Login  Register

Guide - How to fix/resurrect a bricked Shield (and updated to 1.51SP1 w/Feb & March 2016 hotfixes & fw_upgrade 8.3.1)

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
46 messages Options Options
Embed post
Permalink
123
Reply | Threaded
Open this post in threaded view
| More
Print post
Permalink

Guide - How to fix/resurrect a bricked Shield (and updated to 1.51SP1 w/Feb & March 2016 hotfixes & fw_upgrade 8.3.1)

harpss1ngh
61 posts
This post was updated on May 23, 2016; 1:36am.
Just to help anyone who may be stuck with a bricked Shield:

1) Get a good quality console cable, USB to Serial adapter (or USB to console cable) with an FTDI chipset (not the cheap ones on ebay with a ch340 chip or fake pl2303). They're only 12 quid off Amazon, I got this: Asunflower® Cisco USB Console Cable FTDI USB to RJ45 for Windows Vista MAC Linux RS-232 (6 feet)

These steps will allow you to make your Shield boot, to the point where you can SSH to it and (hopefully) SCP the files you are missing.

2) Plug the console cable into the Shield's console port, USB to your laptop or pc or whatever you have. Install the drivers for the USB driver. Download and open putty. Select Serial and enter the COM port (you can find it via device manager > Ports), then enter 115200 for speed.

3) Power on the Shield, carefully inspect the first few lines, if it says "OCTBOOT2BIN not found Error: Trying embedded failsafe..." follow this guide to upload the missing octboot2.bin bootloader file

4) Hit enter a few times to get a Octeon sff7000# prompt.

5) Enter: fatls mmc 1

6) This will list the files in the embedded MMC chip. For your shield to boot you need to see these files:

octboot2.bin
u-boot-octeon_rhino_itus7x.bin


7) If any are missing, then at this point you need to first download a copy. Luckily a few board members here have uploaded these to dropbox so they have it covered, you can find these here:

octboot2.bin
u-boot-octeon_rhino_itus7x.bin
md5sum of both the above files - You don't need this to fix the Shield to boot, this is just to verify the two files above aren't corrupted/modified if you know how to use it, otherwise don't

Thanks to @Hans for these.

If you are missing these, don't worry they will be restored during the upgrade process, just follow this guide!:
itusgatewayimage
itusrouterimage
itusbridgeimage
ItusrestoreImage

8) Once you have downloaded a copy to your machine, you will need to tftp the missing files in a specific order to make the Shield boot to the correct stage.

octboot2.bin is needed to boot to Stage 2 (however to get the Shield up and running temporarily to fix it, you don't need this as there is a failover bootloader which the Shield will boot to which gives you the "Octeon sff7000# prompt and it can be uploaded once you can get SSH running).

Once you are at stage 2 (Octeon sff7000# prompt), u-boot-octeon_rhino_itus7x.bin is then needed to get to Stage 3, at Stage 3 you will need one of the 3 itus images to boot the Shield up to the Linux OS (You will see Snoopy at this stage) at which point you can issue an update and make the Shield download all the missing files it needs to boot as normal when it is rebooted (it will get stuck again if you don't).

So from the Octeon sff7000# prompt:

##################################################################################################################################
### If you have a u-boot-octeon_rhino_itus7x.bin file in the MMC, then simply run these commands to get to Stage 3: ###

setenv octeon_stage3_bootloader u-boot-octeon_rhino_itus7x.bin
bootstage3

At which point the console should start booting to the next stage, and you will then get this prompt:

Octeon cust_private_rhino_itus7x(ram)#

This is stage 3!

##################################################################################################################################


##################################################################################################################################
### If you don't have a u-boot-octeon_rhino_itus7x.bin file in the MMC, then follow this to upload it to tftp: ###

Install tftpd32 and copy the  u-boot-octeon_rhino_itus7x.bin to the tftpd program files directory (C:\Program Files (x86)\tftpd32\

Install Teraterm SSH client and use that to transfer the file over the console instead of Putty (Close down Putty, open Teraterm on the COM port and speed 115200).

On the Shield, Run:
setenv loadaddr 0x400000
fatls mmc 1
loadb  

The shield will now wait to receive a binary file:
## Ready for binary (kermit) download to 0x00400000 at 115200 bps...
## Total Size      = 0x00115ef0 = 1138416 Bytes
## Start Addr      = 0x00400000


From Teraterm , click on → file →transfer → Kermit → select the file which is u-boot-octeon_rhino_itus7x.bin. The Shield should then have a copy of this file loaded into Memory (RAM, not in the eMMC)

Then on the shield:

Type:
go 0x400000


Now, follow the previous step to get to Stage 3 to this prompt:

Octeon cust_private_rhino_itus7x(ram)#

##################################################################################################################################


9)

Now, at this prompt: Octeon cust_private_rhino_itus7x(ram)#

Wire up your Shield as per the Router configuration (Look at the label underneath it)

Type in dhcp, your Shield should now pick up an IP Address from your router and display it on screen


setenv serverip x.x.x.x (set this to the ip address of your machine or the one where tftpd32 or Solarwinds Tftp is running on)

Now on the Shield, enter:

ping x.x.x.x (The ip of your TFTP server). If it pings, then move on to the next step, if not then you need to check your network configuration and fix the issue preventing the shield from reaching your tftp server.

Now type, tftp ItusrouterImage

The router image should upload to the Shield.

Now run this to boot it:
bootoctlinux $(loadaddr) numcores=2 mem=0


Bam! Snoopy should now pop up!



10) Now log into the Shield's IP Address (should be 10.10.10.10), username admin, password itus. Enable DropBear SSH on the LAN interface.

Download and install winscp. Connect to the Shield's IP in Winscp via SCP (username is root, password is itus by default)

On the Shield serial console (or via SSH):

mount /dev/mmcblk0p1 /overlay

In WinSCP, go to the overlay directory on the Shield.

From here, upload any files from WinSCP that are missing from the Shield out of these:

octboot2.bin
u-boot-octeon_rhino_itus7x.bin


Not these, these will be installed from the upgrade script in the next step!
itusgatewayimage
itusrouterimage
itusbridgeimage
ItusrestoreImage

Then unmount the /overlay partition:

umount /overlay


11) Now run the upgrade script:

On the Shield in SSH:

 
root@Itus# cd /tmp
root@Itus:/tmp# wget http://itus.accessinnov.com/file/n10/Upgrade_RC_to_SP1.txt
root@Itus:/tmp# mv Upgrade_RC_to_SP1.txt Upgrade_RC_to_SP1.sh 
root@Itus:/tmp# sh Upgrade_RC_to_SP1.sh 

BAM! Your shield will now download the 1.51SP1 update and download the Itus Images.

Once done,

Install these two hotfixes:
root@Itus# cd /
root@Itus:/# wget http://itus.accessinnov.com/file/n8/hotfix_160210.tgz
root@Itus:/# tar -zxvf hotfix_160210.tgz
root@Itus:/# reboot -f

root@Itus# cd /
root@Itus:/# wget http://itus.accessinnov.com/file/n157/hotfix_160309-FINAL.tgz
root@Itus:/# tar -zxvf hotfix_160309-FINAL.tgz
root@Itus:/# reboot -f
Now install the latest fw_upgrade script (v8.3.1) which I have updated with the latest files downloaded from Github 23/05/2016:
root@Itus# cd /tmp
root@Itus:/tmp# wget http://itus.accessinnov.com/file/n896/dnsmasq.dnsmasq
root@Itus:/tmp# wget http://itus.accessinnov.com/file/n896/e2guardian.lua
root@Itus:/tmp# wget http://itus.accessinnov.com/file/n931/fw_upgrade.fw_upgrade
root@Itus:/tmp# wget http://itus.accessinnov.com/file/n931/index.htm
root@Itus:/tmp# wget http://itus.accessinnov.com/file/n931/install_fw_upgrade_8_3_1.sh
root@Itus:/tmp# wget http://itus.accessinnov.com/file/n896/write-categories.sh

root@Itus:/tmp# mv dnsmasq.dnsmasq dnsmasq
root@Itus:/tmp# mv fw_upgrade.fw_upgrade fw_upgrade


Note: .version no longer needed due to an update commited to Github here: https://github.com/ItusShield/Shield-Master/commit/4a39bc4c823a3c4427fa901307ba2ffd6b24a96a
Thanks @Gnomad for the changes:
These are new files from Github, uploaded 23/05/2016, from fw_upgrade 8.3 to 8.3.1, the links above have been updated:

index.htm
fw_upgrade.fw_upgrade
install_fw_upgrade_8_3_1.sh

Then run:
 
root@Itus:/tmp# sh /tmp/install_fw_upgrade_8_3_1.sh

Then run fw_upgrade 3 times to make sure snort is properly updated. Wait a few minutes after each one to allow the services to come back up otherwise you may get issues:

root@Itus:/tmp# sh /sbin/fw_upgrade
(wait 2 mins)
root@Itus:/tmp# sh /sbin/fw_upgrade
(wait 2 mins)
root@Itus:/tmp# sh /sbin/fw_upgrade

root@Itus:/tmp# reboot -f

Done! Hope this helps someone!


Many thanks to @Hans, @Roadrunnere42, @user8446 and anyone else who I missed out for their posts which helped me put this guide together!


P.S: If you want to update the SSH banner, you can do this:
root@Itus# cd /etc
root@Itus:/etc#mv banner banner.bak
root@Itus:/etc# vi banner

Press i to insert and paste this :)

=========================================================================
|  ___ _____ _   _ ____    _   _      _                      _          |
| |_ _|_   _| | | / ___|  | \ | | ___| |___      _____  _ __| | _____   |
|  | |  | | | | | \___ \  |  \| |/ _ \ __\ \ /\ / / _ \| '__| |/ / __|  |
|  | |  | | | |_| |___) | | |\  |  __/ |_ \ V  V / (_) | |  |   <\__ \  |
| |___| |_|  \___/|____/  |_| \_|\___|\__| \_/\_/ \___/|_|  |_|\_\___/  |
|  ____  _   _ ___ _____ _     ____         ,-~~-.___.                  |
| / ___|| | | |_ _| ____| |   |  _ \       / |  '     \                 |
| \___ \| |_| || ||  _| | |   | | | |     (  )         0                |
|  ___) |  _  || || |___| |___| |_| |      \_/-, ,----'                 |
| |____/|_| |_|___|_____|_____|____/          ====           //         |
| v1.51 SP1 + Hotfix Mar 9 2016               /  \-'~;    /~~~(O)       |
|                                            /  __/~|   /       |       |
| Powered by OpenWrt                     -==(  _____| (_________|       |
| See itus.accessinnov.com for suport                                   |
=========================================================================

Then :wq to save and quit

DISCLAIMER: I'm just another user on this forum posting what worked for me. I don't provide any warranty for anything I contribute. I have tested this guide myself and it works for me.
Reply | Threaded
Open this post in threaded view
| More
Print post
Permalink

Re: Guide - How to fix/resurrect a bricked Shield (and update to 1.51SP1 w/hotfixes & fw_upgrade)

breda
344 posts
Hi, harpss1ngh Thanks for the post with all the instructions and glad you got your Shield back up and here is Amazon link for the console cable for Amazon USA site as well, I'm going to order one can you do all updates via console cable?

http://www.amazon.com/Asunflower%C2%AE-Cisco-Console-Cable-Windows/dp/B00KMRVGFO/ref=sr_1_1?ie=UTF8&qid=1463592733&sr=8-1&keywords=Asunflower+Cisco+USB+Console+Cable+FTDI+USB+to+RJ45+for


Thanks
Reply | Threaded
Open this post in threaded view
| More
Print post
Permalink

Re: Guide - How to fix/resurrect a bricked Shield (and update to 1.51SP1 w/hotfixes & fw_upgrade)

user8446
Administrator
288 posts
harpss1ngh,

Thanks for taking the time to put this together! Much appreciated!
Running the latest OpenWrt stable release
Reply | Threaded
Open this post in threaded view
| More
Print post
Permalink

Re: Guide - How to fix/resurrect a bricked Shield (and update to 1.51SP1 w/hotfixes & fw_upgrade)

breda
344 posts
Hi,  user8446 can you do all updates via console cable?
Reply | Threaded
Open this post in threaded view
| More
Print post
Permalink

Re: Guide - How to fix/resurrect a bricked Shield (and update to 1.51SP1 w/hotfixes & fw_upgrade)

user8446
Administrator
288 posts
You'll only need the console cable if you have a corrupted bootloader. All of the other updates you can do in Linux. However, for $10 I would recommend getting one for troubleshooting and diagnostic.
Running the latest OpenWrt stable release
Reply | Threaded
Open this post in threaded view
| More
Print post
Permalink

Re: Guide - How to fix/resurrect a bricked Shield (and update to 1.51SP1 w/hotfixes & fw_upgrade)

breda
344 posts
Thanks user8446 also when you have time can you look at this  http://itus.accessinnov.com/Fw-upgrade-version-8-3-release-td896.html

I have not updated to v8.3 but I did notice in  with V8.0 I no longer shows any Memory, Network, or DHCP  information. CWS had the same problem
Reply | Threaded
Open this post in threaded view
| More
Print post
Permalink

Re: Guide - How to fix/resurrect a bricked Shield (and update to 1.51SP1 w/hotfixes & fw_upgrade)

breda
344 posts
In reply to this post by harpss1ngh
Hi, harpss1ngh thanks  do we have to install the .version ?  http://itus.accessinnov.com/Fw-upgrade-version-8-3-release-td896.html I did not see it on your  instructions ?
Reply | Threaded
Open this post in threaded view
| More
Print post
Permalink

Re: Guide - How to fix/resurrect a bricked Shield (and update to 1.51SP1 w/hotfixes & fw_upgrade)

harpss1ngh
61 posts
This post was updated on May 19, 2016; 8:50pm.
breda wrote
Hi, harpss1ngh thanks  do we have to install the .version ?  http://itus.accessinnov.com/Fw-upgrade-version-8-3-release-td896.html I did not see it on your  instructions ?
You don't need .version for the script itself. But on the home page you might notice a heading that says fw_version. The .Version file appears to be used by the fw_upgrade script to populate this with the fw_version you currently have (just so that you know which version you have, it doesn't affect anything). You could even create a .version with "mickey mouse" written instead and run the installer. It doesn't break anything. It would just put mickey mouse on your home page next to fw_version lol..
Reply | Threaded
Open this post in threaded view
| More
Print post
Permalink

Re: Guide - How to fix/resurrect a bricked Shield (and update to 1.51SP1 w/hotfixes & fw_upgrade)

harpss1ngh
61 posts
In reply to this post by breda
breda wrote
Thanks user8446 also when you have time can you look at this  http://itus.accessinnov.com/Fw-upgrade-version-8-3-release-td896.html

I have not updated to v8.3 but I did notice in  with V8.0 I no longer shows any Memory, Network, or DHCP  information. CWS had the same problem
8.3 is the latest version of fw_upgrade and includes many improvements. Also I ran it 3 times and it went very well and I didn't experience the issues you did so why don't you try 8.3 instead?
Reply | Threaded
Open this post in threaded view
| More
Print post
Permalink

Re: Guide - How to fix/resurrect a bricked Shield (and update to 1.51SP1 w/hotfixes & fw_upgrade)

breda
344 posts
In reply to this post by harpss1ngh
Hi, harpss1ngh I did look and it looks like it was missing .version  file that  Roadrunnere42 posted at  http://itus.accessinnov.com/Fw-upgrade-version-8-3-release-td896.html


Hi breda

for some reason the file .version did not upload or i forgot to upload, copy this file

.version



dnsmasq
e2guardian.lua
fw_upgrade
index.htm
update_fw_upgrade_8.3_files.sh
write-categories.sh
.version



Reply | Threaded
Open this post in threaded view
| More
Print post
Permalink

Re: Guide - How to fix/resurrect a bricked Shield (and update to 1.51SP1 w/hotfixes & fw_upgrade)

harpss1ngh
61 posts
breda wrote
Hi, harpss1ngh I did look and it looks like it was missing .version  file that  Roadrunnere42 posted at  http://itus.accessinnov.com/Fw-upgrade-version-8-3-release-td896.html


Hi breda

for some reason the file .version did not upload or i forgot to upload, copy this file

.version



dnsmasq
e2guardian.lua
fw_upgrade
index.htm
update_fw_upgrade_8.3_files.sh
write-categories.sh
.version
See my reply above for the reson why you don't really need the file, it's for developer version control, to keep track of changes. Nothing else.

But if you really want it anyway....
Grab .version from 8.2 and edit it and change 8.2 to 8.3. Then download the 8.3 files again and run update_fw_upgrade_8.3_files.sh if you really want it to display 8.3 under fw_version on the main page on your shield.



Do this:
Download the other 8.3 files and follow the procedure in the main guide, but don't sh the upgrade script, then:

cd /tmp
Wget http://itus.accessinnov.com/file/n814/.version
vi .version

Then change the 8.2 to 8.3

Then run:

Sh update_fw_upgrade_8.3_files.sh
Reply | Threaded
Open this post in threaded view
| More
Print post
Permalink

Re: Guide - How to fix/resurrect a bricked Shield (and update to 1.51SP1 w/hotfixes & fw_upgrade)

breda
344 posts
Thanks harpss1ngh for all the help
Reply | Threaded
Open this post in threaded view
| More
Print post
Permalink

Re: Guide - How to fix/resurrect a bricked Shield (and update to 1.51SP1 w/hotfixes & fw_upgrade)

harpss1ngh
61 posts
I've added .version to the guide now
Reply | Threaded
Open this post in threaded view
| More
Print post
Permalink

Re: Guide - How to fix/resurrect a bricked Shield (and update to 1.51SP1 w/hotfixes & fw_upgrade)

breda
344 posts
Thanks
CWS
Reply | Threaded
Open this post in threaded view
| More
Print post
Permalink

Re: Guide - How to fix/resurrect a bricked Shield (and update to 1.51SP1 w/hotfixes & fw_upgrade)

CWS
CONTENTS DELETED
The author has deleted this message.
Reply | Threaded
Open this post in threaded view
| More
Print post
Permalink

Re: Guide - How to fix/resurrect a bricked Shield (and update to 1.51SP1 w/hotfixes & fw_upgrade)

harpss1ngh
61 posts
This post was updated on May 21, 2016; 12:44pm.
Try my guide which fixes bricked shields.

Just delete everything off the mmc by mounting the mmc as /overlay as my guide says. Then scp to it. Go to the overlay folder and delete everything.

While you're there. Download the 2 bootloaders from my guide and scp them to the /overlay directory and also follow the rest of my guide and run the update to 1.51 which should pull down and add all the images and restore image too.

Then power off and power on while holding down the factory reset pin for 30secs. Then try the hotfixes and fw_upgrade


Or just delete everthing in /overlay and reboot:
Then tftp the bootloaders as per my guide then tftp the itusrouterimage and boot it up then get it to install the images from scratch. Then you'd at least have the same bootloader and images identical to mine and if it still causes issues it could then be a hardware issue.

Try it as a last resort before you get rid of it completely. It would be a complete hard reset. Could be you have a corrupted file. Doing it this way would blitz any files causing it.

Try it

CWS wrote
My shield will not accept hotfix 160210, seems to load, watching it load with console cable, but when finished and reboot, cannot access the shield. Internet works but cannot access the gui or with WINscp. Hot fix 160309 works if I load it first after factory reset. But then if I try fw_upgrade 7 or higher it goes into a loop and never stops until power recycle. Guess I must have corrupted something with all the factory resets.
Shield was nice while it lasted, will now retire it.

Running in router mode, bridge mode never worked on my shield.

Thanks for all the good help and support guys.
CWS
Reply | Threaded
Open this post in threaded view
| More
Print post
Permalink

Re: Guide - How to fix/resurrect a bricked Shield (and update to 1.51SP1 w/hotfixes & fw_upgrade)

CWS
CONTENTS DELETED
The author has deleted this message.
Reply | Threaded
Open this post in threaded view
| More
Print post
Permalink

Re: Guide - How to fix/resurrect a bricked Shield (and update to 1.51SP1 w/hotfixes & fw_upgrade)

breda
344 posts
In reply to this post by harpss1ngh
Hi, harpss1ngh I can't seem to update to V8.3 hee is my SSH  and WinSCP

root@Shield:~# cd /tmp
root@Shield:/tmp# mv dnsmasq.dnsmasq dnsmasq
root@Shield:/tmp# mv update_fw_upgrade_8.sh update_fw_upgrade_8.3_files.sh
root@Shield:/tmp# sh  ./update_fw_upgrade_8.3_files.sh
mv: can't rename 'fw_upgrade': No such file or directory
mv: can't rename '.version': No such file or directory
finished copying
root@Shield:/tmp# sh  /update_fw_upgrade_8.3_files.sh
sh: can't open '/update_fw_upgrade_8.3_files.sh'
root@Shield:/tmp# sh  ./update_fw_upgrade_8.3_files.sh
mv: can't rename 'dnsmasq': No such file or directory
mv: can't rename 'write-categories.sh': No such file or directory
mv: can't rename 'e2guardian.lua': No such file or directory
mv: can't rename 'fw_upgrade': No such file or directory
mv: can't rename 'index.htm': No such file or directory
mv: can't rename '.version': No such file or directory
finished copying
root@Shield:/tmp#






Thanks





Reply | Threaded
Open this post in threaded view
| More
Print post
Permalink

Re: Guide - How to fix/resurrect a bricked Shield (and update to 1.51SP1 w/hotfixes & fw_upgrade)

breda
344 posts
In reply to this post by harpss1ngh
Hi, harpss1ngh I tried it via SSH  not sure it I did it rightr?


-
root@Shield:~# cd /tmp
root@Shield:/tmp# mv dnsmasq.dnsmasq dnsmasq
root@Shield:/tmp# mv update_fw_upgrade_8.sh update_fw_upgrade_8.3_files.sh
root@Shield:/tmp# sh  ./update_fw_upgrade_8.3_files.sh
mv: can't rename 'fw_upgrade': No such file or directory
mv: can't rename '.version': No such file or directory
finished copying
root@Shield:/tmp# sh  /update_fw_upgrade_8.3_files.sh
sh: can't open '/update_fw_upgrade_8.3_files.sh'
root@Shield:/tmp# sh  ./update_fw_upgrade_8.3_files.sh
mv: can't rename 'dnsmasq': No such file or directory
mv: can't rename 'write-categories.sh': No such file or directory
mv: can't rename 'e2guardian.lua': No such file or directory
mv: can't rename 'fw_upgrade': No such file or directory
mv: can't rename 'index.htm': No such file or directory
mv: can't rename '.version': No such file or directory
finished copying
root@Shield:/tmp# wget http://itus.accessinnov.com/file/n896/dnsmasq.dnsmasq
wget http://itus.accessinnov.com/file/n896/e2guardian.lua
wget http://itus.accessinnov.com/file/n896/fw_upgrade.fw_upgrade
wget http://itus.accessinnov.com/file/n896/index.htm
wget http://itus.accessinnov.com/file/n896/update_fw_upgrade_8.sh
--2016-05-22 12:24:02--  http://itus.accessinnov.com/file/n896/dnsmasq.dnsmasq
Resolving itus.accessinnov.com... wget http://itus.accessinnov.com/file/n896/write-categories.sh104.28.28.59, 104.28.29.59
Connecting to itus.accessinnov.com|104.28.28.59|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified
Saving to: 'dnsmasq.dnsmasq'

dnsmasq.dnsmasq         [ <=>               ]  15.31K  --.-KB/s   in 0.02s  

2016-05-22 12:24:03 (615 KB/s) - 'dnsmasq.dnsmasq' saved [15673]

root@Shield:/tmp# wget http://itus.accessinnov.com/file/n896/e2guardian.lua
--2016-05-22 12:24:03--  http://itus.accessinnov.com/file/n896/e2guardian.lua
Resolving itus.accessinnov.com... 104.28.29.59, 104.28.28.59
Connecting to itus.accessinnov.com|104.28.29.59|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified
Saving to: 'e2guardian.lua'

e2guardian.lua          [ <=>               ]   6.75K  --.-KB/s   in 0.001s

2016-05-22 12:24:03 (4.50 MB/s) - 'e2guardian.lua' saved [6908]

root@Shield:/tmp# wget http://itus.accessinnov.com/file/n896/fw_upgrade.fw_up
grade
--2016-05-22 12:24:03--  http://itus.accessinnov.com/file/n896/fw_upgrade.fw_upgrade
Resolving itus.accessinnov.com... 104.28.28.59, 104.28.29.59
Connecting to itus.accessinnov.com|104.28.28.59|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified
Saving to: 'fw_upgrade.fw_upgrade.1'

fw_upgrade.fw_upgra     [ <=>               ]  22.02K  --.-KB/s   in 0.04s  

2016-05-22 12:24:03 (545 KB/s) - 'fw_upgrade.fw_upgrade.1' saved [22550]

root@Shield:/tmp# wget http://itus.accessinnov.com/file/n896/index.htm
--2016-05-22 12:24:03--  http://itus.accessinnov.com/file/n896/index.htm
Resolving itus.accessinnov.com... 104.28.29.59, 104.28.28.59
Connecting to itus.accessinnov.com|104.28.29.59|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'index.htm'

index.htm               [ <=>               ]  22.37K  --.-KB/s   in 0.04s  

h  /tmp/update_fw_upgrade_8.3_files.sh






































- .version [Modified] 1/251 0%
Reply | Threaded
Open this post in threaded view
| More
Print post
Permalink

Re: Guide - How to fix/resurrect a bricked Shield (and update to 1.51SP1 w/hotfixes & fw_upgrade)

breda
344 posts
In reply to this post by harpss1ngh
Hi, harpss1ngh I did the install without WinSCP here is my SSH and System logs

system_logs.txt



Thanks for the help




,4,0,relative; content:!"|00 03|"; distance:1; within:2; byte_extract:2,1,rec_len,relative; content:"|01|"; within:1; byte_test:2,>,150,0,relative; byte_test:2,>,rec_len,0,relative; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018389; rev:2;)
drop tcp any any -> $HOME_NET [443,636,989,990,992,993,994,995,5061,25] (msg:"ET CURRENT_EVENTS Possible TLS HeartBleed Unencrypted Request Method 4 (Inbound to Common SSL Port)"; flow:established,to_server; content:"|18 03|"; byte_test:1,<,4,0,relative; content:"|00 03 01|"; distance:1; within:3; byte_test:2,>,150,0,relative; isdataat:!18,relative; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018388; rev:2;)
drop tcp any any -> $HOME_NET [5060,5061] (msg:"ET EXPLOIT Possible CVE-2014-6271 Attempt Against SIP Proxy"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern:only; reference:url,github.com/zaf/sipshock; classtype:attempted-admin; sid:2019290; rev:2;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 1"; flow:established,to_server; content:"name["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])name\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019422; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 10"; flow:established,to_server; content:"n%61me%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61me\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019431; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 11"; flow:established,to_server; content:"n%61m%65["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61m\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019432; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 12"; flow:established,to_server; content:"n%61m%65%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61m\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019433; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 13"; flow:established,to_server; content:"n%61%6de["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6de\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019434; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 14"; flow:established,to_server; content:"n%61%6de%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6de\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019435; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 15"; flow:established,to_server; content:"n%61%6d%65["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6d\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019436; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 16"; flow:established,to_server; content:"n%61%6d%65%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6d\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019437; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 17"; flow:established,to_server; content:"%6eame["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eame\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019438; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 18"; flow:established,to_server; content:"%6eame%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eame\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019439; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 19"; flow:established,to_server; content:"%6eam%65["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eam\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019440; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 2"; flow:established,to_server; content:"name%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])name\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019423; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 20"; flow:established,to_server; content:"%6eam%65%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eam\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019441; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 21"; flow:established,to_server; content:"%6ea%6de["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6de\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019442; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 22"; flow:established,to_server; content:"%6ea%6de%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6de\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019443; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 23"; flow:established,to_server; content:"%6ea%6d%65["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6d\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019444; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 24"; flow:established,to_server; content:"%6ea%6d%65%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6d\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019445; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 25"; flow:established,to_server; content:"%6e%61me["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61me\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019446; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 26"; flow:established,to_server; content:"%6e%61me%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61me\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019447; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 27"; flow:established,to_server; content:"%6e%61m%65["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61m\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019448; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 28"; flow:established,to_server; content:"%6e%61m%65%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61m\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019449; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 29"; flow:established,to_server; content:"%6e%61%6de["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6de\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019450; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 3"; flow:established,to_server; content:"nam%65["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])nam\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019424; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 30"; flow:established,to_server; content:"%6e%61%6de%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6de\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019451; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 31"; flow:established,to_server; content:"%6e%61%6d%65["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6d\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019452; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 32"; flow:established,to_server; content:"%6e%61%6d%65%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6d\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019453; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 4"; flow:established,to_server; content:"nam%65%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])nam\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019425; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 5"; flow:established,to_server; content:"na%6de["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6de\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019426; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 6"; flow:established,to_server; content:"na%6de%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6de\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019427; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 7"; flow:established,to_server; content:"na%6d%65["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6d\%65\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019428; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 8"; flow:established,to_server; content:"na%6d%65%5b"; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6d\%65\%5b[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019429; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 9"; flow:established,to_server; content:"n%61me["; nocase; fast_pattern:only; http_client_body; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61me\[[^\x5d]*?\W/Pi"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019430; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN DominoHunter Security Scan in Progress"; flow:established,to_server; content:"User-Agent|3a| DominoHunter"; nocase; http_header; reference:url,packetstormsecurity.org/files/31653/DominoHunter-0.92.zip.html; classtype:web-application-attack; sid:2013171; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER  ColdFusion path disclosure to get the absolute path"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/administrator/analyzer/index.cfm"; http_uri; nocase; content:"|2e 2e 2f|"; http_raw_uri; reference:url,www.exploit-db.com/exploits/25305/; classtype:web-application-attack; sid:2016841; rev:3;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER CURL Command Specifying Output in HTTP Headers"; flow:established,to_server; content:"curl "; fast_pattern:only; http_header; pcre:"/(?!^User-Agent\x3a)\bcurl\s[^\r\n]*?-(?:[Oo]|-(?:remote-name|output))[^\r\n]+(?:\x3b|&&)/Hm"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019308; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion CRLF"; flow:to_server,established; content:"|28 29 0d 0a 20 7b|"; fast_pattern:only; http_header; reference:url,www.invisiblethreat.ca/2014/09/cve-2014-6271/; classtype:attempted-admin; sid:2019292; rev:2;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion LF"; flow:to_server,established; content:"|28 29 0a 20 7b|"; fast_pattern:only; http_header; reference:url,www.invisiblethreat.ca/2014/09/cve-2014-6271/; classtype:attempted-admin; sid:2019291; rev:2;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion adminapi access"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/CFIDE/adminapi"; http_uri; nocase; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; classtype:web-application-attack; sid:2016183; rev:3;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion administrator access"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/CFIDE/administrator"; http_uri; nocase; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; classtype:web-application-attack; sid:2016184; rev:3;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion componentutils access"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/CFIDE/componentutils"; http_uri; nocase; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; classtype:web-application-attack; sid:2016182; rev:4;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body 2"; flow:established,to_server; content:"|25|28|25|29|25|20|25|7b|25|20"; http_client_body; fast_pattern:only; pcre:"/(:?(:?\x5e|%5e)|(:?[=?&]|\x25(:?3d|3f|26)))\s*?(:?%28|\x28)(:?%29|\x29)(:?%20|\x20)(:?%7b|\x7b)(:?%20|\x20)/Pi"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019234; rev:3;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body 3"; flow:established,to_server; content:"()|25|20|25|7b"; http_client_body; fast_pattern:only; pcre:"/(:?(?:\x5e|%5e)|([=?&]|\x25(?:3d|3f|26)))\s*?\(\)(?:%20|\x20)(?:%7b|\x7b)/Pi"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019241; rev:4;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body"; flow:established,to_server; content:"|28 29 20 7b|"; http_client_body; fast_pattern:only; pcre:"/(?:^|[=?&])\s*?\x28\x29\x20\x7b/P"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019233; rev:3;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Cookie"; flow:established,to_server; content:"|28 29 20 7b|"; fast_pattern:only; content:"|28 29 20 7b|"; http_cookie; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019239; rev:2;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 1"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|{|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019244; rev:3;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 10"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|{%20"; nocase; fast_pattern; within:8; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019253; rev:3;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 11"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|%7b|20|"; nocase; fast_pattern; within:8; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019254; rev:3;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 12"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|%7b%20"; nocase; fast_pattern; within:10; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019255; rev:3;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 13"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20{|20|"; nocase; fast_pattern; within:8; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019256; rev:3;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 14"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20{%20"; nocase; fast_pattern; within:10; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019257; rev:3;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 15"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20%7b|20|"; nocase; fast_pattern; within:10; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019258; rev:3;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 16"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20%7b%20"; nocase; fast_pattern; within:12; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019259; rev:3;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 17"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|{|20|"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019260; rev:3;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 18"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|{%20"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019261; rev:3;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 19"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|%7b|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019262; rev:3;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 2"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|{%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019245; rev:3;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 20"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|%7b%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019263; rev:2;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 21"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20{|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019264; rev:2;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 22"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20{%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019265; rev:2;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 23"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20%7b|20|"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019266; rev:2;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 24"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20%7b%20"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019267; rev:2;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 25"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()|20|{%20"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019268; rev:3;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 26"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()|20|%7b|20|"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019269; rev:2;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 27"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()|20|%7b%20"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019270; rev:2;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 28"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()%20{|20|"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019271; rev:2;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 29"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()%20%7b|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019272; rev:2;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 3"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|%7b|20|"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019246; rev:3;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 30"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()%20%7b%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019273; rev:2;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 4"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|%7b%20"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019247; rev:3;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 5"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20{|20|"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019248; rev:3;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 6"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20{%20"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019249; rev:3;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 7"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20%7b|20|"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019250; rev:3;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 8"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20%7b%20"; nocase; fast_pattern; within:15; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019251; rev:3;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 9"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|{|20|"; nocase; fast_pattern; within:6; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019252; rev:3;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number"; flow:established,to_server; content:"|20 28 29 20 7b|"; fast_pattern:only; pcre:"/^[^\s]+\s+[^\s]+\s+\x28\x29\x20\x7b[^\r\n]*?\r?$/m"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019236; rev:3;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers"; flow:established,to_server; content:"|28 29 20 7b|"; http_header; fast_pattern:only; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019232; rev:3;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in URI"; flow:established,to_server; content:"|28 29 20 7b|"; http_uri; fast_pattern:only; pcre:"/[=?&\x2f]\s*?\x28\x29\x20\x7b/U"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019231; rev:3;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt"; flow:established,to_server; content:" HTTP/1."; pcre:"/^[^\r\n]*?HTTP\/1(?:(?!\r?\n\r?\n)[\x20-\x7e\s]){1,500}\n[\x20-\x7e]{1,100}\x3a[\x20-\x7e]{0,500}\x28\x29\x20\x7b/s"; content:"|28 29 20 7b|"; fast_pattern:only; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2022028; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible IIS Integer Overflow DoS (CVE-2015-1635)"; flow:established,to_server; content:"18446744073709551615"; http_header; fast_pattern:only; content:"Range|3a|"; nocase; http_header; pcre:"/^Range\x3a[^\r\n]*?18446744073709551615/Hmi"; reference:cve,2015-1635; classtype:web-application-attack; sid:2020912; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER UA WordPress, probable DDOS-Attack"; flow:established,to_server; content:"User-Agent|3A| Wordpress/"; http_header; reference:url,thehackernews.com/2013/09/thousands-of-wordpress-blogs.html; reference:url,pastebin.com/NP64hTQr; classtype:bad-unknown; sid:2017528; rev:2;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WGET Command Specifying Output in HTTP Headers"; flow:established,to_server; content:"lwp-download "; fast_pattern:only; http_header; pcre:"/(?!^User-Agent\x3a)\blwp-download\s[^\r\n]+(?:\x3b|&&)/Hm"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019310; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WGET Command Specifying Output in HTTP Headers"; flow:established,to_server; content:"wget "; fast_pattern:only; http_header; pcre:"/(?!^User-Agent\x3a)\bwget\s[^\r\n]+(?:\x3b|&&)/Hm"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019309; rev:1;)
drop tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Custom Contact Forms DB Upload/Download Auth Bypass"; flow:established,to_server; content:"POST"; http_method; content:"/wp-admin/admin-post.php?"; http_uri; nocase; content:"page=ccf_settings"; http_uri; nocase; fast_pattern; pcre:"/ccf_(?:(?:clear|merge)_im|ex)port/Pi"; reference:url,blog.sucuri.net/2014/08/database-takeover-in-custom-contact-forms.html; classtype:web-application-attack; sid:2018975; rev:4;)
drop tcp any any -> any $HTTP_PORTS (msg:"ET CURRENT_EVENTS Dell Kace backdoor"; flow:established,to_server; content:"POST"; http_method; content:"/kbot_upload.php"; nocase; http_uri; content:"filename=db.php"; nocase; distance:0; http_uri; content:"machineId="; nocase; pcre:"/(?:\.\.\/)+kboxwww\/tmp\//Ri"; content:"KSudoClient.class.php"; nocase; http_client_body; content:"KSudoClient|3a 3a|RunCommand"; distance:0; http_client_body; reference:url,console-cowboys.blogspot.com/2014/03/the-curious-case-of-ninjamonkeypiratela.html; classtype:attempted-admin; sid:2018263; rev:1;)
drop tcp any any -> any $HTTP_PORTS (msg:"ET CURRENT_EVENTS Netgear N150 passwordrecovered.cgi attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/passwordrecovered.cgi?id="; nocase; http_uri; reference:url,www.securityfocus.com/archive/1/530743/30/0/threaded; classtype:attempted-admin; sid:2017969; rev:1;)
drop tcp any any -> any $HTTP_PORTS (msg:"ET TROJAN Generic - Mozilla 4.0 EXE Request"; flow:established,to_server; urilen:7<>14; content:".exe"; http_uri; content:"|3a| Mozilla/4.0|0D 0A|Host|3a|"; http_header; classtype:trojan-activity; sid:2020705; rev:3;)
drop tcp any any -> any $HTTP_PORTS (msg:"ET WEB_SERVER ATTACKER WebShell - 1337w0rm - cPanel Cracker"; flow:established,to_server; content:"user=CRACKER"; http_client_body; classtype:trojan-activity; sid:2020097; rev:1;)
drop tcp any any -> any $SSH_PORTS (msg:"ET TROJAN Linux/Kimodin SSH backdoor activity"; flow:established,to_server; content:"SSH-2.0-"; depth:8; isdataat:22,relative; pcre:"/^[0-9a-f]{22,46}/R"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018264; rev:8;)
drop tcp any any -> any 1024: (msg:"ET TROJAN Linux/DDoS.M Admin console status"; flow:established,to_client ; content:"|1b 5d 30 3b|Bots connected|3a 20|"; content:"|7c 20|Clients connected|3a 20|"; distance:0; threshold: type both, count 1, seconds 10, track by_src; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020167; rev:1;)
drop tcp any any -> any 21 (msg:"ET SCAN Grim's Ping ftp scanning tool"; flow:to_server,established; content:"PASS "; content:"gpuser@home.com"; within:18; reference:url,archives.neohapsis.com/archives/snort/2002-04/0448.html; reference:url,grimsping.cjb.net; reference:url,doc.emergingthreats.net/2007802; classtype:network-scan; sid:2007802; rev:6;)
drop tcp any any -> any 32764 (msg:"ET EXPLOIT MMCS service (Big Endian)"; flow:established,to_server; content:"ScMM"; depth:4; isdataat:9,relative; reference:url,github.com/elvanderb/TCP-32764; classtype:web-application-attack; sid:2017924; rev:2;)
drop tcp any any -> any 32764 (msg:"ET EXPLOIT MMCS service (Little Endian)"; flow:established,to_server; content:"MMcS"; depth:4; isdataat:9,relative; reference:url,github.com/elvanderb/TCP-32764; classtype:web-application-attack; sid:2017923; rev:2;)
drop tcp any any -> any 445 (msg:"ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 1"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"M1"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018059; rev:2;)
drop tcp any any -> any 445 (msg:"ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 10"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"sl"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018068; rev:2;)
drop tcp any any -> any 445 (msg:"ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 2"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Mf"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018060; rev:2;)
drop tcp any any -> any 445 (msg:"ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 3"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Mh"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018061; rev:2;)
drop tcp any any -> any 445 (msg:"ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 4"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Ml"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018062; rev:2;)
drop tcp any any -> any 445 (msg:"ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 5"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"T1"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018063; rev:3;)
drop tcp any any -> any 445 (msg:"ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 6"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Tf"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018064; rev:2;)
drop tcp any any -> any 445 (msg:"ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 7"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Th"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018065; rev:2;)
drop tcp any any -> any 445 (msg:"ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 8"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Tl"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018066; rev:2;)
drop tcp any any -> any 445 (msg:"ET TROJAN Possible KAPTOXA Encoded Data Transferred Over SMB 9"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"sh"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018067; rev:3;)
drop tcp any any -> any 445 (msg:"ET TROJAN Possible KAPTOXA SMB Naming Format"; flow:to_server,established; content:"SMB|A2|"; content:"|5c 00|W|00|I|00|N|00|D|00|O|00|W|00|S|00 5c 00|t|00|w|00|a|00|i|00|n|00|_|00|3|00|2|00 5c|"; distance:0; fast_pattern:15,20; pcre:"/^(?:(?!\x00\x00\x00).)*?_\x00(?:(?!\x00\x00).)*?_\x00(?:(?!\x00\x00).)*?_\x00(?:(?!\x00\x00).)*?\x2e\x00t\x00x\x00t/Rsi"; flowbits:set,ET.kaptoxa; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018058; rev:1;)
drop tcp any any -> any 488 (msg:"ET TROJAN US-CERT TA14-353A Lightweight Backdoor 2"; flow:established,to_server; content:"|60 db 37 37 37 37 37 37|"; fast_pattern:only; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020008; rev:1;)
drop tcp any any -> any 488 (msg:"ET TROJAN US-CERT TA14-353A Lightweight Backdoor 6"; flow:established,to_server; content:"|65 db 37 37 37 37 37 37|"; fast_pattern:only; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020012; rev:1;)
drop tcp any any -> any 5000 (msg:"ET CURRENT_EVENTS Hikvision DVR  attempted Synology Recon Scan"; flow:established,to_server; content:"GET /webman/info.cgi?host= HTTP/1."; depth:34; reference:url,isc.sans.edu/forums/diary/More+Device+Malware+This+is+why+your+DVR+attacked+my+Synology+Disk+Station+and+now+with+Bitcoin+Miner/17879; classtype:trojan-activity; sid:2018343; rev:1;)
drop tcp any any -> any 80 (msg:"ET CURRENT_EVENTS Win32.RBrute http server request"; flow:to_server,established; content:"User-Agent|3a 20|BlackBerry9000/5.0.0.93 Profile/MIDP-2.0 Configuration/CLDC-2.1 VendorID/831|0d 0a|"; http_header; fast_pattern; nocase; flowbits:set,ET.Rbrute.incoming; reference:md5,f8ff430aee52da3b4b1759700be9aead; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:trojan-activity; sid:2018355; rev:3;)
drop tcp any any -> any 8081 (msg:"ET EXPLOIT Websense Content Gateway submit_net_debug.cgi cmd_param Param Buffer Overflow Attempt"; flow:to_server,established; content:"POST"; nocase; content:"/submit_net_debug.cgi"; nocase; content:"cmd_param="; nocase; isdataat:500,relative; content:!"|0A|"; within:500; pcre:"/[\?\&]cmd_param=[^\&\r\n]{500}/si"; reference:cve,2015-5718; reference:url,seclists.org/fulldisclosure/2015/Aug/8; classtype:web-application-attack; sid:2021644; rev:1;)
drop tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi access attempt"; flow:to_server,established; dsize:4; content:"cmi|0a|"; fast_pattern:only; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019087; rev:4;)
drop tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys access attempt"; flow:to_server,established; content:"cmi/var/ssh/root/authorized_keys"; fast_pattern:only; flowbits:set,ET.F5.key; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019088; rev:3;)
drop tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys successful upload"; flow:to_server,established; content:"ssh-rsa"; fast_pattern:only; flowbits:isset,ET.F5.key; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019090; rev:2;)
drop tcp any any -> any [$HTTP_PORTS,7547] (msg:"ET EXPLOIT Possible Misfortune Cookie - SET"; flow:established,to_server; content:"Cookie|3a| C"; nocase; pcre:"/^[0-9][^=]/R"; flowbits:set,ET.Misfortune_Cookie; flowbits:noalert; reference:url,mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf; classtype:trojan-activity; sid:2020100; rev:1;)
drop tcp any any -> any [139,445] (msg:"ET TROJAN Possible BlackEnergy Accessing SMB/SMB2 Named Pipe (ASCII)"; flow:to_server,established; content:"SMB"; offset:5; depth:4; content:"{AA0EED25-4167-4CBB-BDA8-9A0F5FF93EA8}"; distance:0; nocase; reference:url,cyberx-labs.com/wp-content/uploads/2015/05/BlackEnergy-CyberX-Report_27_May_2015_FINAL.pdf; classtype:trojan-activity; sid:2021179; rev:1;)
drop tcp any any -> any [139,445] (msg:"ET TROJAN Possible BlackEnergy Accessing SMB/SMB2 Named Pipe (Unicode)"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{|00|A|00|A|00|0|00|E|00|E|00|D|00|2|00|5|00|-|00|4|00|1|00|6|00|7|00|-|00|4|00|C|00|B|00|B|00|-|00|B|00|D|00|A|00|8|00|-|00|9|00|A|00|0|00|F|00|5|00|F|00|F|00|9|00|3|00|E|00|A|00|8|00|}"; distance:0; nocase; reference:url,cyberx-labs.com/wp-content/uploads/2015/05/BlackEnergy-CyberX-Report_27_May_2015_FINAL.pdf; classtype:trojan-activity; sid:2021180; rev:1;)
drop tcp any any -> any [139,445] (msg:"ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 1"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021230; rev:1;)
drop tcp any any -> any [139,445] (msg:"ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 2"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{AB6172ED-8105-4996-9D2A-597B5F827501}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021231; rev:1;)
drop tcp any any -> any [139,445] (msg:"ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 3"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{0710880F-3A55-4A2D-AA67-1123384FD859}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021232; rev:1;)
drop tcp any any -> any [139,445] (msg:"ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 4"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{6C51A4DB-E3DE-4FEB-86A4-32F7F8E73B99}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021233; rev:1;)
drop tcp any any -> any [139,445] (msg:"ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 5"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{7F9BCFC0-B36B-45EC-B377-D88597BE5D78}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021234; rev:1;)
drop tcp any any -> any [139,445] (msg:"ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 6"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{57D2DE92-CE17-4A57-BFD7-CD3C6E965C6A}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021235; rev:1;)
drop tcp any any -> any [139,445] (msg:"ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 1"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|A|00|A|00|F|00|F|00|C|00|4|00|F|00|0|00|-|00|E|00|0|00|4|00|B|00|-|00|4|00|C|00|7|00|C|00|-|00|B|00|4|00|0|00|A|00|-|00|B|00|4|00|5|00|D|00|E|00|9|00|7|00|1|00|E|00|8|00|1|00|E|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021236; rev:1;)
drop tcp any any -> any [139,445] (msg:"ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 2"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|A|00|B|00|6|00|1|00|7|00|2|00|E|00|D|00|-|00|8|00|1|00|0|00|5|00|-|00|4|00|9|00|9|00|6|00|-|00|9|00|D|00|2|00|A|00|-|00|5|00|9|00|7|00|B|00|5|00|F|00|8|00|2|00|7|00|5|00|0|00|1|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021237; rev:1;)
drop tcp any any -> any [139,445] (msg:"ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 3"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|0|00|7|00|1|00|0|00|8|00|8|00|0|00|F|00|-|00|3|00|A|00|5|00|5|00|-|00|4|00|A|00|2|00|D|00|-|00|A|00|A|00|6|00|7|00|-|00|1|00|1|00|2|00|3|00|3|00|8|00|4|00|F|00|D|00|8|00|5|00|9|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021238; rev:1;)
drop tcp any any -> any [139,445] (msg:"ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 4"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|6|00|C|00|5|00|1|00|A|00|4|00|D|00|B|00|-|00|E|00|3|00|D|00|E|00|-|00|4|00|F|00|E|00|B|00|-|00|8|00|6|00|A|00|4|00|-|00|3|00|2|00|F|00|7|00|F|00|8|00|E|00|7|00|3|00|B|00|9|00|9|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021239; rev:1;)
drop tcp any any -> any [139,445] (msg:"ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 5"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|7|00|F|00|9|00|B|00|C|00|F|00|C|00|0|00|-|00|B|00|3|00|6|00|B|00|-|00|4|00|5|00|E|00|C|00|-|00|B|00|3|00|7|00|7|00|-|00|D|00|8|00|8|00|5|00|9|00|7|00|B|00|E|00|5|00|D|00|7|00|8|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021240; rev:1;)
drop tcp any any -> any [139,445] (msg:"ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 6"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|5|00|7|00|D|00|2|00|D|00|E|00|9|00|2|00|-|00|C|00|E|00|1|00|7|00|-|00|4|00|A|00|5|00|7|00|-|00|B|00|F|00|D|00|7|00|-|00|C|00|D|00|3|00|C|00|6|00|E|00|9|00|6|00|5|00|C|00|6|00|A|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021241; rev:1;)
drop tcp any any -> any [139,445] (msg:"ET TROJAN Possible Net Crawler SMB Share Access ascii (Operation Cleaver)"; flow:established,to_server; content:"|FF|SMB"; offset:4; depth:4; byte_test:1,&,0x80,6,relative; content:"_AutoShare$"; distance:0; reference:md5,8994e16b14cde144a9cebdff685d8676; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019930; rev:1;)
drop tcp any any -> any [139,445] (msg:"ET TROJAN Possible Net Crawler SMB Share Access unicode (Operation Cleaver)"; flow:established,to_server; content:"|FF|SMB"; offset:4; depth:4; byte_test:1,!&,0x80,6,relative; content:"|00|_|00|A|00|u|00|t|00|o|00|S|00|h|00|a|00|r|00|e|00|$"; distance:0; reference:md5,8994e16b14cde144a9cebdff685d8676; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019929; rev:1;)
drop tcp any any -> any [25,587] (msg:"ET CURRENT_EVENTS Possible ComputerCop Log Transmitted via SMTP"; flow:to_server,established; content:"Subject|3a 20|CCOP|20|"; nocase; fast_pattern:only; reference:url,www.eff.org/deeplinks/2014/09/computercop-dangerous-internet-safety-software-hundreds-police-agencies; classtype:trojan-activity; sid:2019340; rev:1;)
drop tcp any any -> any [8000,8080] (msg:"ET TROJAN US-CERT TA14-353A WIPER4"; flow:established,to_server; dsize:42; content:"|28 00|"; depth:2; content:"|04 00 00 00|"; offset:38; depth:4; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020020; rev:1;)
drop udp $EXTERNAL_NET 10000: -> $HOME_NET 10000: (msg:"ET SCAN NMAP OS Detection Probe"; dsize:300; content:"CCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; content:"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"; depth:255; content:"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"; within:45; classtype:attempted-recon; sid:2018489; rev:3;)
drop udp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Windows Source)"; content:"|00 00|"; depth:2; content:"|01|"; offset:3; depth:1; threshold:type both, track by_dst, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003286; classtype:protocol-command-decode; sid:2003286; rev:7;)
drop udp $EXTERNAL_NET 123 -> $HOME_NET 123 (msg:"ET DOS Potential Inbound NTP denial-of-service attempt (repeated mode 7 reply)"; dsize:4; content:"|97 00 00 00|"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010487; classtype:attempted-dos; sid:2010487; rev:2;)
drop udp $EXTERNAL_NET 123 -> $HOME_NET 123 (msg:"ET DOS Potential Inbound NTP denial-of-service attempt (repeated mode 7 request)"; dsize:1; content:"|17|"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010486; classtype:attempted-dos; sid:2010486; rev:2;)
drop udp $EXTERNAL_NET 1434 -> $HOME_NET any (msg:"ET DOS MC-SQLR Response Inbound Possible DDoS Target"; content:"|05|"; depth:1; content:"ServerName|3b|"; nocase; content:"InstanceName|3b|"; distance:0; content:"IsClustered|3b|"; distance:0; content:"Version|3b|"; distance:0; threshold:type both,track by_dst,count 30,seconds 60; reference:url,kurtaubuchon.blogspot.com.es/2015/01/mc-sqlr-amplification-ms-sql-server.html; classtype:attempted-dos; sid:2020306; rev:3;)
drop udp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Linux Source)"; content:"|00 00|"; depth:2; content:"|01|"; offset:3; depth:1; threshold:type both, track by_dst, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003287; classtype:protocol-command-decode; sid:2003287; rev:6;)
drop udp $EXTERNAL_NET 5093 -> $HOME_NET any (msg:"ET DOS Possible Sentinal LM Amplification attack (Response) Inbound"; dsize:>1390; content:"|7a 00 00 00 00 00 00 00 00 00 00 00|"; depth:12; threshold: type both,track by_src,count 10,seconds 60; classtype:attempted-dos; sid:2021171; rev:1;)
drop udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6271 malicious DNS response"; byte_test:1,&,128,2; content:"|28 29 20 7b|"; fast_pattern:only; reference:cve,2014-6271; reference:url,packetstormsecurity.com/files/128650; classtype:attempted-admin; sid:2019402; rev:1;)
drop udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET TROJAN DNS Reply Sinkhole - Anubis - 195.22.26.192/26"; content:"|00 01 00 01|"; content:"|00 04 c3 16 1a|"; distance:4; within:5; byte_test:1,>,224,0,relative; content:!"|0e|anubisnetworks|03|com|00|"; nocase; content:!"|05|mpsmx|03|net|00|"; nocase; content:!"|09|mailspike|03|com|00|"; nocase;  threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:2018455; rev:4;)
drop udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET TROJAN DNS Reply Sinkhole - IP - 161.69.13.44"; content:"|00 01 00 01|"; content:"|00 04 A1 45 0D 2C|"; distance:4; within:6; content:!"|07|sa-live|03|com"; classtype:trojan-activity; sid:2019508; rev:3;)
drop udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET TROJAN DNS Reply Sinkhole - Microsoft - 131.253.18.11-12"; content:"|00 01 00 01|"; content:"|00 04 83 fd 12|"; distance:4; within:5; byte_test:1,>,10,0,relative; byte_test:1,<,13,0,relative; threshold: type limit, count 1, seconds 120, track by_src; classtype:trojan-activity; sid:2016101; rev:6;)
drop udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET TROJAN DNS Reply Sinkhole - Microsoft - 199.2.137.0/24"; content:"|00 01 00 01|"; content:"|00 04 c7 02 89|"; distance:4; within:5; classtype:trojan-activity; sid:2016102; rev:2;)
drop udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET TROJAN DNS Reply Sinkhole - Microsoft - 207.46.90.0/24"; content:"|00 01 00 01|"; content:"|00 04 cf 2e 5a|"; distance:4; within:5; classtype:trojan-activity; sid:2016103; rev:2;)
drop udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET TROJAN DNS Reply Sinkhole Microsoft NO-IP Domain"; content:"|00 01 00 01|"; content:"|00 04 cc 5f 63|"; distance:4; within:5; classtype:trojan-activity; sid:2018642; rev:2;)
drop udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET TROJAN DNS Reply for unallocated address space - Potentially Malicious 1.1.1.0/24"; content:"|00 01 00 01|"; content:"|00 04 01 01 01|"; distance:4; within:5; classtype:trojan-activity; sid:2016104; rev:3;)
drop udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"ET EXPLOIT Computer Associates Brightstor ARCServer Backup RPC Server (Catirpc.dll) DoS"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 00 00 03|"; distance:8; within:4; content:"|00 00 00 08|"; distance:0; within:4; content:"|00 00 00 00|"; distance:0; within:4; content:"|00 00 00 00|"; distance:4; within:4; content:"|00 00 00 00 00 00 00 00|"; distance:8; within:32; reference:url,www.milw0rm.com/exploits/3248; reference:url,doc.emergingthreats.net/bin/view/Main/2003370; classtype:attempted-dos; sid:2003370; rev:3;)
drop udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL EXPLOIT portmap proxy integer overflow attempt UDP"; content:"|00 01 86 A0 00|"; depth:5; offset:12; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2102092; rev:6;)
drop udp $EXTERNAL_NET any -> $HOME_NET 13364 (msg:"ET EXPLOIT RXS-3211 IP Camera Password Information Disclosure Attempt"; content:"|FF FF FF FF FF FF 00 06 FF F9|"; fast_pattern:only; reference:bid,47976; classtype:attempted-admin; sid:2012866; rev:1;)
drop udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow"; content:"|44 53 52 65 71 75 65 73 74|"; pcre:"/[0-9a-zA-Z]{50}/R"; reference:bugtraq,28084; reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007937; classtype:successful-dos; sid:2007937; rev:4;)
drop udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"ET SCAN NNG MS02-039 Exploit False Positive Generator - May Conceal A Genuine Attack"; content:"nng Snort (Snort)"; offset:90; threshold:type threshold, track by_dst, count 4, seconds 15; reference:url,packetstormsecurity.nl/filedesc/nng-4.13r-public.rar.html; reference:url,doc.emergingthreats.net/2008560; classtype:misc-activity; sid:2008560; rev:2;)
drop udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET CURRENT_EVENTS Possible Inbound SNMP Router DoS (Disable Forwarding)"; byte_jump:1,6; content:"|a3|"; within:1; content:"|30 0d 06 08 2b 06 01 02 01 04 01 00 02 01 02|"; distance:9; threshold: type limit, track by_src, count 1, seconds 120; classtype:attempted-dos; sid:2018569; rev:1;)
drop udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET CURRENT_EVENTS Possible Inbound SNMP Router DoS (TTL 1)"; byte_jump:1,6; content:"|a3|"; within:1; content:"|30 0d 06 08 2b 06 01 02 01 04 02 00 02 01 01|"; distance:9; threshold: type limit, track by_src, count 1, seconds 120; classtype:attempted-dos; sid:2018568; rev:1;)
drop udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5958 ST DeviceType Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*schemas\x3adevice\x3a[^\r\n\x3a]{181}/Ri"; content:"schemas|3a|device"; nocase; fast_pattern:only; reference:cve,CVE_2012-5958; reference:cve,CVE-2012-5962; classtype:attempted-dos; sid:2016322; rev:1;)
drop udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5961 ST UDN Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*schemas\x3adevice\x3a[^\r\n\x3a]{1,180}\x3a[^\r\n\x3a]{181}/Ri"; content:"schemas|3a|device"; nocase; fast_pattern:only; reference:cve,CVE-2012-5961; classtype:attempted-dos; sid:2016326; rev:1;)
drop udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5963 ST UDN Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*uuid\x3a[^\r\n\x3a]{181}/Ri"; reference:cve,CVE-2012-5963; classtype:attempted-dos; sid:2016323; rev:1;)
drop udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5964 ST URN ServiceType Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*urn\x3aservice\x3a[^\r\n\x3a]{181}/Ri"; content:"urn|3a|service"; nocase; fast_pattern:only; reference:cve,CVE-2012-5964; classtype:attempted-dos; sid:2016324; rev:1;)
drop udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5965 ST URN DeviceType Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*urn\x3adevice\x3a[^\r\n\x3a]{181}/Ri"; content:"urn|3a|device"; nocase; fast_pattern:only; reference:cve,CVE-2012-5965; classtype:attempted-dos; sid:2016325; rev:1;)
drop udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET EXPLOIT UPnP DLink M-Search Overflow Attempt"; content:"M-SEARCH "; depth:9; nocase; isdataat:500,relative; pcre:"/M-SEARCH\s+[^\n]{500}/i"; reference:url,www.eeye.com/html/research/advisories/AD20060714.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003039; classtype:attempted-user; sid:2003039; rev:4;)
drop udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET SCAN External to Internal UPnP Request udp port 1900"; content:"MSEARCH * HTTP/1.1"; depth:18; content:"MAN|3a| ssdp|3a|"; nocase; distance:0; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008094; classtype:attempted-recon; sid:2008094; rev:4;)
drop udp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Wireshark ENTTEC DMX Data Processing Code Execution Attempt 1"; content:"|45 53 44 44|"; depth:4; content:"|04|"; distance:2; within:1; content:"|FE FF|"; distance:0; within:50; content:"|FE FF|"; distance:0; within:50; content:"|FE|"; byte_test:1,>,11,0,relative; reference:url,www.exploit-db.com/exploits/15898/; reference:bid,45634; classtype:attempted-user; sid:2012154; rev:2;)
drop udp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Wireshark ENTTEC DMX Data Processing Code Execution Attempt 2"; content:"|FE|"; byte_test:1,>,11,0,relative; content:"|45 53 44 44|"; depth:4; content:"|04|"; distance:2; within:1; content:"|FE FF|"; distance:0; within:50; content:"|FE FF|"; distance:0; within:50; reference:url,www.exploit-db.com/exploits/15898/; reference:bid,45634; classtype:attempted-user; sid:2012155; rev:2;)
drop udp $EXTERNAL_NET any -> $HOME_NET 427 (msg:"ET EXPLOIT ExtremeZ-IP File and Print Server Multiple Vulnerabilities - udp"; content:"language"; content:"|65 7a 69 70 3a 2f 2f 62 6c 61 2f 62 6c 61 3f 53 4e 3d 62 6c 61 3f 50 4e 3d 62 6c 61 3f 55 4e 3d 62 6c 61|"; reference:bugtraq,27718; reference:url,aluigi.altervista.org/adv/ezipirla-adv.txt; reference:cve,CVE-2008-0767; reference:url,doc.emergingthreats.net/bin/view/Main/2007876; classtype:successful-dos; sid:2007876; rev:2;)
drop udp $EXTERNAL_NET any -> $HOME_NET 4569 (msg:"ET SCAN Enumiax Inter-Asterisk Exchange Protocol Username Scan"; content:"|00 00|"; content:"|06 0D 06 01 30 13 02 07 08|"; distance:40; within:10;  reference:url,sourceforge.net/projects/enumiax/; reference:url,doc.emergingthreats.net/2008606; classtype:attempted-recon; sid:2008606; rev:5;)
drop udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP delete hash with empty hash attempt"; content:"|08|"; depth:1; offset:16; content:"|0C|"; depth:1; offset:28; content:"|00 04|"; depth:2; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102413; rev:10;)
drop udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Modified Sipvicious Sundayddr Scanner (sipsscuser)"; content:"From|3A 20 22|sipsscuser|22|"; fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,honeynet.org.au/?q=sunday_scanner; classtype:attempted-recon; sid:2012204; rev:4;)
drop udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Modified Sipvicious User-Agent Detected (sundayddr)"; content:"|0d 0a|User-Agent|3A| sundayddr"; fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; reference:url,honeynet.org.au/?q=sunday_scanner; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,doc.emergingthreats.net/2011766; classtype:attempted-recon; sid:2011766; rev:5;)
drop udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN SIP erase_registrations/add registrations attempt"; content:"REGISTER "; depth:9; content:"User-Agent|3a| Hacker"; reference:url,www.hackingvoip.com/sec_tools.html; reference:url,doc.emergingthreats.net/2008640; classtype:attempted-recon; sid:2008640; rev:5;)
drop udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN SipCLI VOIP Scan"; content:"|0D 0A|User-Agent|3A 20|sipcli/"; fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.yasinkaplan.com/SipCli/; classtype:attempted-recon; sid:2017162; rev:2;)
drop udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipp SIP Stress Test Detected"; content:"sip|3a|sipp@"; content:"Subject|3a| Performance Test"; offset:90; depth:90; threshold: type threshold, track by_dst, count 20, seconds 15; reference:url,sourceforge.net/projects/sipp/; reference:url,doc.emergingthreats.net/2008579; classtype:attempted-recon; sid:2008579; rev:4;)
drop udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipsak SIP scan"; content:"sip|3a|sipsak@"; offset:90; reference:url,sipsak.org/; reference:url,doc.emergingthreats.net/2008598; classtype:attempted-recon; sid:2008598; rev:4;)
drop udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipvicious Scan"; content:"From|3A 20 22|sipvicious"; threshold: type limit, count 1, seconds 10, track by_src; reference:url,blog.sipvicious.org; reference:url,doc.emergingthreats.net/2008578; classtype:attempted-recon; sid:2008578; rev:6;)
drop udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipvicious User-Agent Detected (friendly-scanner)"; content:"|0d 0a|User-Agent|3A| friendly-scanner"; fast_pattern:only; threshold: type limit, track by_src, count 5, seconds 120; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,doc.emergingthreats.net/2011716; classtype:attempted-recon; sid:2011716; rev:4;)
drop udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sivus VOIP Vulnerability Scanner SIP Components Scan"; content:"sip|3a|sivus-discovery@vopsecurity.org"; offset:110; fast_pattern; reference:url,www.security-database.com/toolswatch/SiVus-VoIP-Security-Scanner-1-09.html; reference:url,www.vopsecurity.org/; reference:url,doc.emergingthreats.net/2008610; classtype:attempted-recon; sid:2008610; rev:4;)
drop udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sivus VOIP Vulnerability Scanner SIP Scan"; content:"SIVuS_VoIP_Scanner <sip|3a|SIVuS"; offset:130; threshold:type threshold, track by_src, count 3, seconds 10; reference:url,www.security-database.com/toolswatch/SiVus-VoIP-Security-Scanner-1-09.html; reference:url,www.vopsecurity.org/; reference:url,doc.emergingthreats.net/2008609; classtype:attempted-recon; sid:2008609; rev:6;)
drop udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Smap VOIP Device Scan"; content:"<sip|3a|smap@"; offset:80; depth:40; reference:url,www.go2linux.org/smap-find-voip-enabled-devices; reference:url,doc.emergingthreats.net/2008526; classtype:attempted-recon; sid:2008526; rev:7;)
drop udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Voiper Fuzzing Scan"; content:"sip|3a|tester@"; fast_pattern:only; content:"Via|3a| SIP/2.0"; offset:20; depth:60; threshold: type threshold, track by_dst, count 5, seconds 15; reference:url,sourceforge.net/projects/voiper; reference:url,doc.emergingthreats.net/2008577; classtype:attempted-recon; sid:2008577; rev:4;)
drop udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Voiper Toolkit Torturer Scan"; content:"interesting-Method"; content:"sip|3a|1_unusual.URI"; fast_pattern:only; content:"to-be!sure"; offset:20; depth:60; reference:url,sourceforge.net/projects/voiper; reference:url,doc.emergingthreats.net/2008568; classtype:attempted-recon; sid:2008568; rev:4;)
drop udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN sipscan probe"; content:"sip|3a|thisisthecanary@"; content:"sip|3a|test@"; offset:30; depth:70; reference:url,www.hackingvoip.com/sec_tools.html; reference:url,doc.emergingthreats.net/2008641; classtype:attempted-recon; sid:2008641; rev:4;)
drop udp $EXTERNAL_NET any -> $HOME_NET 5093 (msg:"ET DOS Possible Sentinal LM Amplification attack (Request) Inbound"; dsize:6; content:"|7a 00 00 00 00 00|"; threshold: type both,track by_dst,count 10,seconds 60; classtype:attempted-dos; sid:2021172; rev:1;)
drop udp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"ET DOS Cisco 514 UDP flood DoS"; content:"|25 25 25 25 25 58 58 25 25 25 25 25|"; fast_pattern:only; reference:url,www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000010; classtype:attempted-dos; sid:2000010; rev:12;)
drop udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"ET TROJAN Linux/Onimiki DNS trojan activity long format (Inbound)"; byte_test:1,!&,128,2; content:"|00 01 00 00 00 00 00 00 38|"; offset:4; depth:9; pcre:"/^[a-z0-9]{23}[a-f0-9]{33}.[a-z0-9\-_]+.[a-z0-9\-_]+\x00\x00\x01\x00\x01/Rsi"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018276; rev:6;)
drop udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"GPL EXPLOIT x86 Linux mountd overflow"; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:2100315; rev:7;)
drop udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL EXPLOIT bootp x86 linux overflow"; content:"A90|C0 A8 01 01|/bin/sh|00|"; reference:cve,1999-0389; reference:cve,1999-0798; reference:cve,1999-0799; classtype:attempted-admin; sid:2100319; rev:6;)
drop udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET SCAN Cisco Torch TFTP Scan"; content:"|52 61 6E 64 30 6D 53 54 52 49 4E 47 00 6E 65 74 61 73 63 69 69|"; fast_pattern:only; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008414; classtype:attempted-recon; sid:2008414; rev:3;)
drop udp $EXTERNAL_NET any -> $HOME_NET [137,138,139,445] (msg:"ET SCAN Nessus Netbios Scanning"; content:"n|00|e|00|s|00|s|00|u|00|s"; fast_pattern:only; reference:url,www.tenable.com/products/nessus/nessus-product-overview; classtype:attempted-recon; sid:2015754; rev:2;)
drop udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL Spike buffer overflow"; content:"|12 01 00 34|"; depth: 4; reference:bugtraq,5411; reference:url,doc.emergingthreats.net/bin/view/Main/2000380; classtype:attempted-admin; sid:2000380; rev:9;)
drop udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL heap overflow attempt"; content:"|08 3A 31|"; depth: 3; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000377; classtype:attempted-admin; sid:2000377; rev:7;)
drop udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor Possible Backdoor.Cow Varient (Backdoor.Win32.Agent.lam) C&C traffic"; content:"|6C 3C|"; depth:2; content:"|3E 20|"; within:3; content:"bid="; nocase; within:20; content:"bver="; nocase; within:20; content:"bip="; nocase; within:20; content:"bn="; nocase; within:20; reference:url,doc.emergingthreats.net/2008465; classtype:trojan-activity; sid:2008465; rev:2;)
drop udp $HOME_NET 1024: -> $EXTERNAL_NET 6000: (msg:"ET TROJAN Zeus P2P CnC"; dsize:72; byte_extract:1,63,padding; byte_test:1,!=,0xff,71; byte_test:1,!=,0x00,71; byte_test:1,=,padding,64; byte_test:1,=,padding,65; byte_test:1,=,padding,66; byte_test:1,=,padding,67; byte_test:1,=,padding,68; byte_test:1,=,padding,69; byte_test:1,=,padding,70; byte_test:1,=,padding,71; reference:url,www.abuse.ch/?p=3499; classtype:trojan-activity; sid:2013739; rev:8;)
drop udp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET TROJAN Butterfly/Mariposa Bot client init connection"; dsize:21; content:"|18|"; depth:1; content:"|00 00|"; distance:16; flowbits:set,ET.ButterflyJoin; flowbits:noalert; classtype:trojan-activity; sid:2011295; rev:8;)
drop udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:"ET DOS Possible NTP DDoS Multiple MON_LIST Seq 0 Response Spanning Multiple Packets IMPL 0x02"; content:"|00 02 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017920; rev:2;)
drop udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:"ET DOS Possible NTP DDoS Multiple MON_LIST Seq 0 Response Spanning Multiple Packets IMPL 0x03"; content:"|00 03 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017921; rev:2;)
drop udp $HOME_NET 1434 -> $EXTERNAL_NET any (msg:"ET DOS MC-SQLR Response Outbound Possible DDoS Participation"; content:"|05|"; depth:1; content:"ServerName|3b|"; nocase; content:"InstanceName|3b|"; distance:0; content:"IsClustered|3b|"; distance:0; content:"Version|3b|"; distance:0; threshold:type both,track by_src,count 30,seconds 60; reference:url,kurtaubuchon.blogspot.com.es/2015/01/mc-sqlr-amplification-ms-sql-server.html; classtype:attempted-dos; sid:2020305; rev:4;)
drop udp $HOME_NET 5093 -> $EXTERNAL_NET any (msg:"ET DOS Possible Sentinal LM  Application attack in progress Outbound (Response)"; dsize:>1390; content:"|7a 00 00 00 00 00 00 00 00 00 00 00|"; depth:12; threshold: type both,track by_src,count 10,seconds 60; classtype:attempted-dos; sid:2021170; rev:1;)
drop udp $HOME_NET 5351 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Malicious NAT-PMP Response Successful TCP Map to External Network"; dsize:16; content:"|82 00 00|"; offset:1; depth:3; reference:url,community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities; classtype:attempted-admin; sid:2019491; rev:2;)
drop udp $HOME_NET 5351 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Malicious NAT-PMP Response Successful UDP Map to External Network"; dsize:16; content:"|81 00 00|"; offset:1; depth:3; reference:url,community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities; classtype:attempted-admin; sid:2019492; rev:2;)
drop udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"ET TROJAN Infected System Looking up chr.santa-inbox.com CnC Server"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|chr|0b|santa-inbox|03|com"; nocase; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/2008531; classtype:trojan-activity; sid:2008531; rev:5;)
drop udp $HOME_NET any -> $EXTERNAL_NET !53 (msg:"ET TROJAN PlugX UDP CnC Beacon"; dsize:36; content:"|00 00 50 00 02 00 00 00 00 04 00 00 00 10 00 00 00 00 00 00|"; depth:20; content:!"|00 00|"; within:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:3; within:13; reference:md5,2c65085e7c71fa2c02c9b65e9b747e5b; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021791; rev:1;)
drop udp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Banker.ike UDP C&C"; content:"|86 71 3b 72 50 61 7d 95 5f 61 46|"; nocase; reference:url,doc.emergingthreats.net/2007957; classtype:trojan-activity; sid:2007957; rev:2;)
drop udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"GPL WORM Slammer Worm propagation attempt OUTBOUND"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1|"; content:"sock"; content:"send"; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2102004; rev:8;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query Domain .bit"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|bit|00|"; fast_pattern; nocase; distance:0; reference:url,www.normanshark.com/blog/necurs-cc-domains-non-censorable/; classtype:bad-unknown; sid:2017645; rev:2;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query SoakSoak Malware"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|soaksoak|02|ru|00|"; fast_pattern; nocase; distance:0; reference:url,blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html; classtype:trojan-activity; sid:2019940; rev:1;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query for Known Hostile Domain gooqlepics com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|gooqlepics|03|com|00|"; fast_pattern:only; reference:url,blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html; classtype:bad-unknown; sid:2013328; rev:3;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS Possible Upatre DNS Query (jamco.com.pk)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|jamco|03|com|02|pk|00|"; fast_pattern:only; reference:md5,407cce4873bc8af9077dbb21a8762f37; classtype:bad-unknown; sid:2020846; rev:1;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Lookup of Malware Domain twothousands.cm Likely Infection"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|twothousands|02|cm"; fast_pattern; distance:0; nocase; classtype:misc-activity; sid:2012176; rev:1;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server Searchwebmobile.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0F|searchwebmobile|03|com"; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2; classtype:trojan-activity; sid:2013041; rev:2;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server Waplove.cn"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|waplove|02|cn"; fast_pattern; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013038; rev:3;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query for gongfu-android.com DroidKungFu CnC Server"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0E|gongfu-android|03|com"; distance:0; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013023; rev:2;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN Backdoor Win32/IRCbot.FJ Cnc connection dns lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|minerva|05|cdmon|03|org"; fast_pattern; distance:0; nocase; reference:url,www.exposedbotnets.com/2011/02/minervacdmonorgbotnet-hosted-in.html; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fIRCbot.FJ; reference:url,www.threatexpert.com/report.aspx?md5=13e43c44681ba9acb8fd42217bd3dbd2; reference:url,www.bfk.de/bfk_dnslogger_en.html?query=minerva.cdmon.org; classtype:misc-activity; sid:2013187; rev:2;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN Cryptowall .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|3wzn5p2yiumh7akj"; fast_pattern; distance:0; nocase; reference:url,www.bleepingcomputer.com/news/security/cryptowall-4-0-released-with-new-features-such-as-encrypted-file-names; classtype:trojan-activity; sid:2022048; rev:1;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query Gauss Domain *.secuurity.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|secuurity|03|net|00|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015598; rev:3;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query Known Reveton Domain whatwillber.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|whatwillber|03|com|00|"; nocase; distance:0; classtype:bad-unknown; sid:2015875; rev:5;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query Possible Zbot Infection Query for networksecurityx.hopto.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|networksecurityx|05|hopto|03|org|00|"; fast_pattern; nocase; distance:0; reference:md5,37782108e8b7f331a6fdeabef9c8a774; reference:md5,10fa9c6c27e6eb512d12dee8181e182f; classtype:trojan-activity; sid:2018008; rev:3;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0C|kundenpflege|06|menrad|02|de|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019857; rev:3;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|doosan-job|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019851; rev:2;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|teledyne-jobs|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019866; rev:2;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|northropgrumman|03|net|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019865; rev:2;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|downloadsservers|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019852; rev:2;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gesunddurchsjahr|02|de|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019871; rev:2;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|drivercenterupdate|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019853; rev:2;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|microsoftmiddleast|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019859; rev:2;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|googleproductupdate|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019855; rev:2;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|googleproductupdate|03|net|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019856; rev:2;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|windowsserverupdate|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019869; rev:2;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|windowsupdateserver|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019870; rev:2;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|14|easyresumecreatorpro|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019854; rev:2;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|14|windowscentralupdate|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019867; rev:2;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|15|microsoftserverupdate|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019861; rev:2;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|15|microsoftupdateserver|03|net|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019862; rev:2;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|15|windowssecurityupdate|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019868; rev:2;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|16|microsoftonlineupdates|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019860; rev:2;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|16|microsoftwindowsupdate|03|net|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019864; rev:2;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|17|microsoftactiveservices|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019858; rev:2;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Operation Cleaver Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|19|microsoftwindowsresources|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019863; rev:2;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Suspicious cvredirect.ddns.net Domain - CoinLocker Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|cvredirect|04|ddns|03|net|00|"; fast_pattern; distance:0; nocase; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street; classtype:misc-activity; sid:2019790; rev:2;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Suspicious cvredirect.no-ip.net Domain - CoinLocker Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|cvredirect|05|no-ip|03|net|00|"; fast_pattern; distance:0; nocase; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street; classtype:misc-activity; sid:2019788; rev:2;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Suspicious proxy1-1-1.i2p Domain - Possible CryptoWall Activity"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|proxy1-1-1|03|i2p"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020228; rev:1;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Suspicious proxy2-2-2.i2p Domain - Possible CryptoWall Activity"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|proxy2-2-2|03|i2p"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020229; rev:1;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Suspicious proxy3-3-3.i2p Domain - Possible CryptoWall Activity"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|proxy3-3-3|03|i2p"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020230; rev:1;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Suspicious proxy4-4-4.i2p Domain - Possible CryptoWall Activity"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|proxy4-4-4|03|i2p"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020231; rev:1;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for Suspicious proxy5-5-5.i2p Domain - Possible CryptoWall Activity"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|proxy5-5-5|03|i2p"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020232; rev:1;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for a known malware domain (regicsgf.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|regicsgf|03|net|00|"; fast_pattern; nocase; distance:0; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Coswid-C/detailed-analysis.aspx; classtype:trojan-activity; sid:2014572; rev:4;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query for a known malware domain (sektori.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|sektori|03|org|00|"; fast_pattern; nocase; distance:0; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Coswid-C/detailed-analysis.aspx; classtype:trojan-activity; sid:2014573; rev:5;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query to Unknown CnC DGA Domain adbullion.com 09/26/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|adbullion|03|com|00|"; nocase; distance:0; classtype:bad-unknown; sid:2015741; rev:4;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query to Unknown CnC DGA Domain defmaybe.com 09/25/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|defmaybe|03|com|00|"; nocase; distance:0; classtype:bad-unknown; sid:2015736; rev:4;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN Ebury SSH Rootkit data exfiltration"; content:"|12 0b 01 00 00 01|"; depth:6; pcre:"/^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01/Bs"; reference:url,cert-bund.de/ebury-faq; classtype:trojan-activity; sid:2018164; rev:1;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN Generic DNS Query for Suspicious CryptoWall (crpt) Domains"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|crpt"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9]{12}/R"; reference:url,blogs.cisco.com/security/talos/cryptowall-2; reference:url,researchcenter.paloaltonetworks.com/2014/10/tracking-new-ransomware-cryptowall-2-0/; classtype:misc-activity; sid:2020292; rev:1;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN Lookup of Algorithm Generated Zeus CnC Domain (DGA)"; byte_test:1,!&,0xF8,2; content:"|02|ru|00|"; pcre:"/[a-z0-9]{33,}\x02ru\x00\x00/"; classtype:trojan-activity; sid:2014363; rev:7;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN Possible Hiloti DNS Checkin Message explorer_exe"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"explorer_exe"; nocase; distance:0; reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; classtype:trojan-activity; sid:2012781; rev:2;)
drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN ZeroAccess udp traffic detected"; content:"|9e 98|"; offset:6; depth:2; dsize:20; classtype:trojan-activity; sid:2015474; rev:2;)
drop udp $HOME_NET any -> $EXTERNAL_NET 54 (msg:"ET TROJAN Win32.Unknown.UDP.edsm CnC traffic"; content:"|65 f2 9c 64 cf 0a 5e d3 f6 5b 2a 9f 73 3c 91 4d|"; offset:16; depth:16; threshold:type limit, track by_src, count 1, seconds 600; reference:url,xml.ssdsandbox.net/view/11c0df38d31121885a76500140780cef; classtype:trojan-activity; sid:2013547; rev:2;)
drop udp $HOME_NET any -> $EXTERNAL_NET 6990:6999 (msg:"ET TROJAN Medbod UDP Phone Home Packet"; dsize:<50; content:"ebex"; nocase; pcre:"/\x06\x00?$/"; reference:url,doc.emergingthreats.net/2007949; classtype:trojan-activity; sid:2007949; rev:6;)
drop udp $HOME_NET any -> 8.8.8.8 53 (msg:"ET TROJAN TDSS DNS Based Internet Connectivity Check"; dsize:34; content:"|33 33 01 00 00 01 00 00 00 00 00 00 07|counter|05|yadro|02|ru|00 00 01 00 01|"; classtype:trojan-activity; sid:2013977; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS CFR DRIVEBY CVE-2012-4792 DNS Query for C2 domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|provide|08|yourtrap|03|com|00|"; fast_pattern; nocase; distance:0; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016135; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain aafbonus.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|aafbonus|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016617; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain appledmg.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|appledmg|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016622; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain appledns.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|appledns|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016625; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain appleintouch.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|appleintouch|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016623; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain applesea.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|applesea|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016621; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain commanal.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|commanal|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016603; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain creditrept.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|creditrept|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016608; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain dailynewsjustin.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|dailynewsjustin|03|com|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016627; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain dfasonline.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|dfasonline|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016610; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain emailserverctr.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|emailserverctr|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016626; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain gsasmartpay.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|gsasmartpay|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016634; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain hi-tecsolutions.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|hi-tecsolutions|03|org|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016628; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain hudsoninst.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|hudsoninst|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016611; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain insdet.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|insdet|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016607; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain insightpublicaffairs.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|14|insightpublicaffairs|03|org|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016620; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain linkedin-blog.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|linkedin-blog|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016616; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain milstars.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|milstars|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016618; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain natareport.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|natareport|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016604; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain nceba.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|nceba|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016615; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain nhrasurvey.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|nhrasurvey|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016613; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain pdi2012.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|pdi2012|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016614; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain peocity.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|peocity|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016600; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain photogalaxyzone.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|photogalaxyzone|03|com|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016606; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain photogellrey.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|photogellrey|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016605; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain photosmagnum.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|photosmagnum|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016630; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain pollingvoter.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|pollingvoter|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016609; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain resume4jobs.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|resume4jobs|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016631; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain rusview.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|rusview|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016601; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain searching-job.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|searching-job|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016632; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain servagency.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|servagency|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016633; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain seyuieyahooapis.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|seyuieyahooapis|03|com|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016624; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain skyruss.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|skyruss|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016602; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain slashdoc.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|slashdoc|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016629; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain tech-att.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|tech-att|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016635; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain vatdex.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|vatdex|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016619; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain wsurveymaster.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|wsurveymaster|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016612; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Targeted Tibetan Android Malware C2 Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|android|06|uyghur|04|dnsd|02|me|00|"; nocase; fast_pattern; distance:0; reference:url,citizenlab.org/2013/04/permission-to-spy-an-analysis-of-android-malware-targeting-tibetans/; classtype:trojan-activity; sid:2016711; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/IptabLesX C2 Domain Lookup (GroUndHog.MapSnode.CoM)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|GroUndHog|08|MapSnode|03|CoM"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; classtype:trojan-activity; sid:2021444; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Tsunami DDoS Attack Participation (s-p-o-o-f-e-d.h-o-s-t.name)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|s-p-o-o-f-e-d|07|h-o-s-t|04|name"; fast_pattern; nocase; distance:0; threshold:type limit,track by_src,count 3,seconds 60; reference:md5,c01991d55133d0057c9b721bb141a5d9; classtype:trojan-activity; sid:2021691; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos DDoS Attack Participation (gggatat456.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|gggatat456|03|com"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,5a6bd6b5e00333b8d39ff6be13a346f6; classtype:trojan-activity; sid:2021409; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos DDoS Attack Participation (xxxatat456.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|xxxatat456|03|com"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,5a6bd6b5e00333b8d39ff6be13a346f6; classtype:trojan-activity; sid:2021410; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|aa|07|hostasa|03|org"; fast_pattern; nocase; distance:0; threshold:type limit,track by_src,count 3,seconds 60; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021326; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (gh.dsaj2a1.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|gh|07|dsaj2a1|03|org"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021331; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (navert0p.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|navert0p|03|com"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021332; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (ns1.hostasa.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|ns1|07|hostasa|03|org"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021327; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (ns2.hostasa.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|ns2|07|hostasa|03|org"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021328; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (ns3.hostasa.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|ns3|07|hostasa|03|org"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021329; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (ns4.hostasa.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|ns4|07|hostasa|03|org"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021330; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (v8.f1122.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|v8|05|f1122|03|org"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; classtype:trojan-activity; sid:2021443; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (wangzongfacai.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|wangzongfacai|03|com"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021333; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Query to a *.opengw.net Open VPN Relay Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|opengw|03|net|00|"; nocase; fast_pattern:only; reference:url,www.vpngate.net; classtype:bad-unknown; sid:2016586; rev:5;)
drop udp $HOME_NET any -> any 53 (msg:"ET MALWARE All Numerical .cn Domain Likely Malware Related"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cn|00|"; distance:0; nocase; fast_pattern; content:!"|03|360"; distance:-8; within:4; pcre:"/\x00[\x02-\x1E][0-9]{2,30}\x02cn\x00/i"; classtype:misc-activity; sid:2012327; rev:4;)
drop udp $HOME_NET any -> any 53 (msg:"ET MALWARE All Numerical .ru Domain Lookup Likely Malware Related"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ru|00|"; fast_pattern; distance:0; nocase; pcre:"/\x00[\x02-\x1E][0-9]{2,30}\x02ru\x00/i"; classtype:misc-activity; sid:2012328; rev:5;)
drop udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Kemoge DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|aps|06|kemoge|03|net|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021927; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE DNS Android/Spy.Feabme.A Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|tinduongpho|03|com|00|"; fast_pattern; distance:0; nocase; reference:md5,3ae3cb09c8f54210cb4faf7aa76741ee; reference:url,blog.trustlook.com/2015/07/08/most-successful-malware-on-google-play/; classtype:trojan-activity; sid:2021412; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (apartmentsin-paris.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|apartmentsin-paris|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021650; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (au-skydivelessons.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|au-skydivelessons|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021670; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (beautifuldaisies.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|beautifuldaisies|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021683; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (brazil-crazybungee.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|brazil-crazybungee|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021662; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (bungee4you-br.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|bungee4you-br|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021661; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (bungee4you-uy.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|bungee4you-uy|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021671; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (bungeejumping-br.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bungeejumping-br|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021663; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (bungeejumping-uy.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bungeejumping-uy|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021673; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (china-flowershop.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|china-flowershop|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021681; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (circlesofourlives-ir.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|14|circlesofourlives-ir|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021675; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (clickflowers-hk.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|clickflowers-hk|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021676; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (crazy-jump.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|crazy-jump|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021656; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (crazyjump-uy.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|crazyjump-uy|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021666; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (cropcirclestours.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cropcirclestours|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021677; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (dive-extreme.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|dive-extreme|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021657; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (divextreme-ar.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|divextreme-ar|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021655; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (divextreme-au.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|divextreme-au|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021665; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (euro-rafting.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|euro-rafting|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021646; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (eurorafting-tr.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|eurorafting-tr|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021652; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (franceholidayapartments.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|17|franceholidayapartments|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021649; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (groupbungee-br.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|groupbungee-br|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021664; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (groupbungee-uy.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|groupbungee-uy|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021674; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (groupdive-au.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|groupdive-au|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021669; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (groupdive.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|groupdive|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021659; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (holidayapartments-Paris.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|17|holidayapartments-Paris|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021647; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (holidayapartments4you.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|15|holidayapartments4you|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021645; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (hongkong-bouquets.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|hongkong-bouquets|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021682; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (ir-cool.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|ir-cool|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021679; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (irelancropcircles.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|irelancropcircles|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021678; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (magnificentcircles.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|magnificentcircles|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021680; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (paris-holidayapartments.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|17|paris-holidayapartments|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021648; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (raftingholiday.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|raftingholiday|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021651; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (raftingtours-turkey.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|raftingtours-turkey|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021654; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (rosesinchina.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|rosesinchina|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021684; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (skydivelessons.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|skydivelessons|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021660; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (stuntjumps.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|stuntjumps|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021667; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (tandemskydive-ar.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tandemskydive-ar|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021658; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (tandemskydive-au.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tandemskydive-au|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021668; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (turkeyextremerafting.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|14|turkeyextremerafting|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021653; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT Cheshire Cat DNS Lookup (uruguay-crazybungee.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|uruguay-crazybungee|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:trojan-activity; sid:2021672; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT SuperhardCorp DNS Lookup (books.mrface.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|books|06|mrface|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021582; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT SuperhardCorp DNS Lookup (docume.sysbloger.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|docume|09|sysbloger|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021577; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT SuperhardCorp DNS Lookup (drometic.suroot.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|drometic|06|suroot|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021576; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT SuperhardCorp DNS Lookup (kieti.ipsecsl.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|kieti|07|ipsecsl|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021583; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT SuperhardCorp DNS Lookup (np3.Jkub.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|np3|04|Jkub|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021580; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT SuperhardCorp DNS Lookup (ns8.ddns1.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|ns8|05|ddns1|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021581; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT SuperhardCorp DNS Lookup (ohio.sysbloger.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|ohio|09|sysbloger|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021578; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN APT SuperhardCorp DNS Lookup (specs.dnsrd.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|specs|05|dnsrd|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021579; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN AlphaCrypt .onion Proxy Domain (djdkduep62kz4nzx)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|djdkduep62kz4nzx"; fast_pattern; distance:0; nocase; reference:md5,1dd542bf3c1781df9a335f74eacc82a4; reference:url,malwr.com/analysis/YjllZWEzNmQ0MDA4NGNhNGIxYzIzNjU3YjczOTYxZjg/; classtype:trojan-activity; sid:2021363; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN AlphaCrypt .onion proxy Domain (tkjthigtqlvohs7z)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tkjthigtqlvohs7z"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2021319; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Arid Viper APT Advtravel Campaign DNS Lookup (advtravel.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|advtravel|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020452; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Arid Viper APT Advtravel Campaign DNS Lookup (fpupdate.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|fpupdate|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020453; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Arid Viper APT Advtravel Campaign DNS Lookup (linksis.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|linksis|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020454; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Arid Viper APT DNS Lookup (ahmedfaiez.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|ahmedfaiez|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020446; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Arid Viper APT DNS Lookup (flushupate.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|flushupate|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020448; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Arid Viper APT DNS Lookup (flushupdate.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|flushupdate|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020447; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Arid Viper APT DNS Lookup (ineltdriver.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|ineltdriver|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020449; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Arid Viper APT DNS Lookup (mediahitech.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|mediahitech|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020450; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Arid Viper APT DNS Lookup (mixedwork.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|mixedwork|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020445; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Arid Viper APT DNS Lookup (plmedgroup.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|plmedgroup|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020451; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Arid Viper APT DNS Lookup (pstcmedia.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|pstcmedia|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020444; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN BernhardPOS Possible Data Exfiltration via DNS Lookup (29a.de)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; pcre:"/^.(?=[a-z0-9+/]*?[A-Z])(?=[A-Z0-9+/]*?[a-z])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x0329a\x02de\x00/R"; content:"|03|29a|02|de|00|"; nocase; fast_pattern:only; reference:url,morphick.com/blog/2015/7/14/bernhardpos-new-pos-malware-discovered-by-morphick; classtype:trojan-activity; sid:2021416; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN CTB-Locker .onion Proxy Domain (tlunjscxn5n76iyz)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tlunjscxn5n76iyz"; fast_pattern; distance:0; nocase; reference:url,www.hybrid-analysis.com/sample/3aed0cac4a7f3053e324276c72bbf3aead783da2eb8b53bf99134a0adbcd3267?environmentId=2; reference:md5,2df314974722ef6b5a66d81292679cb4; classtype:trojan-activity; sid:2021115; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Careto Mask DNS Lookup (isaserver.minrex.gov.cu)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|isaserver|06|minrex|03|gov|02|cu|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3159; classtype:trojan-activity; sid:2021715; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Careto Mask DNS Lookup (karpeskmon.dyndns.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|karpeskmon|06|dyndns|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3159; classtype:trojan-activity; sid:2021714; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Careto Mask DNS Lookup (msupdate.ath.cx)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|msupdate|03|ath|02|cx|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3159; classtype:trojan-activity; sid:2021712; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Chanitor .onion Proxy Domain (l7gbml27czk3kvr5)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|l7gbml27czk3kvr5"; fast_pattern; distance:0; nocase; reference:md5,83c0b99427c026aad36b0d8204377702; classtype:trojan-activity; sid:2020739; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Chanitor .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|brk7tda32wtkxjpa"; nocase; distance:0; fast_pattern; reference:md5,34ad24860495397c994f8ae168d0e639; classtype:trojan-activity; sid:2020581; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Chanitor Variant .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ukzo73z4inzpenmq"; nocase; distance:0; fast_pattern; reference:md5,53752a41ed21172343f678423d6c9a44; classtype:trojan-activity; sid:2020458; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Critroni .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|des7siw5vfkznjhi"; fast_pattern; distance:0; nocase; reference:md5,ca57b9de1cae18bda994aa4bd093c571; reference:url,www.file-analyzer.net/analysis/4825; classtype:trojan-activity; sid:2021551; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Critroni Variant .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|3fdzgtam4qk625n6"; nocase; distance:0; fast_pattern; reference:md5,adb0de790bd3fb88490a60f0dddd90fa; classtype:trojan-activity; sid:2020358; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Critroni Variant .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|7n4p5o6vlkdiqiee"; nocase; distance:0; fast_pattern; reference:md5,18dfcf3479bbd3878c0f19b80a01e813; classtype:trojan-activity; sid:2020213; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Critroni Variant .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fizxfsi3cad3kn7v"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2020361; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Critroni Variant .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jssestaew3e7ao3q"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2020360; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Critroni Variant .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ohmva4gbywokzqso"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2020226; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Critroni Variant .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qtrudrukmurps7tc"; nocase; distance:0; fast_pattern; reference:md5,35a7f70c5e0cd4814224c96e3c62fa42; classtype:trojan-activity; sid:2020206; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Critroni Variant .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rmxlqabmvfnw4wp4"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2020359; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Critroni Variant .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sgqjml3dstgmarn3"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2020357; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Critroni Variant .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tzsvejrzduo52siy"; nocase; distance:0; fast_pattern; reference:md5,49e988b04144b478e3f52b2abe8a5572; classtype:trojan-activity; sid:2020210; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptoDefense DNS Domain Lookup"; content:"|10|rj2bocejarqnpuhm"; nocase; pcre:"/^[^\x00]+?\x00/Rs"; classtype:trojan-activity; sid:2018397; rev:3;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptoLocker .onion Proxy Domain (33p5mqkaj22irv4z)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|33p5mqkaj22irv4z"; fast_pattern; distance:0; nocase; reference:md5,1c6269fe48cba5f830a64a50bdf4ffe5; reference:url,www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/page-13; classtype:trojan-activity; sid:2020915; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptoLocker .onion Proxy Domain (iezqmd4s2fflmh7n)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iezqmd4s2fflmh7n"; fast_pattern; distance:0; nocase; reference:md5,1d578c11069c7446ca6d05ff7623a972; classtype:trojan-activity; sid:2020740; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptoLocker .onion Proxy Domain (pf3tlgkpks7pu7yr)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pf3tlgkpks7pu7yr"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2020952; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptoLocker .onion Proxy Domain (v7lfogalalzc2c4d)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|v7lfogalalzc2c4d."; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2020953; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptoLocker .onion Proxy Domain (vacdgwaw5djp5hmu)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vacdgwaw5djp5hmu"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2021549; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptoLocker .onion Proxy Domain (xvha2ctkacx2ug3b)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xvha2ctkacx2ug3b"; fast_pattern; distance:0; nocase; reference:url,www.dropboxforum.com/hc/communities/public/questions/203834265-virus; classtype:trojan-activity; sid:2021325; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptoLocker .onion Proxy Domain (zoqowm4kzz4cvvvl)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zoqowm4kzz4cvvvl"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2020958; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptoWall .onion Proxy Domain (7oqnsnzwwnm6zb7y)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|7oqnsnzwwnm6zb7y"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2020959; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Cryptolocker .onion Proxy Domain (4elcqmis624seeo7)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|4elcqmis624seeo7"; fast_pattern; distance:0; nocase; reference:url,teknoseyir.com/durum/291421; classtype:trojan-activity; sid:2020685; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Cryptolocker .onion Proxy Domain (erhitnwfvpgajfbu)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|erhitnwfvpgajfbu"; nocase; reference:url,www.welivesecurity.com/2014/09/04/torrentlocker-now-targets-uk-royal-mail-phishing/; classtype:trojan-activity; sid:2019123; rev:3;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Cryptolocker .onion Proxy Domain (juf5pjk4sl7uojh4)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|juf5pjk4sl7uojh4"; fast_pattern; distance:0; nocase; reference:md5,499a46c23afe23de49346adf1b4f3a4f; reference:url,www.mogozobo.com/?p=2371; classtype:trojan-activity; sid:2020670; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Cryptolocker .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|r2bv3u64ytfi2ssf"; fast_pattern; nocase; distance:0; reference:url,barracudalabs.com/2014/12/new-cryptolocker-spear-phishing-campaign-looks-to-be-the-grinch-that-stole-christmas-in-australia/; classtype:trojan-activity; sid:2019979; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Cryptolocker .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ymleyd4xs3it55m7"; fast_pattern; nocase; distance:0; reference:url,barracudalabs.com/2014/12/new-cryptolocker-spear-phishing-campaign-looks-to-be-the-grinch-that-stole-christmas-in-australia/; classtype:trojan-activity; sid:2019984; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Cryptowall 3.0 .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|paytoc4gtpn5czl2"; nocase; distance:0; fast_pattern; reference:url,malware.dontneedcoffee.com/2015/01/guess-whos-back-again-cryptowall-30.html; classtype:trojan-activity; sid:2020182; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query Gauss Domain *.bestcomputeradvisor.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|bestcomputeradvisor|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015599; rev:4;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query Gauss Domain *.datajunction.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|datajunction|03|org|00|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015618; rev:3;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query Gauss Domain *.dataspotlight.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|dataspotlight|03|net|00|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015601; rev:4;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query Gauss Domain *.dotnetadvisor.info"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|dotnetadvisor|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015600; rev:4;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query Gauss Domain *.gowin7.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|gowin7|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015597; rev:3;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query Gauss Domain *.guest-access.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|guest-access|03|net|00|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015602; rev:4;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query Sinkhole Domain Various Families (Possible Infected Host)"; content:"|00 01 00 00 00 00 00 00|"; depth:8; offset:4; content:"|0f|torpig-sinkhole|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,www.sysenter-honeynet.org/?p=269; classtype:bad-unknown; sid:2015813; rev:7;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for Cloud Atlas blackberry-support.herokuapp.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|blackberry-support|09|herokuapp|03|com|00|"; fast_pattern; distance:0; nocase; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019913; rev:3;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for Cloud Atlas ecolines.es"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|ecolines|02|es|00|"; fast_pattern; distance:0; nocase; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019912; rev:3;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for Cloud Atlas haarmannsi.cz"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|haarmannsi|02|cz|00|"; fast_pattern; distance:0; nocase; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019910; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for Cloud Atlas sanygroup.co.uk"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|sanygroup|02|co|02|uk|00|"; fast_pattern; distance:0; nocase; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019911; rev:3;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for Known Chewbacca CnC Server"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|5ji235jysrvwfgmb|05|onion|00|"; fast_pattern; distance:0; reference:md5,21f8b9d9a6fa3a0cd3a3f0644636bf09; reference:url,usa.visa.com/download/merchants/Alert-ChewbaccaMalware-030614.pdf; reference:url,symantec.com/security_response/earthlink_writeup.jsp?docid=2013-121813-2446-99; classtype:trojan-activity; sid:2018114; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for Suspicious boltotor.com Domain - Possible CryptoWall Activity"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|boltotor|03|com"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020285; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for Suspicious bonytor2.com Domain -Possible CryptoWall Activity"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|bonytor2|03|com"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020286; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for Suspicious crptarv4hcu24ijv Domain - CryptoWall Domains"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|crptarv4hcu24ijv"; fast_pattern; distance:0; nocase; reference:url,blogs.cisco.com/security/talos/cryptowall-2; reference:url,researchcenter.paloaltonetworks.com/2014/10/tracking-new-ransomware-cryptowall-2-0/; classtype:misc-activity; sid:2020280; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for Suspicious crptbfoi5i54ubez Domain - CryptoWall Domains"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|crptbfoi5i54ubez"; fast_pattern; distance:0; nocase; reference:url,blogs.cisco.com/security/talos/cryptowall-2; reference:url,researchcenter.paloaltonetworks.com/2014/10/tracking-new-ransomware-cryptowall-2-0/; classtype:misc-activity; sid:2020281; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for Suspicious crptcj7wd4oaafdl Domain - CryptoWall Domains"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|crptcj7wd4oaafdl"; fast_pattern; distance:0; nocase; reference:url,blogs.cisco.com/security/talos/cryptowall-2; reference:url,researchcenter.paloaltonetworks.com/2014/10/tracking-new-ransomware-cryptowall-2-0/; classtype:misc-activity; sid:2020282; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for Suspicious speecostor.com Domain -Possible CryptoWall Activity"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|speecostor|03|com"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020287; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for Suspicious tolotor.com Domain - Possible CryptoWall Activity"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|tolotor|03|com"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020284; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to Pseudo Random Domain for Web Malware (.mynumber.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|"; distance:0; content:"|08|mynumber|03|org|00|"; distance:16; within:14; pcre:"/\x10[acdefghijlmopqrtwz]{16}\x08mynumber\x03org\x00/"; reference:url,blog.lab69.com/2012/12/another-implementation-of-pseudo-random.html; classtype:bad-unknown; sid:2018766; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to RunForestRun DGA Domain 16-alpha.waw.pl"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|"; distance:0; content:"|03|waw|02|pl|00|"; fast_pattern; within:24; nocase; pcre:"/\x10[abedgfihkmlonqpsruwvyxz]{16}\x03waw\x02pl\x00/i"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015531; rev:4;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to TOX Ransomware onion (7fa6gldxg64t5wnt)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|7fa6gldxg64t5wnt"; fast_pattern; distance:0; nocase; reference:url,blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us; reference:md5,91da679f417040558059ccd5b1063688; classtype:trojan-activity; sid:2021165; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to TOX Ransomware onion (toxicola7qwv37qj)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|toxicola7qwv37qj"; fast_pattern; distance:0; nocase; reference:url,blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us; classtype:trojan-activity; sid:2021204; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to TOX Ransomware onion (wdthvb6jut2rupu4)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wdthvb6jut2rupu4"; fast_pattern; distance:0; nocase; reference:url,blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us; reference:md5,91da679f417040558059ccd5b1063688; classtype:trojan-activity; sid:2021163; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to TOX Ransomware onion (xwxwninkssujglja)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xwxwninkssujglja"; fast_pattern; distance:0; nocase; reference:url,blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us; reference:md5,91da679f417040558059ccd5b1063688; classtype:trojan-activity; sid:2021164; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to Unknown CnC DGA Domain bktwenty.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|08|bktwenty|03|com|00|"; nocase; distance:4; within:14; fast_pattern; classtype:bad-unknown; sid:2015728; rev:3;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to Unknown CnC DGA Domain manymanyd.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|09|manymanyd|03|com|00|"; nocase; distance:4; within:15; fast_pattern; classtype:bad-unknown; sid:2015721; rev:3;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to Unknown CnC DGA Domain palauone.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|08|palauone|03|com|00|"; nocase; distance:4; within:14; fast_pattern; classtype:bad-unknown; sid:2015719; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to Unknown CnC DGA Domain sleeveblouse.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|0c|sleeveblouse|03|com|00|"; nocase; distance:4; within:18; fast_pattern; classtype:bad-unknown; sid:2015730; rev:3;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to Unknown CnC DGA Domain traindiscover.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|0d|traindiscover|03|com|00|"; nocase; distance:4; within:19; fast_pattern; classtype:bad-unknown; sid:2015720; rev:3;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to Unknown CnC DGA Domain whatandwhyeh.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|0c|whatandwhyeh|03|com|00|"; nocase; distance:4; within:18; fast_pattern; classtype:bad-unknown; sid:2015722; rev:3;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Request for Zaletelly CnC Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"zaletelly"; fast_pattern; nocase; distance:0; content:"|02|be|00|"; nocase; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~MDrop-EAB/detailed-analysis.aspx; classtype:trojan-activity; sid:2014513; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for Known OphionLocker Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|smu743glzfrxsqcl"; fast_pattern; nocase; distance:0; reference:url,f-secure.com/weblog/archives/00002777.html; reference:md5,e17da8702b71dfb0ee94dbc9e22eed8d; classtype:trojan-activity; sid:2019934; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for Morto RDP worm related domain jaifr.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|jaifr|03|com"; fast_pattern; reference:url,www.f-secure.com/weblog/archives/00002227.html; classtype:bad-unknown; sid:2013481; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for Morto RDP worm related domain jaifr.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|jifr|03|net"; fast_pattern; reference:url,www.f-secure.com/weblog/archives/00002227.html; classtype:bad-unknown; sid:2013482; rev:3;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for Morto RDP worm related domain jifr.co.be"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|jifr|02|co|02|be"; fast_pattern; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:bad-unknown; sid:2013496; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for Morto RDP worm related domain jifr.co.cc"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|jifr|02|co|02|cc"; fast_pattern; reference:url,www.f-secure.com/weblog/archives/00002227.html; classtype:bad-unknown; sid:2013483; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for Morto RDP worm related domain jifr.info"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|jifr|04|info"; fast_pattern; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:bad-unknown; sid:2013495; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for Morto RDP worm related domain qfsl.co.be"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|qfsl|02|co|02|be"; fast_pattern; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:bad-unknown; sid:2013493; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for Morto RDP worm related domain qfsl.co.cc"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|qfsl|02|co|02|cc"; fast_pattern; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:bad-unknown; sid:2013494; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for Morto RDP worm related domain qfsl.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|qfsl|03|net"; fast_pattern; reference:url,www.f-secure.com/weblog/archives/00002227.html; classtype:bad-unknown; sid:2013480; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for known Anunak APT Domain (adguard.name)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|adguard|04|name|00|"; nocase; distance:0; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:trojan-activity; sid:2020036; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for known Anunak APT Domain (coral-trevel.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|coral-trevel|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:trojan-activity; sid:2020037; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for known Anunak APT Domain (ddnservice10.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|ddnservice10|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:trojan-activity; sid:2020038; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for known Anunak APT Domain (ddnservice11.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|ddnservice11|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:trojan-activity; sid:2020065; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for known Anunak APT Domain (financialnewsonline.pw)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|financialnewsonline|02|pw|00|"; nocase; distance:0; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:trojan-activity; sid:2020066; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for known Anunak APT Domain (great-codes.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|great-codes|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:trojan-activity; sid:2020035; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for known Anunak APT Domain (paradise-plaza.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|paradise-plaza|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:trojan-activity; sid:2020039; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for known Anunak APT Domain (update-java.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|update-java|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; reference:md5,0ad4892ead67e65ec3dd4c978fce7d92; classtype:trojan-activity; sid:2020041; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for known Anunak APT Domain (worldnewsonline.pw)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|worldnewsonline|02|pw|00|"; nocase; distance:0; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:trojan-activity; sid:2020040; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Desert Falcon APT DNS Lookup (androcity.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|androcity|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:trojan-activity; sid:2020461; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Desert Falcon APT DNS Lookup (iwork-sys.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|iwork-sys|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:trojan-activity; sid:2020472; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Desert Falcon APT DNS Lookup (linkedim.in)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|linkedim|02|in|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:trojan-activity; sid:2020459; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Desert Falcon APT DNS Lookup (liptona.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|liptona|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:trojan-activity; sid:2020462; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Desert Falcon Related APT DNS Lookup (abuhmaid.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|abuhmaid|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:trojan-activity; sid:2020467; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Desert Falcon Related APT DNS Lookup (blogging-host.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0D|blogging-host|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:trojan-activity; sid:2020468; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Desert Falcon Related APT DNS Lookup (facebook-emoticons.bitblogoo.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|facebook-emoticons|09|bitblogoo|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:trojan-activity; sid:2020466; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Desert Falcon Related APT DNS Lookup (nauss-lab.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|nauss-lab|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:trojan-activity; sid:2020464; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Desert Falcon Related APT DNS Lookup (nice-mobiles.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0C|nice-mobiles|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:trojan-activity; sid:2020465; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Desert Falcon Related APT DNS Lookup (tvgate.rocks)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|tvgate|05|rocks|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:trojan-activity; sid:2020469; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN EncryptorRaas .onion Proxy Domain (613cb6owitcouepv)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|613cb6owitcouepv"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2021561; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN EncryptorRaas .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|decryptoraveidf7"; nocase; distance:0; fast_pattern; reference:md5,d87ba0bfce1cdb17fd243b8b1d247e88; classtype:trojan-activity; sid:2021545; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN EncryptorRaas .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|encryptor3awk6px"; nocase; distance:0; fast_pattern; reference:md5,d87ba0bfce1cdb17fd243b8b1d247e88; classtype:trojan-activity; sid:2021547; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN FrameworkPOS Covert DNS CnC Beacon 1"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"dc"; nocase; distance:7; content:"|06|beacon"; nocase; offset:12; fast_pattern; pcre:"/^[\x0e-\x1e](?:[a-f0-9]{2}){1,3}(?:dc(?:[a-f0-9]{2}){1,3}){3}.[a-f0-9]{2}/Ri"; reference:md5,a5dc57aea5f397c2313e127a6e01aa00; reference:url,blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html; classtype:trojan-activity; sid:2019454; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN FrameworkPOS Covert DNS CnC Beacon 2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"dc978a97"; nocase; distance:6; content:"|05|alert"; nocase; offset:12; fast_pattern; pcre:"/^[\x08-\xFF](?:[a-f0-9]{2})*?dc978a97/Ri"; reference:md5,a5dc57aea5f397c2313e127a6e01aa00; reference:url,blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html; classtype:trojan-activity; sid:2019455; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Hong Kong SWC Attack DNS Lookup (aoemvp.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|aoemvp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html; classtype:trojan-activity; sid:2020171; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Iron Tiger Backdoor.GTalkTrojan DNS Lookup (update.gtalklite.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|update|09|gtalklite|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021794; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Iron Tiger DNSTunnel DNS Lookup (xssok.blogspot.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|xssok|08|blogspot|03|com|00|"; nocase; distance:0; fast_pattern; reference:md5,2c65085e7c71fa2c02c9b65e9b747e5b; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021788; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Iron Tiger Gh0ST/PlugX/Various Backdoors DNS Lookup (gameofthrones.ddns.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|gameofthrones|04|ddns|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021792; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Iron Tiger HTTPBrowser DNS Lookup (trendmicro-update.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|trendmicro-update|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021795; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Iron Tiger Likely PlugX DNS Lookup (chrome.servehttp.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|chrome|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021793; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Known Hostile Domain .ntkrnlpa.info Lookup"; content:"|08|ntkrnlpa|04|info|00|"; nocase; classtype:trojan-activity; sid:2012729; rev:3;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Known Hostile Domain citi-bank.ru Lookup"; content:"|09|citi-bank|02|ru|00|"; nocase; classtype:trojan-activity; sid:2012728; rev:4;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Known Hostile Domain ilo.brenz.pl Lookup"; content:"|03|ilo|05|brenz|02|pl|00|"; nocase; classtype:trojan-activity; sid:2012730; rev:3;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Large DNS Query possible covert channel"; content:"|01 00 00 01 00 00 00 00 00 00|"; fast_pattern; depth:10; offset:2; dsize:>300; content:!"youtube|03|com|00|"; content:!"sophosxl|03|net|00|"; content:!"|0a|hashserver|02|cs|0a|trendmicro|03|com|00|"; content:!"spamhaus|03|org|00|"; classtype:bad-unknown; sid:2013075; rev:8;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Likely CryptoWall .onion Proxy DNS lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kpai7ycr7jxqkilp"; fast_pattern; nocase; distance:0; classtype:trojan-activity; sid:2018609; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Likely CryptoWall 2.0 .onion Proxy domain lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|paytordmbdekmizq"; fast_pattern; nocase; distance:0; reference:url,malware-traffic-analysis.net/2014/11/14/index.html; classtype:trojan-activity; sid:2019736; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Likely Synolocker .onion DNS lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cypherxffttr7hho"; fast_pattern; nocase; distance:0; classtype:trojan-activity; sid:2018948; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Linux/Onimiki DNS trojan activity long format (Outbound)"; byte_test:1,!&,128,2; content:"|00 01 00 00 00 00 00 00 38|"; offset:4; depth:9; pcre:"/^[a-z0-9]{23}[a-f0-9]{33}.[a-z0-9\-_]+.[a-z0-9\-_]+\x00\x00\x01\x00\x01/Rsi"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018275; rev:8;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN MewsSpy/NionSpy .onion Proxy Domain (z3mm6cupmtw5b2xx)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|z3mm6cupmtw5b2xx"; nocase; distance:0; fast_pattern; reference:url,blogs.mcafee.com/mcafee-labs/taking-a-close-look-at-data-stealing-nionspy-file-infector; classtype:trojan-activity; sid:2021019; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Naikon DNS Lookup (greensky27.vicp.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|greensky27|04|vicp|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,threatconnect.com/camerashy-resources/; classtype:trojan-activity; sid:2021831; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN OSX/WireLurker DNS Query Domain manhuaba.com.cn"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|manhuaba|03|com|02|cn|00|"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2014/11/question-wirelurker-attribution-responsible; classtype:trojan-activity; sid:2019718; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN OSX/WireLurker DNS Query Domain www.comeinbaby.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|comeinbaby|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:trojan-activity; sid:2019667; rev:3;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN PlugX DNS Lookup (mailsecurityservice.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|mailsecurityservice|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2015/10/targeted-attacks-ngo-burma/; classtype:trojan-activity; sid:2021962; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN PlugX or EvilGrab DNS Lookup (appeur.gnway.cc)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|appeur|05|gnway|02|cc|00|"; nocase; distance:0; fast_pattern; reference:url,asert.arbornetworks.com/defending-the-white-elephant/; classtype:trojan-activity; sid:2021961; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN PlugX or EvilGrab DNS Lookup (websecexp.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|websecexp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,asert.arbornetworks.com/defending-the-white-elephant/; classtype:trojan-activity; sid:2021960; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ponmocup Post Infection DNS Lookup fasternation"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|fasternation|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2019695; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ponmocup Post Infection DNS Lookup intohave"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|intohave|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2019694; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ponmocup Post Infection DNS Lookup messagewild"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|messagewild|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2021642; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Poshcoder .onion Proxy Domain (hlvumvvclxy2nw7j)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hlvumvvclxy2nw7j"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2021534; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible PlugX DNS Lookup (googlemanage.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|googlemanage|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,volexity.com/blog/?p=179; classtype:trojan-activity; sid:2021935; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible PlugX DNS Lookup (operaa.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|operaa|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,volexity.com/blog/?p=179; classtype:trojan-activity; sid:2021936; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Possible Zeus .ru CnC Domain Generation Algorithm (DGA) Lookup Detected"; byte_test:1,!&,0xF8,2; content:"|02|ru|00|"; fast_pattern; pcre:"/[^a-z0-9\-\.][a-z]{32,48}\x02ru\x00\x00/"; classtype:trojan-activity; sid:2014376; rev:4;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Query for Known Hostile *test.3322.org.cn Domain"; content:"|01 00 00 01 00 00 00 00 00|"; depth:9; offset:2; content:"test|04|3322|03|org|02|cn"; fast_pattern; nocase; distance:0; reference:url,www.sans.org/reading_room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware_33814; reference:md5,e4afcee06ddaf093982f80dafbf9c447; classtype:trojan-activity; sid:2014267; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Query to Known CnC Domain msnsolution.nicaze.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"nicaze|03|net"; fast_pattern; distance:0; reference:md5,89332c92d0360095e2dda8385d400258; classtype:trojan-activity; sid:2014139; rev:4;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware Variant .onion proxy Domain (kurrmpfx6kgmsopm)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kurrmpfx6kgmsopm"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2021318; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (Markshell.etowns.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|Markshell|06|etowns|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020262; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (apple.dynamic-dns.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|apple|0b|dynamic-dns|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020244; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (autocar.ServeUser.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|autocar|09|ServeUser|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020245; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (blackblog.chatnook.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|blackblog|08|chatnook|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020246; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (bulldog.toh.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|bulldog|03|toh|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020247; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (cew58e.xxxy.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|cew58e|04|xxxy|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020248; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (coastnews.darktech.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|coastnews|08|darktech|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020249; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (demon.4irc.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|demon|04|4irc|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020250; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (dynamic.ddns.mobi)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|dynamic|04|ddns|04|mobi|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020251; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (expert.4irc.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|expert|04|4irc|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020252; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (football.mrbasic.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|football|07|mrbasic|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020253; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (gjjb.flnet.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|gjjb|05|flnet|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020254; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (imirnov.ddns.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|imirnov|04|ddns|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020255; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (jingnan88.chatnook.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|jingnan88|08|chatnook|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020256; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (lehnjb.epac.to)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|lehnjb|04|epac|02|to|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020257; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (logoff.25u.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|logoff|03|25u|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020258; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (logoff.ddns.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|logoff|04|ddns|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020259; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (ls910329.my03.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|ls910329|04|my03|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020260; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (mailru.25u.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|mailru|03|25u|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020261; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (mydear.ddns.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|mydear|04|ddns|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020263; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (nazgul.zyns.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|nazgul|04|zyns|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020264; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (ndcinformation.acmetoy.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|ndcinformation|07|acmetoy|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020276; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (newdyndns.scieron.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|newdyndns|07|scieron|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020265; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (newoutlook.darktech.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|newoutlook|08|darktech|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020266; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (photocard.4irc.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|photocard|04|4irc|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020267; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (pricetag.deaftone.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|pricetag|08|deaftone|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020268; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (rubberduck.gotgeeks.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|rubberduck|08|gotgeeks|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020269; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (service.authorizeddns.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|service|0d|authorizeddns|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020277; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (shutdown.25u.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|shutdown|03|25u|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020270; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (sorry.ns2.name)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|sorry|03|ns2|04|name|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020271; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (sskill.b0ne.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|sskill|04|b0ne|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020272; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (text-First.flnet.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|text-First|05|flnet|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020273; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (text-first.trickip.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|text-first|07|trickip|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020278; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (uudog.4pu.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|uudog|03|4pu|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020274; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (will-smith.dtdns.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|will-smith|05|dtdns|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020275; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Scieron DNS Lookup (yellowblog.flnet.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|yellowblog|05|flnet|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020279; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup adawareblock.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|adawareblock|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019564; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup adobeincorp.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|adobeincorp|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019565; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup azureon-line.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|azureon-line|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019566; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup check-fix.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|check-fix|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019569; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup checkmalware.info"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|checkmalware|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019567; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup checkmalware.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|checkmalware|03|org|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019582; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup checkwinframe.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|checkwinframe|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019568; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup hotfix-update.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|hotfix-update|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019570; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup malwarecheck.info"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|malwarecheck|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-110315-1233-99&tabid=2; classtype:trojan-activity; sid:2019640; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup microsof-update.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|microsof-update|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019572; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup microsofi.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|microsofi|03|org|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019571; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup msonlinelive.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|msonlinelive|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019586; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup scanmalware.info"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|scanmalware|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019573; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup secnetcontrol.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|secnetcontrol|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019574; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup securitypractic.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|securitypractic|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019575; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup symanttec.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|symanttec|03|org|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019576; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup testservice24.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|testservice24|03|net|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019577; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup testsnetcontrol.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|testsnetcontrol|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019578; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup updatepc.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|updatepc|03|org|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019579; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup updatesoftware24.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|updatesoftware24|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019580; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup windows-updater.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|windows-updater|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019581; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TR/Spy.Gen checkin via dns ANY query"; content:"|01 00 00 01 00 00 00 00 00 00 32|"; depth:11; offset:2; content:"|00 00 FF 00 01|"; pcre:"/\x32[0-9a-f]{50}/"; reference:url,anubis.iseclab.org/?action=result&task_id=1623d5fd288be7024e56c5bd38359c33c; reference:url,mwanalysis.org/?page=report&analysisid=430235&password=wwgcvyheon; reference:url,www.threatexpert.com/report.aspx?md5=2519bdb5459bc9f59f59cd7ccb147d23; classtype:trojan-activity; sid:2013516; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Teerac/CryptoFortress .onion Proxy Domain (3v6e2oe5y5ruimpe)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|3v6e2oe5y5ruimpe"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2020615; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Teerac/CryptoFortress .onion Proxy Domain (cld7vqwcvn2bii67)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cld7vqwcvn2bii67"; fast_pattern; distance:0; nocase; reference:url,www.hybrid-analysis.com/sample/650d5a7d247fbe9c7f4d92e901319fec8c83fd07d4f5291f23c30f338a2e2974?environmentId=2#extracted-strings; reference:md5,4a20784de661675d281edbd48a6e2485; classtype:trojan-activity; sid:2021041; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Teerac/CryptoFortress .onion Proxy Domain (h63rbx7gkd3gygag)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|h63rbx7gkd3gygag"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2020616; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (bpq4dub4rlivvswu)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bpq4dub4rlivvswu"; fast_pattern; distance:0; nocase; reference:md5,0d7c227d4616254f9ae4976270f2f398; reference:url,www.threatexpert.com/report.aspx?md5=0d7c227d4616254f9ae4976270f2f398; classtype:trojan-activity; sid:2021302; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (gzc7lj4rvmkg25dm)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gzc7lj4rvmkg25dm"; fast_pattern; distance:0; nocase; reference:md5,0d7c227d4616254f9ae4976270f2f398; reference:url,www.threatexpert.com/report.aspx?md5=0d7c227d4616254f9ae4976270f2f398; classtype:trojan-activity; sid:2021303; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (iq3ahijcfeont3xx)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iq3ahijcfeont3xx"; fast_pattern; distance:0; nocase; reference:md5,c3e567e9f45d0b4c1396f3d646598204; classtype:trojan-activity; sid:2021084; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (is6xsotjdy4qtgur)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|is6xsotjdy4qtgur"; fast_pattern; distance:0; nocase; reference:url,www.malware-traffic-analysis.net/2015/05/06/index.html; reference:url,www.hybrid-analysis.com/sample/99fc04d82877aea0247286d41186b985ab773b19c8cef8786ffc1fa50e35af29?environmentId=1; reference:md5,a08784f5691a0a8ce6249e1981dea82c; classtype:trojan-activity; sid:2021077; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (kb63vhjuk3wh4ex7)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kb63vhjuk3wh4ex7"; nocase; distance:0; fast_pattern; reference:md5,a9f29924410a14dea1eef8d75fed3b39; reference:url,www.malware-traffic-analysis.net/2015/08/24/index2.html; classtype:trojan-activity; sid:2021711; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|7vhbukzxypxh3xfy"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2021850; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|h36fhvsupe4mi7mm"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2021849; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (allwayshappy.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|allwayshappy|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020044; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (casinoroyal7.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|casinoroyal7|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020045; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (cryptdomain.dp.ua)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|cryptdomain|02|dp|02|ua|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020046; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (deadwalk32.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|deadwalk32|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020047; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (doubleclickads.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|doubleclickads|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020048; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (it-newsblog.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|it-newsblog|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020049; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (js-static.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|js-static|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020050; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (lagosadventures.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|lagosadventures|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020051; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (lebanonwarrior.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|lebanonwarrior|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020052; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (nigerianbrothers.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nigerianbrothers|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020053; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (octoberpics.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|octoberpics|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020054; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (princeofnigeria.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|princeofnigeria|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020055; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (royalgourp.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|royalgourp|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020056; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (server38.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|server38|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020057; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (ssl-server24.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|ssl-server24|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020058; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (tweeter-stat.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|tweeter-stat|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020060; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (tweeterplanet.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|tweeterplanet|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020059; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (updatemyhost.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|updatemyhost|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020061; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (walkingdead32.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|walkingdead32|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020062; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup (worldnews247.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|worldnews247|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020063; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|server4love|02|ru|00|"; nocase; fast_pattern:only; reference:md5,8d2e901583b60631dc333d4b396e158b; classtype:trojan-activity; sid:2019396; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Torrentlocker .onion Proxy Domain (zbqxpjfvltb6d62m)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zbqxpjfvltb6d62m"; fast_pattern; distance:0; nocase; reference:url,www.hybrid-analysis.com/sample/3ebc6999da89eaf44d94195b588cb869d894ca754a248b074893d11f6dd19188?environmentId=4; reference:md5,2c339dbb40b3b19ee275e4c7c1c17a18; classtype:trojan-activity; sid:2021252; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Vawtrak/NeverQuest .onion Proxy Domain (4bpthx5z4e7n6gnb)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|4bpthx5z4e7n6gnb"; nocase; distance:0; fast_pattern; reference:url,now.avg.com/banking-trojan-vawtrak-harvesting-passwords-worldwide/; classtype:trojan-activity; sid:2020760; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Vawtrak/NeverQuest .onion Proxy Domain (bc3ywvif4m3lnw4o)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bc3ywvif4m3lnw4o"; nocase; distance:0; fast_pattern; reference:url,now.avg.com/banking-trojan-vawtrak-harvesting-passwords-worldwide/; classtype:trojan-activity; sid:2020761; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Vawtrak/NeverQuest .onion Proxy Domain (llgerw4plyyff446)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|llgerw4plyyff446"; nocase; distance:0; fast_pattern; reference:url,now.avg.com/banking-trojan-vawtrak-harvesting-passwords-worldwide/; classtype:trojan-activity; sid:2020762; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Vawtrak/NeverQuest .onion Proxy Domain (otsaa35gxbcwvrqs)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|otsaa35gxbcwvrqs"; nocase; distance:0; fast_pattern; reference:url,now.avg.com/banking-trojan-vawtrak-harvesting-passwords-worldwide/; classtype:trojan-activity; sid:2020759; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Volatile Cedar DNS Lookup (carima2012.site90.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|carima2012|06|site90|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020815; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Volatile Cedar DNS Lookup (dotnetexplorer.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|dotnetexplorer|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020817; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Volatile Cedar DNS Lookup (dotntexplorere.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|dotntexplorere|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020818; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Volatile Cedar DNS Lookup (erdotntexplore.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|erdotntexplore|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020820; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Volatile Cedar DNS Lookup (explorerdotnt.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|explorerdotnt|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020816; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Volatile Cedar DNS Lookup (saveweb.wink.ws)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|saveweb|04|wink|02|ws|00|"; nocase; distance:0; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020814; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Volatile Cedar DNS Lookup (xploreredotnet.info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|xploreredotnet|04|info|00|"; nocase; distance:0; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020819; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Ascrirac .onion proxy Domain (5sse6j4kdaeh3yus)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|5sse6j4kdaeh3yus"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2021317; rev:3;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Chanitor.A DNS Lookup "; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|svcz25e3m4mwlauz"; fast_pattern; nocase; distance:0; classtype:trojan-activity; sid:2019519; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Critroni Tor DNS Proxy lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|23bteufi2kcqza2l"; distance:0; nocase; reference:md5,194a931aa49583191eedd19478396ebc; classtype:trojan-activity; sid:2019909; rev:3;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Filecoder Ransomware Variant .onion Proxy Domain (tkj3higtqlvohs7z)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tkj3higtqlvohs7z"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2020942; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Pift DNS TXT CnC Lookup ppidn.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|ppidn|03|net|00 00 10|"; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:trojan-activity; sid:2017312; rev:4;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Pift DNS TXT CnC Lookup ppift.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|ppift|03|net|00 00 10|"; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:trojan-activity; sid:2015460; rev:3;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Spy.Obator .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|t2upiokua37wq2cx"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3671; classtype:trojan-activity; sid:2020168; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Teslacrypt Ransomware .onion domain (epmhyca5ol6plmx3)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|epmhyca5ol6plmx3"; fast_pattern; distance:0; nocase; reference:md5,a6061196c9df9364d48c01bea83d6cb7; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~EccKrypt-D/detailed-analysis.aspx; classtype:trojan-activity; sid:2020882; rev:2;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN XCodeGhost DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|init|0f|crash-analytics|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store; classtype:trojan-activity; sid:2021808; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN XCodeGhost DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|init|0f|icloud-analysis|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store; classtype:trojan-activity; sid:2021806; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN XCodeGhost DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|init|12|icloud-diagnostics|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store; classtype:trojan-activity; sid:2021807; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Zbot .onion Proxy DNS lookup July 31, 2014"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zxjfcvfvhqfqsrpz"; fast_pattern; nocase; distance:0; reference:md5,9c40169371adbee467587ab55a61e883; classtype:trojan-activity; sid:2018893; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Zbot .onion Proxy Domain (3bjpwsf3fjcwtnwx)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|3bjpwsf3fjcwtnwx"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2020727; rev:1;)
drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Zbot .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mmc65z4xsgbcbazl"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2020684; rev:2;)
drop udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress GET_RESTRICT Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 10|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019015; rev:4;)
drop udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress GET_RESTRICT Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 10|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019014; rev:4;)
drop udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress MON_LIST Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2017965; rev:3;)
drop udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress MON_LIST Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2017966; rev:3;)
drop udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 00|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019010; rev:3;)
drop udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 00|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019011; rev:3;)
drop udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST_SUM Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 01|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019012; rev:3;)
drop udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST_SUM Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 01|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019013; rev:3;)
drop udp any 123 -> any any (msg:"ET DOS Likely NTP DDoS In Progress Multiple UNSETTRAP Mode 6 Responses"; content:"|df 00 00 04 00|"; offset:1; depth:5; byte_test:1,!&,128,0; byte_test:1,!&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,!&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019022; rev:4;)
drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Kaspersky Sinkhole DNS Reply"; content:"|00 01 00 01|"; content:"|00 04 5F D3 AC 8F|"; distance:4; within:6; classtype:trojan-activity; sid:2021021; rev:1;)
drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Dyre DGA NXDOMAIN Responses (.cc)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|cc|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019882; rev:1;)
drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Dyre DGA NXDOMAIN Responses (.cn)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ck|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019887; rev:1;)
drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Dyre DGA NXDOMAIN Responses (.hk)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|hk|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019886; rev:1;)
drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Dyre DGA NXDOMAIN Responses (.in)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|in|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019885; rev:1;)
drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Dyre DGA NXDOMAIN Responses (.so)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|so|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019889; rev:1;)
drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Dyre DGA NXDOMAIN Responses (.tk)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|tk|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019888; rev:1;)
drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Dyre DGA NXDOMAIN Responses (.to)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|to|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019884; rev:1;)
drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Dyre DGA NXDOMAIN Responses (.ws)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ws|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019883; rev:1;)
drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Emotet DGA NXDOMAIN Responses"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|eu|00|"; distance:19; within:4; fast_pattern; content:"|10|"; distance:-21; within:1; pcre:"/^[a-z]{16}/R"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,3083b68cb5c2a345972a5f79e735c7b9; classtype:trojan-activity; sid:2019692; rev:1;)
drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Kelihos .eu CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|02|eu|00|"; fast_pattern:only; pcre:"/\x00\x07[a-z0-9]{7}\x02eu\x00/"; threshold: type both, track by_src, count 2, seconds 60; classtype:trojan-activity; sid:2014372; rev:5;)
drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Tinba DGA NXDOMAIN Responses (2)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ru|00|"; distance:15; within:4; fast_pattern; content:"|0c|"; distance:-17; within:1; pcre:"/^[a-z]{12}/R"; threshold:type both, track by_src, count 50, seconds 10; reference:md5,5808cc73c78263a8114eb205f510f6a7; reference:url,blog.malwarebytes.org/exploits-2/2014/10/exposing-the-flash-eitest-malware-campaign/; classtype:trojan-activity; sid:2019609; rev:1;)
drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Tinba DGA NXDOMAIN Responses"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|03|com"; distance:15; within:4; fast_pattern; content:"|0c|"; distance:-17; within:1; pcre:"/^[a-z]{12}/R"; threshold: type both, track by_src, count 50, seconds 10; reference:md5,1044af21a7c4cbc291ab418a47de52b4; reference:url,seculert.com/blog/2014/09/tiny-tinba-trojan-could-pose-big-threat.html; reference:url,garage4hackers.com/entry.php?b=3086; classtype:trojan-activity; sid:2019230; rev:1;)
drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Zeus P2P Variant DGA NXDOMAIN Responses July 11 2014"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; pcre:"/^..[\x0d-\x20](?=\d{0,27}[a-z])(?=[a-z]{0,27}\d)[a-z0-9]{21,28}(?:\x03(?:biz|com|net|org))\x00\x00\x01\x00\x01/Rs"; threshold: type both, track by_dst, count 12, seconds 120; reference:url, blog.malcovery.com/blog/breaking-gameover-zeus-returns; reference:md5,5e5e46145409fb4a5c8a004217eef836; classtype:trojan-activity; sid:2018666; rev:4;)
drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Team Cymru Sinkhole DNS Reply"; content:"|00 01 00 01|"; content:"|00 04 26 E5 46 04|"; distance:4; within:6; classtype:trojan-activity; sid:2021020; rev:1;)
drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Vobus/Beebone Sinkhole DNS Reply"; content:"|00 01 00 01|"; content:"|00 04 2E F4 15 04|"; distance:4; within:6; reference:url,trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/operation-source-botnet-takedown-trend-micro-solutions; classtype:trojan-activity; sid:2020889; rev:1;)
drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Wapack Labs Sinkhole DNS Reply"; content:"|00 01 00 01|"; content:"|00 04 17 FD 2E 40|"; distance:4; within:6; classtype:trojan-activity; sid:2021022; rev:1;)
drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Win32.Hyteod.acox Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ru|00|"; distance:53; within:4; content:"|32|"; distance:-55; within:1; pcre:"/^[a-z0-9]{50}/R"; threshold: type both, track by_src, count 3, seconds 60; classtype:trojan-activity; sid:2020742; rev:1;)
drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Win32.Hyteod.acox Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|su|00|"; distance:53; within:4; content:"|32|"; distance:-55; within:1; pcre:"/^[a-z0-9]{50}/R"; threshold: type both, track by_src, count 3, seconds 60; classtype:trojan-activity; sid:2020741; rev:1;)
drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Win32.Zbot.chas/Unruy.H Covert DNS CnC Channel TXT Response"; content:"|C0 0C 00 10 00 01|"; content:"|00 dd dc|"; distance:4; within:3; content:!"v="; distance:0; content:!"spf2.0/"; distance:0; content:!"|7c|"; distance:0; classtype:trojan-activity; sid:2013935; rev:5;)
drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; pcre:"/^..[\x0d-\x20][a-z]{13,32}(?:\x03(?:biz|com|net|org)|\x04info|\x02ru)\x00\x00\x01\x00\x01/Rs"; threshold: type both, track by_dst, count 12, seconds 120; reference:url,vrt-blog.snort.org/2014/03/decoding-domain-generation-algorithms.html; classtype:trojan-activity; sid:2018316; rev:4;)
drop udp any any -> $HOME_NET 1194 (msg:"ET EXPLOIT Possible OpenVPN CVE-2014-6271 attempt"; flow:to_server; content:"|20|"; depth:1; content:"|28 29 20 7b|"; fast_pattern:only; reference:url,news.ycombinator.com/item?id=8385332; classtype:attempted-admin; sid:2019322; rev:2;)
drop udp any any -> $HOME_NET 1900 (msg:"ET DOS Miniupnpd M-SEARCH Buffer Overflow CVE-2013-0229"; content:"M-SEARCH"; depth:8; isdataat:1492,relative; content:!"|0d 0a|"; distance:1490; within:2; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,CVE-2013-0229; classtype:attempted-dos; sid:2016363; rev:2;)
drop udp any any -> $HOME_NET 1900 (msg:"ET DOS Possible SSDP Amplification Scan in Progress"; content:"M-SEARCH * HTTP/1.1"; content:"ST|3a 20|ssdp|3a|all|0d 0a|"; nocase; distance:0; fast_pattern; threshold: type both,track by_src,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/29/weekly-metasploit-update; classtype:attempted-dos; sid:2019102; rev:1;)
drop udp any any -> $HOME_NET 53 (msg:"ET DOS DNS Amplification Attack Inbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29|"; within:7; fast_pattern; byte_test:2,>,4095,0,relative; threshold: type both, track by_dst, seconds 60, count 5; classtype:bad-unknown; sid:2016016; rev:8;)
drop udp any any -> $HOME_NET [5060,5061] (msg:"ET EXPLOIT Possible CVE-2014-6271 Attempt Against SIP Proxy"; flow:to_server; content:"|28 29 20 7b|"; fast_pattern:only; reference:url,github.com/zaf/sipshock; classtype:attempted-admin; sid:2019289; rev:3;)
drop udp any any -> $HOME_NET [623,664] (msg:"ET EXPLOIT IPMI Cipher 0 Authentication mode set"; content:"|07 06 10 00 00 00 00 00 00 00 00|"; offset:3; depth:11; content:"|00 00|"; distance:2; within:2; content:"|00 00 00 08 00 00 00 00 01 00 00 08 00 00 00 00 02 00 00 08 00 00 00 00|"; distance:6; within:24; reference:url,www.intel.com/content/dam/www/public/us/en/documents/product-briefs/second-gen-interface-spec-v2.pdf; reference:url,community.rapid7.com/community/metasploit/blog/2013/06/23/a-penetration-testers-guide-to-ipmi; classtype:attempted-admin; sid:2017094; rev:3;)
drop udp any any -> 1.1.1.0 80 (msg:"ET TROJAN TROJ_WHAIM.A message"; content:"|57 68 6f 20 61 6d 20 49 3f 20 57 68 6f 20 61 6d 20 49 3f 20 57 68 6f 20 61 6d 20 49 3f 20 57 68 6f 20 61 6d 20 49 3f 20 00|"; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:2020069; rev:3;)
drop udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02"; content:"|00 02 10|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019021; rev:3;)
drop udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03"; content:"|00 03 10|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019020; rev:3;)
drop udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x02"; content:"|00 02 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017918; rev:2;)
drop udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03"; content:"|00 03 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017919; rev:2;)
drop udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02"; content:"|00 02 00|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019017; rev:3;)
drop udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03"; content:"|00 03 00|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019016; rev:3;)
drop udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02"; content:"|00 02 01|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019019; rev:3;)
drop udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03"; content:"|00 03 01|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019018; rev:3;)
drop udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M1"; content:"|01 00 00 01 00 01|"; depth:6; offset:2; pcre:"/^.{4}[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021572; rev:3;)
drop udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M2"; content:"|01 00 00 01|"; depth:4; offset:2; content:"|00 01|"; distance:4; within:2; pcre:"/^[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021573; rev:4;)
drop udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M3"; content:"|00 00 00 01 00 01|"; depth:6; offset:2; pcre:"/^.{4}[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021574; rev:3;)
drop udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M4"; content:"|00 00 00 01|"; depth:4; offset:2; content:"|00 01|"; distance:4; within:2; pcre:"/^[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021575; rev:4;)
drop udp any any -> any 53 (msg:"ET TROJAN 9002 RAT C&C DNS request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|cache|05|dnsde|03|com|00|"; fast_pattern; nocase; distance:0; classtype:trojan-activity; sid:2020713; rev:1;)
drop udp any any -> any 53 (msg:"ET TROJAN DNS Possible User trying to visit POSHCODER.A .onion link outside of torbrowser"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zpwibfsmoowehdsm|05|onion|00|"; nocase; distance:0; reference:md5,01f4b1d9b2aafb86d5ccfa00e277fb9d; classtype:trojan-activity; sid:2018679; rev:1;)
drop udp any any -> any 53 (msg:"ET TROJAN Perl/Calfbot C&C DNS request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|afwyhvinmw|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018272; rev:7;)
drop udp any any -> any 53 (msg:"ET TROJAN Perl/Calfbot C&C DNS request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|btloxcyrok|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018271; rev:7;)
drop udp any any -> any 53 (msg:"ET TROJAN Perl/Calfbot C&C DNS request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|jmxkowzoen|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018267; rev:6;)
drop udp any any -> any 53 (msg:"ET TROJAN Perl/Calfbot C&C DNS request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|njdyqrbioh|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018270; rev:6;)
drop udp any any -> any 53 (msg:"ET TROJAN Perl/Calfbot C&C DNS request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|pbcgmmympm|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018266; rev:7;)
drop udp any any -> any 53 (msg:"ET TROJAN Perl/Calfbot C&C DNS request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|qemyxsdigi|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018274; rev:7;)
drop udp any any -> any 53 (msg:"ET TROJAN Perl/Calfbot C&C DNS request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|qgjhmerjec|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018269; rev:6;)
drop udp any any -> any 53 (msg:"ET TROJAN Perl/Calfbot C&C DNS request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|tyixfhsfax|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018268; rev:6;)
drop udp any any -> any 53 (msg:"ET TROJAN Perl/Calfbot C&C DNS request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|vqvsaergek|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018265; rev:7;)
drop udp any any -> any 53 (msg:"ET TROJAN Perl/Calfbot C&C DNS request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|wyfxanxjeu|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018273; rev:8;)
drop udp any any -> any 53 (msg:"ET TROJAN Tor based locker .onion Proxy DNS lookup July 31, 2014"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iet7v4dciocgxhdv"; nocase; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:trojan-activity; sid:2018874; rev:1;)
Starting SNORT rule download...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0Warning: Failed to create the file /tmp/ramdisk/botcc.portgrouped.rules: No
Warning: such file or directory
curl: (23) Failed writing body (0 != 16384)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0Warning: Failed to create the file /tmp/ramdisk/botcc.rules: No such file or
Warning: directory
curl: (23) Failed writing body (0 != 16384)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0Warning: Failed to create the file /tmp/ramdisk/ciarmy.rules: No such file or
Warning: directory
curl: (23) Failed writing body (0 != 16384)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0Warning: Failed to create the file /tmp/ramdisk/compromised.rules: No such
Warning: file or directory
curl: (23) Failed writing body (0 != 16384)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0Warning: Failed to create the file /tmp/ramdisk/dshield.rules: No such file or
Warning: directory
curl: (23) Failed writing body (0 != 3116)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0Warning: Failed to create the file /tmp/ramdisk/emerging-exploit.rules: No
Warning: such file or directory
curl: (23) Failed writing body (0 != 16384)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0Warning: Failed to create the file /tmp/ramdisk/emerging-malware.rules: No
Warning: such file or directory
curl: (23) Failed writing body (0 != 16384)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0 69089    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0Warning: Failed to create the file /tmp/ramdisk/emerging-mobile_malware.rules:
Warning: No such file or directory
curl: (23) Failed writing body (0 != 16384)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0Warning: Failed to create the file /tmp/ramdisk/emerging-user_agents.rules: No
Warning: such file or directory
curl: (23) Failed writing body (0 != 16384)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0Warning: Failed to create the file /tmp/ramdisk/emerging-web_client.rules: No
Warning: such file or directory
curl: (23) Failed writing body (0 != 16384)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0Warning: Failed to create the file /tmp/ramdisk/emerging-worm.rules: No such
Warning: file or directory
curl: (23) Failed writing body (0 != 9290)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0Warning: Failed to create the file /tmp/ramdisk/emerging-current_events.rules:
Warning: No such file or directory
curl: (23) Failed writing body (0 != 16384)
 
Working on snort rules, please wait... may take up to a minute
/sbin/fw_upgrade: line 333: can't create /tmp/ramdisk/alert.list: nonexistent directory
sed: /tmp/ramdisk/alert.list: No such file or directory
/sbin/fw_upgrade: line 333: can't create /tmp/ramdisk/temp.rules: nonexistent directory
/sbin/fw_upgrade: line 333: can't create /tmp/ramdisk/snort.rules: nonexistent directory
sed: /tmp/ramdisk/temp.rules: No such file or directory
/sbin/fw_upgrade: line 333: cat: can't open '/tmp/ramdisk/snort.rules': No such file or directory
can't create /tmp/ramdisk/numbers.txt: nonexistent directory
/sbin/fw_upgrade: line 333: can't create /tmp/ramdisk/tst.sed: nonexistent directory
cat: can't open '/tmp/ramdisk/numbers.txt': No such file or directory
/sbin/fw_upgrade: line 333: can't create /tmp/ramdisk/snort.rules.tmp: nonexistent directory
cat: can't open '/tmp/ramdisk/snort.rules': No such file or directory
sed: can't open '/tmp/ramdisk/tst.sed': No such file or directory
sed: /tmp/ramdisk/snort.rules.tmp: No such file or directory
/sbin/fw_upgrade: line 333: can't create /tmp/ramdisk/snort.rules: nonexistent directory
cat: can't open '/tmp/ramdisk/snort.rules.tmp': No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
Removing snort rules determined by ITUS Networks to cause problems accessing web sites
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
sed: /tmp/ramdisk/snort.rules: No such file or directory
Shield has been restarted so using a fresh copy of snort rules
mv: can't rename '/tmp/ramdisk/snort.rules': No such file or directory
Updating ADS rules
Starting ads rule download...
/sbin/fw_upgrade: line 345: can't create /tmp/ramdisk/ads.tmp: nonexistent directory
(23) Failed writing body
/sbin/fw_upgrade: line 345: can't create /tmp/ramdisk/ads.tmp: nonexistent directory
/sbin/fw_upgrade: line 345: can't create /tmp/ramdisk/ads.tmp: nonexistent directory
/sbin/fw_upgrade: line 345: can't create /tmp/ramdisk/ads.tmp: nonexistent directory
/sbin/fw_upgrade: line 345: can't create /tmp/ramdisk/ads.tmp: nonexistent directory
Working on ads rules, sorting and deleting duplicates... may take up to 2 minutes
Number of lines in new ads rule downloads
wc: /tmp/ramdisk/ads.tmp: No such file or directory
cat: can't open '/tmp/ramdisk/ads.tmp': No such file or directory
/sbin/fw_upgrade: line 345: can't create /tmp/ramdisk/ads.tmp1: nonexistent directory
Number of lines following sorting and deleting duplicate rules
wc: /tmp/ramdisk/ads.tmp1: No such file or directory
mv: can't rename '/tmp/ramdisk/ads.tmp1': No such file or directory
 
Updating MALICIOUS rules
Starting malicious rule download...
/sbin/fw_upgrade: line 356: can't create /tmp/ramdisk/malicious.tmp: nonexistent directory
/sbin/fw_upgrade: line 356: can't create /tmp/ramdisk/malicious.tmp: nonexistent directory
(23) Failed writing body
/sbin/fw_upgrade: line 356: can't create /tmp/ramdisk/malicious.tmp: nonexistent directory
/sbin/fw_upgrade: line 356: can't create /tmp/ramdisk/malicious.tmp: nonexistent directory
Working on malicious rules, sorting and deleting duplicates... may take up to 2 minutes
Number of lines in new malicious rule downloads
wc: /tmp/ramdisk/malicious.tmp: No such file or directory
cat: can't open '/tmp/ramdisk/malicious.tmp': No such file or directory
/sbin/fw_upgrade: line 356: can't create /tmp/ramdisk/malicious.tmp1: nonexistent directory
Number of lines following sorting and deleting duplicate rules
wc: /tmp/ramdisk/malicious.tmp1: No such file or directory
mv: can't rename '/tmp/ramdisk/malicious.tmp1': No such file or directory
 
Updating WEB FILTER rules
/sbin/fw_upgrade: line 370: can't create /tmp/ramdisk/FILTERS: nonexistent directory
 
Restarting DNSMASQ service
 copying new sorted rules....this may take a minute.
Restarted DNSMASQ
 
Restarting SNORT service
(please ignore PID errors - these are expected)
Restarted SNORT
 
root@Shield:/tmp# sh /sbin/fw_upgrade
 
Starting SNORT rule download...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 27645  100 27645    0     0   1796      0  0:00:15  0:00:15 --:--:-- 73134
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  404k  100  404k    0     0   438k      0 --:--:-- --:--:-- --:--:--  549k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 82581  100 82581    0     0   156k      0 --:--:-- --:--:-- --:--:--  168k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 57040  100 57040    0     0  71268      0 --:--:-- --:--:-- --:--:--  128k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3116  100  3116    0     0   7544      0 --:--:-- --:--:-- --:--:-- 10352
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  189k  100  189k    0     0   273k      0 --:--:-- --:--:-- --:--:--  313k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  387k  100  387k    0     0   364k      0  0:00:01  0:00:01 --:--:--  441k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 69089  100 69089    0     0   147k      0 --:--:-- --:--:-- --:--:--  155k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 27867  100 27867    0     0  76610      0 --:--:-- --:--:-- --:--:-- 81721
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  125k  100  125k    0     0   221k      0 --:--:-- --:--:-- --:--:--  232k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  9290  100  9290    0     0  29652      0 --:--:-- --:--:-- --:--:-- 31924
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  888k  100  888k    0     0   846k      0  0:00:01  0:00:01 --:--:--  868k
 
Working on snort rules, please wait... may take up to a minute
Removing snort rules determined by ITUS Networks to cause problems accessing web sites
It's been 1 days since last full update, will automatically do full update after 14 days
Updating ADS rules
Starting ads rule download...
Working on ads rules, sorting and deleting duplicates... may take up to 2 minutes
Number of lines in new ads rule downloads
36247 /tmp/ramdisk/ads.tmp
Number of lines following sorting and deleting duplicate rules
23898 /tmp/ramdisk/ads.tmp1
 
Updating MALICIOUS rules
Starting malicious rule download...
Working on malicious rules, sorting and deleting duplicates... may take up to 2 minutes
Number of lines in new malicious rule downloads
30669 /tmp/ramdisk/malicious.tmp
Number of lines following sorting and deleting duplicate rules
27343 /tmp/ramdisk/malicious.tmp1
 
Updating WEB FILTER rules
Starting web filter rule download
WARNING: timestamping does nothing in combination with -O. See the manual
for details.

--2016-05-22 13:44:01--  http://www.shallalist.de/Downloads/shallalist.tar.gz
Resolving www.shallalist.de... 46.4.77.203
Connecting to www.shallalist.de|46.4.77.203|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10023485 (9.6M) [application/x-gzip]
Saving to: '/tmp/ramdisk/shallalist.tar.gz'

/tmp/ramdisk/shallalist.ta 100%[========================================>]   9.56M  1014KB/s   in 12s    

2016-05-22 13:44:14 (845 KB/s) - '/tmp/ramdisk/shallalist.tar.gz' saved [10023485/10023485]

Successfully downloaded new web filter rules
tar: BL/illegal/domains: not found in archive
 
Restarting DNSMASQ service
sed: /mnt/ramdisk/ads: No such file or directory
sed: /mnt/ramdisk/illegal: No such file or directory
sed: /mnt/ramdisk/malicious: No such file or directory
Updated redirect ip address: 192.168.1.112: update_blacklist
 copying new sorted rules....this may take a minute.
Restarted DNSMASQ
 
Restarting SNORT service
(please ignore PID errors - these are expected)
Restarted SNORT
 
root@Shield:/tmp# sh /sbin/fw_upgrade
 
Starting SNORT rule download...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 27645  100 27645    0     0  32993      0 --:--:-- --:--:-- --:--:-- 41949
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  404k  100  404k    0     0   529k      0 --:--:-- --:--:-- --:--:--  552k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 82581  100 82581    0     0  78103      0  0:00:01  0:00:01 --:--:-- 80331
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 57040  100 57040    0     0   126k      0 --:--:-- --:--:-- --:--:--  133k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3116  100  3116    0     0   4831      0 --:--:-- --:--:-- --:--:--  5050
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  189k  100  189k    0     0   323k      0 --:--:-- --:--:-- --:--:--  339k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  387k  100  387k    0     0   241k      0  0:00:01  0:00:01 --:--:--  244k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 69089  100 69089    0     0   112k      0 --:--:-- --:--:-- --:--:--  159k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 27867  100 27867    0     0  45096      0 --:--:-- --:--:-- --:--:-- 47152
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  125k  100  125k    0     0   242k      0 --:--:-- --:--:-- --:--:--  255k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  9290  100  9290    0     0  17645      0 --:--:-- --:--:-- --:--:-- 18542
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  888k  100  888k    0     0   889k      0 --:--:-- --:--:-- --:--:--  916k
 
Working on snort rules, please wait... may take up to a minute
Removing snort rules determined by ITUS Networks to cause problems accessing web sites
It's been 2 days since last full update, will automatically do full update after 14 days
Updating ADS rules
Starting ads rule download...
Working on ads rules, sorting and deleting duplicates... may take up to 2 minutes
Number of lines in new ads rule downloads
36247 /tmp/ramdisk/ads.tmp
Number of lines following sorting and deleting duplicate rules
23898 /tmp/ramdisk/ads.tmp1
 
Updating MALICIOUS rules
Starting malicious rule download...
Working on malicious rules, sorting and deleting duplicates... may take up to 2 minutes
Number of lines in new malicious rule downloads
30669 /tmp/ramdisk/malicious.tmp
Number of lines following sorting and deleting duplicate rules
27343 /tmp/ramdisk/malicious.tmp1
 
Updating WEB FILTER rules
Starting web filter rule download
WARNING: timestamping does nothing in combination with -O. See the manual
for details.

--2016-05-22 13:47:11--  http://www.shallalist.de/Downloads/shallalist.tar.gz
Resolving www.shallalist.de... 46.4.77.203
Connecting to www.shallalist.de|46.4.77.203|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10023485 (9.6M) [application/x-gzip]
Saving to: '/tmp/ramdisk/shallalist.tar.gz'

/tmp/ramdisk/shallalist.ta 100%[========================================>]   9.56M  1022KB/s   in 11s    

2016-05-22 13:47:23 (864 KB/s) - '/tmp/ramdisk/shallalist.tar.gz' saved [10023485/10023485]

Successfully downloaded new web filter rules
tar: BL/illegal/domains: not found in archive
 
Restarting DNSMASQ service
sed: /mnt/ramdisk/illegal: No such file or directory
sed: /mnt/ramdisk/ads: No such file or directory
sed: /mnt/ramdisk/malicious: No such file or directory
Updated redirect ip address: 192.168.1.112: update_blacklist
 copying new sorted rules....this may take a minute.
Restarted DNSMASQ
 
Restarting SNORT service
(please ignore PID errors - these are expected)
Restarted SNORT
 
root@Shield:/tmp#
123