp; sid:2010488; rev:2;)
 
-# Weatherbug - Dale Handy, PE
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weatherbug"; flow: to_server,established; uricontent:"WxAlertIsapi"; nocase; threshold: type limit, track by_src, count 1, seconds 3600; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001235; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Weatherbug; sid: 2001235; rev:11;)
-#Submitted by Joel Esler
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weatherbug Capture"; flow: to_server,established; content:"GET"; nocase; content:"Host\:"; nocase; within: 500; content:"weatherbug.com"; nocase; within: 100; threshold: type limit, track by_src, count 1, seconds 3600; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001267; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Weatherbug; sid: 2001267; rev:14;)
-#by M Shirk
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weatherbug Wxbug Capture"; flow: to_server,established; content:"GET"; nocase; content:"Host\:"; nocase; within: 500; content:"wxbug.com"; nocase; within: 100; threshold: type limit, track by_src, count 1, seconds 3600; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002364; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Weatherbug; sid: 2002364; rev:4;)
+#by matt jonkman and waldo kitty
+#
+alert udp $HOME_NET 123 -> $EXTERNAL_NET 123 (msg:"ET DOS Potential Inbound NTP denial-of-service attempt (repeated mode 7 reply)"; dsize:4; content:"|97 00 00 00|"; threshold:type limit, count 1, seconds 60, track by_src; classtype:attempted-dos; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010489; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Ntp; sid:2010489; rev:2;)
 
-#from spywarelp data, by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weatherbug Activity"; flow:established,to_server; uricontent:"/WeatherWindow/WeatherWindow"; nocase; uricontent:"?rnd="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003420; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Weatherbug; sid:2003420; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weatherbug Design60 Upload Activity"; flow:established,to_server; uricontent:"/GetDesign60.aspx?Magic="; nocase; uricontent:"?ZipCode="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003421; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Weatherbug; sid:2003421; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weatherbug Design60 Upload Activity"; flow:established,to_server; uricontent:"/GetDesign60.aspx?Magic="; nocase; uricontent:"?ZipCode="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003423; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Weatherbug; sid:2003423; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weatherbug Command Activity"; flow:established,to_server; uricontent:"/connection/connectionv"; nocase; uricontent:"?t="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003422; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Weatherbug; sid:2003422; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weatherbug Vista Gadget Activity"; flow:established,to_server; uricontent:"/Command/VistaGadget_v"; nocase; uricontent:"UserId="; nocase; uricontent:"&AppVersion="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003534; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Weatherbug; sid:2003534; rev:3;)
-
-#by Matt Jonkman, from Spyware Listening Post data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Webbuying.net Spyware Installing"; flow:established,to_server; uricontent:"/inst.php?"; nocase; uricontent:"d="; nocase; uricontent:"&cl="; nocase; uricontent:"&l="; nocase; uricontent:"&e="; nocase; uricontent:"&v=wbi_v"; nocase; uricontent:"&uid="; nocase; uricontent:"&time="; nocase; uricontent:"&win="; nocase; uricontent:"&un=0"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003442; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Webbuying.net; sid:2003442; rev:3;)
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET DOS SSL Bomb DoS Attempt"; flow:to_server,established; content:"|16 03 00|"; offset:0; depth:3; content:"|01|"; within:1; distance:2; byte_jump:1,37,relative,align; byte_test:2,>,255,0,relative; classtype:attempted-dos; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2000016; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_SSL_Bomb_Attempt; sid:2000016; rev:7;)
 
-#Submitted by Matt Jonkman, Tweaks by Bob Grabowsky
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Webhancer Data Upload"; flow: from_server,established; content:"WebHancer Authority Server"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001317; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Webhancer; sid: 2001317; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Webhancer Data Post"; flow: to_server,established; content:"POST http\://prime.webhancer.com"; nocase; content:"AgentTag\:"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001677; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Webhancer; sid: 2001677; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Webhancer Agent Activity"; flow: to_server,established; content:"Host\:"; nocase; content:"webhancer.com"; within:30; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001678; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Webhancer; sid: 2001678; rev:7;)
+#by Kevin Ross
+#
+##alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible Slowloris Tool HTTP/Proxy Denial Of Service Attempt"; flow:to_server,established; content:"GET /"; depth:5; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| Trident/4.0"; http_header; threshold: type threshold, track by_src, count 100, seconds 30; classtype:attempted-dos; reference:url,isc.sans.org/diary.html?storyid=6601; reference:url,www.packetstormsecurity.com/filedesc/slowloris.pl.txt.html; reference:url,doc.emergingthreats.net/2009413; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Slowliris; sid:2009413; rev:4;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Websearch.com Spyware"; flow: to_server,established; uricontent:"/sitereview.asmx/GetReview"; nocase; classtype: trojan-activity; reference:mcafee,131461; reference:url,doc.emergingthreats.net/bin/view/Main/2001325; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Websearch.com; sid: 2001325; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Websearch.com Outbound Dialer Retrieval"; flow: to_server,established; uricontent:"/1/rdgUS10.exe"; nocase; classtype: trojan-activity; reference:mcafee,131461; reference:url,doc.emergingthreats.net/bin/view/Main/2001517; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Websearch.com; sid: 2001517; rev:7;)
+#by kevin ross
+#
+#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET DOS Possible SolarWinds TFTP Server Read Request Denial Of Service Attempt"; content:"|00 01 01|"; depth:3; content:"NETASCII"; classtype:attempted-dos; reference:url,www.exploit-db.com/exploits/12683/; reference:url,doc.emergingthreats.net/2011673; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Solarwinds; sid:2011673; rev:3;)
 
-#Matt Jonkman, from spyware listening post data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Websearch.com Cab Download"; flow: to_server,established; uricontent:"/Dnl/T_"; nocase; pcre:"/\/\S+\.cab/Ui"; classtype: trojan-activity; reference:mcafee,131461; reference:url,doc.emergingthreats.net/bin/view/Main/2003242; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Websearch.com; sid: 2003242; rev:7;)
+#by kevin ross
+#
+#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET DOS SolarWinds TFTP Server Long Write Request Denial Of Service Attempt"; content:"|00 02|"; depth:2; isdataat:1000,relative; content:!"|0A|"; within:1000; content:"NETASCII"; distance:1000; classtype:attempted-dos; reference:url,www.exploit-db.com/exploits/13836/; reference:url,doc.emergingthreats.net/2011674; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Solarwinds; sid:2011674; rev:3;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weird on the Web /180 Solutions Checkin"; flow: to_server,established; uricontent:"/notifier/config.ini?v="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002036; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Weirdontheweb; sid: 2002036; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weird on the Web /180 Solutions Update"; flow: to_server,established; uricontent:"/notifier/updates"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002041; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Weirdontheweb; sid: 2002041; rev:5;)
+#by Kevin Ross
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg:"ET DOS Possible VNC ClientCutText Message Denial of Service/Memory Corruption Attempt"; flow:established,to_server; content:"|06|"; depth:1; isdataat:1000,relative; content:!"|0A|"; within:1000; classtype:attempted-dos; reference:url,www.fortiguard.com/encyclopedia/vulnerability/vnc.server.clientcuttext.message.memory.corruption.html; reference:url,doc.emergingthreats.net/2011732; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_VNC; sid:2011732; rev:2;)
 
 #Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com App and Search Bar Install (1)"; flow: to_server,established; uricontent:"/vsn/ISA/"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000908; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000908; rev:10;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com App and Search Bar Install (2)"; flow: to_server,established; uricontent:"/Appinstall?app=VVSN"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000909; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000909; rev:9;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Clock Sync App Checkin"; flow: to_server,established; uricontent:"/heartbeat?"; nocase; uricontent:"=clock"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000910; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000910; rev:9;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Weather App Checkin"; flow: to_server,established; uricontent:"/heartbeat?"; nocase; uricontent:"=weather"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000911; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000911; rev:9;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Clock Sync App Checkin (1)"; flow: to_server,established; uricontent:"/clock?id="; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000912; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000912; rev:9;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Clock Sync App Checkin (2)"; flow: to_server,established; uricontent:"/clockDB"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000913; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000913; rev:9;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Weather App Checkin (1)"; flow: to_server,established; uricontent:"/weatherDB"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000914; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000914; rev:9;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Weather App Checkin (2)"; flow: to_server,established; uricontent:"/weather?id="; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000915; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000915; rev:9;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com WhenUSave App Checkin"; flow: to_server,established; uricontent:"/heartbeat?"; nocase; uricontent:"=whenusave"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000916; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000916; rev:9;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com WhenUSave Data Retrieval (offersdata)"; flow: to_server,established; uricontent:"/OffersDataGZ?update="; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000917; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000917; rev:9;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Desktop Bar Install"; flow: to_server,established; uricontent:"/Appinstall?app=desktop"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000918; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000918; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com WhenUSave Data Retrieval (Searchdb)"; flow: to_server,established; uricontent:"/SearchDB?update="; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000919; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000919; rev:9;)
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Adobe Acrobat Reader Malicious URL Null Byte"; flow: to_server,established; content:".pdf|00|"; fast_pattern:only; nocase; http_uri; classtype:attempted-admin; reference:url,idefense.com/application/poi/display?id=126&type=vulnerabilities; reference:url,www.securiteam.com/windowsntfocus/5BP0D20DPW.html; reference:cve,2004-0629; reference:url,doc.emergingthreats.net/bin/view/Main/2001217; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Adobe_Acrobat_BO; sid:2001217; rev:12;)
 
-#Submitted by Chris Norton
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Desktop Bar App Checkin"; flow: to_server,established; uricontent:"/heartbeat?"; nocase; uricontent:"=desktop"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001443; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2001443; rev:8;)
+#From Bdoctor
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"ET EXPLOIT Arkeia full remote access without password or authentication"; flow: from_server,established; content:"|464F3A20596F75206861766520737563|"; content:"|6520636C69656E7420696E666F726D61|"; classtype: attempted-admin; reference:url,metasploit.com/research/vulns/arkeia_agent; reference:url,doc.emergingthreats.net/bin/view/Main/2001742; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Arkeia; sid:2001742; rev:8;)
 
-#Matt Jonkman from spywarelp data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Application Version Check"; flow: to_server,established; uricontent:"/versions.html"; nocase; content:"whenu.com"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2003389; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2003389; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com WhenUSave Data Retrieval (DataChunksGZ)"; flow: to_server,established; uricontent:"/DataChunksGZ?update="; nocase; uricontent:"ver="; nocase; uricontent:"svr="; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2003404; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2003404; rev:4;)
+#by Akash Mahajan
+#
+alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow"; content:"|44 53 52 65 71 75 65 73 74|"; pcre:"/[0-9a-zA-Z]{50,}/R"; classtype:successful-dos; reference:bugtraq,28084; reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007937; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Borland; sid:2007937; rev:3;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wild Tangent Agent Installation"; flow: to_server,established; uricontent:"/Recovery/Checkin.aspx?version"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001307; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Wild_Tangent; sid: 2001307; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wild Tangent Agent Checking In"; flow: to_server,established; uricontent:"/CDADeliveries/Checkin.aspx"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001309; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Wild_Tangent; sid: 2001309; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wild Tangent Agent Traffic"; flow: to_server,established; uricontent:"/CDAFiles/DP/SysConfig"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001310; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Wild_Tangent; sid: 2001310; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wild Tangent Agent"; flow: to_server,established; uricontent:"/CDAFiles/"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001314; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Wild_Tangent; sid: 2001314; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wild Tangent New Install"; flow: to_server,established; uricontent:"/NewUser/Checkin.aspx"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001322; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Wild_Tangent; sid: 2001322; rev:6;)
+#by Blake Hartstein
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5250 (msg:"ET EXPLOIT MISC Computer Associates Negative Content-Length Buffer Overflow"; flow:established,to_server; content:"Content-Length|3A|"; nocase; pcre:"/^Content-Length\x3a\s*-\d+/smi"; classtype:web-application-attack; reference:bugtraq,16354; reference:cve,2005-3653; reference:url,doc.emergingthreats.net/bin/view/Main/2002791; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_CA; sid:2002791; rev:4;)
 
-#Submitted by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wild Tangent Install"; flow: to_server,established; uricontent:"/updatestats/AI_Euro.exe"; nocase; classtype: trojan-activity; reference:mcafee,122249; reference:url,doc.emergingthreats.net/bin/view/Main/2002008; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Wildmedia; sid: 2002008; rev:8;)
+#Blake Hartstein of Demarc
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 2200 (msg:"ET EXPLOIT CA BrightStor ARCserve Mobile Backup LGSERVER.EXE Heap Corruption"; flow:established,to_server; content:"|4e 3d 2c 1b|"; depth:4; isdataat:2891,relative; classtype:attempted-admin; reference:cve,2007-0449; reference:url,doc.emergingthreats.net/bin/view/Main/2003369; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_CA; sid:2003369; rev:3;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Windupdates.com Spyware Install"; flow: established,to_server; uricontent:"/cab/CDTInc/ie/"; nocase; uricontent:".cab"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001700; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Windupdates.com; sid: 2001700; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Windupdates.com Spyware Loggin Data"; flow: established,to_server; uricontent:"/logging.php?p="; nocase; content:"Host\: public.windupdates.com"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001701; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Windupdates.com; sid: 2001701; rev:6;)
+#by Shirkdog
+#
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"ET EXPLOIT Computer Associates Brightstor ARCServer Backup RPC Server (Catirpc.dll) DoS"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 00 00 03|"; distance:8; within:4; content:"|00 00 00 08|"; distance:0; within:4; content:"|00 00 00 00|"; distance:0; within:4; content:"|00 00 00 00|"; distance:4; within:4; content:"|00 00 00 00 00 00 00 00|"; distance:8; within:32; classtype:attempted-dos; reference:url,www.milw0rm.com/exploits/3248; reference:url,doc.emergingthreats.net/bin/view/Main/2003370; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_CA; sid:2003370; rev:3;)
 
-#By Matt Jonkman from spyware listening post data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winfixmaster.com Fake Anti-Spyware Install"; flow: to_server,established; uricontent:"/dispatcher.php?action="; nocase; content:"Host\: www.winfix"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003543; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Winfixmaster.com; sid: 2003543; rev:3;)
+#by Shirkdog
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET EXPLOIT Computer Associates Mobile Backup Service LGSERVER.EXE Stack Overflow"; flow:established,to_server; content:"0000033000"; depth:10; isdataat:1000,relative; classtype:attempted-admin; reference:url,www.milw0rm.com/exploits/3244; reference:url,doc.emergingthreats.net/bin/view/Main/2003378; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_CA; sid:2003378; rev:3;)
 
-#Matt jonkman from Spyware LP Data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winferno Registry Fix Spyware Download"; flow: to_server,established; uricontent:"/freeze_rpc6bundle_us/REGISTRYFIXDLL.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003353; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Wininferno.com; sid:2003353; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Freeze.com Spyware Download"; flow: to_server,established; uricontent:"/WebServices/DesktopManager/"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003356; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Wininferno.com; sid:2003356; rev:3;)
+#Also by Shirkdog
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2200 (msg:"ET EXPLOIT Computer Associates BrightStor ARCserve Backup for Laptops LGServer.exe DoS"; flow:established,to_server; content:"|ff ff ff ff|"; offset:16; depth:4; classtype:attempted-dos; reference:url,www.securityfocus.com/archive/1/archive/1/458650/100/0/threaded; reference:url,doc.emergingthreats.net/bin/view/Main/2003379; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_CA; sid:2003379; rev:3;)
 
-#by matt jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winquickupdates.com/Mycashloads.com Related Trojan Install Report"; flow:established,to_server; uricontent:"/newuser.php?saff="; pcre:"/\/newuser\.php.saff=(\d+|x.+)/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008012; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Winquickupdates.com; sid:2008012; rev:3;)
+#another from Shirkdog
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET EXPLOIT Computer Associates Brightstor ARCServe Backup Mediasvr.exe Remote Exploit"; flow:established,to_server; content:"|00 06 09 7e|"; offset:16; depth:4; content:"|00 00 00 bf|"; distance:4; within:4; content:"|00 00 00 00 00 00 00 00|"; distance:0; within:8; classtype:attempted-admin; reference:url,www.milw0rm.com/exploits/3604; reference:url,doc.emergingthreats.net/bin/view/Main/2003518; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_CA; sid:2003518; rev:3;)
 
-#by matt jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winreanimator.com Fake AV Install Attempt"; flow:established,to_server; uricontent:"/inst.php?wmid="; nocase; uricontent:"&p="; nocase; uricontent:"&l="; nocase; uricontent:"&s="; nocase; classtype:trojan-activity; reference:url,www.winreanimator.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007865; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Winreanimator.com; sid:2007865; rev:2;)
+#by shirkdog as well
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET EXPLOIT CA Brightstor ARCServe caloggerd DoS"; flow:established,to_server; content:"|00 06 09 82|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; content:"|00 00 00 00 00 00 00 00|"; distance:0; within:8; classtype:attempted-dos; reference:url,www.milw0rm.com/exploits/3939; reference:url,doc.emergingthreats.net/bin/view/Main/2003750; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_CA; sid:2003750; rev:3;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winsoftware.com Spyware Activity"; flow: to_server,established; uricontent:"/?proto="; nocase; uricontent:"&rc="; nocase; uricontent:"&abbr="; nocase; uricontent:"platform="; nocase; uricontent:"&os_version="; nocase; uricontent:"&appid="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003471; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Winsoftware.com; sid: 2003471; rev:4;)
+#by shirkdog as well
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET EXPLOIT CA Brightstor ARCServe Mediasvr DoS"; flow:established,to_server; content:"|00 06 09 7e|"; offset:16; depth:4; content:"|00 00 00 7e|"; distance:4; within:4; content:"|00 00 00 00 00 00 00 00|"; distance:0; within:8; classtype:attempted-dos; reference:url, www.milw0rm.com/exploits/3940; reference:url,doc.emergingthreats.net/bin/view/Main/2003751; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_CA; sid:2003751; rev:3;)
 
-#matt jonkman, www.winxdefender.com fake AV package
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winxdefender.com Fake AV Package Post Install Checkin"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/checkupdate.php"; nocase; content:"|0d 0a|User-Agent\: Opera"; content:"Computer ID\: "; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008197; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Winxdefender.com; sid:2008197; rev:2;)
+#by David Maciejak
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT CVSTrac filediff Arbitrary Remote Code Execution"; flow: to_server,established; content:"filediff|3f|f="; nocase; http_uri; pcre:"/filediff\?f=.+&v1=[\d.]+&v2=[\d.]+\;.+/Ui"; classtype:web-application-attack; reference:bugtraq,10878; reference:cve,2004-1456; reference:url,doc.emergingthreats.net/bin/view/Main/2002697; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_CVSTrac; sid:2002697; rev:7;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (1)"; flow: to_server,established; uricontent:"/fa/evil.html"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001461; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001461; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs Occuring"; flow: to_server,established; uricontent:"/fa/?d=get"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001462; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001462; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (2)"; flow: to_server,established; content:"src=http\://xpire.info/i.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001463; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001463; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (3)"; flow: to_server,established; uricontent:"/i.exe"; nocase; content:"xpire.info"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001464; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001464; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (4)"; flow: to_server,established; uricontent:"/dl/adv121.php"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001466; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001466; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (5)"; flow: to_server,established; uricontent:"/dl/adv121/x.chm"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001467; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001467; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs CHM Exploit"; flow: to_server,established; uricontent:"/fa/ied_s7m.chm"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001468; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001468; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (6)"; flow: to_server,established; uricontent:"/fa/x.chm"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001469; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001469; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (7)"; flow: to_server,established; uricontent:"/fa/xpl3.htm"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001470; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001470; rev:8;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Spyware Exploit"; flow: to_server,established; uricontent:"/2DimensionOfExploitsEnc.php"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001471; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001471; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Spyware Install Reporting"; flow: to_server,established; uricontent:"/xpsystem/report.php?user_id="; nocase; uricontent:"&status=0&country_id="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001472; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001472; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Install Code Download"; flow: to_server,established; uricontent:"/install.gz"; nocase; content:"Host\: xpire.info"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001491; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001491; rev:7;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Install Report"; flow: to_server,established; content:"counter.htm"; nocase; pcre:"//user\d+/counter\.htm/im"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001541; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001541; rev:10;)
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"ET EXPLOIT CVS server heap overflow attempt (target Linux)"; flow: to_server,established; dsize: >512; content:"|45 6e 74 72 79 20 43 43 43 43 43 43 43 43 43 2f 43 43|"; offset: 0; depth: 20; threshold: type limit, track by_dst, count 1, seconds 60; classtype: attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2000048; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_CVS_HEAP_Overflow; sid:2000048; rev:5;)
 
-#Thanks James Ashton
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Yesadvertising Banking Spyware RETRIEVE"; flow: to_server,established; uricontent:"/img1big.gif"; nocase; reference:url,isc.sans.org/presentations/banking_malware.pdf; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000336; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Yesadvertising_Banking_Spyware; sid: 2000336; rev:10;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Yesadvertising Banking Spyware INFORMATION SUBMIT"; flow: to_server,established; uricontent:"/cgi-bin/yes.pl"; nocase; reference:url,isc.sans.org/presentations/banking_malware.pdf; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000337; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Yesadvertising_Banking_Spyware; sid: 2000337; rev:10;)
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"ET EXPLOIT CVS server heap overflow attempt (target BSD)"; flow: to_server,established; dsize: >512; content:"|45 6e 74 72 79 20 61 61 61 61 61 61 61 61 61 61 61 61|"; offset: 0; depth: 18; threshold: type limit, track by_dst, count 1, seconds 60; classtype: attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2000031; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_CVS_HEAP_Overflow; sid:2000031; rev:5;)
 
-# by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE YourSiteBar Data Submision"; flow: to_server,established; uricontent:"/ist/scripts/istsvc_ads_data.php?version="; nocase; reference:url,www.ysbweb.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001698; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_YourSiteBar; sid: 2001698; rev:6;)
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"ET EXPLOIT CVS server heap overflow attempt (target Solaris)"; flow: to_server,established; dsize: >512; content:"|41 72 67 75 6d 65 6e 74 20 62 62 62 62 62 62 62 62 62|"; offset: 0; depth: 18; threshold: type limit, track by_dst, count 1, seconds 60; classtype: attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2000049; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_CVS_HEAP_Overflow; sid:2000049; rev:5;)
 
-#Matt jonkman from Spyware LP Data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Yourscreen.com Spyware Download"; flow: to_server,established; uricontent:"/data/yourscreen_data.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003354; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Yourscreen.com; sid:2003354; rev:3;)
+#Submitted by Cody Hatch
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Cisco %u IDS evasion"; flow: to_server,established; content:"%u002F"; http_uri; classtype: attempted-dos; reference:url,doc.emergingthreats.net/bin/view/Main/2000012; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Cisco_%u_Evasion; sid:2000012; rev:10;)
 
-#By Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE yupsearch.com Spyware Install - protector.exe"; flow: to_server,established; uricontent:"/protector.exe"; nocase; reference:url,www.yupsearch.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002092; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Yupsearch.com; sid: 2002092; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE yupsearch.com Spyware Install - sideb.exe"; flow: to_server,established; uricontent:"/sideb.exe"; nocase; reference:url,www.yupsearch.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002098; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Yupsearch.com; sid: 2002098; rev:6;)
+#Submitted by Cody Hatch
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET EXPLOIT Catalyst SSH protocol mismatch"; flow: to_server,established; content:"|61 25 61 25 61 25 61 25 61 25 61 25 61 25|"; classtype: attempted-dos; reference:url,www.cisco.com/warp/public/707/catalyst-ssh-protocolmismatch-pub.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000007; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Cisco_Catalyst_SSH_Protocol_Mismatch; sid:2000007; rev:7;)
 
-#John Stewart
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zenotecnico Adware"; flow: to_server,established; uricontent:"/cl/clientdump"; content:"zenotecnico"; nocase; reference:url,www.zenotecnico.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001947; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Zenotecnico; sid: 2001947; rev:5;)
+#Submitted by Cody Hatch
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Cisco IOS HTTP server DoS"; flow: to_server,established; content:"/TEST?/"; nocase; http_uri; classtype: attempted-dos; reference:url,doc.emergingthreats.net/bin/view/Main/2000013; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Cisco_HTTP_Server_DoS; sid:2000013; rev:11;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zenotecnico Adware 2"; flow: to_server,established; uricontent:"/cl/clienthost"; content:"zenotecnico"; nocase; reference:url,www.zenotecnico.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002735; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Zenotecnico; sid: 2002735; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zenotecnico Spyware Install Report"; flow: to_server,established; uricontent:"/instreport"; content:"zenotecnico"; nocase; reference:url,www.zenotecnico.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002737; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Zenotecnico; sid: 2002737; rev:4;)
+#Submitted by Cody Hatch
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Cisco IOS HTTP DoS"; flow: to_server,established; content:"/error?/"; http_uri; nocase; classtype: attempted-dos; reference:url,www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000009; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Cisco_IOS_HTTP_DOS; sid:2000009; rev:12;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zenosearch Malware Checkin HTTP POST"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a 0d 0a|uid="; distance:0; content:"&ref="; distance:0; content:"&clid="; distance:0; content:"&commode="; distance:0; content:"&cmd="; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008757; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Zenotecnico; sid:2008757; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zenosearch Malware Checkin HTTP POST (2)"; flow:established,to_server; content:"POST "; depth:5; uricontent:".asp?rnd="; content:"|0d 0a 0d 0a|uid="; content:"&ref="; distance:0; content:"&clid="; distance:0; content:"&umode="; distance:0; content:"&cn="; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008798; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Zenotecnico; sid:2008798; rev:2;)
+#by Shirkdog
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Cisco-MARS/JBoss jmx-console POST"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/jmx-console/HtmlAdaptor"; nocase; http_uri; flowbits:set,cmars.jboss; classtype:attempted-admin; reference:bugtraq,19071; reference:url,doc.emergingthreats.net/bin/view/Main/2003064; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Cisco_Mars; sid:2003064; rev:6;)
 
-#Matt Jonkman, from spyware lp data
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Supergames.aavalue.com Spyware"; flow: established,to_server; uricontent:"/toolbars/msg/msg_serverside.xml"; nocase; content:"aavalue.com"; nocase; classtype:trojan-activity; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EZ-Tracks%20Toolbar&threatid=41189; reference:url,doc.emergingthreats.net/bin/view/Main/2003525; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_aavalue.com; sid: 2003525; rev:3;)
+#by Shirkdog
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Cisco-MARS/JBoss Remote Command Execution"; flowbits:isset,cmars.jboss; flow:to_server,established; content:"action=invokeOp"; nocase; content:"jboss.script"; nocase; content:"Runtime|2e|getRuntime|25|28|25|29|2e|exec|25|28"; nocase; classtype: attempted-admin; reference:bugtraq,19071; reference:url,doc.emergingthreats.net/bin/view/Main/2003065; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Cisco_Mars; sid:2003065; rev:4;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE adservs.com Spyware"; flow: to_server,established; uricontent:"/binaries/relevance.dat"; content:"adservs"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002740; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_adservs.com; sid: 2002740; rev:3;)
+#Submitted by Cody Hatch
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT Cisco Telnet Buffer Overflow"; flow: to_server,established; content:"|3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 61 7e 20 25 25 25 25 25 58 58|"; threshold: type limit, track by_src, count 1, seconds 120; classtype: attempted-dos; reference:url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000005; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Cisco_Telnet_Buffer_Overflow; sid:2000005; rev:7;)
 
-# Following are requests from adware served by iframebiz.biz
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iframebiz - adv***.php"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/adv"; nocase; pcre:"/adv\d+\.php/Ui"; classtype:trojan-activity; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002707; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_iframebiz; sid:2002707; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iframebiz - sploit.anr"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/sploit.anr"; nocase; classtype:trojan-activity; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002708; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_iframebiz; sid:2002708; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iframebiz - loaderadv***.jar"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/loaderadv"; nocase; pcre:"/loaderadv\d+\.jar/Ui"; classtype:trojan-activity; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002709; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_iframebiz; sid:2002709; rev:6;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iframebiz - loadadv***.exe"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/loadadv"; nocase; pcre:"/loadadv\d+\.exe/Ui"; classtype:trojan-activity; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002710; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_iframebiz; sid:2002710; rev:6;)
+#by Dale Peterson of digitalbond.com
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 20222 (msg:"ET SCADA CitectSCADA ODBC Overflowflow Attempt"; flow:established,to_server; dsize:4; byte_test:4,>,399,0; classtype:attempted-user; reference:cve,2008-2639; reference:url,www.digitalbond.com/index.php/2008/09/08/ids-signature-for-citect-vuln/; reference:url,doc.emergingthreats.net/bin/view/Main/2008542; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Citect_SCADA; sid:2008542; rev:6;)
 
-#by Deapesh Misra
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iframebiz - /qwertyuiyw12ertyuytre/adv***.php"; flow:established,to_server; uricontent:"/qwertyuiyw12ertyuytre"; nocase; classtype:trojan-activity; reference:url,iframecash.biz; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOADR.QC&VSect=T; reference:url,doc.emergingthreats.net/bin/view/Main/2008681; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_iframebiz; sid:2008681; rev:4;)
+#by Blake Hartstein at Demarc
+#
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET EXPLOIT UPnP DLink M-Search Overflow Attempt"; content:"M-SEARCH "; depth:9; nocase; isdataat:500,relative; pcre:"/M-SEARCH\s+[^\n]{500}/i"; classtype:attempted-user; reference:url,www.eeye.com/html/research/advisories/AD20060714.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003039; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Dlink; sid:2003039; rev:4;)
 
-#Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE K8l.info Spyware Activity"; flow: to_server,established; uricontent:"/media/servlet/view/dynamic/url/zone?"; nocase; uricontent:"zid="; nocase; uricontent:"&pid="; nocase; uricontent:"&DHWidth="; nocase; uricontent:"&DHHeight="; nocase; uricontent:"Ref="; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2003451; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_k8l.info; sid: 2003451; rev:3;)
+#By Mark Tombaugh
+#
+##alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Incoming Electronic Mail for UNIX Expires Header Buffer Overflow Exploit"; flow:established; content:"Expires|3a|"; content:"|40 60 6e 63|"; distance:52; within:300; content:"|2d 70|"; distance:2; within:20; classtype:misc-attack; reference:url,www.frsirt.com/exploits/20050822.elmexploit.c.php; reference:url,www.instinct.org/elm/; reference:url,doc.emergingthreats.net/bin/view/Main/2002315; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Elm; sid:2002315; rev:7;)
 
-#From Chris Norton.
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Generic Downloader Outbound HTTP connection - Downloading Code"; flow:established,to_server; content:"User-Agent|3A| PE-"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2002695; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Bankem; sid:2002695; rev:6;)
+#By Mark Tombaugh
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET EXPLOIT Outgoing Electronic Mail for UNIX Expires Header Buffer Overflow Exploit"; flow:established; content:"Expires|3a|"; content:"|40 60 6e 63|"; distance:52; within:300; content:"|2d 70|"; distance:2; within:20; classtype:misc-attack; reference:url,www.frsirt.com/exploits/20050822.elmexploit.c.php; reference:url,www.instinct.org/elm/; reference:url,doc.emergingthreats.net/bin/view/Main/2002316; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Elm; sid:2002316; rev:7;)
 
-# BugBear
-#Submitted by Brad Doctor, 3/8/2005, for BugBear@MM
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET VIRUS Bugbear@MM virus via SMTP"; flow: established; content:"uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQk/xWcEQmDxCTD"; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001764; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_BugBear; sid: 2001764; rev:6;)
-alert tcp $HOME_NET any -> any 139 (msg:"ET VIRUS BugBear@MM virus in Network share"; flow: established; content:"|24 48 fb bb ff e6 63 02 3a 20 41 70 61 63 68 65|"; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001765; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_BugBear; sid: 2001765; rev:6;)
-alert tcp $HOME_NET any -> any 139 (msg:"ET VIRUS BugBear@MM Worm Copied to Startup Folder"; flow: established; content:"|77 00 69 00 6B 00 2E 00 65 00 78 00 65 00 00 00|"; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001766; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_BugBear; sid: 2001766; rev:6;)
+#by Akash Mahajan
+#
+alert udp $EXTERNAL_NET any -> $HOME_NET 427 (msg:"ET EXPLOIT ExtremeZ-IP File and Print Server Multiple Vulnerabilities - udp"; content:"language"; content:"|65 7a 69 70 3a 2f 2f 62 6c 61 2f 62 6c 61 3f 53 4e 3d 62 6c 61 3f 50 4e 3d 62 6c 61 3f 55 4e 3d 62 6c 61|"; classtype:successful-dos; reference:bugtraq,27718; reference:url,aluigi.altervista.org/adv/ezipirla-adv.txt; reference:cve,CVE-2008-0767; reference:url,doc.emergingthreats.net/bin/view/Main/2007876; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_ExtremeZ-IP; sid:2007876; rev:2;)
 
-# Submitted 2006-05-01 by Mark Tombaugh
-alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET VIRUS Mytob.X [clam] SMTP Inbound"; flow:to_server,established; content:"UEsDBAoA"; content:"ojRrPyGt"; distance:8; within:16; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=42326; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002892; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Nugache; sid:2002892; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET VIRUS Mytob.X [clam] SMTP Outbound"; flow:to_server,established; content:"UEsDBAoA"; content:"ojRrPyGt"; distance:8; within:16; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=42326; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002893; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Nugache; sid:2002893; rev:4;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET VIRUS W32.Nugache SMTP Inbound"; flow:to_server,established; content:"RE9TIG1v"; content:"GUuDQ0KJ"; distance:1; within:9; classtype:trojan-activity; reference:url,www.symantec.com/avcenter/venc/data/w32.nugache.a@mm.html; reference:url,doc.emergingthreats.net/2002894; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Nugache; sid:2002894; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET VIRUS W32.Nugache SMTP Outbound"; flow:to_server,established; content:"RE9TIG1v"; content:"GUuDQ0KJ"; distance:1; within:9; reference:url,www.symantec.com/avcenter/venc/data/w32.nugache.a@mm.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002895; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Nugache; sid:2002895; rev:4;)
+#by Akash Mahajan
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"ET EXPLOIT ExtremeZ-IP File and Print Server Multiple Vulnerabilities - tcp"; flow:established,to_server; content:"|12 06 41 46 50 33 2e 31|"; pcre:"/[a-zA-Z0-9]{5,}/i"; classtype:successful-dos; reference:bugtraq,27718; reference:url,aluigi.altervista.org/adv/ezipirla-adv.txt; reference:cve,CVE-2008-0759; reference:url,doc.emergingthreats.net/bin/view/Main/2007877; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_ExtremeZ-IP; sid:2007877; rev:3;)
 
-#by Jonathan Gross. Experimental
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET VIRUS WinUpack Modified PE Header Inbound"; flow:established; content:"|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00|"; classtype:bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_PE_Headers; sid:2003614; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET VIRUS WinUpack Modified PE Header Outbound"; flow:established; content:"|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00|"; classtype:bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_PE_Headers; sid:2003615; rev:4;)
+#by Kevin Ross
+#disabling for falses...
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP CWD command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"CWD"; nocase; classtype:attempted-recon; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010731; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_FTP; sid:2010731; rev:2;)
 
-#by Dan Clemens of packetninjas.net
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN UpackbyDwing in HTTP Download Possibly Hostile"; flow:from_server,established; content:"UpackByDwing|40|"; content:"PE|00 00|"; within:20; reference:url,www.packetninjas.net; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008946; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_PE_Headers; sid:2008946; rev:2;)
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN UpackbyDwing in HTTP (2) Possibly Hostile"; flow:from_server,established; content:"PE|00 00|"; content:"Upack|00 00|"; within:255; reference:url,www.packetninjas.net; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008947; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_PE_Headers; sid:2008947; rev:2;)
+#by Kevin Ross
+#disabling for falses...
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP SITE command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"SITE"; nocase; classtype:attempted-recon; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010732; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_FTP; sid:2010732; rev:2;)
 
-#matt jonkman/wes brown
-#falsing, needs adjustment
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile"; flowbits:isset,ET.http.binary; flow:established,from_server; content:"VirtualProtect|00|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009080; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_PE_Headers; sid:2009080; rev:3;)
+#by Kevin Ross
+#disabling for falses...
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP RMDIR command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"RMDIR"; nocase; classtype:attempted-recon; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010733; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_FTP; sid:2010733; rev:2;)
 
-#These are by Vlad Tsyrklevich during presentation at Toorcon 06. These are experimental and will likely be high load.
-#more information at http://toorcon.org/2006/conference.html?id=29
+#by Kevin Ross
+#disabling for falses...
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP MKDIR command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"MKDIR"; nocase; classtype:attempted-recon; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010734; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_FTP; sid:2010734; rev:2;)
 
-#These are disabled by default until we learn more about them.
+#by Kevin Ross
+#disabling for falses...
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP PWD command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"PWD"; nocase; classtype:attempted-recon; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010735; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_FTP; sid:2010735; rev:2;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET VIRUS SHELLCODE CLET polymorphic payload"; classtype:shellcode-detect; dsize: >40; content: "|74 07 eb|"; content: "|e8|"; distance: 1; within: 1; pcre: "/\xeb.[\x58-\x5b]\x31[\xc0\xc9\xd2\xdb][\xb0-\xb3].\x8b.[\x05\x2d\x35\x81\xc1]/sm"; pcre: "/[\x40-\x43\xfd\xff][\x40-\x43\xff][\x40-\x43\x80\xff][\x40-\x43\xe9-\xeb\xff\x80\x2c][\x40-\x43\x48-\x4b\xe9-\xeb\x01\x2c\x80][\x48-\x4c\xe9-\xeb\x02\x2c][\x03\x48-\x4b][\x48-\x4b]\x74\x07\xeb.\xe8.\xff\xff\xff/smR"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003117; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Polymorphic_Experimental; sid:2003117; rev:3;)
+#by Kevin Ross
+#disabling for falses...
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP RETR command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"RETR"; nocase; classtype:attempted-recon; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010736; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_FTP; sid:2010736; rev:2;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET VIRUS SHELLCODE Shikata Ga Nai polymorphic payload"; classtype:shellcode-detect; dsize: >26; content: "|d9 74 24 f4|"; pcre: "/[\x29\x2b\x31\x33]\xc9/sm"; pcre: "/[\xd9-\xdb\xdd].{1,11}\xd9\x74\x24\xf4.{0,10}[\x58\x5a\x5b\x5d-\x5f]/sm"; pcre: "/([\x29\x2b\x31\x33\xb8\xba\xbb\xbe\xbf\xd9-\xdb\xdd][^\x00\xff][^\x00\xff][^\x00][^\x00\xff][^\x00][^\x00\xff][^\x00\xff][^\x00][^\x00][^\x00][^\x00\xff][^\x00\xff][^\x00\xff][^\x00][^\x00][\x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0e\x10\x12\x13\x15\x17\xfc][\x03\x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0a\x0c\x0e-\x13\x15\x17\xfc][\x03\x83]..[^\x1d\xe2][^\x0a\xf5])|([\x29\x2b\x31\x33\xb8\xba\xbb\xbd-\xbf\xd9-\xdb\xdd][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][\x24\xb1\xd9-\xdb\xdd][^\x00][\x58\x5a\x5b\x5d-\x5f\xb8\xba\xbb\xbd-\xbf\xd9][^\x00][^\x00][^\x00][^\x00][\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0e\x12\x17\xfc][\x03\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0a\x0e\x12\x13\x17\xfc][\x03\x83]..[^\xe2][^\xf5])/sm"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003118; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Polymorphic_Experimental; sid:2003118; rev:3;)
+#by Kevin Ross
+#disabling for falses...
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP NLST command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"NLST"; nocase; classtype:attempted-recon; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010737; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_FTP; sid:2010737; rev:2;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET VIRUS SHELLCODE ADMutate polymorphic payload"; classtype:shellcode-detect; dsize: >45; content: "|e8|"; content: "|ff ff ff|"; distance: 1; within: 3; pcre: "/\xeb[\x26-\x7a].{0,20}(\x5e|\x58\x96|\x58\x89\xc6|\x8b\x34\x24\x83\xec\x04).{0,20}(((\xbb....|\x68....\x5b).{0,20}(\x31\xc9|\x31\xc0\x91))|((\x31\xc9|\x31\xc0\x91).{0,20}(\xbb....|\x68....\x5b))).{0,20}(\xb1.|\x6a.\x58\x89\xc1|\x6a.\x66\x59).{0,20}(\x31\x1e|\x93\x31\x06\x93|\x8b\x06\x09\xd8\x21\x1e\xf7\x16\x21\x06).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}\xe2[\xa0-\xf9].{0,20}\xeb[\x06-\x20].{0,20}\xe8[\x7f-\xff]\xff\xff\xff/sm"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003119; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Polymorphic_Experimental; sid:2003119; rev:3;)
+#by Kevin Ross
+#disabling for falses...
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP RNTO command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"RNTO"; nocase; classtype:attempted-recon; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010738; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_FTP; sid:2010738; rev:2;)
 
-# Sober
+#by Kevin Ross
+#disabling for falses...
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP RNFR command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"RNFR"; nocase; classtype:attempted-recon; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010739; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_FTP; sid:2010739; rev:2;)
 
-#Joe Stewart
-alert tcp $HOME_NET any -> any 25 (msg:"ET VIRUS Sober-style Ehlo - noalert"; flowbits:noalert; flow: established,to_server; dsize: <50; content:"Ehlo"; depth: 4; flowbits:set,SoberEhlo; classtype: string-detect; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sober@mm.html; reference:url,doc.emergingthreats.net/2001879; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Sober; sid: 2001879; rev:8;)
-alert tcp $HOME_NET any -> any 25 (msg:"ET VIRUS Sober-style Ehlo followed by SMTP AUTH - noalert"; flowbits:isset,SoberEhlo; flowbits:noalert; flow: established,to_server; content:"AUTH LOGIN"; depth: 10; flowbits:set,SoberAuth; classtype: string-detect; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sober@mm.html; reference:url,doc.emergingthreats.net/2001880; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Sober; sid: 2001880; rev:10;)
+#by Kevin Ross
+#disabling for falses...
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP STOR command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"STOR"; nocase; classtype:attempted-recon; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010740; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_FTP; sid:2010740; rev:2;)
 
-# Sobig
+#by Anonymous Researchers(tm)
+#Intended to catch common shellcode encoding in exploit scripts coming to clients in web sessions
+#high load. use these if you need them!
+#
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-8 encoded Shellcode Detected"; flow:from_server,established; content:"%u"; nocase; isdataat:2; content:!"|0A|"; within:2; content:!"|20|"; within:2; pcre:"/(%U([0-9a-f]{2})){6}/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003173; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Generic_Shellcode; sid:2003173; rev:7;)
 
-#Unknown submitter - Sobig E-F downloading goodies
-alert udp $HOME_NET any -> $EXTERNAL_NET 8998 (msg:"ET VIRUS Sobig.E-F Trojan Site Download Request"; dsize: 8; content:"|5c bf 01 29 ca 62 eb f1|"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html; reference:url,doc.emergingthreats.net/2001547; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Sobig_Trojan_Download_Request; sid: 2001547; rev:7;)
+#by Anonymous Researchers(tm)
+#Intended to catch common shellcode encoding in exploit scripts coming to clients in web sessions
+#high load. use these if you need them!
+#
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 encoded Shellcode Detected"; flow:from_server,established; content:"%u"; nocase; isdataat:4; content:!"|0A|"; within:4; content:!"|20|"; within:4; pcre:"/(%U([0-9a-f]{4})){6}/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003174; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Generic_Shellcode; sid:2003174; rev:8;)
 
-# Spy.Win32.Bancos Trojan
+#by rich rumble
+#GsecDump rule
+#
+alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT GsecDump executed"; flow:to_server,established; content:"|67 00 73 00 65 00 63 00 64 00 75 00 6d 00 70 00 2e 00 65 00 78 00 65|"; classtype:suspicious-filename-detect; reference:url,xinn.org/Snort-gsecdump.html; reference:url,doc.emergingthreats.net/2010783; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Gsecdump; sid:2010783; rev:3;)
 
-#Submitted by Matt Jonkman for Spy.Win32.Bancos Trojan
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET VIRUS Trojan-Spy.Win32.Bancos Download"; flow: established,from_server; content:"[AspackDie!]"; content:"|0f 6d 07 9e 6c 62 6c 68 00 d2 2f 63 6d 64 9d 11 af af 45 c7 72 ac 5f 3138 d0|"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/pwsteal.bancos.b.html; reference:url,doc.emergingthreats.net/2001726; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Trojan-Spy.Win32.Bancos; sid: 2001726; rev:8;)
+#by Veerendra
+#10/11/2008 GuildFTPd CWD and LIST Command Heap Overflow Attack.
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-1"; flow:established; content:"cwd"; depth:4; nocase; dsize:>74; pcre:"/(\/\.){70,}/i"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/6738; reference:cve,CVE-2008-4572; reference:bugtraq,31729; reference:url,doc.emergingthreats.net/bin/view/Main/2008776; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_GuidFTP; sid:2008776; rev:3;)
 
-#from sandnet data
-#Disabling by default, hits on the VB api, not unique to this virus.
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bancos User-Agent Detected"; flow:established,to_server; content:"User-Agent\: vb wininet"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2004114; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Trojan-Spy.Win32.Bancos; sid:2004114; rev:3;)
+#by Veerendra
+#10/11/2008 GuildFTPd CWD and LIST Command Heap Overflow Attack.
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-2"; flow:established; content:"list"; depth:5; nocase; dsize:>74; pcre:"/[\w]{70,}/i"; classtype:web-application-attack; reference:url,milw0rm.com/exploits/6738; reference:cve,CVE-2008-4572; reference:bugtraq,31729; reference:url,doc.emergingthreats.net/bin/view/Main/2008777; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_GuidFTP; sid:2008777; rev:3;)
 
-#from castlecops research, http://www.castlecops.com, sig by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS AV-Killer.Win32 User Agent Detected (p4r4z1t3v3.one14.J)"; flow:established,to_server; content:"User-Agent\: p4r4z1t3v3"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003638; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Win32_AV-Killer; sid:2003638; rev:3;)
+#by Veerendra
+#10/11/2008 GuildFTPd CWD and LIST Command Heap Overflow Attack.
+#
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT GuppY error.php Arbitrary Remote Code Execution"; flow: to_server,established; content:"/error.php?"; nocase; http_uri; content:"err="; nocase; http_uri; content:"_SERVER[REMOTE_ADDR]="; nocase; http_uri; classtype: web-application-attack; reference:bugtraq,15609; reference:url,doc.emergingthreats.net/bin/view/Main/2002703; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Guppy; sid:2002703; rev:5;)
 
-#by mr Magic Pants
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET VIRUS Win32.SMTP-Mailer SMTP Outbound"; flow:to_server,established; content:"Subject\: \: ZOMBIE"; nocase; content:"X-Library\: Indy 9.00.10"; nocase; distance:0; classtype:trojan-activity; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Win32.SMTP-Mailer&threatid=48095; reference:url,www.hauri.net/virus/virusinfo_read.php?code=TRW3000774&start=1; reference:url,doc.emergingthreats.net/2003041; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Win32_Mailer; sid:2003041; rev:5;)
+#by David Maciejak
+#
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT GuppY error.php POST Arbitrary Remote Code Execution"; flow: to_server,established; content:"POST"; http_method; nocase; content:"/error.php?"; nocase; http_uri; content:"err="; nocase; http_uri; pcre:"/Cookie\:\ +REMOTE_ADDR=/i"; classtype:web-application-attack; reference:bugtraq,15609; reference:url,doc.emergingthreats.net/bin/view/Main/2003332; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Guppy; sid:2003332; rev:5;)
 
-# by: Jeremy Conway at sudosecure.net
-# ref: bbd144858cb1af3177a02900865d3134
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader Possible AV KILLER- HTTP GET"; flow:established,to_server; content:"GET "; depth:4; content:" HTTP/1.0|0d 0a|"; within:200; uricontent:"SoftName="; nocase; uricontent:"SoftVersion="; nocase; uricontent:"UserIP="; nocase; uricontent:"Mac="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009487; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_AVKiller; sid:2009487; rev:2;)
+#by mike cox
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1530 (msg:"ET EXPLOIT HP Open View Data Protector Buffer Overflow Attempt"; flow:established,to_server; content:"|B6 29 8C 23 FF FF FF|"; pcre:"/\xB6\x29\x8C\x23\xFF\xFF\xFF[\xF8-\xFF]/"; classtype:attempted-admin; reference:url,dvlabs.tippingpoint.com/advisory/TPTI-09-15; reference:url,doc.emergingthreats.net/2010546; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_HP; reference:cve,2007-2281; sid:2010546; rev:3;)
 
-# by: Jeremy Conway at sudosecure.net
-# ref: 01683fba555b59dac497a390e5afea47
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN AVKiller with Backdoor checkin - HTTP POST"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a 0d 0a|id="; nocase; content:"&ip_int="; nocase; content:"&os="; nocase; content:"&av="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009812; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_AVKiller; sid:2009812; rev:2;)
+#by Blake Hartstein of Demarc
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP USER login flowbit"; flow:established,to_server; content:"USER "; nocase; depth:5; flowbits:set,ET.ftp.user.login; flowbits:noalert; classtype:not-suspicious; reference:url,doc.emergingthreats.net/bin/view/Main/2002850; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_HP-UX; sid:2002850; rev:4;)
 
-#by: Jeremy Conway at sudosecure.net
-# ref: cd3c73136661fea7e33ed41666953bc9
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Adware/Spyware Adrotator for Rogue AV"; flow:established,to_server; content:"GET "; depth:4; uricontent:"nsi_install.php?"; nocase; uricontent:"aff_id="; nocase; uricontent:"&inst_result="; uricontent:"&id="; nocase; classtype:trojan-activity; reference:url,www.spywaredetector.net/spyware_encyclopedia/Trojan.Vapsup.htm; reference:url,www.spywaredetector.net/spyware_encyclopedia/Fake AntiSpyware.POWER-ANTIVIRUS-2009.htm; reference:url,www.threatexpert.com/threats/adware-agent-gen.html; reference:url,novirusthanks.org/blog/2008/11/rogue-antispyware-2009-served-through-beedlyus-ads/; reference:url,doc.emergingthreats.net/2009548; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Adrotater; sid:2009548; rev:3;)
+#by Blake Hartstein of Demarc
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP HP-UX LIST command without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:"LIST "; nocase; depth:5; classtype:attempted-recon; reference:cve,2005-3296; reference:bugtraq,15138; reference:url,doc.emergingthreats.net/bin/view/Main/2002851; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_HP-UX; sid:2002851; rev:5;)
 
-#by pedro marinho
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Agent.END"; flow:to_server,established; content:"GET "; depth:4; uricontent:"idcomp="; uricontent:"&load1="; uricontent:"&hist=downloaded_user_"; uricontent:"MyValue="; pcre:"/MyValue=[a-f0-9]{32}/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010243; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Agent.end; sid:2010243; rev:2;)
+#by Blake Hartstein of Demarc
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"ET EXPLOIT HP-UX Printer LPD Command Insertion"; flow:established,to_server; content:"|02|msf28|30|"; depth:7; content:"|60|"; distance:0; within:20; classtype:attempted-user; reference:cve,2005-3277; reference:bugtraq,15136; reference:url,doc.emergingthreats.net/bin/view/Main/2002852; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_HP-UX; sid:2002852; rev:5;)
 
-#by Steven Adair and Shadowserver.org
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Agent.kaq Chinese IE Password Stealer Encoded Traffic"; flow:to_server,established; content:"|20 20 20 20 20 00 03 00 06 00|"; depth:10; dsize:>100; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080424; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008169; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Agent.kaq; sid:2008169; rev:4;)
+#By Frank Knobbe
+#disabled by default as the ftp preproc will catch this now
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible IIS FTP Exploit attempt - Large SITE command"; flow:established,to_server; content:"SITE "; nocase; isdataat:150,relative; content:!"|0d 0a|"; within:150; classtype:attempted-admin; reference:url,www.milw0rm.com/exploits/9541; reference:url,doc.emergingthreats.net/2009828; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP; reference:cve,2009-3023; sid:2009828; rev:6;)
 
-#by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Alman Dropper Checkin"; flow:established,to_server; uricontent:"/info.asp?action=post&HD="; uricontent:"&OT="; uricontent:"&IV="; uricontent:"&AV="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009203; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Alman; sid:2009203; rev:2;)
+#By evilghost
+#disabled by default as the ftp preproc will catch this now
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT IIS FTP Exploit - NLST Globbing Exploit"; flow:established,to_server; content:"NLST "; nocase; content:"|2a 2f 2e 2e 2f|"; classtype:attempted-admin; reference:url,www.milw0rm.com/exploits/9541; reference:url,doc.emergingthreats.net/2009860; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP; reference:cve,2009-3023; sid:2009860; rev:5;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Alureon Checkin (Post)"; flow:established,to_server; content:"POST "; depth:5; content:" HTTP/1.0|0d 0a|"; distance:0; content:"|0d 0a 0d 0a|x="; distance:0; content:"0\;0\;0\;0"; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008751; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Alureon; sid:2008751; rev:2;)
+#Submitted by Joseph Gama
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid non-fragmented packet with fragment offset>0"; fragbits: !M; fragoffset: >0; classtype: bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2001022; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Invalid_TCP_Fragments; sid:2001022; rev:5;)
 
-#by Matt Jonkman, re 53c26839720c9b3e9c6ed9f0d288d288
-alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN AntiAV Command and Control Channel (Gh0st)"; flow:established,to_server; dsize:<400; content:"Gh0st|80 01 00 00|"; depth:9; flowbits:set,ET.antiav1; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009109; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_AntiAV; sid:2009109; rev:2;)
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET TROJAN AntiAV Command and Control Channel Response (Gh0st)"; flowbits:isset,ET.antiav1; flow:established,from_server; dsize:<30; content:"Gh0st|16 00 00 00|"; depth:9; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009110; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_AntiAV; sid:2009110; rev:2;)
+#Submitted by Joseph Gama
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid fragment - ACK reset"; fragbits: M; flags: !A,12; classtype: bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2001023; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Invalid_TCP_Fragments; sid:2001023; rev:5;)
 
-#by matt jonkman, www.antispywareexpert.com
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Antispywareexpert.com Fake AS Install Checkin"; flow:established,to_server; uricontent:"/?action="; uricontent:"&pc_id="; uricontent:"&abbr="; uricontent:"&a="; uricontent:"&l="; uricontent:"&addt"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008502; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Antispywareexpert.com; sid:2008502; rev:2;)
+#Submitted by Joseph Gama
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid fragment - illegal flags"; fragbits: M; flags: *FSR,12; classtype: bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2001024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Invalid_TCP_Fragments; sid:2001024; rev:5;)
 
-#matt jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Antispywaremaster.com Fake AV Checkin"; flow:established,to_server; uricontent:"?action="; uricontent:"&pc_id="; uricontent:"&abbr="; uricontent:"&err="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008282; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Antispywaremaster.com; sid:2008282; rev:2;)
+#by David Maciejak
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT JamMail Jammail.pl Remote Command Execution Attempt"; flow: to_server,established; content:"/cgi-bin/jammail.pl?";  http_uri; nocase;  pcre:"/(mail=\|.+\|)/"; classtype: web-application-attack; reference:bugtraq,13937; reference:url,doc.emergingthreats.net/bin/view/Main/2001990; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Jammail; sid:2001990; rev:7;)
 
-#by Pedro Marinho
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Antivirus2008"; flow:established,to_server; uricontent:"nick="; nocase; uricontent:"&group="; nocase; uricontent: "&os="; content:"User-Agent\:|20|Mozilla|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008483; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Antivirus2008; sid:2008483; rev:4;)
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS MS04011 Lsasrv.dll RPC exploit (Win2k)"; flow: to_server,established; content:"|00 00 00 00 9A A8 40 00 01 00 00 00 00 00 00 00|"; content:"|01 0000 00 00 00 00 00 9A A8 40 00 01 00 00 00|"; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000046; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_LSASRV_DLL_RPC_Exploit_win2k; reference:cve,2003-0533; sid:2000046; rev:9;)
 
-#matt jonkman, re 0546aebf675cbb00f93c8040d394fa5f
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Antivirus2008 Fake AV Install Report"; flow:established,to_server; uricontent:"?type=scanner&pin="; uricontent:"&lnd="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008511; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Antivirus2008; sid:2008511; rev:2;)
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP)"; flow: to_server,established; content:"|95 14 40 00 03 00 00 00 7C 70 40 00 01|"; content:"|78 85 13 00 AB5B A6 E9 31 31|"; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000033; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_LSASRV_DLL_RPC_Exploit_winXP; reference:cve,2003-0533; sid:2000033; rev:9;)
 
+#Submitted by Joseph Gama
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libPNG - Possible NULL-pointer crash in png_handle_iCCP"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; byte_test:4,>,0x80000000,0,relative,big,string,hex; classtype:misc-activity; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001190; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_LibPNG; sid:2001190; rev:10;)
 
-#by dxp
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Armitage Loader Request"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/exe.php"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009031; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Armitage; sid:2009031; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Armitage Exploit Request"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/bof.php"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009032; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Armitage; sid:2009032; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Armitage Loader Check-in"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/lds.php"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009036; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Armitage; sid:2009036; rev:3;)
+#Submitted by Joseph Gama
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libPNG - Width exceeds limit"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; byte_test:4,>,0x80000000,8,relative,big,string,hex; classtype: misc-activity; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001191; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_LibPNG; sid:2001191; rev:10;)
 
-#by Daniel Clemens
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN ASProtect/ASPack Packed Binary - Likely Hostile"; flow:from_server,established; content:"|2E 72 73 72 63|"; content:"|2E 61 73 70 61 63 6B|"; within: 50; reference:url,www.aspack.com/downloads.aspx; reference:url,bits.packetninjas.org/eblog/; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008575; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Asprotect_Packed; sid:2008575; rev:2;)
+#Submitted by Joseph Gama
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libPNG - Height exceeds limit"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; byte_test:4,>,0x80000000,12,relative,big,string,hex; classtype: misc-activity; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001192; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_LibPNG; sid:2001192; rev:10;)
 
-#by Joe Stewart of Secureworks
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET TROJAN Asprox-style Message ID"; flow:established,to_server; dsize:<80; content:"Message-ID|3a20|"; depth:12; content:"|0d0a|"; within: 68; flowbits:set,ET.asproxmessageid; flowbits:noalert; reference:url,www.secureworks.com/research/threats/danmecasprox; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2008221; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Asprox; sid:2008221; rev:4;)
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET TROJAN Asprox phishing email detected"; flow:established,to_server; content:"From|3a20|"; depth:6; content:"|0d0a|Bcc|3a20|"; within:150; flowbits:isset,ET.asproxmessageid; reference:url,www.secureworks.com/research/threats/danmecasprox; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2008222; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Asprox; sid:2008222; rev:4;)
+#Submitted by Joseph Gama
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libPNG - Possible integer overflow in allocation in png_handle_sPLT"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; content:"sPLT"; isdataat:80,relative; content:!"|00|"; distance: 0; classtype: misc-activity; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001195; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_LibPNG; sid:2001195; rev:9;)
 
-#by dxp
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Asprox Form Submission to C&C"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/forum.php"; nocase; content:"Content-Type\: multipart/form-data\; boundary=1BEF0A57BE110FD467A"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009054; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Asprox; sid:2009054; rev:2;)
+#Submitted by Joe Stewart
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libpng tRNS overflow attempt"; flow: established,to_client; content:"|89|PNG|0D 0A 1A 0A|"; content:!"PLTE"; content:"tRNS"; byte_test:4,>,256,-8,relative,big; classtype:attempted-admin; reference:cve,CAN-2004-0597; reference:url,doc.emergingthreats.net/bin/view/Main/2001058; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_LibPNG; sid:2001058; rev:8;)
 
-#by darren spruell
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Asprox Data Post to C&C"; flow:established,to_server; content:"POST "; depth:5; content:"name=|22|sid|22 0d 0a 0d 0a|"; nocase; content:"name=|22|upt|22 0d 0a 0d 0a|"; nocase; content:"name=|22|hcc|22 0d 0a 0d 0a|"; nocase; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/danmecasprox/; reference:url,www.toorcon.org/tcx/18_Brown.pdf; reference:url,doc.emergingthreats.net/2010270; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Asprox; sid:2010270; rev:2;)
+#by Blake Hartstein
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Linksys WRT54g Authentication Bypass Attempt"; flow:established,to_server; content:"/Security.tri"; nocase; http_uri; content:"SecurityMode=0"; nocase; classtype:attempted-admin; reference:url,secunia.com/advisories/21372/; reference:url,doc.emergingthreats.net/bin/view/Main/2003072; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Linksys; sid:2003072; rev:5;)
 
-#Matt Jonkman
-#re c6f326609487aaae451366728ec5cdd9
-alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 91 (msg:"ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Start"; flow:established,to_server; content:"11000"; depth:5; content:"^"; distance:4; within:5; flowbits:isnotset,ET.assassin.start; flowbits:set,ET.assassin.start; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008675; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Assassin; sid:2008675; rev:3;)
-alert tcp $EXTERNAL_NET 91 -> $HOME_NET 1024: (msg:"ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Server Reply"; flowbits:isset,ET.assassin.start; flow:established,from_server; dsize:12; content:"10000002|5e 2a|"; depth:10; flowbits:set,ET.assassin.reply; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008676; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Assassin; sid:2008676; rev:3;)
-alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 91 (msg:"ET TROJAN Backdoor.Win32.Assasin.20.C Control Channel Client Reply"; flow:established,to_server; dsize:10; content:"10000000|5e 2a|"; flowbits:isset,ET.assassin.reply; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008677; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Assassin; sid:2008677; rev:3;)
+#by evilghost
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Linksys WAP54G debug.cgi Shell Access as Gemtek"; flow:established,to_server; content:"Authorization|3a| Basic R2VtdGVrOmdlbXRla3N3ZA==|0d 0a|"; http_header; content:"/debug.cgi"; http_uri; classtype:attempted-admin; reference:url,seclists.org/fulldisclosure/2010/Jun/176; reference:url,doc.emergingthreats.net/2011669; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Linksys; sid:2011669; rev:5;)
 
-# by: Jeremy Conway at sudosecure.net
-# ref: 8a8f0708b05e0177acc4c57a09c70790 c42c3b5c832ac87221bb5ac88ed3feb7
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Atya Dropper Possible Rootkit - HTTP GET"; flow:established,to_server; content:"GET "; depth:4; uricontent:"b="; nocase; uricontent:"&idf="; nocase; uricontent:"&v="; nocase; uricontent:"&o="; nocase; reference:url,www.paretologic.com/resources/definitions.aspx?remove=%41%67%65%6e%74%20%41%74%79%61%20%54%72%6f%6a%61%6e; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009450; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Atya; sid:2009450; rev:2;)
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS MS04-007 Kill-Bill ASN1 exploit attempt"; flow: established,to_server; content:"CCCC|20f0fd7f|SVWf"; classtype:attempted-admin; reference:url,www.phreedom.org/solar/exploits/msasn1-bitstring/; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; reference:cve,CAN-2003-0818; reference:url,doc.emergingthreats.net/bin/view/Main/2001944; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS04-007; sid:2001944; rev:7;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Autorun.qvi Related HTTP Get on Off Port"; flow:established,to_server; content:"GET /get_r.php?fid="; depth:19; content:"&mac="; distance:0; within:15; content:"&version="; distance:0; content:"&uuid="; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008755; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Autorun; sid:2008755; rev:2;)
+#Submitted by Chris Norton and Woofz
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Exploit"; flow: established; content:"|45 4D 46|"; content:"|EB 12 90 90 90 90 90 90|"; content:"|9e 5c 05 78|"; nocase; classtype: shellcode-detect; reference:url,www.k-otik.com/exploits/20041020.HOD-ms04032-emf-expl2.c.php; reference:url,doc.emergingthreats.net/bin/view/Main/2001369; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS04-032; sid:2001369; rev:7;)
 
-# by: Jeremy Conway at sudosecure.net
-# ref: 5af1c119ba1818099b4e4915f5bb15e9
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Win32.Autorun HTTP Post"; flow:established,to_server; content:"POST "; depth:5; uricontent:"cbID="; nocase; uricontent:"cbVer="; nocase; uricontent:"cbTit="; nocase; content:!"User-Agent\:"; nocase; content:"cbBody="; nocase; reference:url,www.threatexpert.com/threats/worm-win32-autorun.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009516; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Autorun; sid:2009516; rev:2;)
+#Submitted by Chris Norton and Woofz
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MS04-032 Windows Metafile (.emf) Heap Overflow Portbind Attempt"; flow: established; content:"|45 4D 46|"; content:"|23 6A 75 4E|"; classtype: shellcode-detect; reference:url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001363; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS04-032; sid:2001363; rev:7;)
 
-#General BHOs and the like
+#Submitted by Chris Norton and Woofz
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Connectback Attempt"; flow: established; content:"|45 4D 46|"; content:"|5E 79 72 63|"; content:"|48 4F 44 21|"; classtype: shellcode-detect; reference:url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001364; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS04-032; sid:2001364; rev:7;)
 
-#by Jeremy at Sudosecure
-# ref: a2404de3a35a263d775ceb451173f304
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rouge Security Software Win32.BHO.egw"; flow:established,to_server; content:"GET "; depth:4; uricontent:".php?"; nocase; uricontent:"affid="; nocase; uricontent:"subid="; nocase; uricontent:"guid="; nocase; uricontent:"ver="; nocase; uricontent:"key="; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.Win32.BHO.egw&threatid=313636; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008461; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_BHO; sid:2008461; rev:2;)
+#From Erik Fichtner
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Bad EMF file"; flow: from_server,established; content:"|01 00 00 00|"; depth: 4; content:"|20 45 4d 46|"; offset: 40; depth: 44; byte_test:4, >, 256, 60, little; classtype: misc-activity; reference:url,www.sygate.com/alerts/SSR20041013-0001.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2001374; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS04-032; sid:2001374; rev:8;)
 
-#by Marcus at unsober
-# ref: 30b2cc13a86a15396a25e89c2860351d
-alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor Possible Backdoor.Cow Varient (Backdoor.Win32.Agent.lam) C&C traffic"; content:"|6C 3C|"; depth:2; content:"|3E 20|"; within:3; content:"bid="; nocase; within:20; content:"bver="; nocase; within:20; content:"bip="; nocase; within:20; content:"bn="; nocase; within:20; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008465; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.Cow; sid:2008465; rev:2;)
+#By Erik Fichtner
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Exploit MS05-002 Malformed .ANI stack overflow attack"; flow: to_client,established; content:"RIFF"; content:"ACON"; distance: 8; content:"anih"; distance: 160; byte_test:4,>,36,0,relative,little; classtype: misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2001668; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-002_ANI_Stack_Overflow; sid:2001668; rev:6;)
 
-#by Pedro Marinho
-#re 4bde1bc2f7b6d4e11b1a570aaa52df57
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.Agent.fvt Checkin"; flow:established,to_server; content:"GET "; depth:4; content:".php?"; nocase; content:"lversion="; nocase; content:"wversion=&eversion=&fid="; nocase; content:"&mac="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008667; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.General; sid:2008667; rev:3;)
+#by Chris Ries of Vigilant Minds
+#
+alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"ET NETBIOS ms05-011 exploit"; flow:from_server,established; content:"|00|"; depth:1; content:"|FF|SMB|32|"; depth:9; offset:4; content: "|ff ff ff ff 00 00 00 00 ff|"; offset: 132; depth: 141; classtype:attempted-admin; reference:bugtraq,12484; reference:url,www.frsirt.com/exploits/20050623.mssmb_poc.c.php; reference:url,doc.emergingthreats.net/bin/view/Main/2002064; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-011; sid:2002064; rev:7;)
 
-#matt jonkman, re 1f8169a4694ec450a9f247469b7cbaf4
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Win32 Backdoor Checkin POST Packet 1"; flow:established,to_server; uricontent:"/add.php"; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1)|0d 0a|"; flowbits:noalert; flowbits:set,ET.bd1; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009240; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.General; sid:2009240; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Win32 Backdoor Checkin POST"; flow:established,to_server; content:"|0d 0a 0d 0a|Admin="; depth:10; content:"&UserName="; distance:0; within:25; content:"&IsProxy="; distance:0; within:50; flowbits:isset,ET.bd1; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009241; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.General; sid:2009241; rev:2;)
+#These should be dropped. Disabling till we hear if anyone wants to keep them
+#Erik Fichtner
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT MS05-021 Exchange Link State - Possible Attack (1)"; flow: to_server,established; content:"X-LINK2STATE"; fast_pattern:only; nocase; classtype: misc-activity; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001848; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-021; sid:2001848; rev:8;)
 
-#Matt Jonkman, analysis from captured binary
-# Don't know a lot about this one. But the control session is apparently opened by a 00 00 00 00
-# Then the bot replies with a packet that begins with the date in form such as 20060622, and
-# among other things contains the host OS info.
-# Since this is a windos bot, we can assume the word windows will be in there.
-# Hopefully we can update these as more is learned. This is sorta crude, but should
-# be reliable to not false pos at least....
-alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET TROJAN Backdoor.Hupigon Possible Control Connection Being Established"; flow:established,to_server; dsize:4; content:"|00 00 00 00|"; flowbits:set,BSHupigonControlStart; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/fulldetails/id_vir/1051/bds_hupigon.bo.html; reference:url,doc.emergingthreats.net/2002974; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.Hupigon; sid:2002974; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET TROJAN Backdoor.Hupigon INFECTION - Reporting Host Type"; flow:established,to_server; flowbits:isset,BSHupigonControlStart; content:"Windows "; flowbits:isset,BSHupigonControlStart; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/fulldetails/id_vir/1051/bds_hupigon.bo.html; reference:url,doc.emergingthreats.net/2002975; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.Hupigon; sid:2002975; rev:3;)
+#These should be dropped. Disabling till we hear if anyone wants to keep them
+#Erik Fichtner
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 691 (msg:"ET EXPLOIT MS05-021 Exchange Link State - Possible Attack (2)"; flow: to_server,established; content:"X-LSA-2"; fast_pattern:only; nocase; classtype: misc-activity; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001849; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-021; sid:2001849; rev:8;)
 
-#by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.cfi (related) System Info Upload via FTP"; flow:established,to_server; content:"*************CD-Key Pack**************"; content:"|0d 0a|Microsoft Windows Product ID CD Key\:"; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008005; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.VB.cfi; sid:2008005; rev:3;)
+#These should be dropped. Disabling till we hear if anyone wants to keep them
+#Erik Fichtner
+#
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET EXPLOIT MS Exchange Link State Routing Chunk (maybe MS05-021)"; flow: to_server, established; content:"X-LINK2STATE"; nocase; content:"CHUNK="; nocase; threshold: type limit, track by_src, count 1, seconds 60; flowbits:set,msxlsa; classtype: misc-activity; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001873; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-021; sid:2001873; rev:9;)
 
-#by Scott Melnick
-alert tcp $HOME_NET !$HTTP_PORTS -> $EXTERNAL_NET 1337 (msg:"ET TROJAN Win32.SkSocket C&C Connection"; flow:established,to_server; flags:PA,12; dsize:1; content:"|04|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007585; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.Win32.SkSocket; sid:2007585; rev:4;)
+#since this could be variable length chunks, we can't tell if we had
+#enough data to blow the server up or not, so we have to read the
+#chicken bones to see if it looks like exchange sh!t the bed or not.
+#
+#alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"ET EXPLOIT TCP Reset from MS Exchange after chunked data, probably crashed it (MS05-021)"; flags: R; flowbits:isset,msxlsa; flowbits: unset,msxlsa; classtype: misc-activity; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001874; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-021; sid:2001874; rev:8;)
 
-#by matt jonkman and victor julien
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.brg C&C Checkin"; flow:established,to_server; content:"Status|2a 28|Idle|2e 2e 2e 29 2a|"; depth:17; offset:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007922; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.Win32.VB; sid:2007922; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.brg C&C Reporting Version"; flow:established,to_server; content:"Version|28 2a|"; depth:9; offset:0; content:"|29 2a|"; within:8; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007979; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.Win32.VB; sid:2007979; rev:5;)
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Backdoor.Win32.VB.brg C&C Kill Command Send"; flow:established,from_server; dsize:<35; content:"kill-"; offset:0; depth:5; pcre:"/kill\-\d+.\d+.\d+.\d+\:\d+%\d+/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007980; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.Win32.VB; sid:2007980; rev:3;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.brg C&C Kill Command Acknowledge"; flow:established,to_server; dsize:29; content:"Status|28 2a|UDP Attack Running!|2a 28|"; offset:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007981; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.Win32.VB; sid:2007981; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.brg C&C DDoS Outbound"; flow:established,from_server; dsize:>100; content:"|ff ff ff ff|"; depth:4; content:" own you bitch!"; within:20; content:"|01 01 01 01 01 01 01 01 01 01 01 01 01|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007982; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.Win32.VB; sid:2007982; rev:3;)
+#Added 2005/08/14 as found on SANS ISC web site, by AlertLogic
+#Replaced by sigs below
+#
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS SMB-DS Microsoft Windows 2000 Plug and Play Vulnerability"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|67157a76|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,isc.sans.org/diary.php?date=2005-08-14; reference:url,doc.emergingthreats.net/bin/view/Main/2002186; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-039; sid:2002186; rev:4;)
 
-#matt jonkman, re 0ec9e59de960ec4a7d585a9ad7fc5719
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.fdi Bot Reporting to Controller"; flow:established,to_server; content:"state\: 0 - zombie is ready for control"; depth:38; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008507; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.Win32.VB; sid:2008507; rev:2;)
+#Added 2005/08/14 as found on SANS ISC web site, by AlertLogic
+#Replaced by sigs below
+#
+##alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET DELETED NETBIOS SMB Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; distance:110; within:5; content:"|F6387A76|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,isc.sans.org/diary.php?date=2005-08-14; reference:url,doc.emergingthreats.net/bin/view/Main/2002187; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-039; sid:2002187; rev:6;)
 
-#by Jeremy of sudosecure
-# ref: 82b9407337a991b52daffd0078d02e6a
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker/Banbra Variant POST via x-www-form-urlencoded"; flow:established,to_server; uricontent:".php"; content:"POST "; depth:5; content:"|0D0A|Content-Type|3a20|application/x-www-form-urlencoded|0D0A|Content-Length|3A20|"; depth:150; nocase; content:"from="; nocase; content:"|26|FromMail="; nocase; content:"|26|destino="; nocase; content:"|26|assunto="; nocase; content:"|26|mensagem="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008331; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banbra; sid:2008331; rev:3;)
+#Added 2005/08/14 as found on SANS ISC web site, by AlertLogic
+#Replaced by sigs below
+#
+##alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET DELETED NETBIOS SMB-DS Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset: 4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; distance:110; within:5; content:"|F6387A76|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,isc.sans.org/diary.php?date=2005-08-14; reference:url,doc.emergingthreats.net/bin/view/Main/2002188; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-039; sid:2002188; rev:6;)
 
-#Matt jonkman, re 0d3ff9cfa6b1d6a8aeabaf0d73e1fc5c
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker/Banbra Related HTTP Post-infection Checkin"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a 0d 0a|tipo=cli&cli="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009296; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banbra; sid:2009296; rev:2;)
+#All related to UPnP Exploit, MS05-039
+#Thanks to the Alert Logic team
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS SMB-DS DCERPC PnP HOD bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:4; content:"|0B|"; within:1; distance:1; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2002199; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-039; sid:2002199; rev:4;)
 
-#by Matt Jonkman
-#Bandook 1.2
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.2 Initial Connection and Report"; flowbits:isnotset,BE.Bandook1.2; flow:established,to_server; content:"&first& # "; pcre:"/# \d+d \d+dh \d+m # /iR"; classtype:trojan-activity; flowbits:set,BE.Bandook1.2; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003549; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.2 Get Processes"; flowbits:isset,BE.Bandook1.2; flow:established,to_server; dsize:8; content:"|99 9b 86 8a 85 80 9a 9d|"; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003550; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.2 Kill Process Command"; flowbits:isset,BE.Bandook1.2; flow:established,to_server; dsize:>8; content:"kill3d"; offset:0; depth:6; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003551; rev:5;)
-alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.2 Reporting Socks Proxy Active"; flowbits:isset,BE.Bandook1.2; flow:established,from_server; dsize:7; content:"sockson"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003552; rev:5;)
-alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.2 Reporting Socks Proxy Off"; flowbits:isset,BE.Bandook1.2; flow:established,from_server; dsize:8; content:"socksoff"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003553; rev:5;)
-alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.2 Client Ping Reply"; flowbits:isset,BE.Bandook1.2; flow:established,from_server; dsize:10; content:"&SEXREPLY&"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003554; rev:5;)
+#All related to UPnP Exploit, MS05-039
+#Thanks to the Alert Logic team
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS SMB-DS DCERPC PnP bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2002200; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-039; sid:2002200; rev:4;)
 
-#Bandook 1.35
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.35 Initial Connection and Report"; flowbits:isnotset,BE.Bandook1.35; flow:established,to_server; content:"|cf 8f|"; offset:0; depth:2; content:"|20 26 26 26|"; distance:50; classtype:trojan-activity; flowbits:set,BE.Bandook1.35; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003555; rev:5;)
-alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.35 Keepalive Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:6; content:"|cf ab a8 a7 ae cf|"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003556; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.35 Keepalive Reply"; flowbits:isset,BE.Bandook1.35; flow:established,to_server; dsize:9; content:"|cf ab a8 a4 ae cf 26 26 26|"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003557; rev:5;)
-alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.35 Create Registry Key Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:>10; content:"|cf 9b 8c 8e 8a 9b cf|"; offset:0; depth:7; content:"|95|"; distance:5; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003558; rev:5;)
-alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.35 Create Directory Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:>7; content:"|cf 84 82 8d 80 9b cf 95|"; offset:0; depth:8; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003559; rev:5;)
-alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.35 Window List Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:10; content:"|cf 8e 80 84 84 8c 9e 80 87 cf|"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003560; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.35 Window List Reply"; flowbits:isset,BE.Bandook1.35; flow:established,to_server; dsize:>10; content:"|cf 9e 80 87 85 80 9a 9d cf|"; offset:0; depth:9; content:"|26 26 26|"; distance:10; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003561; rev:5;)
-alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.35 Get Processes Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:8; content:"|99 9b 86 8a 85 80 9a 9d|"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003562; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.35 Get Processes Command Reply"; flowbits:isset,BE.Bandook1.35; flow:established,to_server; dsize:>10; content:"|cf 9d 82 99 9b 86 8a cf|"; offset:0; depth:8; content:"|26 26 26|"; distance:10; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003565; rev:5;)
-alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.35 Start Socks5 Proxy Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:>6; content:"|a7 a0 a7 ae 95|"; offset:0; depth:5; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003563; rev:5;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.35 Socks5 Proxy Start Command Reply"; flowbits:isset,BE.Bandook1.35; flow:established,to_server; dsize:10; content:"|9a 86 8a 82 9a 86 87 26 26 26|"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003564; rev:5;)
-
-
-#by Joe Stewart
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandok phoning home (xor by 0xe9 to decode)"; flow:established,to_server; content:"|CF 8F 80 9B 9A 9D CF 95|"; depth:8; dsize:<80; reference:url,www.dshield.org/diary.html?date=2007-03-28; reference:url,www.secureworks.com/research/threats/bbbphish/?threat=bbbphish; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003936; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003936; rev:4;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bandook iwebho/BBB-phish trojan leaking user data"; flow:established,to_server; content:"POST|20|/"; depth:6; content:"|20|HTTP/1.1|0d0a|Content-Type|3a20|application/x-www-form-urlencoded|0d0a|Host|3a20|"; within:150; content:"Content-Length|3a20|"; within:100; content:"|0d0a0d0a|"; within:12; content:"VISITED_URL"; within:100; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/bbbphish; reference:url,doc.emergingthreats.net/2003937; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003937; rev:4;)
+#All related to UPnP Exploit, MS05-039
+#Thanks to the Alert Logic team
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS SMB-DS DCERPC PnP QueryResConfList exploit attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|36 00|"; within:2; distance:26; pcre:"/(\x00\\\x00.*?){2}\x00{2}\xFF{2}.{128,}[\x04-\xFF][\x00-\xFF]{3}\x00{4}$/Rs"; flowbits:isset,netbios.pnp.bind.attempt; classtype:attempted-admin; reference:cve,CAN-2005-1983; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2002201; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-039; sid:2002201; rev:4;)
 
-#by Matt Jonkman
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.OT Checkin"; flow:established,to_server; content:"POST "; depth:5; content:"User-Agent\: Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a 0d 0a|praquem="; content:"&titulo="; content:"&texto="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007823; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2007823; rev:2;)
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.OT Checkin (2 packet)"; flow:established,to_server; content:"praquem="; depth:8; content:"&titulo="; content:"&texto="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008491; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2008491; rev:2;)
+#All related to UPnP Exploit, MS05-039
author	Michael Rash <mbr@cipherdyne.org>
	Fri, 24 Dec 2010 04:39:26 +0000 (04:39 +0000)
committer	Michael Rash <mbr@cipherdyne.org>
	Fri, 24 Dec 2010 04:39:26 +0000 (04:39 +0000)
ChangeLog		patch \| blob \| history
deps/snort_rules/emerging-all.rules		patch \| blob \| history