# Emerging Threats
#
# This distribution may contain rules under two different licenses.
#
# Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
# A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
# Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License
# as follows:
#
#*************************************************************
# Copyright (c) 2003-2020, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of Emerging Threats nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# #************************************************************* # # # # # This Ruleset is EmergingThreats Open optimized for snort-2.9.0-enhanced. #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malvertising drive by kit encountered - Loading..."; flow:established,to_client; content:"HTTP/1"; depth:6; content:"Loading...
"; nocase; reference:url,doc.emergingthreats.net/2011223; classtype:bad-unknown; sid:2011223; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Driveby bredolab hidden div served by nginx"; flow:established,to_client; content:"Server|3a| nginx"; http_header; file_data; content:"
<"; within:120; classtype:bad-unknown; sid:2011355; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Neosploit Exploit Pack Activity Observed"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"Referer|3a| "; nocase; http_header; content:"User-Agent|3a| "; nocase; http_header; pcre:"/\.(php|asp|py|exe|htm|html)\/[joewxy](U[0-9a-f]{8})?H[0-9a-f]{8}V[0-9a-f]{8}\d{3}R[0-9a-f]{8}\d{3}T[0-9a-f]{8,}/U"; reference:url,blog.fireeye.com/research/2010/01/pdf-obfuscation.html; reference:url,blog.fireeye.com/research/2010/06/neosploit_notes.html; reference:url,dxp2532.blogspot.com/2007/12/neosploit-exploit-toolkit.html; classtype:attempted-user; sid:2011583; rev:4; metadata:created_at 2010_10_01, updated_at 2010_10_01;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS exploit kit x/load/svchost.exe"; flow:established,to_server; content:"GET"; http_method; content:"load/svchost.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011906; rev:2; metadata:created_at 2010_11_08, former_category EXPLOIT_KIT, updated_at 2020_05_06;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SWF served from /tmp/ "; flow:established,to_server; content:"/tmp/"; http_uri; fast_pattern; content:".swf"; http_uri; pcre:"/\/tmp\/[^\/]+\.swf$/U"; classtype:bad-unknown; sid:2011970; rev:1; metadata:created_at 2010_11_23, updated_at 2010_11_23;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING Alureon JavaScript IFRAME Redirect"; flow:established,to_client; file_data; content:"marginwidth=|5c 22|0|22 5c| marginheight=|5c 22|0|22 5c| hspace=|5c 22|0|22 5c| vspace=|5c 22|0|22 5c| frameborder=|5c 22|0|22 5c| scrolling=|5c 22|0|22 5c| bordercolor=|5c 22 23|000000|5c 22|>|22 29 3b 
7d|"; classtype:bad-unknown; sid:2011978; rev:2; metadata:created_at 2010_11_24, updated_at 2010_11_24;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Neosploit Toolkit download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/GNH11.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=piadraspgdw.com; reference:url,labs.m86security.com/2011/01/shedding-light-on-the-neosploit-exploit-kit; classtype:trojan-activity; sid:2012333; rev:2; metadata:created_at 2011_02_22, updated_at 2011_02_22;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RetroGuard Obfuscated JAR likely part of hostile exploit kit"; flow:established,from_server; content:"classPK"; content:"|20|by|20|RetroGuard|20|Lite|20|"; reference:url,www.retrologic.com; classtype:trojan-activity; sid:2012518; rev:1; metadata:created_at 2011_03_17, former_category CURRENT_EVENTS, updated_at 2011_03_17;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of Microsft Office File From Russian Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; http_header; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; distance:0; classtype:trojan-activity; sid:2012525; rev:1; metadata:created_at 2011_03_21, updated_at 2011_03_21;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of Microsoft Office File From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; http_header; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; distance:0; classtype:trojan-activity; sid:2012526; rev:1; metadata:created_at 2011_03_21, updated_at 2011_03_21;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of PDF File From Russian Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; 
http_header; file_data; content:"%PDF-"; distance:0; classtype:trojan-activity; sid:2012527; rev:1; metadata:created_at 2011_03_21, updated_at 2011_03_21;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of PDF File From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; http_header; file_data; content:"%PDF-"; distance:0; classtype:trojan-activity; sid:2012528; rev:1; metadata:created_at 2011_03_21, updated_at 2011_03_21;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site WindowsLive.png"; flow:established,to_server; content:"/images/WindowsLive.png"; http_uri; depth:23; classtype:bad-unknown; sid:2012529; rev:2; metadata:created_at 2011_03_21, updated_at 2011_03_21;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site Landing Page"; flow:established,from_server; file_data; content:"MWL"; within:300; classtype:bad-unknown; sid:2012530; rev:2; metadata:created_at 2011_03_21, updated_at 2011_03_21;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site blt .png"; flow:established,to_server; content:"/images/blt"; http_uri; depth:11; content:".png"; http_uri; within:6; classtype:bad-unknown; sid:2012531; rev:1; metadata:created_at 2011_03_21, updated_at 2011_03_21;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site Payload Download"; flow:established,to_server; content:"/MRT/update/"; http_uri; depth:12; content:".exe"; http_uri; classtype:bad-unknown; sid:2012532; rev:1; metadata:created_at 2011_03_21, updated_at 2011_03_21;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit io.exe download served"; flow:established,from_server; content:"|3b 20|filename=io.exe|0d 0a|"; fast_pattern; classtype:trojan-activity; sid:2012610; 
rev:1; metadata:created_at 2011_03_31, updated_at 2011_03_31;) #alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Internal WebServer Compromised By Lizamoon Mass SQL-Injection Attacks"; flow:established,from_server; content:""; within:100; reference:url,malwaresurvival.net/tag/lizamoon-com/; classtype:web-application-attack; sid:2012614; rev:4; metadata:created_at 2011_03_31, updated_at 2011_03_31;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Potential Lizamoon Client Request /ur.php"; flow:established,to_server; content:"GET"; http_method; content:"/ur.php"; http_uri; content:"GET /ur.php "; depth:12; classtype:trojan-activity; sid:2012625; rev:2; metadata:created_at 2011_04_04, updated_at 2011_04_04;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Paypal Phishing victim POSTing data"; flow:established,to_server; content:"POST"; http_method; content:"usr="; content:"&pwd="; content:"&name-on="; content:"&cu-on="; content:"&how2-on="; fast_pattern; classtype:bad-unknown; sid:2012630; rev:2; metadata:attack_target Client_Endpoint, created_at 2011_04_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Potential Paypal Phishing Form Attachment"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"Restore Your Account"; distance:0; nocase; content:"paypal"; distance:0; nocase; content:"form.php|22| method=|22|post|22|"; nocase; distance:0; classtype:bad-unknown; sid:2012632; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_04_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Potential ACH Transaction Phishing Attachment"; flow:established,to_server; content:"ACH transaction"; nocase; 
content:".pdf.exe"; nocase; classtype:bad-unknown; sid:2012635; rev:2; metadata:attack_target Client_Endpoint, created_at 2011_04_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_07_01;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Java Exploit Attempt Request for hostile binary"; flow:established,to_server; content:"&|20|HTTP/1.1|0d 0a|User-A"; fast_pattern:only; content:".php?height="; http_uri; content:"|20|Java/"; http_header; pcre:"/\/[a-z0-9]{30,}\.php\?height=\d+&sid=\d+&width=[a-z0-9]+&/U"; classtype:trojan-activity; sid:2012644; rev:2; metadata:created_at 2011_04_06, updated_at 2011_04_06;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious JAR olig"; flow:established,from_server; content:"|00 00|META-INF/PK|0a|"; fast_pattern:only; content:"|00|olig/"; classtype:trojan-activity; sid:2012646; rev:2; metadata:created_at 2011_04_06, updated_at 2011_04_06;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Pack Binary Load Request"; flow:established,to_server; content:".php?sex="; nocase; http_uri; content:"&children="; nocase; http_uri; content:"&userid="; nocase; http_uri; pcre:"/\.php\?sex=\d+&children=\d+&userid=/U"; classtype:trojan-activity; sid:2012687; rev:1; metadata:created_at 2011_04_13, updated_at 2011_04_13;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Flash Unicode SWF File Embedded in Office File Caution - Could be Hostile"; flow:established,from_server; flowbits:isset,OLE.CompoundFile; content:"S|00|W|00|F|00|"; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; reference:cve,2011-0611; classtype:attempted-user; 
sid:2012622; rev:4; metadata:created_at 2011_04_01, updated_at 2011_04_01;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Likely Redirector to Exploit Page /in/rdrct/rckt/?"; flow:established,to_server; content:"/in/rdrct/rckt/?"; http_uri; classtype:attempted-user; sid:2012731; rev:1; metadata:created_at 2011_04_28, updated_at 2011_04_28;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown .ru Exploit Redirect Page"; flow:established,to_server; content:"people/?"; http_uri; content:"&top="; http_uri; content:".ru|0d 0a|"; http_header; classtype:bad-unknown; sid:2012732; rev:1; metadata:created_at 2011_04_28, updated_at 2011_04_28;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Eleonore Exploit Pack exemple.com Request"; flow:established,to_server; content:"/exemple.com/"; nocase; http_uri; classtype:trojan-activity; sid:2012940; rev:2; metadata:created_at 2011_06_07, updated_at 2011_06_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious PHP 302 redirect response with avtor URI and cookie"; flow:established,from_server; content:"302"; http_stat_code; content:".php?avtor="; http_header; fast_pattern:only; content:"Set-Cookie|3a| "; http_header; content:"avtor="; http_header; within:40; classtype:trojan-activity; sid:2013011; rev:2; metadata:created_at 2011_06_10, updated_at 2011_06_10;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Java/PDF Exploit kit from /Home/games/ initial landing"; flow:established,to_server; content:"/Home/games/2fdp.php?f="; http_uri; classtype:trojan-activity; sid:2013025; rev:1; metadata:created_at 2011_06_13, former_category EXPLOIT_KIT, updated_at 2011_06_13;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Exploit kit mario.jar"; flow:established,to_server; content:"pack200"; http_header; content:" Java/"; http_header; 
content:"/mario.jar"; http_uri; classtype:trojan-activity; sid:2013024; rev:2; metadata:created_at 2011_06_13, former_category EXPLOIT_KIT, updated_at 2011_06_13;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Java/PDF Exploit kit initial landing"; flow:established,to_server; content:"/2fdp.php?f="; http_uri; classtype:trojan-activity; sid:2013027; rev:2; metadata:created_at 2011_06_13, former_category EXPLOIT_KIT, updated_at 2011_06_13;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake Shipping Invoice Request to JPG.exe Executable"; flow:established,to_server; content:"/invoice"; nocase; http_uri; content:".JPG.exe"; nocase; fast_pattern; classtype:trojan-activity; sid:2013048; rev:4; metadata:created_at 2011_06_16, updated_at 2011_06_16;) #alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sidename.js Injected Script Served by Local WebServer"; flow:established,from_server; content:"/sidename.js\">"; nocase; fast_pattern:only; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:web-application-attack; sid:2013061; rev:2; metadata:created_at 2011_06_17, updated_at 2011_06_17;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit Attempt applet via file URI setAttribute"; flow:established,from_server; content:"setAttribute("; content:"C|3a 5c 5c|Progra"; fast_pattern; nocase; distance:0; content:"java"; nocase; distance:0; content:"jre6"; nocase; distance:0; content:"lib"; nocase; distance:0; content:"ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013066; rev:2; metadata:created_at 2011_06_17, updated_at 2011_06_17;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Driveby Exploit Kit 
Browser Progress Checkin - Binary Likely Previously Downloaded"; flow:established,to_server; content:"/?"; http_uri; content:!" Java/"; http_header; pcre:"/\/\?[a-f0-9]{64}\;\d\;\d/U"; classtype:trojan-activity; sid:2013098; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_06_22, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2011-2110 Flash Exploit Attempt Embedded in Web Page"; flow:established,to_client; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CVE-2011-2110 Flash Exploit Attempt"; flow:established,to_server; content:"GET /"; depth:5; content:".swf?info=02"; http_uri; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20110617; classtype:trojan-activity; sid:2013065; rev:4; metadata:created_at 2011_06_17, updated_at 2011_06_17;) #alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS cssminibar.js Injected Script Served by Local WebServer"; flow:established,from_server; content:"cssminibar.js|22|>"; nocase; fast_pattern:only; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:web-application-attack; sid:2013192; rev:1; metadata:created_at 2011_07_05, updated_at 2011_07_05;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Injected Credit Card Fraud Malvertisement Script"; flow:established,to_client; content:"|3C|script|3E|ba|28 27|Windows.class|27 2C 27|Windows.jar|27 29 3B 3C 2F|script|3E|"; nocase; reference:url,blogs.paretologic.com/malwarediaries/index.php/2011/07/06/stolen-credit-cards-site-injected-with-malware/; classtype:misc-activity; sid:2013244; rev:1; metadata:created_at 2011_07_11, updated_at 2011_07_11;) #alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - 
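flickr.com.* "; content:"|06|flickr|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013353; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
#
# "Wordpress possible Malicious DNS-Requests" rules (sid:2013353 and the
# sibling rules that follow it).
#
# What they match: a DNS query from a non-resolver host to $DNS_SERVERS whose
# name carries the wire-encoded labels <len>flickr<len>com (picasa, blogger,
# wordpress, img.youtube, ...) where the byte immediately after "com" is NOT
# the 0x00 root terminator (content:!"|00|"; within:1). That is a name shaped
# like flickr.com.<something-else>, never plain flickr.com or www.flickr.com.
# Per the referenced TimThumb write-ups (not restated here) the vulnerable
# theme code accepted any remote host that merely contained an allowed
# domain, so a compromised site ends up fetching from an attacker host such
# as flickr.com.<attacker-domain>; the lookup for that name is the signal.
#
# Fix applied to sid:2013353 above: "flickr" is six bytes, so its wire form
# is |06|flickr|03|com. The rule shipped with |05|flickr|03|com, and a DNS
# label length prefix must equal the label length, so the old pattern could
# not match a correctly encoded query and the rule was silent. rev bumped
# 3 -> 4 to mark the local change.
#
# Caveats for deployment:
# - The match is on the query, not on the HTTP fetch. A web server that
#   resolves through a forwarder not in $DNS_SERVERS, that is itself listed
#   in $DNS_SERVERS (the !$DNS_SERVERS source exclusion), or that uses an
#   encrypted resolver is never seen.
# - Likely false-positive source: stub-resolver search-list suffixing can
#   produce flickr.com.<corporate-search-domain> queries on its own; verify
#   against your environment before alerting on these.
# - nocase is correct: DNS names are case-insensitive and a resolver that
#   randomizes label case could otherwise slip past the match.
# - All of these are disabled ("#alert") in this build and date from 2011;
#   treat the allow-list-bypass pattern as the reusable part.
#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - picasa.com.* "; content:"|06|picasa|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013354; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - blogger.com.* "; content:"|07|blogger|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013355; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - wordpress.com.* "; content:"|09|wordpress|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013357; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - img.youtube.com.* "; content:"|03|img|07|youtube|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013358; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, 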
attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2016_07_01;) #alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - upload.wikimedia.com.* "; content:"|06|upload|09|wikimedia|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013359; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript Often Used in Drivebys"; flow:established,from_server; content:"Content-Type|3a 20|text/html"; content:"|0d 0a|
\d{16}/R"; classtype:trojan-activity; sid:2013237; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_08, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious 1px iframe related to Mass Wordpress Injections"; flow:established,from_server; content:"/?go=1|22 20|width=|22|1|22 20|height=|22|1|22|>"; fast_pattern; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit Attempt applet via file URI param"; flow:established,from_server; content:"applet"; nocase; content:"file|3a|C|3a 5c|Progra"; fast_pattern; nocase; distance:0; content:"java"; nocase; distance:0; content:"jre6"; nocase; distance:0; content:"lib"; nocase; distance:0; content:"ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012884; rev:2; metadata:created_at 2011_05_27, updated_at 2011_05_27;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY ACH - Redirection"; flow:from_server,established; file_data; content:"NACHA"; distance:0; classtype:bad-unknown; sid:2013474; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_26, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix Java MIDI Exploit Received By Vulnerable Client"; flow:established,to_client; file_data; flowbits:isset,ET.http.javaclient.vulnerable; content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider"; distance:0; classtype:bad-unknown; sid:2013484; rev:2; metadata:created_at 2011_08_29, updated_at 2011_08_29;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix Java MIDI Exploit 
Received"; flow:established,to_client; file_data; flowbits:isset,ET.http.javaclient; content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider"; distance:0; classtype:bad-unknown; sid:2013485; rev:2; metadata:created_at 2011_08_29, updated_at 2011_08_29;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix landing page JAVASMB"; flow:established,to_client; file_data; content:"JAVASMB()"; distance:0; classtype:bad-unknown; sid:2013486; rev:1; metadata:created_at 2011_08_30, updated_at 2011_08_30;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Exploit kit worms.jar"; flow:established,to_server; content:"pack200"; http_header; content:" Java/"; http_header; content:"/worms.jar"; http_uri; classtype:trojan-activity; sid:2013661; rev:1; metadata:created_at 2011_09_15, former_category EXPLOIT_KIT, updated_at 2011_09_15;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Crimepack Java exploit attempt(2)"; flow:from_server,established; file_data; content:"PK"; distance:0; content:"META-INF/MANIFEST"; within:50; content:"PK"; within:150; nocase; content:"Exploit|24 31 24 31 2E|class"; distance:0; fast_pattern; classtype:web-application-attack; sid:2013662; rev:2; metadata:created_at 2011_09_16, updated_at 2011_09_16;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Driveby Generic Java Exploit Attempt"; flow:established,to_client; content:" codebase=|22|C|3a 5c|Program Files|5c|java|5c|jre6|5c|lib|5c|ext|22| code="; nocase; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013551; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_09, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> 
$HOME_NET any (msg:"ET CURRENT_EVENTS Driveby Generic Java Exploit Attempt 2"; flow:established,to_client; content:" codebase=|22|C|3a 5c|Program Files (x86)|5c|java|5c|jre6|5c|lib|5c|ext|22| code="; nocase; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013552; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_09, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit x.jar?o="; flow:established,to_server; content:"/x.jar?o="; http_uri; content:"|20|Java/"; http_header; classtype:trojan-activity; sid:2013696; rev:2; metadata:created_at 2011_09_27, former_category EXPLOIT_KIT, updated_at 2011_09_27;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit lo.class"; flow:established,to_server; content:"/lo.class"; http_uri; content:"|20|Java/"; http_header; classtype:trojan-activity; sid:2013697; rev:2; metadata:created_at 2011_09_27, former_category EXPLOIT_KIT, updated_at 2011_09_27;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit lo2.jar"; flow:established,to_server; content:"/lo2.jar"; http_uri; content:"|20|Java/"; http_header; classtype:trojan-activity; sid:2013698; rev:2; metadata:created_at 2011_09_27, former_category EXPLOIT_KIT, updated_at 2011_09_27;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit applet landing"; flow:established,from_server; file_data; content:"|0d 0a||0d 0a||0d 0a||0d 0a|"; distance:0; classtype:trojan-activity; sid:2013699; rev:2; metadata:created_at 2011_09_27, former_category EXPLOIT_KIT, updated_at 2011_09_27;) #alert tcp $EXTERNAL_NET 443 -> $HOME_NET any 
(msg:"ET CURRENT_EVENTS Suspicious Self Signed SSL Certificate CN of common Possible SSL CnC"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"common1|1b|0"; classtype:bad-unknown; sid:2013805; rev:1; metadata:attack_target Client_Endpoint, created_at 2011_10_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
#
# Self-signed "common" certificate rules (sid:2013805 above, sid:2013806 below).
#
# Both inspect the raw server-to-client byte stream on tcp/443:
#   |16 03|          TLS record header: content type 22 (handshake), version 3.x
#   |0b| within:7    handshake type 11 (Certificate) within the next 7 bytes
#   common1|1b|0     a value ending in "common" followed by 0x31 0x1b 0x30
#   admin@common     the literal e-mail string
# No distance/within ties the third content to the Certificate message, so it
# may land anywhere later in the stream. The 0x31 0x1b 0x30 tail is consistent
# with DER (SET, length 27, SEQUENCE): a subject RDN "common" directly followed
# by another RDN of the size an emailAddress "admin@common" would have —
# presumably the same certificate seen by both rules; not confirmable from the
# rule text alone.
#
# Caveats:
# - Raw-byte matching only works while the Certificate message is sent in the
#   clear. TLS 1.3 encrypts it, so these rules see nothing on TLS 1.3 sessions;
#   an engine with a TLS parser should match on the parsed subject instead.
# - The port is fixed at 443 and content:"|16 03|" carries no depth/offset, so
#   a long session is scanned end to end; "common" is not anchored at the
#   start of its field, so a value such as "uncommon" also satisfies it.
# - Disabled ("#alert") in this build and dated 2011.
#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Self Signed SSL Certificate with admin@common Possible SSL CnC"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"admin@common"; classtype:bad-unknown; sid:2013806; rev:1; metadata:attack_target Client_Endpoint, created_at 2011_10_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
#
# Lilupophilupop injected-script rules (sid:2013978, sid:2013979).
# Same literal <script src="http://lilupophilupop.com/sl.php"></script> in two
# directions. 2013978 ($EXTERNAL_NET $HTTP_PORTS -> $HOME_NET) means an
# internal client is being served the injection from outside; 2013979
# ($HOME_NET $HTTP_PORTS -> $EXTERNAL_NET) means one of YOUR web servers is
# emitting it, i.e. that server's content is already compromised, which makes
# the second rule the higher-priority one despite identical classtype.
# Neither uses file_data or an http_* buffer, so the match is against the raw
# stream; a gzip-encoded response is presumably only caught if the HTTP
# preprocessor decompresses it. The domain is a fixed literal and campaign
# infrastructure rotates, so expect this pattern to age out.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lilupophilupop Injected Script Being Served to Client"; flow:established,to_client; content:"|3C|script src=|22|http|3A|//lilupophilupop.com/sl.php|22|>|3C 2F|script>"; nocase; classtype:bad-unknown; sid:2013978; rev:2; metadata:created_at 2011_12_02, updated_at 2011_12_02;)
#alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Lilupophilupop Injected Script Being Served from Local Server"; flow:established,from_server; content:"|3C|script src=|22|http|3A|//lilupophilupop.com/sl.php|22|>|3C 2F|script>"; nocase; classtype:bad-unknown; sid:2013979; rev:2; metadata:created_at 2011_12_02, updated_at 2011_12_02;)
#
# Java request to a decimal host (sid:2013487; the rule's references, cve and
# sid continue on the next line).
# Requires a Java client (" Java/1" in the request headers) whose Host header
# is a bare 8-10 digit integer, optionally followed by :port, i.e. an IPv4
# address written in dotless decimal form (pcre /H = normalized HTTP header
# buffer). Ordinary browser traffic rarely addresses servers this way, so the
# UA + host-shape pairing is the signal. \d{8,10} does not cover addresses
# whose decimal form has fewer than 8 digits (below 0.152.150.128); that range
# is not generally routable, so the gap should be small — verify if it matters.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Likely Generic Java Exploit Attempt Request for Java to decimal host"; flow:established,to_server; content:" Java/1"; http_header; pcre:"/Host\x3a \d{8,10}(\x0d\x0a|\x3a\d{1,5}\x0d\x0a)/H"; 
reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013487; rev:4; metadata:created_at 2011_08_30, updated_at 2011_08_30;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Universal 3D file corrupted download 1"; flow:established,from_server; file_data; content:"/Subtype /U3D"; distance:0; content:"< $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Universal 3D file corrupted download 2"; flow:established,from_server; file_data; content:"/Subtype /U3D"; distance:0; content:"/Contents (a pwning u3d model) /3DI false > /3DA << /A /PO /DIS /I >> /Rect [0 0 640 480] /3DD 10 0 R /F 7 >>"; distance:0; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; classtype:bad-unknown; sid:2013997; rev:2; metadata:created_at 2011_12_08, updated_at 2011_12_08;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Probable Scalaxy exploit kit Java or PDF exploit request"; flow:established,to_server; content:"/"; http_uri; offset:2; depth:3; urilen:35; pcre:"/\/[a-z]\/[0-9a-f]{32}$/U"; classtype:bad-unknown; sid:2014025; rev:2; metadata:created_at 2011_12_12, former_category EXPLOIT_KIT, updated_at 2011_12_12;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested com.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/com.class"; http_uri; classtype:trojan-activity; sid:2014031; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_19, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested org.class"; 
flow:established,to_server; content:" Java/1"; http_header; content:"/org.class"; http_uri; classtype:trojan-activity; sid:2014032; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_19, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested edu.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/edu.class"; http_uri; classtype:trojan-activity; sid:2014033; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_19, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested net.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/net.class"; http_uri; classtype:trojan-activity; sid:2014034; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_19, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING Alureon Malicious IFRAME"; flow:established,to_client; file_data; content:"name=\"Twitter\" scrolling=\"auto\" frameborder=\"no\" align=\"center\" height = \"1px\" width = \"1px\">"; classtype:bad-unknown; sid:2014039; rev:1; metadata:created_at 2011_12_22, updated_at 2011_12_22;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS User-Agent used in Injection Attempts"; flow:established,to_server; content:"User-Agent|3a| MOT-MPx220/1.400 Mozilla/4.0"; http_header; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2011-December/016882.html; classtype:trojan-activity; sid:2014054; rev:1; metadata:created_at 
2011_12_30, updated_at 2011_12_30;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Saturn Exploit Kit binary download request"; flow:established,to_server; content:"/dl/"; depth:4; http_uri; fast_pattern; content:".php?"; http_uri; pcre:"/\/dl\/\w{1,4}\.php\?[0-9]$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013775; rev:3; metadata:created_at 2011_10_13, former_category EXPLOIT_KIT, updated_at 2011_10_13;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Saturn Exploit Kit probable Java MIDI exploit request"; flow:established,to_server; content:"/dl/jsm.php"; depth:14; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013777; rev:3; metadata:created_at 2011_10_13, former_category EXPLOIT_KIT, updated_at 2011_10_13;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SEO Exploit Kit - client exploited"; flow:established,to_server; content:"/exe.php?exp="; http_uri; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011813; rev:5; metadata:created_at 2010_10_13, former_category EXPLOIT_KIT, updated_at 2010_10_13;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit reporting Java and PDF state"; flow:established,to_server; content:"_js?java="; http_uri; fast_pattern; content:"&adobe_pdf="; http_uri; distance:0; pcre:"/\/[a-f0-9]{60,}_js\?/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013690; rev:2; metadata:created_at 2011_09_23, former_category EXPLOIT_KIT, updated_at 2011_09_23;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Java requesting malicious JAR"; flow:established,to_server; content:"_jar"; http_uri; fast_pattern; content:"|20|Java/"; http_header; pcre:"/\/[a-f0-9]{60,}_jar$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013691; rev:2; metadata:created_at 
2011_09_23, former_category EXPLOIT_KIT, updated_at 2011_09_23;)
# Java client (User-Agent contains " Java/") fetching /<60+ hex>_exe -- EK payload stage; arms et.exploitkitlanding.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Java requesting malicious EXE"; flow:established,to_server; content:"_exe"; http_uri; fast_pattern; content:"|20|Java/"; http_header; pcre:"/\/[a-f0-9]{60,}_exe$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013692; rev:2; metadata:created_at 2011_09_23, former_category EXPLOIT_KIT, updated_at 2011_09_23;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit request for pdf_err__Error__Unspecified"; flow:established,to_server; content:"/pdf_err__Error__Unspecified error..gif"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013693; rev:6; metadata:created_at 2011_09_23, former_category EXPLOIT_KIT, updated_at 2011_09_23;)
# Phoenix-style landing: /?<65+ alnum>; 1; N requested by a Java client (header "...) Java/1.").
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Phoenix-style Exploit Kit Java Request with semicolon in URI"; flow:established,to_server; content:"/?"; http_uri; content:"|3b| 1|3b| "; http_uri; content:"|29| Java/1."; http_header; pcre:"/\/\?[a-z0-9]{65,}\x3b \d\x3b \d/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2011988; rev:5; metadata:created_at 2010_12_01, former_category EXPLOIT_KIT, updated_at 2017_04_13;)
# NOTE(review): sids 2014607 and 2014608 are truncated in this copy -- each now reads content:""
# because the injected HTML tag they matched was swallowed by page extraction, leaving
# distance:1; within:10 anchored on nothing. A zero-length content pattern is refused at rule
# load by the Snort/Suricata parsers I know of (and would match nothing if it were not), so
# neither rule can be deployed from this page; restore both from the upstream ET Open ruleset.
# They appear to be a pair: 2014607 watches responses from external servers, 2014608 the same
# bytes served from $HOME_NET $HTTP_PORTS, i.e. an internal web server carrying the injection.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Landing Response Malicious JavaScript"; flow:established,from_server; content:""; distance:1; within:10; classtype:attempted-user; sid:2014607; rev:5; metadata:created_at 2012_04_17, updated_at 2012_04_17;)
#alert tcp $HOME_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nikjju Mass Injection Internal WebServer Compromised"; flow:established,from_server; file_data; content:""; distance:1; within:10; classtype:attempted-user; sid:2014608; rev:5; metadata:created_at 2012_04_17, updated_at 2012_04_17;)
# sid 2014548 (TDS Sutra - cookie set) continues on the next line.
alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS TDS Sutra - cookie set"; flow:established,to_client; content:!"302"; http_stat_code; content:"=_"; content:"_\; domain="; distance:1; within:10; pcre:"/^[a-z]{5}[0-9]{1,2}=_[0-9]{1,2}_/C"; classtype:bad-unknown; sid:2014548; rev:2; metadata:created_at 2012_04_12, updated_at 2020_02_04;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS TDS Sutra - redirect received"; flow:established,to_client; content:"302"; http_stat_code; content:"=_"; content:"_\; domain="; distance:1; within:10; pcre:"/^[a-z]{5}[0-9]{1,2}=_[0-9]{1,2}_/C"; classtype:bad-unknown; sid:2014547; rev:4; metadata:created_at 2012_04_12, updated_at 2020_02_04;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito Exploit Kit payload request to images.php?t=N"; flow:established,to_server; content:"/images.php?t="; http_uri; urilen:15; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014640; rev:2; metadata:created_at 2012_04_26, former_category EXPLOIT_KIT, updated_at 2012_04_26;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito Exploit Kit PDF request to images.php?t=81118"; flow:established,to_server; content:"/images.php?t=81118"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014639; rev:3; metadata:created_at 2012_04_26, former_category EXPLOIT_KIT, updated_at 2020_04_21;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Neosploit Java Exploit Kit request to /? 
plus hex 32"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; content:" Java/"; http_header; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:trojan-activity; sid:2013975; rev:2; metadata:created_at 2011_11_30, former_category EXPLOIT_KIT, updated_at 2011_11_30;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unkown exploit kit pdf download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&file="; http_uri; content:".pdf"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014657; rev:2; metadata:created_at 2012_04_30, former_category EXPLOIT_KIT, updated_at 2020_04_21;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unkown exploit kit payload download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&spl="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014658; rev:2; metadata:created_at 2012_04_30, former_category EXPLOIT_KIT, updated_at 2012_04_30;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic - Redirection to Kit - BrowserDetect with var stopit"; flow:established,from_server; file_data; content:"var stopit = BrowserDetect.browser"; classtype:trojan-activity; sid:2014665; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_05_02, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS landing page with malicious Java applet"; flow:established,from_server; file_data; content:"code="; distance:0; content:"xploit.class"; distance:2; within:18; 
classtype:bad-unknown; sid:2014561; rev:2; metadata:created_at 2012_04_13, updated_at 2012_04_13;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Redkit Java Exploit request to /24842.jar"; flow:established,to_server; content:"/24842.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014749; rev:2; metadata:created_at 2012_05_14, former_category EXPLOIT_KIT, updated_at 2012_05_14;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fragus Exploit jar Download"; flow:established,to_server; content:"_.jar?"; http_uri; pcre:"/\w_\.jar\?[a-f0-9]{8}$/U"; classtype:trojan-activity; sid:2014802; rev:2; metadata:created_at 2012_05_23, former_category CURRENT_EVENTS, updated_at 2020_08_04;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown java_ara Bin Download"; flow:established,to_server; content:"java_ara&name="; http_uri; content:"/forum/"; http_uri; content:".php?"; http_uri; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014805; rev:1; metadata:created_at 2012_05_23, updated_at 2012_05_23;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito Exploit Kit landing page request to images.php?t=4xxxxxxx"; flow:established,to_server; content:"/images.php?t="; http_uri; urilen:22; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014641; rev:3; metadata:created_at 2012_04_26, former_category EXPLOIT_KIT, updated_at 2012_04_26;) #alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS FedEX Spam Inbound"; flow:established,to_server; content:"name=|22|FEDEX"; nocase; content:".zip|22|"; within:47; nocase; pcre:"/name=\x22FEDEX(\s|_|\-)?[a-z0-9\-_\.\s]{0,42}\.zip\x22/i"; classtype:trojan-activity; sid:2014827; rev:2; metadata:created_at 2012_05_30, updated_at 2012_05_30;) #alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS UPS Spam 
Inbound"; flow:established,to_server; content:"name=|22|"; nocase; content:"UPS"; nocase; within:11; content:".zip|22|"; within:74; nocase; pcre:"/name=\x22([a-z_]{0,8})?UPS(\s|_|\-)?[a-z0-9\-_\.\s]{0,69}\.zip\x22/i"; classtype:trojan-activity; sid:2014828; rev:2; metadata:created_at 2012_05_30, former_category CURRENT_EVENTS, updated_at 2017_12_11;) #alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Post Express Spam Inbound"; flow:established,to_server; content:"name=|22|Post_Express_Label_"; nocase; content:".zip|22|"; within:15; nocase; pcre:"/name=\x22Post_Express_Label_[a-z0-9\-_\.\s]{0,10}\.zip\x22/i"; classtype:trojan-activity; sid:2014829; rev:1; metadata:created_at 2012_05_30, updated_at 2012_05_30;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS php with eval/gzinflate/base64_decode possible webshell"; flow:to_client,established; file_data; content:" $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS webshell used In timthumb attacks GIF98a 16129xX with PHP"; flow:to_client,established; file_data; content:"GIF89a|01 3f|"; within:8; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Version 1.1 Archive Request"; flow:established,to_server; content:"/getfile.php?i="; http_uri; content:"&key="; http_uri; pcre:"/\x2Fgetfile\x2Ephp\x3Fi\x3D[0-9]\x26key\x3D[a-f0-9]{32}$/Ui"; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:trojan-activity; sid:2014851; rev:1; metadata:created_at 2012_06_04, former_category EXPLOIT_KIT, updated_at 2020_04_21;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sakura Exploit Kit Version 1.1 document.write Fake 404 - Landing Page"; flow:established,to_client; content:"document.write(|22|404|22 3B|"; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:trojan-activity; sid:2014852; rev:2; metadata:created_at 2012_06_04, former_category EXPLOIT_KIT, updated_at 
2012_06_04;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Redirect to driveby sid=mix"; flow:to_server,established; content:"/go.php?sid=mix"; http_uri; classtype:bad-unknown; sid:2014866; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_06_07, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_04_21;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request to malicious SutraTDS - lonly= in cookie"; flow:established,to_server; content:" lonly="; fast_pattern:only; content:" lonly="; http_cookie; classtype:bad-unknown; sid:2014884; rev:1; metadata:created_at 2012_06_08, former_category EXPLOIT_KIT, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit - Java Exploit Requested - 5 digit jar"; flow:established,to_server; urilen:10; content:".jar"; http_uri; pcre:"/^\/[0-9]{5}\.jar$/U"; classtype:trojan-activity; sid:2014891; rev:2; metadata:created_at 2012_06_14, former_category CURRENT_EVENTS, updated_at 2012_06_14;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Jar File Naming Algorithm"; flow:established,to_client; content:"Content-Disposition: inline"; http_header; nocase; content:".jar"; http_header; fast_pattern; content:"|0D 0A 0D 0A|PK"; pcre:"/=[0-9a-f]{8}\.jar/H"; classtype:trojan-activity; sid:2014892; rev:3; metadata:created_at 2012_06_14, former_category CURRENT_EVENTS, updated_at 2012_06_14;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Landing Page Received - applet and code"; flow:established,to_client; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - JAR Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; pcre:"/=[.\"]\w{8}\.jar/Hi"; content:"|0D 0A 0D 0A|PK"; fast_pattern; classtype:trojan-activity; 
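sid:2014913; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_15, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
# Incognito EK chain, step 1: the landing-page request only arms ET.http.driveby.incognito.uri
# (flowbits:noalert), so it never alerts by itself; the response rule below fires only when the
# flowbit is already set on the same flow.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Landing Page Requested .php?showtopic=6digit"; flow:established,to_server; flowbits:noalert; flowbits:set,ET.http.driveby.incognito.uri; urilen:25<>45; content:".php?showtopic="; http_uri; pcre:"/\.php\?showtopic=[0-9]{6}$/U"; classtype:trojan-activity; sid:2014922; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_06_19, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
# NOTE(review): sid 2014923 is truncated in this copy -- its content match (an HTML tag) was
# swallowed by page extraction and the text runs straight into the header of sid 2014924, so
# it cannot be loaded from here; take it from the upstream ruleset. Its header also puts
# $HTTP_PORTS on the destination while flow says to_client; the other response rules in this
# file put $HTTP_PORTS on the source side. Left byte-identical because the rule is unusable anyway.
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Landing Page Received applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.incognito.uri; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Payload Requested /getfile.php by Java Client"; flow:established,to_server; content:"/getfile.php?"; http_uri; content:"Java/1"; http_header; classtype:attempted-user; sid:2014924; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_06_19, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_04_21;)
# FIX: sid 2014927 inspects a client request (flow:to_server, http_uri) but its header was
# $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any, the response direction, so it could only fire on
# an inbound request whose source port happened to be in $HTTP_PORTS -- never on a host in
# $HOME_NET fetching the .jar. Header corrected to the request direction used by the sibling
# Java-request rules (e.g. sid 2014928); detection options unchanged, rev bumped.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Malicious Jar /eeltff.jar"; flow:to_server,established; content:"/eeltff.jar"; nocase; http_uri; classtype:trojan-activity; sid:2014927; rev:2; metadata:created_at 2012_06_20, updated_at 2012_06_20;)
# sid 2014928 (Java client requesting a .jar with Host dl.dropbox.com) continues on the next line.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown - Java Request .jar from dl.dropbox.com"; flow:established,to_server; content:"dl.dropbox.com|0D 0A|"; 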
http_header; content:" Java/1"; http_header; content:".jar"; http_uri; classtype:bad-unknown; sid:2014928; rev:2; metadata:created_at 2012_06_20, updated_at 2012_06_20;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Version Check with hidden applet"; flow:established,from_server; file_data; content:"deployJava.versionCheck|28|"; distance:0; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript redirecting to badness 21 June 2012"; flow:established,from_server; file_data; content:"javascript'>var wow="; content:"Date&&"; distance:12; within:60; classtype:bad-unknown; sid:2014930; rev:1; metadata:created_at 2012_06_21, updated_at 2012_06_21;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request to malicious info.php drive-by landing"; flow:established,to_server; content:"/info.php?n="; http_uri; fast_pattern:only; content:!"&"; http_uri; content:!"|0d 0a|Referer|3a|"; pcre:"/\/info.php\?n=\d/U"; classtype:trojan-activity; sid:2013010; rev:2; metadata:created_at 2011_06_10, updated_at 2011_06_10;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Java Exploit Attempt Request for .id from octal host"; flow:established,to_server; content:".id|20|HTTP/1.1|0d 0a|"; fast_pattern; content:"|20|Java/"; http_header; content:"Host|3a 20|"; pcre:"/Host\x3a \d{4,}[^A-Za-z\.]/D"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012628; rev:4; metadata:created_at 2011_04_04, updated_at 2011_04_04;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Landing Page Received - applet and 0px"; flow:established,to_client; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Base64 - Java Exploit Requested - /1Digit"; flow:established,to_server; urilen:2; 
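content:" Java/1"; http_header; pcre:"/^\/[0-9]$/U"; classtype:trojan-activity; sid:2014959; rev:1; metadata:created_at 2012_06_25, updated_at 2012_06_25;)
# "Base64" kit landing page: literal base64encode(GetOs() in the response body (no file_data, raw match).
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Base64 - Landing Page Received - base64encode(GetOs()"; flow:established,to_client; content:"base64encode(GetOs()"; classtype:trojan-activity; sid:2014960; rev:1; metadata:created_at 2012_06_25, updated_at 2012_06_25;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Landing Page Received - foxxysoftware"; flow:established,to_client; content:"|7C|foxxysoftware|7C|"; classtype:trojan-activity; sid:2014935; rev:3; metadata:created_at 2012_06_22, updated_at 2012_06_22;)
# PDF (magic %PDF in the first 4 bytes of the body) containing the literal string "NEW PDF EXPLOIT".
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic - PDF with NEW PDF EXPLOIT"; flow:established,to_client; file_data; content:"%PDF"; within:4; fast_pattern; content:"NEW PDF EXPLOIT"; classtype:trojan-activity; sid:2014966; rev:2; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
# Active rule. Matches any GET for a root-level /<15 lowercase letters><digit>.php (urilen:21 = 1+15+1+4).
# The pattern is purely structural, so expect tuning if it proves noisy in your environment.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS - Landing Page Requested - 15Alpha1Digit.php"; flow:established,to_server; urilen:21; content:"GET"; http_method; content:".php"; http_uri; pcre:"/^\/[a-z]{15}[0-9]\.php$/U"; classtype:trojan-activity; sid:2014967; rev:2; metadata:created_at 2012_06_26, updated_at 2020_04_21;)
# FIX: the urilen <> operator is exclusive in both Snort and Suricata, so the original
# urilen:16<>19 admitted only lengths 17-18, while the pcre requires "/" + 13-14 letters + ".jar",
# i.e. 18 or 19 bytes. The 14-letter case named in msg could therefore never alert. Bounds
# changed to 17<>20 (= exactly 18-19); pcre unchanged, rev bumped.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown - Java Exploit Requested - 13-14Alpha.jar"; flow:established,to_server; urilen:17<>20; content:".jar"; http_uri; fast_pattern; content:" Java/1"; http_header; pcre:"/^\/[a-z]{13,14}\.jar$/U"; classtype:trojan-activity; sid:2014969; rev:2; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
# sid 2014970 (Runforestrun injected setAttribute("src", "http://" + ... + "/runforestrun?sid=") continues on the next line.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website"; flow:established,to_client; content:"setAttribute|28 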
22|src|22|, |22|http|3A|//|22| + "; nocase; content:"+ |22|/runforestrun?sid="; fast_pattern; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-062103-1655-99; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; classtype:trojan-activity; sid:2014970; rev:2; metadata:created_at 2012_06_26, updated_at 2012_06_26;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HeapLib JS Library"; flow:established,to_client; file_data; content:"heapLib.ie|28|"; nocase; reference:url,www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf; classtype:bad-unknown; sid:2014972; rev:1; metadata:created_at 2012_06_26, updated_at 2012_06_26;) #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Googlebot UA POST to /uploadify.php"; flow:established,to_server; content:"POST"; http_method; content:"/uploadify.php"; http_uri; nocase; fast_pattern; content:"User-Agent|3a| Mozilla/5.0 (compatible|3b| Googlebot/2.1|3b|"; http_header; reference:url,blog.sucuri.net/2012/06/uploadify-uploadify-and-uploadify-the-new-timthumb.html; classtype:attempted-recon; sid:2014982; rev:1; metadata:created_at 2012_06_29, updated_at 2012_06_29;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Scalaxy Jar file"; flow:to_client,established; file_data; content:"PK"; within:2; content:"C1.class"; fast_pattern; distance:0; content:"C2.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014983; rev:2; metadata:created_at 2012_06_29, updated_at 2012_06_29;) alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response /*qhk6sa6g1c*/ Jun 25 2012"; flow:established,from_server; file_data; content:"/*qhk6sa6g1c*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; 
classtype:trojan-activity; sid:2014985; rev:4; metadata:created_at 2012_06_29, updated_at 2012_06_29;) alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response /*km0ae9gr6m*/ Jun 25 2012"; flow:established,from_server; file_data; content:"/*km0ae9gr6m*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014984; rev:3; metadata:created_at 2012_06_29, updated_at 2012_06_29;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - Landing Page Received - applet archive=32CharHex"; flow:established,to_client; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website Landing Page Obfuscated String JavaScript DGA"; flow:established,to_client; file_data; content:"*/window.eval(String.fromCharCode("; distance:0; isdataat:80,relative; content:!")"; within:80; pcre:"/\x2A[a-z0-9]{10}\x2A\x2Fwindow\x2Eeval\x28String\x2EfromCharCode\x28[0-9]{1,3}\x2C[0-9]{1,3}\x2C/sm"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014998; rev:1; metadata:created_at 2012_07_02, updated_at 2012_07_02;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito - Malicious PDF Requested - /getfile.php"; flow:established,to_server; content:"/getfile.php?i="; http_uri; content:"&key="; http_uri; content:!" 
Java/1"; http_header; classtype:trojan-activity; sid:2015024; rev:2; metadata:created_at 2012_07_04, updated_at 2012_07_04;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack exploit pack /mix/ Java exploit"; flow:established,to_server; content:"/mix/"; http_uri; depth:5; content:".jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015010; rev:2; metadata:created_at 2012_07_03, former_category EXPLOIT_KIT, updated_at 2012_07_03;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack exploit pack /mix/ payload"; flow:established,to_server; content:"/mix/"; http_uri; depth:5; content:".php"; http_uri; content:"fid="; http_uri; content:"quote="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015011; rev:1; metadata:created_at 2012_07_04, former_category EXPLOIT_KIT, updated_at 2020_04_21;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack - 32Char.php by Java Client"; flow:established,to_server; urilen:52<>130; content:".php?"; http_uri; content:" Java/1"; http_header; pcre:"/^\/[a-z]{1,10}\/[a-z0-9]{32}\.php\?/U"; classtype:trojan-activity; sid:2015042; rev:1; metadata:created_at 2012_07_07, former_category CURRENT_EVENTS, updated_at 2012_07_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_s=1 - Payload Requested - 32AlphaNum?s=1 Java Request"; flow:established,to_server; urilen:37; content:"?s=1"; http_uri; content:" Java/1"; http_header; pcre:"/^\/[a-z0-9]{32}\?s=1$/Ui"; classtype:trojan-activity; sid:2015055; rev:1; metadata:created_at 2012_07_12, updated_at 2012_07_12;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito - Java Exploit Requested - /gotit.php by Java Client"; flow:established,to_server; content:"/gotit.php?"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015030; rev:2; 
metadata:created_at 2012_07_06, updated_at 2012_07_06;)
# Incognito payload stage: Java client (" Java/1" in headers) requesting /load.php?...
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito - Payload Request - /load.php by Java Client"; flow:established,to_server; content:"/load.php?"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015031; rev:2; metadata:created_at 2012_07_06, updated_at 2012_07_06;)
# NOTE(review): sid 2015053 is damaged by page extraction. content:"[a-f0-9]{10}<\/title>/" is
# regex syntax with a trailing /-delimiter -- it looks like the tail of a pcre, not a literal --
# and the leading part of the rule body is gone. A loader would accept it as a literal string
# that never appears in real traffic, so the rule would load yet detect nothing. The following
# Unknown_s=1 "100HexChar" rule lost everything from its content match up to the header of
# sid 2014750 (the two are fused into one line). Do not deploy either from this copy; restore
# both from the upstream ET Open ruleset.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_s=1 - Landing Page - 10HexChar Title and applet"; flow:established,to_client; file_data; content:"[a-f0-9]{10}<\/title>/"; classtype:trojan-activity; sid:2015053; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_s=1 - Landing Page - 100HexChar value and applet"; flow:established,to_client; file_data; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito/RedKit Exploit Kit vulnerable Java payload request to /1digit.html"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; urilen:7; content:".html"; http_uri; content:" Java/1"; http_header; pcre:"/\/[0-9]\.html$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014750; rev:3; metadata:created_at 2012_05_14, former_category EXPLOIT_KIT, updated_at 2012_05_14;)
# sid 2014096 (continues on the next line): document.write("\uXXXX\uXXXX... with no ")" in the next
# 100 bytes, i.e. a long run of backslash-u escapes. It carries flowbits:noalert, so it never
# alerts itself -- it only arms et.exploitkitlanding for the payload-stage rules.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Document.write Long Backslash UTF-16 Encoded Content - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:"document.write|28 22 5C|u"; nocase; isdataat:100,relative; content:!"|29|"; within:100; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:70; content:"|5C|u"; nocase; distance:4; within:2; flowbits:set,et.exploitkitlanding; flowbits:noalert; reference:url,www.kahusecurity.com/2011/elaborate-black-hole-infection/; 
classtype:bad-unknown; sid:2014096; rev:6; metadata:created_at 2012_01_04, former_category EXPLOIT_KIT, updated_at 2012_01_04;)
# NOTE(review): re-flowed one rule per line. The line above is the tail of a rule whose header precedes this section, and the last line below is the header of a rule that continues after it. Several rules in between (flagged inline) are missing text in this copy and are unlikely to parse as written — confirm them against the upstream ruleset before loading.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Compressed Adobe Flash File Embedded in XLS FILE Caution - Could be Exploit"; flow:established,from_server; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; content:"|45 57 73 09|"; distance:0; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; classtype:attempted-user; sid:2012503; rev:4; metadata:created_at 2011_03_15, updated_at 2011_03_15;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit PluginDetect Rename Saigon"; flow:established,from_server; content:"var Saigon={version|3a 22|"; fast_pattern:only; classtype:trojan-activity; sid:2015516; rev:1; metadata:created_at 2012_07_23, former_category CURRENT_EVENTS, updated_at 2012_07_23;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS .HTM being served from WP 1-flash-gallery Upload DIR (likely malicious)"; flow:established,to_server; content:"/wp-content/uploads/fgallery/"; fast_pattern:11,18; nocase; http_uri; content:".htm"; nocase; distance:0; http_uri; classtype:bad-unknown; sid:2015517; rev:2; metadata:created_at 2012_07_23, updated_at 2012_07_23;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS JS.Runfore Malware Campaign Request"; flow:established,to_server; content:"/runforestrun?"; http_uri; fast_pattern:only; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-062103-1655-99; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; classtype:trojan-activity; sid:2014971; rev:2; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake-AV Conditional Redirect (Blackmuscats)"; flow:established,to_server; content:"/blackmuscats?"; fast_pattern:only; http_uri; reference:url,blog.sucuri.net/2012/07/blackmuscats-conditional-redirections-to-faveav.html/; classtype:trojan-activity; sid:2015553; rev:2; metadata:created_at 2012_07_31, updated_at 2012_07_31;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Yszz JS/Encryption (Used in KaiXin Exploit Kit)"; flow:to_client,established; file_data; content:"|2f 2a|Yszz 0.7 vip|2a 2f|"; fast_pattern:only; nocase; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2015573; rev:1; metadata:created_at 2012_08_03, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
# NOTE(review): the next line holds two rules fused together — after the DoSWF rule's second content:" the text jumps straight into the tail of the header of the "Obfuscated Javascript redirecting to badness" rule (sid:2015578). The DoSWF rule's remaining options and sid are missing in this copy (an HTML-looking pattern was apparently dropped during extraction); the line will not parse as written.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DoSWF Flash Encryption (Used in KaiXin Exploit Kit)"; flow:to_client,established; file_data; content:"CWS"; within:3; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript redirecting to badness August 6 2012"; flow:established,from_server; content:"text/javascript'>var wow="; content:"document.cookie.indexOf"; distance:0; within:70; classtype:bad-unknown; sid:2015578; rev:1; metadata:created_at 2012_08_06, updated_at 2020_08_20;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Comments"; flow:established,to_client; file_data; content:"FoxxySF Website Copier"; distance:0; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015583; rev:3; metadata:created_at 2012_08_07, updated_at 2012_08_07;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Comments(2)"; flow:established,to_client; content:"Added By FoxxySF"; fast_pattern:only; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015584; rev:3; metadata:created_at 2012_08_07, updated_at 2012_08_07;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FoxxySoftware - Hit Counter Access"; flow:to_server,established; content:"/wtf/callback=getip"; fast_pattern:only; http_uri; nocase; content:".php?username="; nocase; http_uri; content:"&website="; nocase; http_uri; content:"foxxysoftware.org"; http_header; nocase; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015585; rev:1; metadata:created_at 2012_08_07, updated_at 2012_08_07;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sutra TDS /simmetry"; flow:to_server,established; content:"/simmetry?"; fast_pattern:only; http_uri; reference:url,blog.sucuri.net/2012/08/very-good-malware-redirection.html; classtype:trojan-activity; sid:2015593; rev:1; metadata:created_at 2012_08_08, updated_at 2020_09_17;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Java Exploit Requested - /spl_data/"; flow:established,to_server; content:"/spl_data/"; http_uri; fast_pattern:only; content:" Java/"; http_header; classtype:trojan-activity; sid:2015603; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_09_17;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Java Exploit Requested .jar Naming Pattern"; flow:established,to_server; content:"-a."; http_uri; content:".jar"; http_uri; fast_pattern:only; content:" Java/"; http_header; pcre:"/\/[a-z]{4,20}-a\.[a-z]{4,20}\.jar$/U"; classtype:trojan-activity; sid:2015604; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_07;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Landing Page Received"; flow:established,to_client; file_data; content:"application/x-java-applet"; content:"width=|22|0|22| height=|22|0|22|>"; fast_pattern; within:100; classtype:trojan-activity; sid:2015605; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
# NOTE(review): the msg strings of the next two rules look swapped — sid:2015646 is titled "/form" but its header content is "/search|0d 0a|", while sid:2015647 is titled "/search" and matches "/form|0d 0a|". Both are disabled here; fix the titles (with a rev bump) if they are re-enabled.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit seen with O1/O2.class /form"; flow:established,to_server; content:"/L"; http_uri; depth:2; content:"/search|0d 0a|"; http_header; fast_pattern:only; pcre:"/^\/L[a-zA-Z0-9]+\/[a-zA-Z0-9\x5f]+\?[a-z]+=[A-Za-z0-9\x2e]{10,}$/Um"; classtype:trojan-activity; sid:2015646; rev:4; metadata:created_at 2012_08_17, former_category EXPLOIT_KIT, updated_at 2012_08_17;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit seen with O1/O2.class /search"; flow:established,to_server; content:"/L"; http_uri; depth:2; content:"/form|0d 0a|"; http_header; fast_pattern:only; pcre:"/^\/L[a-zA-Z0-9]+\/[a-zA-Z0-9\x5f]+\?[a-z]+=[A-Za-z0-9\x2e]{10,}$/Um"; classtype:trojan-activity; sid:2015647; rev:3; metadata:created_at 2012_08_17, former_category EXPLOIT_KIT, updated_at 2012_08_17;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - null"; flow:established,to_server; urilen:85; content:"/null/null"; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/null\/null$/U"; classtype:attempted-user; sid:2015667; rev:1; metadata:created_at 2012_08_28, updated_at 2012_08_28;)
# NOTE(review): the second reference:url in sid:2015669 contains a literal space ("clean-mx viruses.php"), which is not a valid reference value and suggests a character was lost in this copy — verify against upstream.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Malicious Redirect n.php h=*&s=*"; flow:to_server,established; content:"/n.php?h="; fast_pattern:only; http_uri; content:"&s="; http_uri; content:".rr.nu|0d 0a|"; http_header; pcre:"/\/n\.php\?h=\w*?&s=\w{1,5}$/Ui"; reference:url,0xicf.wordpress.com/category/security-updates/; reference:url,support.clean-mx.de/clean-mx viruses.php?domain=rr.nu&sort=first%20desc; reference:url,urlquery.net/report.php?id=111302; classtype:attempted-user; sid:2015669; rev:9; metadata:created_at 2012_08_22, updated_at 2012_08_22;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Likely TDS redirecting to exploit kit"; flow:established,to_server; content:".php?go="; http_uri; pcre:"/\.php\?go=\d$/U"; classtype:bad-unknown; sid:2014854; rev:3; metadata:created_at 2012_06_04, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - Java"; flow:established,to_server; urilen:>85; content:"/1."; offset:75; depth:3; http_uri; content:"|2e|"; distance:1; within:1; http_uri; content:"|2e|"; distance:1; within:1; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/1\.[4-7]\.[0-2]\.[0-9]{1,2}\//U"; classtype:attempted-user; sid:2015666; rev:3; metadata:created_at 2012_08_28, updated_at 2012_08_28;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excessive new Array With Newline - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:" = new Array|28 29 3B|"; fast_pattern; nocase; content:" = new Array|28 29 3B|"; nocase; within:100; content:" = new Array|28 29 3B|"; nocase; content:" = new Array|28 29 3B|"; nocase; within:100; content:" = new Array|28 29 3B|"; nocase; content:" = new Array|28 29 3B|"; nocase; within:100; flowbits:set,et.exploitkitlanding; flowbits:noalert; reference:url,www.kahusecurity.com/2011/elaborate-black-hole-infection/; classtype:bad-unknown; sid:2014097; rev:3; metadata:created_at 2012_01_04, former_category EXPLOIT_KIT, updated_at 2012_01_04;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET 1342 (msg:"ET CURRENT_EVENTS Unknown Exploit Kit redirect"; flow:established,to_server; content:"GET /t/"; depth:7; fast_pattern; pcre:"/^[a-f0-9]{32}\sHTTP\x2f1\./Ri"; content:"|0d 0a|Host|3a| "; distance:0; pcre:"/^[^\r\n]+\x3a1342\r\n/R"; classtype:bad-unknown; sid:2015672; rev:9; metadata:created_at 2012_08_29, former_category EXPLOIT_KIT, updated_at 2012_08_29;)
# NOTE(review): in sid:2015676 the second negated match is written content:"!.class" — the "!" sits inside the quotes, so it matches the literal string "!.class" instead of excluding ".class" the way the preceding content:!".jar" does. If this rule is re-enabled, change it to content:!".class" and bump rev.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit Payload Download Request - Sep 04 2012"; flow:established,to_server; content:" Java/"; http_header; fast_pattern:only; urilen:>24; content:!".jar"; nocase; http_uri; content:"!.class"; nocase; http_uri; pcre:"/\/[A-Z]{20,}\?[A-Z]=\d$/Ui"; classtype:trojan-activity; sid:2015676; rev:2; metadata:created_at 2012_09_05, former_category EXPLOIT_KIT, updated_at 2012_09_05;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sakura exploit kit exploit download request /view.php"; flow:established,to_server; content:"/view.php?i="; http_uri; fast_pattern:only; pcre:"/\/view.php\?i=\d&key=[0-9a-f]{32}$/U"; classtype:trojan-activity; sid:2015678; rev:2; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
# NOTE(review): sid:2015679 is a from_server rule, but its header is $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS, i.e. the web-server port is on the $HOME_NET side. The companion rule sid:2015735 further down uses $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any for the same kind of match. As written this active rule presumably only sees traffic toward local web servers — confirm the intended direction.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Probable Sakura exploit kit landing page with obfuscated URLs"; flow:established,from_server; content:"applet"; content:"myyu?44"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015679; rev:1; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2012_09_06;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit with fast-flux like behavior static initial landing - Sep 05 2012"; flow:established,to_server; content:"/PJeHubmUD"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015682; rev:1; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2012_09_06;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit with fast-flux like behavior hostile java archive - Sep 05 2012"; flow:established,to_server; content:"pqvjdujfllkwl.jar"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015683; rev:1; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2012_09_06;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Clickpayz redirection to *.clickpayz.com"; flow:established,from_server; content:"30"; http_stat_code; depth:2; content:"clickpayz.com/"; http_header; classtype:bad-unknown; sid:2014318; rev:2; metadata:created_at 2012_03_05, updated_at 2012_03_05;)
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Remote PHP Code Execution (php.pjpg)"; flow:established,to_server; content:"POST"; http_method; content:".php.pjpg"; fast_pattern:only; http_uri; nocase; reference:url,exploitsdownload.com/search/Arbitrary%20File%20Upload/27; classtype:web-application-attack; sid:2015688; rev:2; metadata:created_at 2012_09_07, updated_at 2012_09_07;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY NeoSploit - Java Exploit Requested"; flow:established,to_server; urilen:>89; content:".jar"; http_uri; fast_pattern:only; content:" Java/1"; http_header; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.jar$/U"; classtype:attempted-user; sid:2015689; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_09_11, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_07;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - Obfuscated Payload Requested"; flow:established,to_server; urilen:>89; content:" Java/1"; http_header; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/[0-9]{7}$/U"; classtype:attempted-user; sid:2015690; rev:1; metadata:created_at 2012_09_11, updated_at 2019_10_07;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - PDF Exploit Requested"; flow:established,to_server; urilen:>89; content:".pdf"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.pdf$/U"; classtype:attempted-user; sid:2015691; rev:1; metadata:created_at 2012_09_11, updated_at 2019_10_07;)
# NOTE(review): sid:2015693 and sid:2015694 below carry the same msg and the same pcre as the older, disabled pair sid:2015666 / sid:2015667 above; keep the two pairs in sync if the regex is ever adjusted, or retire the disabled pair.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - Java"; flow:established,to_server; urilen:>85; content:"/1."; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/1\.[4-7]\.[0-2]\.[0-9]{1,2}\//U"; classtype:attempted-user; sid:2015693; rev:1; metadata:created_at 2012_09_11, updated_at 2020_09_17;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - null"; flow:established,to_server; urilen:85; content:"/null/null"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/null\/null$/U"; classtype:attempted-user; sid:2015694; rev:1; metadata:created_at 2012_09_11, updated_at 2019_10_07;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic - 8Char.JAR Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; fast_pattern:only; pcre:"/[=\"]\w{8}\.jar/Hi"; file_data; content:"PK"; within:2; classtype:attempted-user; sid:2015695; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_09_11, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_09_17;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DoSWF Flash Encryption Banner"; flow:to_client,established; file_data; content:"FWS"; within:3; content:"DoSWF"; distance:0; classtype:attempted-user; sid:2015704; rev:5; metadata:created_at 2012_09_17, updated_at 2012_09_17;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sakura exploit kit exploit download request /sarah.php"; flow:established,to_server; content:"/sarah.php?s="; http_uri; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015733; rev:1; metadata:created_at 2012_09_24, former_category EXPLOIT_KIT, updated_at 2012_09_24;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sakura exploit kit exploit download request /nano.php"; flow:established,to_server; content:"/nano.php?x="; fast_pattern:only; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015734; rev:1; metadata:created_at 2012_09_24, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
# NOTE(review): sid:2012609 writes its CVE reference as reference:cve,CVE-2010-4452; every other cve reference in this section omits the "CVE-" prefix (e.g. reference:cve,2011-0609 above), and a reference URL template that prepends the prefix would presumably double it here.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Phoenix Java Exploit Attempt Request for .class from octal host"; flow:established,to_server; content:".class|20|HTTP/1.1|0d 0a|"; fast_pattern; content:"|20|Java/"; http_header; content:"Host|3a 20|"; pcre:"/Host\x3a \d{4,}[^A-Za-z\.]/D"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012609; rev:5; metadata:created_at 2011_03_31, updated_at 2011_03_31;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit 32-32 byte hex initial landing"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; isdataat:64,relative; content:"="; http_uri; distance:32; within:1; pcre:"/\/\?[a-f0-9]{32}=[^&]+&[a-f0-9]{32}=[^&]+$/U"; classtype:trojan-activity; sid:2015781; rev:1; metadata:created_at 2012_10_05, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
# NOTE(review): sid:2015789 constrains urilen:9 but its content:"/icon.php" carries no http_uri modifier, so the string is searched in the raw payload rather than the normalized URI; sid:2015886 (content:"/a.Test") below has the same shape. It will most likely still hit the request line, but adding http_uri would make the intent explicit and avoid matches elsewhere in the request.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BegOpEK - TDS - icon.php"; flow:established,to_server; content:"/icon.php"; urilen:9; classtype:trojan-activity; sid:2015789; rev:1; metadata:created_at 2012_10_09, updated_at 2012_10_09;)
# NOTE(review): the next line fuses the "BegOpEK - Landing Page" rule with the "Scalaxy Secondary Landing Page" rule (sid:2015792) — the BegOpEK rule's content pattern, remaining options and sid are missing after content:" in this copy. It will not parse as written.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS BegOpEK - Landing Page"; flow:established,to_client; file_data; content:" 209.139.208.0/23 $HTTP_PORTS (msg:"ET CURRENT_EVENTS Scalaxy Secondary Landing Page 10/11/12"; flow:to_server,established; content:"/q"; http_uri; depth:2; pcre:"/^\/q[a-zA-Z0-9+-]{3,14}\/[a-zA-Z0-9+-]{3,16}\?[a-z]{1,6}=[a-zA-Z0-9+-\._]{7,18}$/U"; classtype:trojan-activity; sid:2015792; rev:1; metadata:created_at 2012_10_11, updated_at 2012_10_11;)
#alert tcp $HOME_NET any -> 209.139.208.0/23 $HTTP_PORTS (msg:"ET CURRENT_EVENTS Scalaxy Java Exploit 10/11/12"; flow:to_server,established; content:"/m"; http_uri; depth:2; pcre:"/^\/m[a-zA-Z0-9-_]{3,14}\/[a-zA-Z0-9-_]{3,17}$/U"; classtype:trojan-activity; sid:2015793; rev:1; metadata:created_at 2012_10_11, updated_at 2012_10_11;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 10/17/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern; distance:0; content:"Mac.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015812; rev:2; metadata:created_at 2012_10_18, updated_at 2012_10_18;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack Exploit Kit .homeip. Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".homeip."; http_header; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015818; rev:2; metadata:created_at 2012_10_19, former_category EXPLOIT_KIT, updated_at 2020_02_10;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack Exploit Kit .homelinux. Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".homelinux."; http_header; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015819; rev:2; metadata:created_at 2012_10_19, former_category EXPLOIT_KIT, updated_at 2020_02_10;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS JavaScript Obfuscation JSXX Script"; flow:established,to_client; file_data; content:"Encrypt "; content:"JSXX"; fast_pattern; distance:0; content:"VIP"; within:100; reference:cve,2012-0003; reference:url,eromang.zataz.com/2012/10/22/gong-da-gondad-exploit-pack-evolutions/; classtype:attempted-user; sid:2014155; rev:4; metadata:created_at 2012_01_27, updated_at 2012_01_27;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Landing Page"; flow:established,to_server; content:"/Applet.jar"; http_uri; fast_pattern:only; pcre:"/^\/Applet\.jar$/U"; classtype:successful-user; sid:2015841; rev:2; metadata:created_at 2012_10_24, former_category EXPLOIT_KIT, updated_at 2012_10_24;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Landing Page"; flow:established,to_server; content:"/beacon/"; http_uri; fast_pattern:only; pcre:"/\/beacon\/[a-f0-9]{8}\.htm$/U"; classtype:successful-user; sid:2015840; rev:2; metadata:created_at 2012_10_24, former_category EXPLOIT_KIT, updated_at 2012_10_24;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic Java Exploit Obfuscated With Allatori"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"Allatori"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2014036; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_22, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2012-1723 Path (Seen in Unknown EK) 10/29/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"cve1723/"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015849; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_10_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
# NOTE(review): the next line fuses the "Metasploit CVE-2012-1723 Attacker.class" rule with the first "Sophos PDF Standard Encryption Key Length Buffer Overflow" rule (sid:2015867) — the Attacker.class rule's pattern, remaining options and sid are missing after content:" in this copy. It will not parse as written.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2012-1723 Attacker.class (Seen in Unknown EK) 11/01/12"; flow:to_client,established; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"/Standard"; content:"/R 3"; within:200; pcre:"/^[\r\n\s]+((?!>>).)+?\/Length[\r\n\s]+(\d{4}|(?!(\d{1,2}[\r\n\s]|1[0-2][0-8][\r\n\s])))/Rs"; classtype:trojan-activity; sid:2015867; rev:1; metadata:created_at 2012_11_06, updated_at 2012_11_06;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"/Standard"; content:"/Length"; within:200; pcre:"/^[\r\n\s]+(\d{4}|(?!(\d{1,2}[\r\n\s]|1[0-2][0-8][\r\n\s])))((?!>>).)+\/R\s+3[\r\n\s>]/Rs"; classtype:trojan-activity; sid:2015866; rev:3; metadata:created_at 2012_11_06, updated_at 2012_11_06;)
# NOTE(review): the msg of sid:2015865 reads "Self-Singed" — presumably "Self-Signed". Left untouched here because downstream tooling may key on the exact msg string; correct it upstream with a rev bump.
#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Self-Singed SSL Cert Used in Conjunction with Neosploit"; flow:from_server,established; content:"|16 03 01|"; content:"|00 be d3 cf b1 fe a1 55 bf|"; distance:0; content:"webmaster@localhost"; distance:0; content:"|30 81 89 02 81 81 00 ac 12 38 fc 5c bf 7c 8c 18 e7 db 09 dc|"; distance:0; classtype:trojan-activity; sid:2015865; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_11_06, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probable Sakura Java applet with obfuscated URL Sep 21 2012"; flow:established,from_server; file_data; content:"applet"; content:"nzzv@55"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015735; rev:2; metadata:created_at 2012_09_24, updated_at 2012_09_24;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Cool Exploit Kit Requesting Payload"; flow:established,to_server; content:"/f.php?k="; http_uri; fast_pattern:only; pcre:"/^\/[a-z]\/f\.php\?k=\d(&e=\d&f=\d)?$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015873; rev:4; metadata:created_at 2012_11_08, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 09 Nov 12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern:only; content:"Anony"; pcre:"/^(mous)?\.class/R"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015876; rev:2; metadata:created_at 2012_11_09, updated_at 2012_11_09;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Landing Page NOP String"; flow:established,to_client; file_data; content:" == -1 {|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0"; distance:0; reference:url,ondailybasis.com/blog/?p=1610; classtype:trojan-activity; sid:2015881; rev:2; metadata:created_at 2012_11_14, former_category EXPLOIT_KIT, updated_at 2012_11_14;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Landing Page parseInt Javascript Replace"; flow:established,to_client; file_data; content:" = parseInt("; distance:0; content:".replace(|2F 5C 2E 7C 5C 5F 2F|g, ''))|3B|"; within:30; reference:url,ondailybasis.com/blog/?p=1610; classtype:trojan-activity; sid:2015882; rev:1; metadata:created_at 2012_11_14, former_category EXPLOIT_KIT, updated_at 2012_11_14;)
# NOTE(review): the last content in sid:2015883, document.createElement|22|param, has no "(" between createElement and the quote, unlike the first content of the same rule (document.createElement(|22|applet|22|)). This looks like a typo that would keep the rule from ever matching — verify the intended pattern before re-enabling.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit Campaign SetAttribute Java Applet"; flow:established,to_client; file_data; content:"document.createElement(|22|applet|22|)|3B|"; fast_pattern:13,20; distance:0; nocase; content:".setAttribute(|22|code"; distance:0; nocase; content:".class|22 29 3B|"; nocase; within:50; content:".setAttribute(|22|archive"; nocase; distance:0; content:"document.createElement|22|param"; nocase; distance:0; reference:url,ondailybasis.com/blog/?p=1593; classtype:trojan-activity; sid:2015883; rev:1; metadata:created_at 2012_11_14, updated_at 2012_11_14;)
# NOTE(review): the next line fuses the "CritXPack Landing Page" rule with the "CritXPack - No Java URI - Dot.class" rule (sid:2015885) — the landing-page rule's pattern, remaining options and sid are missing after content:" in this copy. It will not parse as written.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritXPack Landing Page"; flow:established,to_client; file_data; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack - No Java URI - Dot.class"; flow:established,to_server; urilen:10; content:"/Dot.class"; http_uri; classtype:trojan-activity; sid:2015885; rev:1; metadata:created_at 2012_11_14, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
# NOTE(review): the msg of sid:2015886 reads "CirtXPack" where the neighbouring rules say "CritXPack"; left untouched for the same reason as the "Self-Singed" msg above — fix upstream with a rev bump.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CirtXPack - No Java URI - /a.Test"; flow:established,to_server; urilen:7; content:"/a.Test"; classtype:trojan-activity; sid:2015886; rev:1; metadata:created_at 2012_11_14, updated_at 2012_11_14;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK - Landing Page - FlashExploit"; flow:established,to_client; file_data; content:"FlashExploit()"; classtype:trojan-activity; sid:2015890; rev:2; metadata:created_at 2012_11_15, former_category EXPLOIT_KIT, updated_at 2012_11_15;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible TDS Exploit Kit /flow redirect at .ru domain"; flow:established,to_server; urilen:<12; content:"/flow"; fast_pattern; depth:5; http_uri; content:".php"; distance:1; within:5; http_uri; content:"GET"; http_method; content:".ru|0d 0a|"; http_header; pcre:"/^\/flow\d{1,2}\.php$/U"; classtype:bad-unknown; sid:2015897; rev:2; metadata:created_at 2012_11_19, former_category EXPLOIT_KIT, updated_at 2020_02_04;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Spam Campaign JPG CnC Link"; flow:established,to_client; file_data; content:"he1l0|3A|hxxp|3A|//"; distance:0; content:".jpg"; distance:0; reference:url,blog.fireeye.com/research/2012/11/more-phish.html; classtype:trojan-activity; sid:2015921; rev:1; metadata:created_at 2012_11_21, former_category PHISHING, updated_at 2012_11_21;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Glazunov Java payload request /5-digit"; flow:established,to_server; content:"|29 20|Java/"; http_header; urilen:6; pcre:"/^\/\d{5}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015923; rev:1; metadata:created_at 2012_11_23, updated_at 2020_04_22;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit Exploit Kit Vulnerable Java Payload Request URI (1)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/33.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015930; rev:1; metadata:created_at 2012_11_26, former_category EXPLOIT_KIT, updated_at 2012_11_26;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit Exploit Kit vulnerable Java Payload Request to URI (2)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/41.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015931; rev:1; metadata:created_at 2012_11_26, former_category EXPLOIT_KIT, updated_at 2012_11_26;)
# NOTE(review): sid:2015939 uses destination port "any" while its siblings sid:2015818 / sid:2015819 use $HTTP_PORTS; since it relies on http_header, traffic on ports the HTTP preprocessor is not configured for would presumably not be inspected anyway — confirm whether "any" is intentional.
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack Exploit Kit .blogsite. Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".blogsite."; http_header; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015939; rev:2; metadata:created_at 2012_11_26, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit Exploit Kit Java Request to Recent jar (2)"; flow:established,to_server; content:"/887.jar"; fast_pattern:only; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015929; rev:2; metadata:created_at 2012_11_26, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit Exploit Kit Java Request to Recent jar (1)"; flow:established,to_server; content:"/332.jar"; fast_pattern:only; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015928; rev:2; metadata:created_at 2012_11_26, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear Exploit Kit HTTP Off-port Landing Page Request"; flow:established,to_server; content:"GET /t/"; depth:7; pcre:"/^[a-f0-9]{32}\s*HTTP\/1\.[0-1]\r\n/R"; classtype:trojan-activity; sid:2015936; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_26, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Java Exploit - Recent Jar (1)"; flow:established,to_server; content:"/amor"; http_uri; content:".jar"; http_uri; within:6; content:" Java/"; http_header; fast_pattern:only; pcre:"/amor\d{0,2}\.jar/U"; classtype:trojan-activity; sid:2015941; rev:1; metadata:created_at 2012_11_27, updated_at 2019_10_07;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Java Exploit - Recent Jar (2)"; flow:established,to_server; content:"/java7.jar?r="; http_uri; content:" Java/"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015942; rev:1; metadata:created_at 2012_11_27, updated_at 2019_10_07;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Crimeboss - Java Exploit - Recent Jar (3)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"amor.class"; distance:0; classtype:trojan-activity; sid:2015943; rev:2; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Stats Access"; flow:established,to_server; content:".php?action=stats_access"; http_uri; classtype:trojan-activity; sid:2015944; rev:1; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Stats Java On"; flow:established,to_server; content:".php?action=stats_javaon"; http_uri; classtype:trojan-activity; sid:2015945; rev:1; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Propack Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"propack/"; distance:0; classtype:trojan-activity; sid:2015949; rev:1; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
# NOTE(review): the optional group in sid:2015950's pcre, (i=[0-9])?, has no "&" separator, so a URI ending in k=1i=2 would match while k=1&i=2 would not. If an &i= parameter was meant, the group should read (&i=[0-9])?. Rule is disabled here.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Propack Payload Request"; flow:established,to_server; content:".php?j=1&k="; http_uri; nocase; fast_pattern:only; content:" Java/1"; http_header; pcre:"/\.php\?j=1&k=[0-9](i=[0-9])?$/U"; classtype:trojan-activity; sid:2015950; rev:1; metadata:created_at 2012_11_27, updated_at 2019_10_07;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS BegOp Exploit Kit Payload"; flow:established,from_server; content:"Content-Type|3a| image/"; http_header; fast_pattern:only; file_data; content:"M"; within:1; content:!"Z"; within:1; content:"Z"; distance:1; within:1; classtype:trojan-activity; sid:2015783; rev:6; metadata:created_at 2012_10_06, former_category EXPLOIT_KIT, updated_at 2017_09_08;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS PDF /FlateDecode and PDF version 1.1 (seen in pamdql EK)"; flow:established,from_server; file_data; content:"%PDF-1.1"; fast_pattern; within:8; content:"/FlateDecode"; distance:0; classtype:trojan-activity; sid:2015955; rev:1; metadata:created_at 2012_11_28, former_category CURRENT_EVENTS, updated_at 2012_11_28;)
# NOTE(review): the content of sid:2015956 starts at "Loading..." yet ends with <|2F|title>...<|2F|head>, so the opening tags before "Loading..." were probably stripped from this copy; compare the pattern with upstream before relying on it.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Serenity Exploit Kit Landing Page HTML Header"; flow:established,to_client; file_data; content:"Loading... Please wait<|2F|title><meta name=|22|robots|22| content=|22|noindex|22|><|2F|head>"; distance:0; classtype:trojan-activity; sid:2015956; rev:1; metadata:created_at 2012_11_28, former_category EXPLOIT_KIT, updated_at 2012_11_28;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack PDF Request"; flow:established,to_server; content:"/p5.php?t=u00"; http_uri; fast_pattern:only; content:"&oh="; http_uri; classtype:trojan-activity; sid:2015961; rev:11; metadata:created_at 2012_11_28, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zuponcic EK Payload Request"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"|29 20|Java/1"; http_header; content:"/"; http_uri; content:"i=2ZI"; fast_pattern; http_client_body; depth:5; classtype:trojan-activity; sid:2015970; rev:10; metadata:created_at 2012_11_29, updated_at 2012_11_29;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Zuponcic EK Java Exploit Jar"; flow:established,from_server; file_data; content:"PK"; within:2; content:"FlashPlayer.class"; distance:0; content:".SF"; content:".RSA"; classtype:trojan-activity; sid:2015971; rev:8; metadata:created_at 2012_11_29, updated_at 2012_11_29;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown EK Landing URL"; flow:established,to_server; content:".php?dentesus=208779"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015964; rev:10; metadata:created_at 2012_11_29, updated_at 2020_09_17;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritXPack - Landing Page"; flow:established,from_server; file_data; content:"|7C|pdfver|7C|"; content:"|7C|applet|7C|"; classtype:bad-unknown; sid:2015979; rev:1; metadata:created_at 2012_12_03, former_category EXPLOIT_KIT, updated_at 2012_12_03;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zuponcic Hostile Jar"; flow:established,to_server; content:"Host|3a 20|"; http_header; content:"."; http_header; distance:2; within:1; content:"Java/"; http_header; content:".jar"; http_uri; fast_pattern:only; pcre:"/^Host\x3a\x20[a-z]{2}\./Hm"; pcre:"/^\/[a-zA-Z]{7}\.jar$/U"; classtype:trojan-activity; sid:2015981; rev:1; metadata:created_at 2012_12_03, updated_at 2019_10_07;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zuponcic Hostile JavaScript"; flow:established,to_server; urilen:11; content:"Host|3a 20|"; http_header; content:"."; http_header; distance:2; within:1; content:"/js/java.js"; http_uri; fast_pattern:only; pcre:"/^Host\x3a\x20[a-z]{2}\./Hm"; classtype:trojan-activity; sid:2015982; rev:1; metadata:created_at 2012_12_03, updated_at 2020_09_17;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS PHISH Bank - York - Creds Phished"; flow:established,to_server; content:"POST"; http_method; content:"/secured/private/login.php"; http_uri; classtype:bad-unknown; sid:2015983; rev:1; metadata:created_at 2012_12_04, former_category CURRENT_EVENTS, updated_at 2017_06_08;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Stats Load Fail"; flow:established,to_server; content:"?action=stats_loadfail"; http_uri; classtype:bad-unknown; sid:2015988; rev:1; metadata:created_at 2012_12_05, updated_at 2012_12_05;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit - Potential Java Exploit Requested - 3 digit jar"; flow:established,to_server; urilen:6<>9; content:".jar"; http_uri; pcre:"/^\/[0-9]{3}\.jar$/U"; classtype:bad-unknown; sid:2015989; rev:1; metadata:created_at 2012_12_05, former_category EXPLOIT_KIT, updated_at 2012_12_05;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit - Potential Payload Requested - /2Digit.html"; flow:established,to_server; urilen:8; content:".html"; http_uri; content:" Java/1"; http_header; pcre:"/\/[0-9]{2}\.html$/U"; classtype:bad-unknown; sid:2015990; rev:1; metadata:created_at 2012_12_05, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Robopak - Landing Page Received"; flow:established,to_client; file_data; content:"|22|ors.class|22|"; fast_pattern:only; content:"|22|bhjwfffiorjwe|22|"; classtype:bad-unknown; sid:2015991; rev:3; metadata:created_at 2012_12_05, updated_at 2019_10_07;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake Google Chrome Update/Install"; flow:established,to_server; content:"/chrome/google_chrome_"; http_uri; content:".exe"; http_uri; distance:0; pcre:"/\/chrome\/google_chrome_(update|installer)\.exe$/U"; reference:url,www.barracudanetworks.com/blogs/labsblog?bid=3108; reference:url,www.bluecoat.com/security-blog/2012-12-05/blackhole-kit-doesnt-chrome; classtype:trojan-activity; sid:2015997; rev:2; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Glazunov Java exploit request /9-10-/4-5-digit"; flow:established,to_server; content:"|29 20|Java/"; http_header; urilen:14<>18; pcre:"/^\/\d{9,10}\/\d{4,5}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015922; rev:4; metadata:created_at 2012_11_23, updated_at 2020_08_20;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS PDF /XFA and PDF-1.[0-4] Spec Violation (seen in pamdql and other EKs)"; flow:established,to_client; file_data; content:"%PDF-1."; within:7; pcre:"/^[0-4][^0-9]/R"; content:"/XFA"; distance:0; fast_pattern; pcre:"/^[\r\n\s]*[\d\x5b]/R"; classtype:trojan-activity; sid:2016001; rev:4; metadata:created_at 2012_12_07, former_category CURRENT_EVENTS, updated_at 2012_12_07;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS 
Embedded Open Type Font file .eot seeing at Cool Exploit Kit"; flow:established,to_client; file_data; content:"|02 00 02 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:8; depth:18; content:"|4c 50|"; distance:8; within:2; content:"|10 00 40 00|D|00|e|00|x|00|t|00|e|00|r|00 00|"; distance:0; content:"|00|R|00|e|00|g|00|u|00|l|00|a|00|r|00|"; distance:0; content:"V|00|e|00|r|00|s|00|i|00|o|00|n|00 20 00|1|00 2e 00|0"; reference:cve,2011-3402; classtype:attempted-user; sid:2016018; rev:1; metadata:created_at 2012_12_12, former_category CURRENT_EVENTS, updated_at 2012_12_12;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING FlashPost - Redirection IFRAME"; flow:established,to_client; file_data; content:"{|22|iframe|22 3a|true,|22|url|22|"; within:20; classtype:bad-unknown; sid:2016022; rev:2; metadata:created_at 2012_12_12, updated_at 2012_12_12;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack PDF Request (2)"; flow:established,to_server; content:"/lpdf.php?i="; http_uri; fast_pattern:only; pcre:"/\/lpdf\.php\?i=[a-zA-Z0-9]+&?$/U"; classtype:trojan-activity; sid:2016012; rev:3; metadata:created_at 2012_12_07, former_category EXPLOIT_KIT, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_gmf EK - Payload Download Requested"; flow:established,to_server; content:"/getmyfile.exe"; http_uri; content:" Java/"; http_header; classtype:trojan-activity; sid:2016052; rev:1; metadata:created_at 2012_12_17, updated_at 2012_12_17;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_gmf EK - Payload Download Received"; flow:established,to_client; content:".exe.crypted"; http_header; fast_pattern; content:"attachment"; http_header; classtype:trojan-activity; sid:2016053; rev:1; metadata:created_at 2012_12_17, updated_at 2012_12_17;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET 
CURRENT_EVENTS Unknown_gmf EK - flsh.html"; flow:established,to_server; urilen:>80; content:"/flsh.html"; http_uri; classtype:trojan-activity; sid:2016056; rev:1; metadata:created_at 2012_12_17, updated_at 2012_12_17;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_gmf EK - Server Response - Application Error"; flow:established,to_client; content:"X-Powered-By|3a| Application Error...."; http_header; classtype:trojan-activity; sid:2016054; rev:2; metadata:created_at 2012_12_17, updated_at 2012_12_17;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO 20 Dec 12 - .jar file request"; flow:established,to_server; urilen:>44; content:".jar"; offset:38; http_uri; content:"Java/1."; http_header; pcre:"/^\/[a-zA-Z0-9]{25,35}\/\d{9,10}\/[a-z]{4,12}\.jar$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016071; rev:2; metadata:created_at 2012_12_20, updated_at 2012_12_20;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO 20 Dec 12 - .pdf file request"; flow:established,to_server; urilen:>44; content:".pdf"; offset:38; http_uri; pcre:"/^\/[a-zA-Z0-9]{25,35}\/\d{9,10}\/[a-z]{4,12}\.pdf$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016072; rev:2; metadata:created_at 2012_12_20, updated_at 2012_12_20;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Hostile Gate landing seen with pamdql/Sweet Orange base64"; flow:established,to_server; content:"KAhFXlx9"; http_uri; pcre:"/\.php\?[a-z]=.{2}KAhFXlx9.{2}Oj[^&]+$/U"; classtype:trojan-activity; sid:2016091; rev:1; metadata:created_at 2012_12_27, former_category EXPLOIT_KIT, updated_at 2020_04_22;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Drupal Mass Injection Campaign Inbound"; flow:established,from_server; file_data; content:"if (i5463 == null) { var i5463 = 1|3b|"; classtype:bad-unknown; sid:2016098; rev:1; 
metadata:created_at 2012_12_27, updated_at 2012_12_27;) #alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Drupal Mass Injection Campaign Outbound"; flow:established,from_server; file_data; content:"if (i5463 == null) { var i5463 = 1|3b|"; classtype:bad-unknown; sid:2016099; rev:1; metadata:created_at 2012_12_27, updated_at 2012_12_27;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing Page"; flow:established,from_server; file_data; content:"<applet"; content:"site.A.class"; within:300; classtype:trojan-activity; sid:2016106; rev:1; metadata:created_at 2012_12_28, updated_at 2012_12_28;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Landing Page"; flow:established,to_client; file_data; content:".jar"; nocase; fast_pattern; content:".pdf"; nocase; content:"Msxml2.XMLHTTP"; nocase; classtype:trojan-activity; sid:2016128; rev:1; metadata:created_at 2012_12_28, former_category CURRENT_EVENTS, updated_at 2012_12_28;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Escaped Unicode Char in Location CVE-2012-4792 EIP (Exploit Specific replace)"; flow:established,from_server; file_data; content:"jj2Ejj6Cjj6Fjj63jj61jj74jj69jj6Fjj6Ejj20jj3Djj20jj75jj6Ejj65jj73jj63jj61jj70jj65jj28jj22jj25jj75"; nocase; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016133; rev:2; metadata:created_at 2012_12_30, updated_at 2012_12_30;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Escaped Unicode Char in Location CVE-2012-4792 EIP % Hex Encode"; flow:established,from_server; file_data; content:"%2e%6c%6f%63%61%74%69%6f%6e%20%3d%20%75%6e%65%73%63%61%70%65%28%22%25%75"; nocase; 
reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016134; rev:2; metadata:created_at 2012_12_30, updated_at 2012_12_30;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Escaped Unicode Char in Window Location CVE-2012-4792 EIP"; flow:established,from_server; file_data; content:"<form"; nocase; content:"button"; nocase; content:"CollectGarbage("; nocase; fast_pattern:only; content:".location"; nocase; pcre:"/^[\r\n\s]*=[\r\n\s]*unescape\(\s*[\x22\x27][\\%]u/Ri"; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016132; rev:2; metadata:created_at 2012_12_30, updated_at 2019_10_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS g01pack - Landing Page Received - applet and 32AlphaNum.jar"; flow:established,to_client; file_data; content:"<applet"; fast_pattern:only; content:".jar"; pcre:"/[a-z0-9]{32}\.jar/"; classtype:bad-unknown; sid:2016027; rev:4; metadata:created_at 2012_12_12, former_category EXPLOIT_KIT, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Injected iframe leading to Redkit Jan 02 2013"; flow:established,from_server; file_data; content:"iframe name="; pcre:"/^[\r\n\s]*[\w]+[\r\n\s]+/R"; content:"scrolling=auto frameborder=no align=center height=2 width=2 src=http|3a|//"; within:71; fast_pattern:48,20; pcre:"/^[^\r\n\s>]+\/[a-z]{4,5}\.html\>\<\/iframe\>/R"; classtype:trojan-activity; sid:2016144; rev:2; metadata:created_at 2013_01_03, former_category CURRENT_EVENTS, updated_at 2013_01_03;) alert 
tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible TURKTRUST Spoofed Google Cert"; flow:established,from_server; content:"|16 03|"; depth:2; content:"*.EGO.GOV.TR"; nocase; fast_pattern:only; content:"*.google.com"; classtype:policy-violation; sid:2016154; rev:1; metadata:created_at 2013_01_04, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CrimeBoss Generic URL Structure"; flow:established,to_server; content:"/cb.php?action="; http_uri; classtype:bad-unknown; sid:2016169; rev:2; metadata:created_at 2013_01_08, updated_at 2013_01_08;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY RedKit - Landing Page"; flow:established,to_client; file_data; content:".jar"; nocase; fast_pattern; content:".pdf"; nocase; content:"Msxml2.XMLHTTP"; nocase; pcre:"/\/[0-9]{3}\.jar/"; pcre:"/\/[0-9]{3}\.pdf/"; classtype:trojan-activity; sid:2016174; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_01_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS probable malicious Glazunov Javascript injection"; flow:established,from_server; file_data; content:"(|22|"; distance:0; content:"|22|))|3b|"; distance:52; within:106; content:")|3b|</script></body>"; within:200; fast_pattern; pcre:"/\(\x22[0-9\x3a\x3b\x3c\x3d\x3e\x3fa-k]{50,100}\x22\).{0,200}\)\x3b<\/script><\/body>/s"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015977; rev:8; metadata:created_at 2012_12_03, updated_at 2012_12_03;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Landing Page Received"; flow:established,to_client; file_data; content:"application/x-java-applet"; content:"width=|22|000"; content:"height=|22|000"; classtype:bad-unknown; sid:2016190; rev:3; 
metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_01_11, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK - Landing Page Received"; flow:established,to_client; file_data; content:"<div id=|22|heap_allign|22|></div>"; classtype:bad-unknown; sid:2016191; rev:5; metadata:created_at 2013_01_11, former_category EXPLOIT_KIT, updated_at 2013_01_11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Redkit Exploit Kit Three Numerical Character Naming Convention PDF Request"; flow:established,to_server; urilen:8; content:".pdf"; http_uri; pcre:"/\x2F[0-9]{3}\.pdf$/U"; reference:url,blogs.mcafee.com/mcafee-labs/red-kit-an-emerging-exploit-pack; reference:cve,2010-0188; classtype:trojan-activity; sid:2016210; rev:1; metadata:created_at 2013_01_15, former_category EXPLOIT_KIT, updated_at 2020_04_23;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Impact Exploit Kit Class Download"; flow:established,to_server; content:"/com/sun/org/glassfish/gmbal/util/GenericConstructor.class"; fast_pattern:13,20; content:" Java/1"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016240; rev:4; metadata:created_at 2013_01_18, former_category EXPLOIT_KIT, updated_at 2013_01_18;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS StyX Landing Page"; flow:established,from_server; file_data; content:"|22|pdfx.ht|5C|x6dl|22|"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016247; rev:5; metadata:created_at 2013_01_21, updated_at 2013_01_21;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS StyX Landing Page"; flow:established,to_server; content:"/i.html?0x"; http_uri; depth:10; urilen:>100; pcre:"/\/i\.html\?0x\d{1,2}=[a-zA-Z0-9+=]{100}/U"; flowbits:set,et.exploitkitlanding; 
classtype:bad-unknown; sid:2016248; rev:5; metadata:created_at 2013_01_21, updated_at 2020_04_23;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Redkit Class Request (1)"; flow:established,to_server; content:"/Gobon.class"; http_uri; content:" Java/"; http_header; classtype:bad-unknown; sid:2016249; rev:5; metadata:created_at 2013_01_21, former_category EXPLOIT_KIT, updated_at 2013_01_21;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Redkit Class Request (2)"; flow:established,to_server; content:"/Runs.class"; http_uri; content:" Java/1"; http_header; classtype:bad-unknown; sid:2016250; rev:5; metadata:created_at 2013_01_21, former_category EXPLOIT_KIT, updated_at 2013_01_21;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Red Dot Exploit Kit Single Character JAR Request"; flow:established,to_server; urilen:6; content:".jar"; http_uri; pcre:"/\x2F[a-z]\x2Ejar$/U"; reference:url,malware.dontneedcoffee.com/; classtype:trojan-activity; sid:2016254; rev:1; metadata:created_at 2013_01_23, former_category EXPLOIT_KIT, updated_at 2020_04_23;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Red Dot Exploit Kit Binary Payload Request"; flow:established,to_server; content:"/load.php?guid="; http_uri; content:"&thread="; http_uri; content:"&exploit="; http_uri; content:"&version="; http_uri; content:"&rnd="; http_uri; reference:url,malware.dontneedcoffee.com/; classtype:trojan-activity; sid:2016255; rev:1; metadata:created_at 2013_01_23, former_category EXPLOIT_KIT, updated_at 2013_01_23;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Gondad Exploit Kit Post Exploitation Request"; flow:established,to_server; content:"/cve2012xxxx/Gondvv.class"; http_uri; classtype:trojan-activity; sid:2016256; rev:1; metadata:created_at 2013_01_23, former_category EXPLOIT_KIT, updated_at 2020_04_23;) alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TDS - in.php"; flow:established,to_server; content:"/in.php?s="; http_uri; classtype:trojan-activity; sid:2016272; rev:1; metadata:created_at 2013_01_24, updated_at 2020_04_23;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"ConfusingClassLoader.class"; classtype:bad-unknown; sid:2016276; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"Confuser.class"; classtype:bad-unknown; sid:2016277; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious iframe"; flow:established,from_server; file_data; content:"<iframe"; pcre:"/^((?!<\/iframe>).)*?[\r\n\s]+name[\r\n\s]*=[\r\n\s]*(?P<q>[\x22\x27])?(Twitter|Google\+)(?P=q)?[\r\n\s]+/R"; content:"scrolling=auto frameborder=no align=center height=2 width=2"; within:59; fast_pattern:39,20; classtype:trojan-activity; sid:2016297; rev:3; metadata:created_at 2013_01_28, updated_at 2013_01_28;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious iframe"; flow:established,from_server; file_data; content:"<iframe"; 
pcre:"/^((?!<\/iframe>).)*?[\r\n\s]+name[\r\n\s]*=[\r\n\s]*(?P<q>[\x22\x27])?(Twitter|Google\+)(?P=q)?[\r\n\s]+/R"; content:"scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|"; within:69; fast_pattern:49,20; classtype:trojan-activity; sid:2016298; rev:3; metadata:created_at 2013_01_28, updated_at 2013_01_28;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Redkit Class Request (3)"; flow:established,to_server; content:"/Vlast.class"; http_uri; content:" Java/1"; http_header; fast_pattern:only; classtype:bad-unknown; sid:2016299; rev:7; metadata:created_at 2013_01_28, former_category EXPLOIT_KIT, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS JDB Exploit Kit Landing URL structure"; flow:established,from_client; content:"/inf.php?id="; http_uri; nocase; fast_pattern:only; pcre:"/\/inf\.php\?id=[a-f0-9]{32}$/Ui"; classtype:trojan-activity; sid:2016306; rev:1; metadata:created_at 2013_01_29, former_category EXPLOIT_KIT, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS JDB Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"Adobe Flash must be updated to view this"; content:"/lib/adobe.php?id="; distance:0; fast_pattern; pcre:"/^[a-f0-9]{32}/R"; classtype:trojan-activity; sid:2016307; rev:3; metadata:created_at 2013_01_29, former_category EXPLOIT_KIT, updated_at 2013_01_29;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible JDB Exploit Kit Class Request"; flow:established,to_server; content:"/jdb/"; http_uri; nocase; content:".class"; http_uri; nocase; pcre:"/\/jdb\/[^\/]+\.class$/Ui"; content:" Java/1"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2016308; rev:5; metadata:created_at 2013_01_29, former_category EXPLOIT_KIT, updated_at 2020_09_18;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET 
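CURRENT_EVENTS JDB Exploit Kit Fake Adobe Download"; flow:established,to_server; content:"/lib/adobe.php?id="; http_uri; nocase; fast_pattern:only; pcre:"/\/lib\/adobe\.php\?id=[a-f0-9]{32}$/Ui"; classtype:trojan-activity; sid:2016310; rev:4; metadata:created_at 2013_01_29, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Impact Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"<applet"; fast_pattern:only; content:"value"; pcre:"/^\s*=\s*[\x22\x27]/R"; content:"h"; distance:8; within:1; content:"t"; distance:8; within:1; content:"t"; distance:8; within:1; content:"p"; distance:8; within:1; content:"|3a|"; distance:8; within:1; content:"/"; distance:8; within:1; classtype:trojan-activity; sid:2016319; rev:1; metadata:created_at 2013_01_30, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura/RedKit obfuscated URL"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^((?!<\/applet>).)+?\/.{1,12}\/.{1,12}\x3a.{1,12}p.{1,12}t.{1,12}t.{1,12}h/Rs"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015858; rev:2; metadata:created_at 2012_10_31, former_category EXPLOIT_KIT, updated_at 2012_10_31;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS JDB Exploit Kit JAR Download"; flow:established,to_server; content:".php?id="; http_uri; nocase; content:" Java/1"; http_header; fast_pattern:only; pcre:"/\.php\?id=[a-f0-9]{32}$/Ui"; classtype:trojan-activity; sid:2016309; rev:4; metadata:created_at 2013_01_29, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
# Review (sid 2015998): the URI pcre was written as "\/i.php?token=" with the '.' and '?' unescaped, i.e. "/i" + any char + "ph" + optional "p" + "token=".
# A real request URI "/i.php?token=..." has a literal '?' between "php" and "token", so the pcre could never match and, because pcre is AND-ed with the
# content match, the rule was effectively dead. Both metacharacters are now escaped; rev bumped 2 -> 3.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Landing Pattern"; flow:established,to_server; content:"/i.php?token="; http_uri; nocase; fast_pattern:only; pcre:"/\/i\.php\?token=[a-z0-9]+$/Ui"; classtype:trojan-activity; sid:2015998; rev:3; metadata:created_at 2012_12_07, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Payload Request"; flow:established,to_server; content:"/load.php?e="; http_uri; fast_pattern:only; content:"&token="; http_uri; classtype:trojan-activity; sid:2015962; rev:10; metadata:created_at 2012_11_28, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS WhiteHole Exploit Kit Payload Download"; flow:established,to_server; content:"/?whole="; nocase; http_uri; fast_pattern:only; content:" Java/1."; http_header; pcre:"/\/\?whole=\d+$/Ui"; classtype:trojan-activity; sid:2016350; rev:1; metadata:created_at 2013_02_05, former_category EXPLOIT_KIT, updated_at 2019_10_07;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Styx Exploit Kit Jerk.cgi TDS"; flow:established,to_server; content:"/jerk.cgi?"; fast_pattern:only; http_uri; pcre:"/\x2Fjerk\x2Ecgi\x3F[0-9]$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:trojan-activity; sid:2016352; rev:1; metadata:created_at 2013_02_05, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Getmyfile.exe Payload"; flow:established,to_client; file_data; content:"<applet"; distance:0; content:"value="; distance:0; content:"/getmyfile.exe?o="; distance:0; nocase; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:trojan-activity; sid:2016353; rev:1; metadata:created_at 2013_02_05, former_category EXPLOIT_KIT, updated_at 2013_02_05;)
# Review (sid 2016347): the URI pcre "^[a-z]+\.js$" is anchored at the start of the normalized URI buffer, which begins with '/', so "[a-z]+" could
# never match its first character and the rule could not fire. Re-anchored as "^\/[a-z]+\.js$" (a root-level <letters>.js), which is the form the
# sibling URI rules in this file use (e.g. sid 2015981, 2015989) and appears to be the intent -- confirm against Styx samples. The '.' in the
# Referer check is also escaped (i\.html) so it no longer matches "/iXhtml". rev bumped 5 -> 6.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Styx Exploit Kit Secondary Landing"; flow:established,to_server; content:".js"; http_uri; content:"/i.html"; http_header; fast_pattern:only; pcre:"/^\/[a-z]+\.js$/U"; pcre:"/^Referer\x3a[^\r\n]+\/i\.html(\?[^=]{1,10}=[^&\r\n]{100,})?\r?$/Hmi"; classtype:bad-unknown; sid:2016347; rev:6; metadata:created_at 2013_02_05, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritXPack - Landing Page - Received"; flow:established,to_client; file_data; content:"js.pd.js"; content:"|7C|applet|7C|"; classtype:trojan-activity; sid:2016356; rev:1; metadata:created_at 2013_02_06, former_category EXPLOIT_KIT, updated_at 2013_02_06;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack - URI - jpfoff.php"; flow:established,to_server; content:"/jpfoff.php?token="; http_uri; classtype:trojan-activity; sid:2016357; rev:1; metadata:created_at 2013_02_06, former_category EXPLOIT_KIT, updated_at 2013_02_06;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_MM EK - Landing Page"; flow:established,to_client; file_data; content:"<applet "; content:"new PDFObject"; classtype:trojan-activity; sid:2016373; rev:1; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_MM - Java Exploit - jaxws.jar"; flow:established,to_server; content:"/jaxws.jar"; http_uri; content:" Java/"; http_header; classtype:trojan-activity; sid:2016374; rev:1; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_MM - Java Exploit - jre.jar"; flow:established,to_server; content:"/jre.jar"; http_uri; content:" Java/"; http_header; classtype:trojan-activity; sid:2016375; rev:1; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_MM - Payload Download"; flow:established,to_client; file_data; content:"PK"; within:2; content:"stealth.exe";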
within:60; classtype:trojan-activity; sid:2016377; rev:1; metadata:created_at 2013_02_08, updated_at 2013_02_08;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_MM EK - Java Exploit - fbyte.jar"; flow:established,to_server; content:"/fbyte.jar"; http_uri; content:" Java/"; http_header; classtype:trojan-activity; sid:2016378; rev:1; metadata:created_at 2013_02_08, updated_at 2013_02_08;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Impact Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"value"; distance:0; pcre:"/^(\s*=\s*|[\x22\x27]\s*,\s*)[\x22\x27]/R"; content:"h"; distance:8; within:1; content:"t"; distance:8; within:1; content:"t"; distance:8; within:1; content:"p"; distance:8; within:1; content:"|3a|"; distance:8; within:1; content:"/"; distance:8; within:1; classtype:trojan-activity; sid:2016393; rev:3; metadata:created_at 2013_02_08, former_category EXPLOIT_KIT, updated_at 2013_02_08;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK Payload - obfuscated binary base 0"; flow:established,to_client; file_data; content:"|af 9e b6 98 09 fc ee d0|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016403; rev:1; metadata:created_at 2013_02_12, former_category EXPLOIT_KIT, updated_at 2013_02_12;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool Java Exploit Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"SunJCE.class"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016407; rev:2; metadata:created_at 2013_02_12, updated_at 2013_02_12;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TDS Vdele"; flow:established,to_server; content:"GET"; nocase; http_method; urilen:>37; content:"/vd/"; http_uri; nocase; fast_pattern:only; 
pcre:"/\/vd\/\d+\x3b[a-f0-9]{32}/Ui"; classtype:trojan-activity; sid:2016412; rev:3; metadata:created_at 2013_02_14, updated_at 2019_10_07;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Adobe PDF Zero Day Trojan.666 Payload libarext32.dll Second Stage Download POST"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"lbarext32.blb"; http_client_body; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016410; rev:2; metadata:created_at 2013_02_14, updated_at 2020_04_23;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Adobe PDF Zero Day Trojan.666 Payload libarhlp32.dll Second Stage Download POST"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"lbarhlp32.blb"; http_client_body; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016409; rev:2; metadata:created_at 2013_02_14, updated_at 2020_04_23;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK landing applet plus class Feb 18 2013"; flow:established,to_client; file_data; content:"<applet"; content:"code=|22|hw|22|"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016426; rev:2; metadata:created_at 2013_02_18, former_category EXPLOIT_KIT, updated_at 2013_02_18;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (1)"; flow:established,to_server; content:"/java/lang/ClassBeanInfo.class"; http_uri; fast_pattern:10,20; content:" Java/1.7"; http_header; classtype:trojan-activity; sid:2016490; rev:9; metadata:created_at 2013_02_22, former_category EXPLOIT_KIT, updated_at 2013_02_22;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class 
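Request (2)"; flow:established,to_server; content:"/java/lang/ObjectBeanInfo.class"; http_uri; fast_pattern:11,20; content:" Java/1.7"; http_header; classtype:trojan-activity; sid:2016491; rev:9; metadata:created_at 2013_02_22, former_category EXPLOIT_KIT, updated_at 2013_02_22;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (3)"; flow:established,to_server; content:"/java/lang/ObjectCustomizer.class"; http_uri; fast_pattern:13,20; content:" Java/1.7"; http_header; classtype:trojan-activity; sid:2016492; rev:9; metadata:created_at 2013_02_22, former_category EXPLOIT_KIT, updated_at 2013_02_22;)
# Review (sid 2016493): this rule carried the same msg as sid 2016492 ("... Class Request (3)"), so alerts for the two distinct class files
# (ObjectCustomizer vs ClassCustomizer) were indistinguishable by message in a console/SIEM. Renumbered to "(4)" to continue the (1)..(3)
# sequence of sids 2016490-2016492; detection logic unchanged. rev bumped 9 -> 10.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (4)"; flow:established,to_server; content:"/java/lang/ClassCustomizer.class"; http_uri; fast_pattern:12,20; content:" Java/1.7"; http_header; classtype:trojan-activity; sid:2016493; rev:10; metadata:created_at 2013_02_22, former_category EXPLOIT_KIT, updated_at 2013_02_22;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS StyX Landing Page (2)"; flow:established,from_server; file_data; content:"|22|pdf|5c|78.ht|5c|6dl|22|"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016497; rev:6; metadata:created_at 2013_02_25, updated_at 2013_02_25;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Nicepack EK Landing (Anti-VM)"; flow:established,to_client; file_data; content:"if(document.body.onclick!=null)"; content:"if(document.styleSheets.length!=0)"; classtype:bad-unknown; sid:2016500; rev:7; metadata:created_at 2013_02_25, updated_at 2013_02_25;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible g01pack Landing Page"; flow:established,to_client; file_data; content:"<applet"; nocase; content:"archive"; nocase; distance:0;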
pcre:"/^[\r\n\s]*=[\r\n\s]*(?P<q>[\x22\x27])((?!(?P=q)).)+?\.(gif|jpe?g|p(ng|sd))(?P=q)/Rsi"; classtype:trojan-activity; sid:2016333; rev:3; metadata:created_at 2013_01_31, former_category EXPLOIT_KIT, updated_at 2013_01_31;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Java Exploit - jhan.jar"; flow:established,to_server; content:"/jhan.jar"; http_uri; content:" Java/"; http_header; classtype:trojan-activity; sid:2016514; rev:1; metadata:created_at 2013_03_04, updated_at 2013_03_04;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Java Archive Request (Java-SPLOIT.jar)"; flow:established,to_server; content:"/Java-SPLOIT.jar"; http_uri; content:" Java/1"; http_header; fast_pattern:only; classtype:bad-unknown; sid:2016521; rev:1; metadata:created_at 2013_03_04, former_category EXPLOIT_KIT, updated_at 2020_09_18;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Exploit Request"; flow:established,to_server; content:"/module.php?e="; http_uri; fast_pattern:only; pcre:"/\.php\?e=[^&]+?$/U"; classtype:bad-unknown; sid:2016523; rev:1; metadata:created_at 2013_03_04, former_category EXPLOIT_KIT, updated_at 2020_09_18;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Portal TDS Kit GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?pprec"; nocase; fast_pattern:only; http_uri; pcre:"/\.php\?pprec$/Ui"; reference:url,ondailybasis.com/blog/?p=1867; classtype:trojan-activity; sid:2016542; rev:2; metadata:created_at 2013_03_05, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Portal TDS Kit GET (2)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?c002"; nocase; fast_pattern:only; http_uri; pcre:"/\.php\?c002$/Ui"; reference:url,ondailybasis.com/blog/?p=1867; 
classtype:trojan-activity; sid:2016543; rev:1; metadata:created_at 2013_03_05, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs"; flow:established,from_server; content:!".jar"; http_header; nocase; file_data; content:"PK"; within:2; content:".class"; distance:0; fast_pattern; flowbits:isset,ET.JavaNotJar; flowbits:unset,ET.JavaNotJar; classtype:bad-unknown; sid:2016540; rev:2; metadata:created_at 2013_03_05, updated_at 2020_04_23;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CrimeBoss Generic URL Structure"; flow:established,to_server; content:".php?action=jv&h="; http_uri; classtype:bad-unknown; sid:2016558; rev:3; metadata:created_at 2013_03_08, updated_at 2013_03_08;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SNET EK Downloading Payload"; flow:to_server,established; content:"/get?src="; http_uri; fast_pattern; content:"snet"; http_uri; distance:0; pcre:"/\/get\?src=[a-z]+snet$/U"; content:" WinHttp.WinHttpRequest"; http_header; classtype:trojan-activity; sid:2016566; rev:1; metadata:created_at 2013_03_13, updated_at 2013_03_13;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to DtDNS Dynamic DNS Domain"; flow:to_server,established; content:" Java/1."; http_header; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:(?:b(?:bsindex|0ne)|chatnook|gotgeeks|3d-game|4irc)\.com|s(?:(?:cieron|uroot)\.com|lyip\.(?:com|net))|d(?:arktech\.org|eaftone\.com|tdns\.net)|e(?:towns\.(?:net|org)|ffers\.com)|flnet\.org)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016584; rev:1; metadata:created_at 2013_03_15, former_category HUNTING, updated_at 2013_03_15;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Redkit Landing Page URL March 03 2013"; flow:established,from_server; file_data; content:"applet"; 
fast_pattern; content:"u33&299"; within:200; content:"u3v7"; within:50; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016587; rev:5; metadata:created_at 2013_03_15, former_category EXPLOIT_KIT, updated_at 2013_03_15;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedDotv2 Java Check-in"; flow:established,to_server; content:"/search/"; http_uri; content:" Java/1."; http_header; fast_pattern:only; pcre:"/^\/search\/[0-9]{64}/U"; classtype:trojan-activity; sid:2016593; rev:5; metadata:created_at 2013_03_18, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to cd.am Dynamic DNS Domain"; flow:to_server,established; content:" Java/1."; http_header; content:"cd.am"; http_header; nocase; pcre:"/^Host\x3a\x20[^\r\n]+\.cd\.am(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016595; rev:3; metadata:created_at 2013_03_19, former_category HUNTING, updated_at 2013_03_19;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Watering Hole applet name AppletHigh.jar"; flow:established,to_server; content:"/AppletHigh.jar"; http_uri; content:" Java/1."; http_header; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; classtype:trojan-activity; sid:2016639; rev:1; metadata:created_at 2013_03_21, updated_at 2020_04_24;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Watering Hole applet name AppletLow.jar"; flow:established,to_server; content:"/AppletLow.jar"; http_uri; content:" Java/1."; http_header; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; classtype:trojan-activity; sid:2016640; rev:1; metadata:created_at 2013_03_21, updated_at 2013_03_21;) alert tcp $EXTERNAL_NET 
$HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible RedDotv2 applet with 32hex value Landing Page"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"value"; nocase; within:500; pcre:"/^[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])[a-f0-9]{32}(?P=q1)/Rsi"; classtype:trojan-activity; sid:2016643; rev:4; metadata:created_at 2013_03_21, updated_at 2013_03_21;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO - possible second stage landing page"; flow:established,to_server; urilen:>40; content:".js"; offset:38; http_uri; pcre:"/^\/[a-z0-9A-Z]{25,35}\/(([tZFBeDauxR]+q){3}[tZFBeDauxR]+(_[tZFBeDauxR]+)?|O7dd)k(([tZFBeDauxR]+q){3}[tZFBeDauxR]+|O7dd)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016073; rev:6; metadata:created_at 2012_12_21, updated_at 2012_12_21;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probable Sakura exploit kit landing page obfuscated applet tag Mar 28 2013"; flow:established,from_server; file_data; content:"<apABCplet"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016704; rev:2; metadata:created_at 2013_04_01, former_category EXPLOIT_KIT, updated_at 2013_04_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely EgyPack Exploit kit landing page (EGYPACK_CRYPT)"; flow:established,from_server; content:"EGYPACK_CRYPT"; pcre:"/EGYPACK_CRYPT\d/"; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:trojan-activity; sid:2013175; rev:4; metadata:created_at 2011_07_04, former_category EXPLOIT_KIT, updated_at 2011_07_04;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY 
EgyPack Exploit Kit Cookie Set"; flow:established,from_server; content:"visited=TRUE"; fast_pattern; content:"visited=TRUE"; http_cookie; content:"mutex="; http_cookie; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:bad-unknown; sid:2014407; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_21, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2020_06_30;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY EgyPack Exploit Kit Cookie Present"; flow:established,to_server; content:"ited=TRUE|3b| mutex="; fast_pattern:only; content:"visited=TRUE|3b| mutex="; http_cookie; depth:20; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:bad-unknown; sid:2014408; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_21, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2020_04_23;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss Recent Jar (3)"; flow:established,to_server; content:"/m1"; http_uri; nocase; content:".jar"; http_uri; content:" Java/1"; http_header; fast_pattern:only; pcre:"/\/m1[1-6]\.jar$/U"; classtype:trojan-activity; sid:2016708; rev:6; metadata:created_at 2013_04_02, former_category EXPLOIT_KIT, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss Recent Jar (4)"; flow:established,to_server; content:"/cmm.jar"; http_uri; content:" Java/1"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2016709; rev:5; metadata:created_at 2013_04_02, updated_at 2019_10_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - Landing Page Received - applet and 32HexChar.jar"; flow:established,to_client; file_data; content:"<applet"; fast_pattern:only; content:".jar"; content:"param"; pcre:"/[a-f0-9]{32}\.jar/"; classtype:bad-unknown; sid:2016026; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_12, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;) #alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BHEK q.php iframe outbound"; flow:established,to_client; file_data; content:"/q.php"; fast_pattern:only; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/q\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016718; rev:3; metadata:created_at 2013_04_03, former_category EXPLOIT_KIT, updated_at 2019_10_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS BHEK q.php iframe inbound"; flow:established,to_client; file_data; content:"/q.php"; fast_pattern:only; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/q\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016716; rev:4; metadata:created_at 
2013_04_03, former_category EXPLOIT_KIT, updated_at 2019_10_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS BHEK ff.php iframe inbound"; flow:established,to_client; file_data; content:"/ff.php"; fast_pattern:only; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/ff\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016717; rev:3; metadata:created_at 2013_04_03, former_category EXPLOIT_KIT, updated_at 2019_10_07;) #alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BHEK ff.php iframe outbound"; flow:established,to_client; file_data; content:"/ff.php"; fast_pattern:only; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/ff\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016719; rev:3; metadata:created_at 2013_04_03, former_category EXPLOIT_KIT, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Potential Fiesta Flash Exploit"; flow:established,to_server; content:"/?"; http_uri; content:"|3b|"; distance:60; within:7; http_uri; pcre:"/\/\?[0-9a-f]{60,66}\x3b(?:1(?:0[0-3]|1\d)|90)\d{1,3}\x3b\d{1,3}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016726; rev:5; metadata:created_at 2013_04_04, former_category EXPLOIT_KIT, updated_at 2013_04_04;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedDotv2 Jar March 18 2013"; flow:established,to_server; content:"/sexy.jar"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2016594; rev:6; metadata:created_at 
2013_03_18, updated_at 2013_03_18;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit applet + obfuscated URL Apr 7 2013"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"8ss&299"; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016734; rev:1; metadata:created_at 2013_04_08, former_category EXPLOIT_KIT, updated_at 2013_04_08;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS GonDadEK Java Exploit Requested"; flow:established,to_server; content:"/wmck.jpg"; nocase; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2016735; rev:2; metadata:created_at 2013_04_09, updated_at 2013_04_09;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS GonDadEK Java Exploit Requested"; flow:established,to_server; content:"/ckwm.jpg"; nocase; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2016736; rev:2; metadata:created_at 2013_04_09, updated_at 2013_04_09;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS GonDadEK Kit Jar"; flow:to_client,established; file_data; content:"ckwm"; pcre:"/^(ckwm)*?(Exp|cc)\.class/R"; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016737; rev:10; metadata:created_at 2013_04_09, updated_at 2013_04_09;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lizamoon Related Compromised site served to local client"; flow:established,from_server; content:""; within:100; classtype:attempted-user; sid:2012624; rev:4; metadata:created_at 2011_04_02, updated_at 2011_04_02;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_gmf EK - pdfx.html"; flow:established,to_server; content:"/pdfx.html"; http_uri; classtype:trojan-activity; sid:2016055; rev:2; metadata:created_at 2012_12_17, updated_at 
2020_04_23;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO obfuscator string 19 Dec 12 - possible landing"; flow:from_server,established; file_data; content:"cRxmlqC14I8yhr92sovp"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016070; rev:4; metadata:created_at 2012_12_20, updated_at 2012_12_20;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura obfuscated javascript Apr 21 2013"; flow:established,from_server; file_data; content:"OD&|3a|x9T6"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016781; rev:1; metadata:created_at 2013_04_22, updated_at 2013_04_22;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii"; flow:established,to_server; urilen:>60; content:" Java/1."; http_header; fast_pattern; content:"User-Agent|3A| Mozilla"; http_header; pcre:"/[\/\?][a-z0-9]{60,66}[\;0-9]/Ui"; classtype:trojan-activity; sid:2014912; rev:6; metadata:created_at 2012_06_15, updated_at 2020_04_24;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta - Payload - flashplayer11"; flow:established,to_client; content:"flashplayer11_"; http_header; file_data; content:"MZ"; within:2; classtype:trojan-activity; sid:2016784; rev:2; metadata:created_at 2013_04_26, former_category EXPLOIT_KIT, updated_at 2013_04_26;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Redkit encrypted binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|fb 67 1f 49|"; within:4; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016113; rev:2; metadata:created_at 2012_12_28, former_category EXPLOIT_KIT, updated_at 2012_12_28;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Java Exploit - jmx.jar"; flow:established,to_server; content:"/jmx.jar"; http_uri; content:" 
Java/"; http_header; content:!"hermesjms.com"; http_header; classtype:trojan-activity; sid:2016598; rev:2; metadata:created_at 2013_03_19, updated_at 2013_03_19;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Metasploit Java Exploit"; flow:established,to_client; file_data; flowbits:isset,ET.http.javaclient; content:"xploit.class"; nocase; fast_pattern:only; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015658; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_08_28, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass"; flow:established,to_client; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange applet with obfuscated URL March 03 2013"; flow:established,from_server; file_data; content:"applet"; content:"103sdj115sdj115sdj111sdj57sdj46sdj46sdj"; fast_pattern; within:250; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016585; rev:8; metadata:created_at 2013_03_15, former_category CURRENT_EVENTS, updated_at 2013_03_15;) #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO/NeoSploit possible second stage landing page"; flow:established,to_server; urilen:>25; content:"/50a"; http_uri; depth:4; pcre:"/^\/50a[a-f0-9]{21}\/(((\d+,)+\d+)|null)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015847; rev:6; metadata:created_at 2012_10_26, updated_at 2012_10_26;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sweet Orange Java payload request (1)"; flow:established,to_server; content:"Java/1"; http_header; 
content:"openparadise1"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016111; rev:2; metadata:created_at 2012_12_28, former_category CURRENT_EVENTS, updated_at 2012_12_28;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Java obfuscated binary (3)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|20 3b|"; within:2; content:"|3d 24 00 00|"; within:512; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016655; rev:4; metadata:created_at 2013_03_22, former_category CURRENT_EVENTS, updated_at 2013_03_22;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS pamdql/Sweet Orange delivering exploit kit payload"; flow:established,to_server; content:"/command/"; http_uri; urilen:15; pcre:"/^\/command\/[a-zA-Z]{6}$/U"; classtype:trojan-activity; sid:2016093; rev:3; metadata:created_at 2012_12_27, former_category EXPLOIT_KIT, updated_at 2012_12_27;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Metasploit Java Payload"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"Payload.class"; nocase; fast_pattern:only; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015657; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_08_28, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_MM - Java Exploit - jreg.jar"; flow:established,to_server; content:"/jreg.jar"; http_uri; fast_pattern:only; content:" Java/1"; http_header; classtype:trojan-activity; sid:2016804; rev:1; metadata:created_at 2013_04_30, updated_at 
2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NuclearPack Java exploit binary get request"; flow:established,to_server; content:"GET"; http_method; nocase; content:"Java/1."; fast_pattern:only; http_header; pcre:"/[a-f0-9]{32,64}\/[a-f0-9]{32,64}/\w$/U"; classtype:trojan-activity; sid:2015000; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_02, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK UAC Disable in Uncompressed JAR"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"UACDisableNotify"; fast_pattern:only; classtype:trojan-activity; sid:2016805; rev:2; metadata:created_at 2013_04_30, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sibhost Status Check"; flow:established,to_server; content:"POST"; http_method; content:"|29 20|Java/1"; http_header; fast_pattern:only; content:"text="; http_client_body; depth:5; pcre:"/\?(s|page|id)=\d+$/U"; classtype:trojan-activity; sid:2015974; rev:12; metadata:created_at 2012_11_30, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown EK Requsting Payload"; flow:established,to_server; content:"/FlashPlayer.cpl"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2016828; rev:4; metadata:created_at 2013_05_07, updated_at 2013_05_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Injection - var j=0"; flow:established,to_client; file_data; content:"00|3a|00|3a|00|3b| path=/|22 3b|var j=0|3b| while(j"; classtype:trojan-activity; sid:2016830; rev:1; metadata:created_at 2013_05_07, updated_at 2013_05_07;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any 
(msg:"ET CURRENT_EVENTS CVE-2013-2423 IVKM PoC Seen in Unknown EK"; flow:to_client,established; content:"Union1.class"; content:"Union2.class"; fast_pattern; content:"SystemClass.class"; content:"PoC.class"; flowbits:isset,ET.http.javaclient; reference:url,weblog.ikvm.net/CommentView.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0; classtype:trojan-activity; sid:2016831; rev:2; metadata:created_at 2013_05_07, updated_at 2013_05_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS IE HTML+TIME ANIMATECOLOR with eval as seen in unknown EK"; flow:established,from_server; file_data; content:"urn|3a|schemas-microsoft-com|3a|time"; nocase; content:"#default#time2"; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FlimKit hex.zip Java Downloading Jar"; flow:established,to_server; content:" Java/1."; http_header; content:".zip"; http_uri; pcre:"/\/[a-f0-9]+\.zip$/U"; classtype:trojan-activity; sid:2016839; rev:3; metadata:created_at 2013_05_09, updated_at 2020_04_24;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura obfuscated javascript May 10 2013"; flow:established,from_server; file_data; content:"qV7/|3b|pF"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016852; rev:2; metadata:created_at 2013_05_15, updated_at 2013_05_15;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_MM - Java Exploit - cee.jar"; flow:established,to_server; content:"/cee.jar"; http_uri; content:" Java/"; http_header; classtype:trojan-activity; sid:2016859; rev:1; metadata:created_at 2013_05_16, updated_at 2013_05_16;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FlimKit Post Exploit Payload Download"; flow:to_server,established; content:"POST"; http_method; urilen:17; pcre:"/^\/[a-f0-9]{16}$/U"; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; content:"HTTP/1.0|0d 0a|"; content:"Content-Length|3a 
20|0|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\r\nContent-Length\x3a\s0\r\nConnection\x3a\sclose\r\n(\r\n)?$/H"; classtype:trojan-activity; sid:2016869; rev:2; metadata:created_at 2013_05_20, updated_at 2020_03_09;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown EK Requesting Payload"; flow:established,to_server; content:".php?ex="; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:trojan-activity; sid:2016896; rev:3; metadata:created_at 2013_05_21, updated_at 2013_05_21;) #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS HellSpawn EK Requesting Jar"; flow:established,to_server; content:"/j21.jar"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2016832; rev:4; metadata:created_at 2013_05_07, updated_at 2013_05_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Java Class"; flow:to_client,established; file_data; content:"Gond"; pcre:"/^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class/Ri"; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2015575; rev:7; metadata:created_at 2012_08_03, former_category EXPLOIT_KIT, updated_at 2012_08_03;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Java Class 1 May 24 2013"; flow:to_client,established; file_data; content:"gonagExp.class"; fast_pattern:only; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016923; rev:11; metadata:created_at 2013_05_24, former_category EXPLOIT_KIT, updated_at 2019_10_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Java Class 2 May 24 2013"; flow:to_client,established; file_data; content:"20130422.class"; fast_pattern:only; 
flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016924; rev:10; metadata:created_at 2013_05_24, former_category EXPLOIT_KIT, updated_at 2019_10_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Landing Page 1 May 24 2013"; flow:to_client,established; file_data; content:"AppletObject.code"; nocase; content:"Gond"; nocase; distance:0; pcre:"/^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class/Ri"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016925; rev:1; metadata:created_at 2013_05_24, updated_at 2013_05_24;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Landing Page 2 May 24 2013"; flow:to_client,established; file_data; content:"1337.exe"; nocase; fast_pattern:only; content:").)+?[\x22\x27]1337\.exe/Ri"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016926; rev:1; metadata:created_at 2013_05_24, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HellSpawn EK Landing 1 May 24 2013"; flow:to_client,established; file_data; content:"function weCameFromHell("; nocase; fast_pattern:4,20; content:"spawAnyone("; nocase; distance:0; classtype:trojan-activity; sid:2016927; rev:10; metadata:created_at 2013_05_24, updated_at 2013_05_24;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HellSpawn EK Landing 2 May 24 2013"; flow:to_client,established; file_data; content:"FlashPlayer.cpl"; nocase; fast_pattern:only; content:"window.location"; nocase; 
pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?(?P<func>[_a-zA-Z][a-zA-Z0-9_-]+)\([\r\n\s]*?[\x22\x27](?!http\x3a\/\/)(?P<h>[^\x22\x27])(?P<t>(?!(?P=h))[^\x22\x27])(?P=t)[^\x22\x27]{2}(?P<slash>(?!((?P=h)|(?P=t)))[^\x22\x27])(?P=slash)[^\x22\x27]*?[\x22\x27][\r\n\s]*?,[\r\n\s]*?[\x22\x27][^\x22\x27]+[\x22\x27][\r\n\s]*?\)\+(?P=func)/Rsi"; classtype:trojan-activity; sid:2016928; rev:1; metadata:created_at 2013_05_24, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible HellSpawn EK Fake Flash May 24 2013"; flow:to_server,established; content:"/FlashPlayer.cpl"; http_uri; nocase; fast_pattern:only; pcre:"/\/FlashPlayer\.cpl$/U"; classtype:trojan-activity; sid:2016929; rev:10; metadata:created_at 2013_05_24, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible HellSpawn EK Java Artifact May 24 2013"; flow:to_server,established; content:"/PoC.class"; http_uri; nocase; content:" Java/1"; http_header; classtype:trojan-activity; sid:2016930; rev:1; metadata:created_at 2013_05_24, updated_at 2013_05_24;) #alert tcp $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Landing Page - Received"; flow:established,to_client; content:"value"; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?[\x22\x27]((?P<hex>%[A-Fa-f0-9]{2})|(?P<ascii>[a-zA-Z0-9]))((?P=hex){10}|(?P=ascii){10})/R"; content:"var PluginDetect"; distance:0; classtype:trojan-activity; sid:2016791; rev:3; metadata:created_at 2013_04_26, updated_at 2013_04_26;) #alert tcp $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Java Exploit Recievied"; flow:established,to_client; flowbits:isset,ET.http.javaclient.SakuraPorts; content:"|0d 0a 0d 0a|PK"; content:"javax/crypto/spec/SecretKeySpec"; distance:0; classtype:trojan-activity; sid:2016785; rev:2; metadata:created_at 2013_04_26, updated_at 2013_04_26;) #alert tcp $HOME_NET any -> $EXTERNAL_NET 81:90 (msg:"ET CURRENT_EVENTS Sakura - Payload Requested"; flow:established,to_server; 
content:" Java/1."; fast_pattern:only; content:"GET "; depth:4; pcre:"/^[^\r\n]*\/[0-9]{4}\.html HTTP\/1\./R"; content:".html HTTP/1."; classtype:trojan-activity; sid:2016786; rev:2; metadata:created_at 2013_04_26, updated_at 2019_10_07;) #alert tcp $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Payload Downloaded"; flow:established,to_client; flowbits:isset,ET.http.javaclient.SakuraPorts; content:"filename="; pcre:"/^[a-z]{4}\.txt\x0D\x0A/R"; classtype:trojan-activity; sid:2016787; rev:2; metadata:created_at 2013_04_26, updated_at 2019_10_07;) #alert tcp $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Landing Page - Received May 29 2013"; flow:established,to_client; content:"
]*?>((?P%[A-Fa-f0-9]{2})|(?P[a-zA-Z0-9]))((?P=hex){9,20}|(?P=ascii){9,20})%3C/R"; content:"{version|3a 22|0.8.0|22|"; distance:0; nocase; classtype:trojan-activity; sid:2016942; rev:5; metadata:created_at 2013_05_29, updated_at 2013_05_29;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Topic EK Requesting Jar"; flow:established,to_server; content:".php?exp="; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; content:" Java/1"; http_header; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:trojan-activity; sid:2016107; rev:4; metadata:created_at 2012_12_28, updated_at 2012_12_28;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Topic EK Requesting PDF"; flow:established,to_server; content:".php?exp=lib"; http_uri; content:"&b="; http_uri; content:"&k="; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:trojan-activity; sid:2016108; rev:2; metadata:created_at 2012_12_28, updated_at 2020_02_06;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Version 1.1 Applet Value lxxt"; flow:established,to_client; file_data; content:"value=|22|lxxt>33"; fast_pattern:only; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:trojan-activity; sid:2014853; rev:3; metadata:created_at 2012_06_04, former_category EXPLOIT_KIT, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Jar Request (2)"; flow:established,to_server; content:".php?i="; http_uri; pcre:"/\/j\d{2}\.php\?i=/U"; content:" Java/1"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2016013; rev:3; metadata:created_at 2012_12_07, former_category EXPLOIT_KIT, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritX/SafePack Reporting Plugin Detect Data June 03 2013"; flow:established,to_server; content:"/gate.php?ver="; http_uri; nocase; 
fast_pattern:only; pcre:"/&p=\d+\.\d+\.\d+\.\d+&j=\d+\.\d+\.\d+\.\d+&f=\d+\.\d+\.\d+\.\d+$/U"; classtype:trojan-activity; sid:2016964; rev:1; metadata:created_at 2013_06_03, former_category EXPLOIT_KIT, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Jar Request (3)"; flow:established,to_server; content:"/j17.php?i="; http_uri; content:"|29 20|Java/1"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2016365; rev:3; metadata:created_at 2013_02_06, former_category CURRENT_EVENTS, updated_at 2013_02_06;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Metasploit Based Unknown EK Jar Download June 03 2013"; flow:established,to_server; content:"/j_"; http_uri; pcre:"/\/j_[a-z0-9]+_(?:0422|1723|3544|5076)\.jar$/U"; content:" Java/1"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2016965; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_06_03, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET [81:90,443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura obfuscated javascript Jun 1 2013"; flow:established,from_server; content:"a5chZev!"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016966; rev:7; metadata:created_at 2013_06_03, updated_at 2013_06_03;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Payload Download (9)"; flow:established,to_server; content:".txt?f="; fast_pattern:only; content:!"Referer|3a| "; http_header; pcre:"/\.txt\?f=\d+$/U"; classtype:trojan-activity; sid:2016976; rev:8; metadata:created_at 2013_06_05, former_category EXPLOIT_KIT, updated_at 2020_02_10;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql Exploit Kit 09/25/12 Sending Jar"; flow:established,from_server; 
content:"/x-java-archive|0d 0a|"; fast_pattern:only; content:"|0d 0a|Set-Cookie|3a 20|"; pcre:"/^[a-zA-Z]{5}=[a-z0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}\r\n/R"; content:"|0d 0a 0d 0a|PK"; distance:0; classtype:trojan-activity; sid:2015724; rev:11; metadata:created_at 2012_09_21, former_category EXPLOIT_KIT, updated_at 2012_09_21;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql obfuscated javascript --- padding"; flow:established,from_server; content:"|0d 0a 0d 0a|"; content:"d---o---c---u---m---"; within:500; classtype:bad-unknown; sid:2015738; rev:3; metadata:created_at 2012_09_25, updated_at 2012_09_25;) #alert tcp $HOME_NET any -> $EXTERNAL_NET [81:90,9090] (msg:"ET CURRENT_EVENTS Sakura - Payload Requested"; flow:established,to_server; content:" Java/1."; content:".pkg HTTP/1."; nocase; pcre:"/^[^\r\n]+?\/\d+\.pkg HTTP\/1\./i"; classtype:trojan-activity; sid:2016943; rev:6; metadata:created_at 2013_05_29, updated_at 2019_10_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing"; flow:established,from_server; file_data; content:"jnlp_embedded"; nocase; fast_pattern:only; content:""; content:"[\x22\x27])[a-f0-9]{9,16}\.(jar|zip)(?P=q)/R"; classtype:trojan-activity; sid:2016840; rev:4; metadata:created_at 2013_05_09, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing (Payload Downloaded Via Dropbox)"; flow:established,from_server; file_data; content:"jnlp_embedded"; nocase; content:"6u27.jar"; content:"6u41.jar"; fast_pattern:only; classtype:trojan-activity; sid:2017014; rev:1; metadata:created_at 2013_06_13, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown EK Jar 1 June 12 2013"; flow:established,to_server; content:"/6u27.jar"; http_uri; content:" Java/1."; http_header; classtype:trojan-activity; sid:2017016; rev:4; metadata:created_at 
2013_06_13, updated_at 2013_06_13;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown EK Jar 2 June 12 2013"; flow:established,to_server; content:"/6u41.jar"; http_uri; content:" Java/1."; http_header; classtype:trojan-activity; sid:2017017; rev:3; metadata:created_at 2013_06_13, updated_at 2013_06_13;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown EK Jar 3 June 12 2013"; flow:established,to_server; content:"/7u17.jar"; http_uri; content:" Java/1."; http_header; classtype:trojan-activity; sid:2017018; rev:3; metadata:created_at 2013_06_13, updated_at 2013_06_13;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Dotka Chef EK .cache request"; flow:established,to_server; content:"Java/1"; http_header; content:"/.cache/?f|3d|"; fast_pattern:only; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017019; rev:1; metadata:created_at 2013_06_14, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALVERTISING Unknown_InIFRAME - RedTDS URI Structure"; flow:established,to_server; content:"/red"; depth:7; http_uri; content:".php"; distance:2; within:6; http_uri; pcre:"/^\/[0-9]{1,2}\/red[0-9]{1,4}\.php[0-9]{0,1}$/Ui"; classtype:trojan-activity; sid:2017028; rev:1; metadata:created_at 2013_06_18, updated_at 2013_06_18;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_InIFRAME - URI Structure"; flow:established,to_server; content:"/iniframe/"; depth:10; http_uri; content:"/"; distance:32; within:1; http_uri; content:"/"; distance:1; within:5; http_uri; content:"/"; distance:32; within:1; http_uri; classtype:trojan-activity; sid:2017029; rev:3; metadata:created_at 2013_06_18, updated_at 2013_06_18;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_InIFRAME - Redirect to /iniframe/ URI"; flow:established,to_client; 
content:"302"; http_stat_code; content:"/iniframe/"; http_header; classtype:trojan-activity; sid:2017030; rev:1; metadata:created_at 2013_06_18, updated_at 2013_06_18;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALVERTISING Flash - URI - /loading?vkn="; flow:established,to_server; content:"/loading?vkn="; http_uri; classtype:trojan-activity; sid:2017032; rev:1; metadata:created_at 2013_06_18, updated_at 2013_06_18;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NailedPack EK Landing June 18 2013"; flow:established,to_client; file_data; content:"report_and_get_exploits(_0x"; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:2017034; rev:1; metadata:created_at 2013_06_19, updated_at 2013_06_19;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit Jar Download June 20 2013"; flow:established,to_server; content:"/contacts.asp"; http_uri; content:" Java/1."; http_header; fast_pattern:only; classtype:trojan-activity; sid:2017038; rev:1; metadata:created_at 2013_06_20, former_category EXPLOIT_KIT, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Landing URI Struct"; flow:established,to_server; content:".php?"; http_uri; content:"v=1."; http_uri; fast_pattern; content:"."; http_uri; distance:1; within:1; pcre:"/\.php\?(b=[a-fA-F0-9]{6}&)?v=1\.(?:(?:4\.[0-2]\.[0-3]|5\.0\.[0-2]|6.0\.[0-4])\d?|[7-8]\.0\.\d{1,2})$/U"; classtype:trojan-activity; sid:2017040; rev:1; metadata:created_at 2013_06_21, former_category EXPLOIT_KIT, updated_at 2013_06_21;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.7.x"; flow:established,to_server; content:"/frozen.jar"; http_uri; fast_pattern:only; content:" Java/1.7"; http_header; classtype:trojan-activity; sid:2017041; rev:1; metadata:created_at 2013_06_21, former_category EXPLOIT_KIT, 
updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.6 (Old)"; flow:established,to_server; content:"/arina.jar"; http_uri; fast_pattern:only; content:" Java/1.6"; http_header; classtype:trojan-activity; sid:2017042; rev:1; metadata:created_at 2013_06_21, former_category EXPLOIT_KIT, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.6 (New)"; flow:established,to_server; content:"/sigwer.jar"; http_uri; fast_pattern:only; content:" Java/1.6"; http_header; classtype:trojan-activity; sid:2017043; rev:1; metadata:created_at 2013_06_21, former_category EXPLOIT_KIT, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.6 (New)"; flow:established,to_server; content:"/dubstep.jar"; http_uri; fast_pattern:only; content:" Java/1.6"; http_header; classtype:trojan-activity; sid:2017044; rev:1; metadata:created_at 2013_06_21, former_category EXPLOIT_KIT, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Possible Java Payload Download"; flow:to_server,established; content:".exe?"; http_uri; content:" Java/1"; http_header; fast_pattern:only; pcre:"/\.exe\?(e=)?\d+$/U"; classtype:trojan-activity; sid:2016427; rev:5; metadata:created_at 2013_02_18, former_category EXPLOIT_KIT, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64"; flow:established,to_client; file_data; content:"X19hcHBsZXRfc3N2X3ZhbGlkYXRl"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2016796; rev:4; metadata:created_at 2013_04_28, updated_at 2013_04_28;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET 
CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 2"; flow:established,to_client; file_data; content:"9fYXBwbGV0X3Nzdl92YWxpZGF0"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2016817; rev:3; metadata:created_at 2013_05_03, updated_at 2013_05_03;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 3"; flow:established,to_client; file_data; content:"fX2FwcGxldF9zc3ZfdmFsaWRhdGVk"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2016818; rev:3; metadata:created_at 2013_05_03, updated_at 2013_05_03;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Dotka Chef EK exploit/payload URI request"; flow:to_server,established; content:"?f="; http_uri; content:"&k="; http_uri; pcre:"/&k=\d{16}(&|$)/U"; content:"Java/1"; http_header; classtype:trojan-activity; sid:2017020; rev:10; metadata:created_at 2013_06_14, updated_at 2013_06_14;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Payload Download (5)"; flow:established,to_server; content:".txt?e="; http_uri; nocase; fast_pattern:only; content:!"Referer|3a| "; http_header; pcre:"/\.txt\?e=\d+(&[fh]=\d+)?$/U"; classtype:trojan-activity; sid:2016414; rev:7; metadata:created_at 2013_02_16, former_category EXPLOIT_KIT, updated_at 2020_09_18;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Neutrino Exploit Kit Redirector To Landing Page"; flow:established,to_server; content:"/?wps="; http_uri; fast_pattern:only; pcre:"/^\x2F\x3Fwps\x3D[0-9]$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/06/knockin-on-neutrino-exploit-kits-door.html; classtype:trojan-activity; sid:2017068; rev:1; 
metadata:created_at 2013_06_26, former_category EXPLOIT_KIT, updated_at 2020_09_18;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Neutrino Exploit Kit Clicker.php TDS"; flow:established,to_server; content:"/clicker.php"; http_uri; fast_pattern:only; pcre:"/^\x2Fclicker\x2Ephp$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/06/knockin-on-neutrino-exploit-kits-door.html; classtype:trojan-activity; sid:2017069; rev:1; metadata:created_at 2013_06_26, former_category EXPLOIT_KIT, updated_at 2019_10_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Applet tag in jjencode as (as seen in Dotka Chef EK)"; flow:established,from_server; file_data; content:",$$$$|3a|(![]+|22 22|)"; fast_pattern:only; content:"<|22|+"; pcre:"/^(?P<var>.{1,10})\.\$\_\$\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\$\$\_\+(?P=var)\.\_\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\$\$\_\+(?P=var)\.\_\_\_\+\(\!\[\]\+\x22\x22\)\[(?P=var)\.\_\$\_\]\+(?P=var)\.\$\$\$\_\+(?P=var)\.\_\_\+/R"; classtype:trojan-activity; sid:2017070; rev:1; metadata:created_at 2013_06_27, updated_at 2019_10_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool Exploit Kit iframe with obfuscated Java version check Jun 26 2013"; flow:established,from_server; file_data; content:""; within:500; content:!"|0d|"; within:500; pcre:"/^\s*[^>]*?[a-zA-Z]+\s*?=\s*?[\x22\x27](?=[a-z]{0,20}[A-Z])(?=[A-Z]{0,20}[a-z])[A-Za-z]{15,21}[\x22\x27][^>]*?>(?=[A-Za-z_]{0,200}[0-9])(?=[0-9a-z_]{0,200}[A-Z])(?=[0-9A-Z_]{0,200}[a-z])[A-Za-z0-9_]{200}/R"; classtype:trojan-activity; sid:2020975; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_23, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS 
CottonCastle/Niteris EK Landing April 29 2015"; flow:established,from_server; file_data; content:"lortnoCgA.lortnoCgA"; content:"reverse"; classtype:trojan-activity; sid:2021039; rev:1; metadata:created_at 2015_04_29, updated_at 2015_04_29;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK SWF Exploit April 30 2015"; flow:established,from_server; content:"Content-Type|3a| application/x-shockwave-flash|0d 0a|"; http_header; fast_pattern:25,20; file_data; content:"ZWS"; within:3; flowbits:isset,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021043; rev:1; metadata:created_at 2015_04_30, updated_at 2015_04_30;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK SWF Exploit April 30 2015"; flow:established,from_server; content:"Content-Type|3a| application/x-shockwave-flash|0d 0a|"; http_header; fast_pattern:25,20; file_data; content:"CWS"; within:3; flowbits:isset,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021044; rev:1; metadata:created_at 2015_04_30, updated_at 2015_04_30;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK SilverLight Exploit April 30 2015"; flow:established,from_server; file_data; content:"AppManifest.xaml"; fast_pattern:only; flowbits:isset,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021045; rev:1; metadata:created_at 2015_04_30, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing URI Struct April 29 2015 M2"; flow:established,to_server; content:"GET "; depth:4; content:"/5/"; distance:0; content:"/"; distance:32; within:1; content:"http%3A%2F%2F"; within:17; content:"|20|HTTP/1."; distance:0; content:"|0d 0a|"; distance:1; within:2; pcre:"/^GET [^\s]*?\/5\/[a-f0-9]{32}\/%20http%3A%2F%2F/i"; classtype:trojan-activity; sid:2021034; rev:2; metadata:created_at 2015_04_29, updated_at 
2015_04_29;) #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Exploit Struct April 30 2015"; flow:established,to_server; content:"GET "; depth:4; content:"/"; distance:2; content:"|20|HTTP/1."; distance:0; content:"|0d 0a|"; distance:1; within:2; pcre:"/^GET [^\s]*?\/\d\/[A-Z]+\/[a-f0-9]{32}\/[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\/? HTTP\/1\.[01]\r\n/"; content:"/%20http%3A%2F"; distance:0; fast_pattern; flowbits:set,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021042; rev:4; metadata:created_at 2015_04_30, updated_at 2019_10_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing Page May 01 2015"; flow:from_server,established; file_data; content:"CM|3a 20|u.indexOf(|27|NT 5.1|27|) > -1"; content:"PS|3a 20|u.indexOf(|27|NT 6.|27|) > -1"; classtype:trojan-activity; sid:2021046; rev:1; metadata:created_at 2015_05_01, updated_at 2015_05_01;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Secondary Landing Page May 01 2015 M1"; flow:from_server,established; file_data; content:"FlashVars"; content:"sh=Y21kIC9jIGVjaG8g"; classtype:trojan-activity; sid:2021047; rev:1; metadata:created_at 2015_05_01, updated_at 2015_05_01;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Secondary Landing Page May 01 2015 M2"; flow:from_server,established; file_data; content:"FlashVars"; content:"sh=cG93ZXJzaGVsbC5leGUg"; classtype:trojan-activity; sid:2021048; rev:1; metadata:created_at 2015_05_01, updated_at 2015_05_01;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK IE Exploit Apr 23 2015"; flow:established,from_server; file_data; content:"some"; fast_pattern:only; content:"<style>"; content:"|5c 3a|*{display|3a|inline-block|3b|behavior|3a|url(#default#VML)|3b|}</style>"; distance:3; within:65; classtype:trojan-activity; sid:2020980; rev:2; 
metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Landing Apr 23 2015"; flow:established,from_server; file_data; content:"=window|3b|"; fast_pattern:only; content:"String.fromCharCode"; content:"|28 2f|Win64|3b 2f|i,"; nocase; content:"function"; pcre:"/^\s*?[^\x28\s]*?\x28\s*?(?P<a1>[^\s,\x29]+)\s*?,\s*?(?P<a2>[^\s,\x29]+)\s*?\x29\{[^\r\n]*?[\+=]String.fromCharCode\((?P=a2)\)[^\r\n]*?\}/Rs"; classtype:trojan-activity; sid:2020979; rev:2; metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2019_10_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Java Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".jar"; http_header; fast_pattern:only; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.jar\r\n/Hm"; file_data; content:"PK"; within:2; classtype:trojan-activity; sid:2020983; rev:2; metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Flash Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".swf"; http_header; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.swf\r\n/Hm"; file_data; content:"WS"; within:3; classtype:trojan-activity; sid:2020981; rev:2; metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2020_05_21;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK SilverLight Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".xap"; http_header; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.xap\r\n/Hm"; file_data; 
content:"AppManifest.xaml"; fast_pattern:only; classtype:trojan-activity; sid:2020982; rev:2; metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2019_10_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK Flash Payload ShellCode Apr 23 2015"; flow:established,from_server; file_data; content:"urlmon.dll|00|http|3a 2f|"; pcre:"/^\x2f+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x2f\??[a-f0-9]+\x7chttp\x3a\x2f/Rs"; classtype:trojan-activity; sid:2021054; rev:1; metadata:created_at 2015_05_04, former_category EXPLOIT_KIT, updated_at 2015_05_04;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Trojan Multi-part Macro Download M1"; flow:established,from_server; file_data; content:"PAB0AGUAeAB0ADEAMAA+ACQA"; within:24; classtype:trojan-activity; sid:2020911; rev:3; metadata:created_at 2015_04_14, updated_at 2015_04_14;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack URI Format June 17 2013 3"; flow:established,to_server; content:".php?hash="; http_uri; fast_pattern:only; pcre:"/\/(?:java(?:byte|db)|o(?:utput|ther)|r(?:hino|otat)|msie\d|load)\.php\?hash=/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:trojan-activity; sid:2017024; rev:3; metadata:created_at 2013_06_17, former_category CURRENT_EVENTS, updated_at 2013_06_17;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download file with BITS via LNK file (Likely Malicious)"; flow:established,from_server; file_data; content:"|4c 00 00 00|"; within:4; content:"|00|b|00|i|00|t|00|s|00|a|00|d|00|m|00|i|00|n|00|"; nocase; content:"|00|t|00|r|00|a|00|n|00|s|00|f|00|e|00|r|00|"; nocase; classtype:trojan-activity; sid:2021092; rev:1; metadata:created_at 2015_05_13, updated_at 2015_05_13;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dridex Remote Macro Download"; 
flow:established,from_server; file_data; content:"(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80)"; nocase; classtype:trojan-activity; sid:2021093; rev:1; metadata:created_at 2015_05_13, former_category CURRENT_EVENTS, updated_at 2015_05_13;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNSChanger EK Landing May 12 2015"; flow:established,from_server; file_data; content:"<input type=|22|hidden|22| id=|22|myip|22|>"; nocase; fast_pattern:11,20; content:"CryptoJSAesJson"; nocase; classtype:trojan-activity; sid:2021090; rev:3; metadata:created_at 2015_05_12, updated_at 2015_05_12;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNSChanger EK Secondary Landing May 12 2015 M2"; flow:established,from_server; file_data; content:"&|22|+DetectRTC.isWebSocketsSupported+|22|&|22|+"; nocase; content:"CryptoJSAesJson"; nocase; classtype:trojan-activity; sid:2021110; rev:1; metadata:created_at 2015_05_16, updated_at 2015_05_16;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown EK Landing May 21 2015 M1"; flow:from_server,established; file_data; content:"|3c 21 2d 2d 20 53 45 45 44 3a|"; nocase; fast_pattern:only; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; classtype:trojan-activity; sid:2021136; rev:1; metadata:created_at 2015_05_21, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DNSChanger EK Landing URI Struct May 22 2015"; 
flow:to_server,established; content:"/stat/load"; http_uri; fast_pattern:only; content:".php"; http_uri; pcre:"/^GET\s*?\/stat\/load(?=(?-i)[a-z0-9]*?[A-Z])(?=(?-i)[A-Z0-9]*?[a-z])(?P<hname>[a-z0-9]+)\.php\s.+?Host\x3a\x20(?P=hname)\./smi"; classtype:trojan-activity; sid:2021141; rev:1; metadata:created_at 2015_05_22, updated_at 2020_02_10;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil JS iframe Embedded In GIF"; flow:established,from_server; file_data; content:"GIF89a="; nocase; within:8; content:"|3b|url="; nocase; distance:0; content:"iframe"; nocase; distance:0; content:"|3b|tail="; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2021156; rev:1; metadata:created_at 2015_05_28, updated_at 2015_05_28;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS KaiXin Secondary Landing Page"; flow:to_server,established; content:"/main.html"; http_uri; fast_pattern:only; pcre:"/\/main\.html$/U"; content:"/index.html"; http_header; pcre:"/\b[a-z]{2}\d+\s*?=\s*?Yes/C"; classtype:trojan-activity; sid:2020392; rev:3; metadata:created_at 2015_02_10, updated_at 2019_10_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil JS used in Unknown EK Landing"; flow:established,from_server; file_data; content:"|74 3d 75 74 66 38 74 6f 31 36 28 78 78 74 65 61 5f 64 65 63 72 79 70 74 28 62 61 73 65 36 34 64 65 63 6f 64 65 28 74 29 2c|"; nocase; classtype:trojan-activity; sid:2021217; rev:1; metadata:created_at 2015_06_09, updated_at 2015_06_09;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS KaiXin Secondary Landing Jun 09 2015"; flow:established,to_server; content:"/main.html"; http_uri; nocase; fast_pattern:only; content:"/index.html"; http_header; nocase; content:"cck_lasttime"; http_cookie; nocase; classtype:trojan-activity; sid:2021219; rev:3; metadata:created_at 2015_06_09, updated_at 2019_10_07;) #alert tcp $EXTERNAL_NET 
$HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK June 11 2015"; flow:established,from_server; content:"javascript"; http_header; content:"nginx"; nocase; http_header; file_data; pcre:"/^\s*?/Rs"; content:"document.write|28 28 22|<iframe src=|27|"; pcre:"/^http\x3a\x2f[^\x27]+[\x27](?:\swidth=\d{1,2}\sheight=\d{1,2}\s|\sheight=\d{1,2}\swidth=\d{1,2}\s)/R"; content:"frameborder=0 marginheight=0 marginwidth=0 scrolling=no> </|22 20|+|20 22|iframe>|22 29 29 3b|"; fast_pattern:55,20; isdataat:!3,relative; classtype:trojan-activity; sid:2021249; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_11, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil JS used in Unknown EK Landing"; flow:established,from_server; file_data; content:"base64decode"; nocase; content:"xxtea_decrypt"; nocase; fast_pattern:only; content:"long2str"; nocase; content:"str2long"; nocase; classtype:trojan-activity; sid:2021218; rev:2; metadata:created_at 2015_06_09, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Landing M4"; flow:established,from_server; file_data; content:"|76 68 7a 32 7a 3d 27 27 3b 74 72 79 7b 77 69 6e 64 6f 77|"; classtype:trojan-activity; sid:2021291; rev:3; metadata:created_at 2015_06_18, updated_at 2015_06_18;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS KaiXin Secondary Landing Page"; flow:to_server,established; content:"/win.html"; http_uri; fast_pattern:only; pcre:"/\/win\.html$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+)(?:\x3a\d{1,5})?[^\r\n]*?\/(?:index.html)?\r\n.*?\r\nHost\x3a\x20(?P=refhost)[\x3a\r]/Hsi"; classtype:trojan-activity; sid:2021292; rev:1; metadata:created_at 2015_06_18, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing URI Struct April 29 2015 M1"; flow:established,to_server; content:"GET"; depth:3; content:"/%20http%3A%2F"; distance:0; nocase; fast_pattern; content:"|20|HTTP/1."; distance:0; pcre:"/^GET \/[a-z]+\/[a-z]+\/\d\/[a-f0-9]{32}(?:[a-f0-9]{8})?\/%20http%3A%2F/i"; classtype:trojan-activity; sid:2021033; rev:3; metadata:created_at 2015_04_29, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Java Exploit URI Struct April 29 2015"; flow:established,to_server; content:"GET"; depth:3; content:"|20|HTTP/1."; distance:0; content:"Java/"; distance:0; fast_pattern; pcre:"/^GET \/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?(?:\.[a-z]+)? HTTP\/1\./"; classtype:trojan-activity; sid:2021035; rev:4; metadata:created_at 2015_04_29, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Payload April 29 2015"; flow:established,to_server; content:"GET"; depth:3; content:"/5/"; distance:0; fast_pattern; content:"|20|HTTP/1."; distance:0; pcre:"/^GET \/[a-z]+\/[a-z]+\/5\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})? 
HTTP\/1\./"; content:"Referer|3a 20|"; distance:0; pcre:"/^[^\r\n]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\r/R"; classtype:trojan-activity; sid:2021037; rev:6; metadata:created_at 2015_04_29, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing URI Struct June 19 2015 M3"; flow:established,to_server; content:"GET /"; depth:5; content:"/%3Ahttp%3A%2F"; distance:0; fast_pattern; content:"|20|HTTP/1."; distance:0; pcre:"/^GET \/[a-z]+\/[a-z]+\/\d\/[a-f0-9]{32}(?:[a-f0-9]{8})?\/%3Ahttp%3A%2F/i"; classtype:trojan-activity; sid:2021305; rev:1; metadata:created_at 2015_06_19, updated_at 2019_10_07;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely CottonCastle/Niteris EK Response June 19 2015"; flow:established,from_server; content:"HTTP/1."; depth:7; content:"|3b 20|url"; distance:0; content:"/999/00000/|0d 0a|"; distance:0; fast_pattern; content:"Refresh|3a 20|"; pcre:"/^\d+\x3b\x20url[^\r\n]+\/999\/00000\/\r?$/Rm"; classtype:trojan-activity; sid:2021306; rev:1; metadata:created_at 2015_06_19, updated_at 2015_06_19;) #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Payload June 19 2015"; flow:established,to_server; content:"|20 2f|"; offset:3; depth:3; content:"/4/"; fast_pattern:only; pcre:"/^(?:GET|POST) \/[a-z]+\/[a-z]+\/4\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})? 
HTTP\/1\./"; content:"Referer|3a 20|"; distance:0; pcre:"/^[^\r\n]+\/4\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\r?$/Rm"; classtype:trojan-activity; sid:2021308; rev:1; metadata:created_at 2015_06_19, updated_at 2019_10_07;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing June 19 2015"; flow:established,from_server; content:"HTTP/1."; depth:7; content:"|0d 0a 0d 0a|"; distance:0; content:"ScriptEngineMajorVersion"; distance:0; content:"ScriptEngineMinorVersion"; nocase; content:"ScriptEngineBuildVersion"; nocase; content:"javafx_version"; nocase; content:"ip"; pcre:"/^\s*?=\s*?[\x22\x27]8\.8\.8\.8[\x22\x27]/Rsi"; content:"8.8.8.8"; fast_pattern:only; classtype:trojan-activity; sid:2021310; rev:1; metadata:created_at 2015_06_19, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Malicious wininet UA Downloading EXE"; flow:established,from_server; flowbits:isset,ET.wininet.UA; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2021312; rev:1; metadata:created_at 2015_06_19, updated_at 2015_06_19;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious JS Observed in Unknown EK Landing"; flow:established,from_server; file_data; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 58 4f 52 28 75 6e 65 73 63 61 70 65 28 73 74 72 48 54 4d 4c 29|"; nocase; classtype:trojan-activity; sid:2021313; rev:1; metadata:created_at 2015_06_19, updated_at 2015_06_19;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Secondary Landing Page June 22 2015"; flow:established,from_server; file_data; content:"return binary_to_base64|28|"; content:"return "; 
pcre:"/^\s*?[\x22\x27][^\x22\x27a-f0-9]68[^\x22\x27a-f0-9]74[^\x22\x27a-f0-9]74[^\x22\x27a-f0-9]70[^\x22\x27a-f0-9]3a[^\x22\x27a-f0-9]2f[^\x22\x27a-f0-9]2f[^\x22\x27]+?[^\x22\x27a-f0-9]00[\x22\x27]/Ri"; classtype:trojan-activity; sid:2021320; rev:1; metadata:created_at 2015_06_22, updated_at 2015_06_22;) #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK POST Beacon April 29 2015"; flow:established,to_server; content:"POST"; depth:4; content:"0/"; distance:0; content:"|20|HTTP/1."; distance:0; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; distance:0; fast_pattern:21,20; content:"%"; distance:0; pcre:"/^POST \/[a-z]+\/[a-z]+\//"; content:"|0d 0a 0d 0a|"; pcre:"/^-?\d+=(?:[a-zA-Z0-9]|%[A-F0-9]{2}){2}(?P<var1>(?:[a-zA-Z0-9]|%[A-F0-9]{2}))(?:[a-zA-Z0-9]|%[A-F0-9]{2}){6}(?P<var2>(?:[a-zA-Z0-9]|%[A-F0-9]{2}))(?:[a-zA-Z0-9]|%[A-F0-9]{2}){2}(?P=var2)(?:[a-zA-Z0-9]|%[A-F0-9]{2}){4}(?P=var1)/R"; classtype:trojan-activity; sid:2021038; rev:5; metadata:created_at 2015_04_29, updated_at 2015_04_29;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown EK Landing May 21 2015 M2"; flow:from_server,established; file_data; content:"|5e 23 7e 40|"; nocase; fast_pattern:only; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2021137; rev:2; metadata:created_at 2015_05_21, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS suspicious VBE-encoded script (seen in Sundown EK)"; flow:established,from_server; file_data; 
content:"Script.Encode"; content:"<!--"; within:8; content:"#@~"; within:5; flowbits:set,et.exploitkitlanding; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2021169; rev:2; metadata:created_at 2015_05_29, updated_at 2015_05_29;) alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Elasticsearch CVE-2015-1427 Exploit Campaign SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 08|"; distance:0; content:"|06|hacked"; distance:1; within:7; content:"|01 09 01|"; distance:0; content:"|10|hackking@126.com"; distance:1; within:17; reference:url,blog.malwaremustdie.org/2015/06/mmd-0034-2015-new-elf.html; classtype:trojan-activity; sid:2021351; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_06_25, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Magnitude CVE-2015-3113 Jun 29 2015 M1"; flow:established,to_server; urilen:10; content:"/video.flv"; nocase; http_uri; fast_pattern:only; pcre:"/Referer\x3a\x20http\x3a\x2f+?(?:[\x2eg-z]*[a-f0-9][\x2eg-z]*){32}\.[^\x2f\r\n]*?\x2f+\[\[DYNAMIC\]\]\x2f\d*?\r\n?/H"; pcre:"/Host\x3a\x20(?:[\x2eg-z]*[a-f0-9][\x2eg-z]*){32}\./H"; classtype:trojan-activity; sid:2021364; rev:1; metadata:created_at 2015_06_29, former_category EXPLOIT_KIT, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NullHole EK Landing URI struct"; flow:established,to_server; content:"/e.html"; http_uri; fast_pattern:only; pcre:"/\/e\.html$/U"; content:"nhweb="; http_cookie; classtype:trojan-activity; sid:2021373; rev:1; metadata:created_at 2015_07_01, updated_at 2019_10_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 02"; flow:established,from_server; file_data; content:"|2e 73 70 6c 69 74 28 22 22 29 2e 72 65 76 65 72 73 65 
28 29 2e 6a 6f 69 6e 28 22 22 29 2e 73 70 6c 69 74 28 22 22 29 2e 72 65 76 65 72 73 65 28 29 2e 6a 6f 69 6e 28 22 22 29 5d 2e 62 6f 72 64 65 72 20 3d 20 22 6e 6f 6e 65 22 3b|"; fast_pattern:46,20; content:" +="; pcre:"/^\s+\d{1,2}\x3b\s+else\s+(?P<var>[a-z]+)\s+\-=\s+\d{1,2}\x3b\s+return\s+[a-z]+\.charAt\x28(?P=var)\/\d{1,2}\x29\x7d/R"; classtype:trojan-activity; sid:2021374; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_02, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 08"; flow:established,from_server; file_data; content:"></script><!--|2f|"; fast_pattern:only; content:"<!--"; pcre:"/^(?P<var>[a-f0-9]{6})-->\s*?<script\s*?type=[\x22\x27]text\/javascript[\x22\x27]\s*?src=[\x22\x27]http\x3a\x2f[^\x22\x27]*?\/[a-z\d]{8}\.php\?id=\d+[\x22\x27]\s*?><\/script><!--\/(?P=var)-->/Rs"; classtype:trojan-activity; sid:2021394; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_09, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Targeted Attack from APT Actor Delivering HT SWF Exploit RIP"; flow:established,from_server; file_data; content:"|67 5f 6f 3d 69 65 56 65 72 73 69 6f 6e 28 29 3b|"; nocase; fast_pattern:only; content:"|67 65 74 42 69 74 73 28 29 3b|"; nocase; content:"var "; pcre:"/^\s*?(?P<var>[^=\s\x3b]+)\s*?=\s*?getBits\(\s*?\)\x3b.+?flashvars\s*?=\s*?\x5c\x22(?P=var)\s*?=\s*?\x22\s*?\+\s*?(?P=var)\s*?\+\s*?\x22\x5c\x22/Rsi"; classtype:trojan-activity; sid:2021405; rev:4; metadata:created_at 2015_07_13, former_category CURRENT_EVENTS, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HanJuan EK Current Campaign Landing URI Struct Jul 10 2015"; 
flow:established,to_server; urilen:>13; content:!"/"; offset:1; http_uri; content:".asp"; http_uri; pcre:"/^\/[A-Za-z\d]+\-[A-Za-z\d]+\-[A-Za-z\d]+\-[A-Za-z\d]+\-[A-Za-z\d]+\.asp/U"; pcre:"/[a-z].*?[a-z]/U"; pcre:"/[A-Z].*?[A-Z]/U"; pcre:"/\d.*?\d/U"; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\r$|\x3a)/Hm"; content:!"Cookie|3a|"; classtype:trojan-activity; sid:2021407; rev:3; metadata:created_at 2015_07_13, updated_at 2020_02_21;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Suspicious SWF filename movie(dot)swf in doc root"; flow:established,to_server; urilen:10; content:"/movie.swf"; fast_pattern:only; http_uri; classtype:trojan-activity; sid:2021414; rev:2; metadata:created_at 2015_07_15, former_category CURRENT_EVENTS, updated_at 2019_10_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible IE MSMXL Detection of Local DLL (Likely Malicious)"; flow:established,from_server; file_data; content:"res|3a|"; nocase; content:"loadXML"; nocase; content:"parseError"; nocase; content:"errorCode"; nocase; content:"-2147023083"; fast_pattern:only; content:".dll"; classtype:trojan-activity; sid:2021429; rev:2; metadata:created_at 2015_07_15, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 17"; flow:to_server,established; content:"fare="; http_uri; nocase; content:".asp?"; http_uri; nocase; content:".pw|0d 0a|"; http_header; nocase; fast_pattern:only; pcre:"/[&?]fare=/Ui"; pcre:"/[&?]c=/Ui"; pcre:"/[&?]t=[a-f0-9]{32}(?:&|$)/Ui"; classtype:trojan-activity; sid:2021435; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_17, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NullHole URI Struct Jul 22 2015 M2"; flow:established,to_server; urilen:40; 
content:"/e.html"; http_uri; offset:33; depth:7; pcre:"/^\/[a-f0-9]{32}\/e\.html$/U"; classtype:trojan-activity; sid:2021507; rev:1; metadata:created_at 2015_07_22, updated_at 2015_07_22;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NullHole URI Struct Jul 22 2015 M3"; flow:established,from_server; content:"302"; http_stat_code; content:"/e.html"; http_header; fast_pattern:only; pcre:"/^Location\x3a\x20[a-f0-9]{32}\/e\.html\r$/Hm"; content:"Set-Cookie|3a|"; classtype:trojan-activity; sid:2021508; rev:1; metadata:created_at 2015_07_22, former_category CURRENT_EVENTS, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK URI Struct April 29 2015"; flow:established,to_server; content:"|20|/"; offset:3; depth:3; content:"/5/"; fast_pattern; distance:0; content:"HTTP/1."; distance:0; content:"|0d 0a|"; distance:1; within:2; pcre:"/^[A-Z]{3,4} [^\s]*?\/5\/[A-Z]{3,}\/[a-f0-9]{32}(?:\.[^\x2f]+|\/[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\/?|\/\d+\/?)? 
HTTP\/1\.[01]\r\n/"; classtype:trojan-activity; sid:2021036; rev:5; metadata:created_at 2015_04_29, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Tsukuba Banker Edwards Packed proxy.pac"; flow:established,to_client; file_data; content:"eval(function(p,a,c"; content:"|7C|FindProxyForURL|7C|"; nocase; content:"|7c|proxy|7c|"; nocase; content:"|7c|credicard|7c|"; nocase; reference:url,securityintelligence.com/tsukuba-banking-trojan-phishing-in-japanese-waters; classtype:trojan-activity; sid:2020623; rev:2; metadata:created_at 2015_03_05, updated_at 2015_03_05;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Possible Goon/Infinity/Magnitude EK SilverLight Exploit"; flow:established,to_server; content:".xap"; nocase; fast_pattern:only; http_uri; pcre:"/\/\d{2,}\.xap$/Ui"; classtype:trojan-activity; sid:2018402; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_04_21, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS ScanBox Jun 06 2015 M1 T1"; flow:established,from_server; file_data; content:"_=window|3b|"; nocase; fast_pattern:only; content:"var "; nocase; pcre:"/^\s*?[$_]+w[$_]+i[$_]+=window\x3b/Rsi"; content:"function "; pcre:"/^\s*?[_$]+\x28\x29/Rsi"; classtype:trojan-activity; sid:2021542; rev:1; metadata:created_at 2015_07_28, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS ScanBox Jun 06 2015 M2 T1"; flow:established,from_server; file_data; content:"$=window|3b|"; nocase; fast_pattern:only; content:"var "; nocase; pcre:"/^\s*?[$_]+w[$_]+i[$_]+=window\x3b/Rsi"; content:"function "; pcre:"/^\s*?[_$]+\x28\x29/Rsi"; classtype:trojan-activity; sid:2021543; rev:1; metadata:created_at 2015_07_28, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET 
$HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS ScanBox Jun 06 2015 M3 T1"; flow:established,from_server; file_data; content:"|5b 28 28 32 38 29 2e 74 6f 53 74 72 69 6e 67 28 33 36 29 29 2e 74 6f 55 70 70 65 72 43 61 73 65 28 29 2b 28 34 39 39 39 32 37 34 38 29 2e 74 6f 53 74 72 69 6e 67 28 33 36 29 5d 3b|"; fast_pattern:25,20; classtype:trojan-activity; sid:2021544; rev:1; metadata:created_at 2015_07_28, updated_at 2015_07_28;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malicious Redirect 8x8 script tag URI struct"; flow:established,to_server; content:".php?id="; http_uri; fast_pattern:only; pcre:"/\/(?=[a-zA-Z\d]{0,6}[a-z][A-Z])[A-Za-z\d]{8}\.php\?id=\d{6,9}$/U"; classtype:trojan-activity; sid:2021552; rev:1; metadata:created_at 2015_07_30, updated_at 2019_10_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - PDF Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".pdf"; http_header; pcre:"/=\w{8}\.pdf/Hi"; content:"|0D 0A 0D 0A|%PDF"; fast_pattern; content:"/Filter/FlateDecode"; classtype:trojan-activity; sid:2014914; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_15, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 29"; flow:to_server,established; urilen:214; content:"Lzc1MTZmZDQzYWRhYTVl"; http_uri; fast_pattern; content:"=="; distance:54; http_uri; pcre:"/Host\x3a\x20a[a-z]{10}\.[a-z]{5}\./H"; classtype:trojan-activity; sid:2021559; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_30, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;) #alert tcp $HOME_NET any 
-> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Malvertising Redirection to Exploit Kit Aug 07 2014"; flow:established,to_server; content:".js?ver="; http_uri; fast_pattern:only; pcre:"/\.js\?ver=[0-9]\.[0-9]{2}\.[0-9]{4}$/U"; classtype:trojan-activity; sid:2018909; rev:3; metadata:created_at 2014_08_07, former_category EXPLOIT_KIT, updated_at 2014_08_07;) #alert tcp $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert (non-ASCII) Jul 21 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/Rs"; content:!"|06 03 55 04 0b|"; distance:0; content:"|06 03 55 04 07 0c|"; within:10; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])/Rs"; content:"|06 03 55 04 0a 0c|"; distance:0; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])/Rs"; content:"|06 03 55 04 03 0c|"; distance:0; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])(?P<var>.{10,120}?[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021586; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HT SWF Exploit RIP"; flow:established,from_server; file_data; content:"<!-- saved from url=(0014)about|3a|internet -->"; content:"getEnvInfo"; content:"getPlatform"; content:"<embed"; pcre:"/^(?=[^>]*?\ssrc\s*?=\s*?[\x22\x27][^\x22\x27]*?\.swf[\x22\x27])(?=[^>]*?\swidth\s*?=\s*?[\x22\x27]0[\x22\x27])[^>]*?\sheight\s*?=\s*?[\x22\x27]0[\x22\x27]/Ri"; 
classtype:trojan-activity; sid:2021595; rev:1; metadata:created_at 2015_08_04, updated_at 2015_08_04;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Dridex Downloader SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 92 14 63 ad 72 a8 8a 36|"; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0d|Casino Royale"; distance:1; within:14; classtype:trojan-activity; sid:2021615; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_08_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear EK Exploit URI Struct Aug 12"; flow:to_server,established; urilen:>100; content:!"|20|"; http_uri; content:!"+"; http_uri; content:!"_"; http_uri; content:!"-"; http_uri; content:"search?q="; http_header; fast_pattern:only; pcre:"/\/(?:[^?]+\?)(?=[A-Z&=\d]*?[a-z])(?=[a-zA-Z\d&=]*?[A-Za-z=&]\d[A-Za-z])(?=[a-zA-Z\d&=]*?[a-z\d][A-Z][A-Za-z\d])[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+[&=A-Za-z0-9]*?$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?!www\.)(?P<refhost>[^\x3a\x2f\r\n]+)[^\r\n]*?\/search\?q=(?=[A-Z&=\d]*?[a-z])(?=[a-zA-Z\d&=]*?[A-Za-z=&]\d[A-Za-z])(?=[a-zA-Z\d&=]*?[a-z\d][A-Z][A-Za-z\d])[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+[&=A-Za-z0-9]*?\r\n.*?Host\x3a\x20(?P=refhost)/Hsi"; pcre:!"/^Host\x3a\x20(?:[^\r\n]+\.)?(?:ya(?:ndex|hoo)|google|bing)\.(?:com?)?(?:\.[a-z]{2})?(:?\x3a\d{1,5})?\r$/Hmi"; content:!"Cookie|3a 20|"; flowbits:set,NuclearEK; classtype:trojan-activity; sid:2021620; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_08_12, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, 
updated_at 2019_10_07;) #alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Secondary Landing Aug 17 2015"; flow:established,from_server; content:"fromCharCode"; nocase; content:"charCodeAt"; nocase; content:"fontFamily"; nocase; content:"style"; nocase; content:"language"; nocase; pcre:"/^\s*?=\s*?[\x22\x27]vb[\x22\x27]/Rsi"; content:"^"; pcre:"/^\s*?\w+\s*?\.\s*?charCodeAt/Rsi"; content:"decodeURIComponent"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2021637; rev:1; metadata:created_at 2015_08_17, updated_at 2019_10_07;) #alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing Aug 17 2015"; flow:established,from_server; content:"ScriptEngineMajorVersion"; nocase; content:"ScriptEngineMinorVersion"; nocase; content:"ScriptEngineBuildVersion"; nocase; fast_pattern; content:"d27cdb6e-ae6d-11cf-96b8-444553540000"; nocase; classtype:trojan-activity; sid:2021638; rev:1; metadata:created_at 2015_08_17, former_category CURRENT_EVENTS, updated_at 2018_04_03;) #alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Secondary Landing URI Struct Aug 17 2015"; flow:established,to_server; content:"GET /"; depth:5; content:".html&"; distance:0; fast_pattern; content:"/"; distance:-47; content:"HTTP/1."; distance:0; pcre:"/^GET (?:\/[^\x2f]+){0,3}?\/\d\/?[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\.html&[a-z]+=[^&]+&[a-z]+=\d{3}\.\d{3}\.\d{3,}(?:\.\d{3,})? 
HTTP\/1\./"; classtype:trojan-activity; sid:2021639; rev:1; metadata:created_at 2015_08_17, updated_at 2015_08_17;) #alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Exploit URI Struct Aug 17 2015"; flow:established,to_server; content:"GET /"; depth:5; content:"HTTP/1."; content:"|0d 0a|"; distance:1; within:2; content:"Referer|3a|"; distance:0; content:"|3a|443/"; distance:0; fast_pattern; pcre:"/^GET (?:\/[^\x2f]+){0,3}?\/\d\/?[A-Z]+\/[a-f0-9]{40}\/ HTTP\/1\./"; flowbits:set,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021640; rev:1; metadata:created_at 2015_08_17, updated_at 2015_08_17;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible TDS Redirecting to EK Aug 19 2015"; flow:established,from_server; file_data; content:"|27|ad|27|+|27|dEv|27|+|27|entListe|27|+|27|ner|27|"; content:"|27|att|27|+|27|achEve|27|+|27|nt|27|"; content:"|27|DOMCo|27|+|27|ntentL|27|+|27|oad|27|+|27|ed|27|"; classtype:trojan-activity; sid:2021696; rev:1; metadata:created_at 2015_08_19, updated_at 2015_08_19;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Magnitude EK Landing URI Struct Aug 21 2015"; flow:established,to_server; urilen:33<>67; content:"/?"; http_uri; depth:2; content:".pw|0d 0a|"; http_header; fast_pattern:only; pcre:"/^\/\?[a-f0-9]{32,64}$/U"; classtype:trojan-activity; sid:2021698; rev:1; metadata:created_at 2015_08_21, former_category EXPLOIT_KIT, updated_at 2019_10_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK Landing Aug 21 2015"; flow:established,from_server; file_data; content:"/x-silverlight-2"; nocase; fast_pattern:only; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][a-z]+\.xap[\x22\x27]/Rs"; content:"/x-shockwave-flash"; nocase; content:!".swf"; nocase; content:"<div"; pcre:"/^[^>]*?id\s*?=[\x22\x27][a-z0-9]+[\x22\x27][^>]*?>\s*?[\x2a\d]{100}/R"; classtype:trojan-activity; 
sid:2021699; rev:1; metadata:created_at 2015_08_21, former_category EXPLOIT_KIT, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Magnitude Flash Exploit (IE) M2"; flow:established,to_server; urilen:<70; content:!".swf"; nocase; http_uri; content:"x-flash-version"; http_header; fast_pattern:only; pcre:"/^\/(?:\??[a-f0-9]{32,64}\/?)?$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<dl1>[^\x2e\r\n]+)\x2e[^\x2f\r\n]*?(?P<dl2>\x2e[^\x2e\r\n\x2f]+\x2e[^\x2e\x2f\r\n]+)\x2f(?:\??[a-f0-9]{32,64}\/?)?\r\n.*?Host\x3a\x20(?!(?P=dl1))[^\r\n]*?(?P=dl2)\r\n/Hsm"; classtype:trojan-activity; sid:2020895; rev:5; metadata:created_at 2015_04_11, former_category EXPLOIT_KIT, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HT SWF Exploit RIP M2"; flow:established,from_server; file_data; content:"<!-- saved from url=(0014)about|3a|internet -->"; content:"return navigator.appName"; content:"return navigator.platform|3b|"; content:"clsid|3a|D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; classtype:trojan-activity; sid:2021710; rev:1; metadata:created_at 2015_08_24, updated_at 2015_08_24;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude/Hunter EK IE Exploit Aug 23 2015"; flow:from_server,established; file_data; content:"|22 3a 22 4d 4f 56 20 5b 45 43 58 2b 30 43 5d 2c 45 41 58 22|"; fast_pattern; content:"|22 3a 22 76 69 72 74 75 61 6c 70 72 6f 74 65 63 74 22|"; classtype:trojan-activity; sid:2021707; rev:2; metadata:created_at 2015_08_24, former_category EXPLOIT_KIT, updated_at 2015_08_24;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS PawnStorm Java Class Stage 1 M1 Aug 28 2015"; flow:established,from_server; file_data; content:"|01 00 08 47 4f 47 4f 47 4f 47 4f|"; content:"|01 00 0c 6a 61 76 61 2f 6e 65 74 2f 55 52 4c|"; content:"|01 00 0f 53 74 61 72 74 69 6e 67 20 41 70 70 6c 65 74|"; classtype:trojan-activity; 
sid:2021726; rev:1; metadata:created_at 2015_08_28, former_category CURRENT_EVENTS, updated_at 2015_08_28;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS PawnStorm Java Class Stage 2 M1 Aug 28 2015"; flow:established,from_server; file_data; content:"|01 00 0e 4c 50 68 61 6e 74 6f 6d 53 75 70 65 72 3b|"; fast_pattern; content:"|01 00 32 4c 6a 61 76 61 2f 75 74 69 6c 2f 63 6f 6e 63 75 72 72 65 6e 74 2f 61 74 6f 6d 69 63 2f 41 74 6f 6d 69 63 52 65 66 65 72 65 6e 63 65 41 72 72 61 79 3b|"; classtype:trojan-activity; sid:2021727; rev:1; metadata:created_at 2015_08_28, former_category CURRENT_EVENTS, updated_at 2015_08_28;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS PawnStorm Java Class Stage 2 M2 Aug 28 2015"; flow:established,from_server; file_data; content:"|01 00 0a 63 6f 72 6d 61 63 2e 6d 63 72|"; classtype:trojan-activity; sid:2021728; rev:1; metadata:created_at 2015_08_28, former_category CURRENT_EVENTS, updated_at 2015_08_28;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS PawnStorm Sednit DL Aug 28 2015"; flow:established,to_server; content:"/cormac.mcr"; http_uri; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2021729; rev:1; metadata:created_at 2015_08_28, former_category CURRENT_EVENTS, updated_at 2020_06_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Aug 31 2015 T2 (BizCN)"; flow:from_server,established; file_data; content:"|3d 27 44 4f 4d 43 6f 27 2b 27 6e 74 65 6e 74 4c 27 2b 27 6f 61 64 27 2b 27 65 64 27 3b 66 6b 3d 77 69 6e 64 6f 77 3b|"; classtype:trojan-activity; sid:2021740; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_31, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RIG Landing URI Struct March 20 
2015"; flow:established,to_server; content:"/?"; http_uri; depth:2; content:"=l3S"; http_uri; fast_pattern; offset:17; depth:4; pcre:"/^\/\?[A-Za-z0-9_-]{15}=l3S/U"; classtype:trojan-activity; sid:2020722; rev:2; metadata:created_at 2015_03_20, updated_at 2020_06_01;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Double-Encoded Reverse Base64/Dean Edwards Packed JavaScript Observed in Unknown EK Feb 16 2015 b64 1 M2"; flow:established,from_server; file_data; content:"CZsUGLrxyYsEGLwhibvlGdj5WdmhCbhZXZ"; classtype:trojan-activity; sid:2020426; rev:2; metadata:created_at 2015_02_16, updated_at 2015_02_16;) #alert tcp $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Aug 31 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|55 04 08|"; distance:0; byte_test:1,>,9,1,relative; byte_test:1,<,121,1,relative; pcre:"/^.{2}[A-Z]{10,120}/R"; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|55 04 03|"; byte_extract:1,1,cnlength,relative; content:!"|2e|"; within:cnlength; content:"|55 04 0b|"; distance:0; content:"|2a 86 48 86 f7 0d 01 09 01|"; fast_pattern; distance:0; pcre:"/^.{2}[a-z]+@[a-z]+\.com[01]/R"; reference:md5,26e83fa8b2f3eccfe975cd451933ae63; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021736; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Aug 31 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; 
distance:0; pcre:"/^[A-Z]{2}/R"; content:"|55 04 08|"; distance:0; pcre:"/^.{2}(?P<state>[A-Z][a-z]+).*?\x55\x04\x07.{2}(?P=state)\x0a/Rsi"; content:"|55 04 0a|"; distance:0; content:"|55 04 03|"; byte_extract:1,1,cnlength,relative; content:!"|2e|"; within:cnlength; content:"|55 04 0b|"; distance:0; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; fast_pattern; pcre:"/^.{2}[a-z]+@[a-z]+\.com[01]/R"; reference:md5,26e83fa8b2f3eccfe975cd451933ae63; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021735; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful DHL Account Phish 2015-11-03"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"fullname="; fast_pattern; depth:9; http_client_body; nocase; content:"&address="; http_client_body; nocase; distance:0; content:"&phonenumber="; http_client_body; nocase; distance:0; content:"&postcode="; http_client_body; nocase; distance:0; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2029653; rev:1; metadata:created_at 2015_09_03, former_category PHISHING, updated_at 2020_03_19;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Google Drive Phishing Landing Sept 3"; flow:established,from_server; file_data; content:"<title>Google Drive"; fast_pattern:7,20; content:"For security reasons"; distance:0; content:"access shared files and folders"; distance:0; content:"select your email provider below"; distance:0; content:"-- Select your email provider --"; distance:0; content:"G Mail"; distance:0; content:"Others"; distance:0; content:"Email:"; distance:0; content:"Password:"; distance:0; classtype:trojan-activity; sid:2025004; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_09, 
deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_11_16;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Receiving Payload May 7 2015"; flow:established,from_server; content:"HTTP/1."; depth:7; content:"Content-Type|3a 20|application/postscript|0d 0a|"; fast_pattern:18,20; content:"Cache-Control|3a 20|no-cache,no-store,max-age=0,must-revalidate|0d 0a|"; content:"Content-Disposition|3a 20|inline|3b| filename="; pcre:"/^[a-z]{10}\.[a-z]{3}\r\n\r\n/R"; classtype:trojan-activity; sid:2021064; rev:2; metadata:created_at 2015_05_07, updated_at 2015_05_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Spartan EK Secondary Flash Exploit DL"; flow:established,from_server; content:"|43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 69 6e 6c 69 6e 65 3b 20 66 69 6c 65 6e 61 6d 65 3d 0d 0a|"; fast_pattern:18,20; http_header; file_data; content:"|3c 74 6f 70 70 69 6e 67 73 3e|"; reference:url,www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=854; classtype:trojan-activity; sid:2021762; rev:1; metadata:created_at 2015_09_12, updated_at 2015_09_12;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Spartan EK Secondary Flash Exploit DL M2"; flow:established,to_server; urilen:>13; content:"GET /"; byte_test:1,>,64,0,relative; byte_test:1,<,91,0,relative; content:".xml"; http_uri; offset:11; pcre:"/^\/[A-Z](?=[a-z0-9]*?[A-Z][a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z][A-Z0-9]*?[a-z])[A-Za-z0-9]{9,}\.xml$/U"; content:"x-flash-version|3a|"; http_header; fast_pattern:only; content:".swf"; http_header; nocase; pcre:"/Referer\x3a\x20[^\r\n]*?\/[a-f0-9]{32,64}\.swf/H"; classtype:trojan-activity; sid:2021764; rev:1; metadata:created_at 2015_09_14, former_category EXPLOIT_KIT, updated_at 2019_10_07;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Malicious 
Second Stage Download URI Struct Sept 15 2015"; flow:established,to_server; urilen:>46; content:".php?rnd="; http_uri; fast_pattern:only; content:"&id="; http_uri; pcre:"/\.php\?rnd=\d+&id=[0-9A-F]{32,}$/U"; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2021786; rev:1; metadata:created_at 2015_09_16, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Malicious Second Stage Download URI Struct Sept 15 2015"; flow:established,to_server; urilen:>46; content:".php?id="; http_uri; fast_pattern:only; content:"&rnd="; http_uri; pcre:"/\.php\?id=[0-9A-F]{32,}&rnd=\d+$/U"; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2021787; rev:1; metadata:created_at 2015_09_16, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Spartan/Nuclear EK Payload"; flow:established,from_server; content:"nginx"; http_header; content:"X-Powered-By|3a|"; http_header; content:"application/octet-stream"; http_header; content:"Content-Disposition|3a 20|inline|3b 20|filename=|0d 0a|"; http_header; fast_pattern:20,20; classtype:trojan-activity; sid:2021765; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_14, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_06_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sept 25 2015"; flow:to_client,established; content:"
$EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Sep 29 2015"; flow:established,to_server; content:"GET"; http_method; content:"/snitch?default|5f|keyword="; depth:24; http_uri; fast_pattern; content:"&referrer="; http_uri; distance:0; content:"&se_referrer="; http_uri; distance:0; content:"&source="; http_uri; distance:0; reference:url,research.zscaler.com/2015/09/compromised-wordpress-campaign-spyware.html; classtype:trojan-activity; sid:2021847; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_29, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2020_06_02;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector from iframe Sep 29 2015"; flow:established,to_server; content:"GET"; http_method; content:"/in/?|5f|BC="; depth:9; http_uri; fast_pattern; pcre:"/^\/in\/\?_BC=\d+,\d+,\d+,[0-9,-]+,$/U"; content:"Referer|3a|"; http_header; content:"/snitch?default|5f|keyword="; distance:0; http_header; reference:url,research.zscaler.com/2015/09/compromised-wordpress-campaign-spyware.html; classtype:trojan-activity; sid:2021848; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_29, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading To EK Sep 30 2015"; flow:to_server,established; urilen:5; content:"/052F"; http_uri; classtype:trojan-activity; sid:2021870; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2020_06_02;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Astrum EK URI Struct"; flow:established,to_server; urilen:60<>100; content:"|2e 20|HTTP/1."; fast_pattern:only; 
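pcre:"/^\/(?=[A-Za-z_-]*?\d)(?=[a-z0-9_-]*?[A-Z])(?:[A-Za-z0-9_-]{4}){15,}(?:[[A-Za-z0-9_-]{2}\x2e?\x2e|[A-Za-z0-9_-]{3}\x2e)$/U"; classtype:trojan-activity; sid:2019176; rev:2; metadata:created_at 2014_09_15, updated_at 2019_10_07;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Likely SweetOrange EK Java Exploit Struct (JAR)"; flow:established,to_server; content:"Java/1."; http_header; fast_pattern:only; content:".jar"; http_uri; pcre:"/\/(?=[a-z0-9]{0,10}[A-Z])(?=[A-Z0-9]{0,10}[a-z])[A-Z-a-z0-9]{5,20}\.jar$/U"; classtype:trojan-activity; sid:2019542; rev:8; metadata:created_at 2014_10_28, former_category CURRENT_EVENTS, updated_at 2014_10_28;)
# Review note: the three KaiXin M5 rules below use the PCRE back-reference (?P=sep), which needs a
# matching named-group definition (?P<sep>...). The "<sep>" token had been stripped from this copy
# (it looks like an HTML tag), leaving an invalid regex that prevents the rule from loading; it is
# restored here. The M5 2 and M5 3 variants remain disabled (leading "#") as in the original.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Landing M5 1 Oct 05 2015"; flow:established,from_server; file_data; content:"str2long"; fast_pattern:only; content:"long2str"; content:"0xffffffff"; pcre:"/^(?P<sep>[^\s\x3b\x22\x27])(?=.+?(?P=sep)str2long(?P=sep)).+?(?P=sep)long2str(?P=sep)/Rs"; classtype:trojan-activity; sid:2021905; rev:1; metadata:created_at 2015_10_06, updated_at 2019_10_07;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Landing M5 2 Oct 05 2015"; flow:established,from_server; file_data; content:"str2long"; fast_pattern:only; content:"0xffffffff"; content:"long2str"; pcre:"/^(?P<sep>[^\s\x3b\x22\x27])(?=.+?(?P=sep)0xffffffff(?P=sep)).+?(?P=sep)str2long(?P=sep)/Rs"; classtype:trojan-activity; sid:2021906; rev:1; metadata:created_at 2015_10_06, updated_at 2019_10_07;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Landing M5 3 Oct 05 2015"; flow:established,from_server; file_data; content:"long2str"; fast_pattern:only; content:"0xffffffff"; content:"str2long"; pcre:"/^(?P<sep>[^\s\x3b\x22\x27])(?=.+?(?P=sep)0xffffffff(?P=sep)).+?(?P=sep)long2str(?P=sep)/Rs"; classtype:trojan-activity; sid:2021907; rev:1; metadata:created_at 2015_10_06, updated_at 2019_10_07;)
alert tcp $EXTERNAL_NET 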
$HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Landing Page Oct 05 2015"; flow:established,from_server; file_data; content:"function ckl"; content:"VIP*/"; nocase; classtype:trojan-activity; sid:2021908; rev:2; metadata:created_at 2015_10_06, updated_at 2015_10_06;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK Landing Oct 08 2015"; flow:established,from_server; file_data; content:"/x-silverlight-2"; nocase; fast_pattern:only; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][a-z\d]+\.xap[\x22\x27]/Rs"; content:"/x-shockwave-flash"; nocase; content:!".swf"; nocase; content:"]*?\sname\s*?\x3d\s*?[\x22\x27]?movie[\x22\x27]?)[^>]*?\svalue\s*?\x3d\s*?[\x22\x27][^\x22\x27]+\/(?:\??[a-f0-9]+)?[\x22\x27]/Ri"; classtype:trojan-activity; sid:2021939; rev:5; metadata:created_at 2015_10_09, former_category EXPLOIT_KIT, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Netgear Multiple Router Auth Bypass"; flow:to_server,established; content:"/BRS_netgear_success.html"; depth:25; nocase; http_uri; fast_pattern:5,20; reference:url,www.shellshocklabs.com/2015/09/part-1en-hacking-netgear-jwnr2010v5.html; classtype:attempted-admin; sid:2021944; rev:1; metadata:created_at 2015_10_12, updated_at 2020_06_02;) #alert tcp $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre/Dyre/Kegotip SSL Cert Sept 8 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|0b 30 09 06 03 55 04 06 13 02 55 53|"; distance:0; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; byte_extract:1,1,olength,relative; content:!"|2e|"; within:olength; content:!"|20|"; within:olength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; byte_test:1,>,0x40,2,relative; byte_test:1,<,0x5B,2,relative; content:"|55 04 0b|"; distance:0; 
byte_extract:1,1,oulength,relative; content:!"|2e|"; within:oulength; content:!"|20|"; within:oulength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:!"support@"; distance:0; pcre:"/^.{2}[A-Za-z][a-z]*?@[a-z]+\.com0/R"; content:".com0"; fast_pattern:only; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021749; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2018_11_01;) #alert tcp $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre/Dyre/Kegotip SSL Cert Oct 12 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|0b 30 09 06 03 55 04 06 13 02 43 41 31|"; distance:0; fast_pattern; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; byte_extract:1,1,olength,relative; content:!"|2e|"; within:olength; content:!"|20|"; within:olength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; byte_test:1,>,0x40,2,relative; byte_test:1,<,0x5B,2,relative; content:"|55 04 0b|"; distance:0; byte_extract:1,1,oulength,relative; content:!"|2e|"; within:oulength; content:!"|20|"; within:oulength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:!"support@"; distance:0; pcre:"/^.{2}[A-Za-z][a-z]*?@[a-z]+\.com[01]/R"; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021948; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target 
Client_Endpoint, created_at 2015_10_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Magento Directory Traversal Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/magmi-importer/web/"; fast_pattern; http_uri; content:"download_file.php?file="; http_uri; distance:0; content:"|2e 2e 2f|"; http_raw_uri; content:!"Referer|3a|"; http_header; reference:url,threatpost.com/zero-day-in-magento-plugin-magmi-under-attack/115026/; classtype:trojan-activity; sid:2021951; rev:1; metadata:created_at 2015_10_15, updated_at 2020_06_04;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Cushion Redirection"; flow:established,to_server; content:"/index.php?"; http_uri; content:"="; distance:1; within:1; http_uri; content:!"=aHR0"; http_uri; fast_pattern; pcre:"/\/index\.php\?[a-z]=[A-Za-z0-9\/\+]*?(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+?(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+={0,2}$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/09/302-redirector-new-cushion-attempt-to.html; classtype:trojan-activity; sid:2030249; rev:6; metadata:created_at 2013_10_01, former_category CURRENT_EVENTS, updated_at 2020_06_04;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible click2play bypass Oct 19 2015 B64 1"; flow:established,from_server; file_data; content:"cHJvZ3Jlc3MtY2xhc3"; pcre:"/^[A-Za-z0-9+/]*?(?:amF2YXgubmFtaW5nLkluaXRpYWxDb250ZXh0|phdmF4Lm5hbWluZy5Jbml0aWFsQ29udGV4d|qYXZheC5uYW1pbmcuSW5pdGlhbENvbnRleH)/R"; 
reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:trojan-activity; sid:2021986; rev:1; metadata:created_at 2015_10_21, updated_at 2015_10_21;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible click2play bypass Oct 19 2015 B64 2"; flow:established,from_server; file_data; content:"Byb2dyZXNzLWNsYXNz"; pcre:"/^[A-Za-z0-9+/]*?(?:amF2YXgubmFtaW5nLkluaXRpYWxDb250ZXh0|phdmF4Lm5hbWluZy5Jbml0aWFsQ29udGV4d|qYXZheC5uYW1pbmcuSW5pdGlhbENvbnRleH)/R"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:trojan-activity; sid:2021987; rev:1; metadata:created_at 2015_10_21, updated_at 2015_10_21;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible click2play bypass Oct 19 2015 B64 3"; flow:established,from_server; file_data; content:"wcm9ncmVzcy1jbGFzc"; pcre:"/^[A-Za-z0-9+/]*?(?:amF2YXgubmFtaW5nLkluaXRpYWxDb250ZXh0|phdmF4Lm5hbWluZy5Jbml0aWFsQ29udGV4d|qYXZheC5uYW1pbmcuSW5pdGlhbENvbnRleH)/R"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:trojan-activity; sid:2021988; rev:1; metadata:created_at 2015_10_21, updated_at 2015_10_21;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible click2play bypass Oct 19 2015 as observed in PawnStorm"; flow:established,from_server; file_data; content:"javax.naming.InitialContext"; fast_pattern:only; content:"progress-class"; nocase; pcre:"/^\s*?=\s*?[\x22\x27]javax.naming.InitialContext/Rsi"; content:""; nocase; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:trojan-activity; sid:2021985; rev:3; 
metadata:created_at 2015_10_21, former_category CURRENT_EVENTS, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Chase Account Phish Landing Oct 22"; flow:established,from_server; file_data; content:"Sign in"; content:"name=chalbhai"; fast_pattern; nocase; distance:0; content:"required title=|22|Please Enter Right Value|22|"; nocase; distance:0; content:"required title=|22|Please Enter Right Value|22|"; nocase; distance:0; classtype:trojan-activity; sid:2025692; rev:1; metadata:created_at 2015_10_22, former_category CURRENT_EVENTS, updated_at 2018_07_12;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Oct 26 2015"; flow:established,from_server; content:"|0d 0a|Set-Cookie|3a 20|qtaho="; classtype:trojan-activity; sid:2022001; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_26, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear EK IE Exploit Aug 23 2015"; flow:to_server,established; urilen:>50; content:"POST"; http_method; content:"application/json"; http_header; content:"|22 67 22 3a 22|"; http_client_body; fast_pattern; content:"|22 70 22 3a 22|"; http_client_body; content:"|22 41 22 3a 22|"; http_client_body; pcre:"/\?(?=[a-z\d\x3d&\x2e]*?[A-Z])(?=[A-Z\d=&\x2e]*?[a-z])(?=[A-Za-z=&\x2e]*?\d)[A-Za-z\d=&\x2e]{50,}$/U"; classtype:trojan-activity; sid:2021708; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_08_24, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malicious Redirect Leading to EK Oct 29"; flow:to_server,established; urilen:5; 
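content:"/533L"; classtype:trojan-activity; sid:2022009; rev:2; metadata:created_at 2015_10_29, updated_at 2015_10_29;)
# Review note: the WhiteLotus rule below back-references (?P=v1), so its PCRE must define the named
# group (?P<v1>...). The "<v1>" token had been stripped from this copy (it looks like an HTML tag),
# which makes the regex invalid; it is restored here. The rule stays disabled (leading "#") as in
# the original, but will now load cleanly if re-enabled.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible WhiteLotus IE Payload"; flow:established,to_server; content:"GET"; http_method; content:"/?"; depth:2; http_uri; fast_pattern; content:" MSIE "; http_header; content:!"Referer|3a|"; http_header; content:"|0d 0a 0d 0a|"; pcre:"/^\/\?[A-Za-z0-9]+=(?P<v1>[^&]+)&(?P=v1)=[A-Za-z0-9]+$/U"; classtype:trojan-activity; sid:2017743; rev:3; metadata:created_at 2013_11_21, updated_at 2013_11_21;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Paypal Account Phish Oct 30"; flow:to_server,established; content:"POST"; http_method; content:".php?Go=_"; http_uri; content:"1="; depth:2; http_client_body; content:"&2="; http_client_body; nocase; distance:0; content:"Log+In=Log+In"; http_client_body; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022017; rev:2; metadata:created_at 2015_11_02, updated_at 2020_06_05;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Paypal Account Phish 2015-10-30 2"; flow:to_server,established; content:"POST"; http_method; content:".php?Go=_"; http_uri; content:"name="; depth:5; http_client_body; content:"&adress1="; http_client_body; nocase; distance:0; content:"&phone="; http_client_body; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022018; rev:1; metadata:created_at 2015_11_02, former_category PHISHING, updated_at 2020_06_05;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Paypal Account Phish 2015-10-30 3"; flow:to_server,established; content:"POST"; http_method; content:".php?Go=_"; http_uri; content:"chldr="; depth:7; http_client_body; content:"&ccnum="; http_client_body; nocase; distance:0; content:"&password="; http_client_body; nocase; distance:0; fast_pattern; 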
classtype:trojan-activity; sid:2022019; rev:1; metadata:created_at 2015_11_02, former_category PHISHING, updated_at 2020_06_05;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Jimdo.com Phishing PDF via HTTP"; flow:established,from_server; file_data; content:"/Subtype/Link/Rect"; content:"/BS<>/F 4/A<"; distance:0; fast_pattern; content:"www.Neevia.com"; distance:0; content:"Neevia Document Converter"; distance:0; reference:md5,70eaba2ab6410e3541a2e24a482ddddd; classtype:trojan-activity; sid:2022029; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_11_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_10_13;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Google Drive (Remax) Phish Landing Nov 4"; flow:established,from_server; file_data; content:"#MyRemax_Password"; nocase; fast_pattern; content:"#MyRemax_Email"; nocase; distance:0; content:"Meet Google Drive"; nocase; distance:0; classtype:trojan-activity; sid:2022035; rev:1; metadata:created_at 2015_11_04, former_category CURRENT_EVENTS, updated_at 2017_08_17;) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible vBulletin object injection vulnerability Attempt"; flow:established,to_server; content:"/api/hook/decodeArguments"; nocase; http_uri; content:"arguments="; nocase; http_uri; content:"|7b|"; distance:0; http_uri; content:"|3a|"; distance:0; http_uri; content:"|3b|"; distance:0; http_uri; content:"free_result"; nocase; distance:0; http_uri; reference:url,blog.sucuri.net/2015/11/vbulletin-exploits-in-the-wild.html; classtype:attempted-admin; sid:2022039; rev:1; metadata:created_at 2015_11_05, updated_at 2020_06_09;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leadking to EK Nov 2015"; flow:to_server,established; content:".pw|0d 0a|"; nocase; http_header; fast_pattern:only; content:"/?id="; 
http_uri; nocase; content:"&keyword="; nocase; http_uri; pcre:"/^Host\x3a[^\r\n]*?\.pw\r$/Hmi"; classtype:trojan-activity; sid:2022040; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_05, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS AES Crypto Observed in Javascript - Possible Phishing Landing"; flow:established,from_server; file_data; content:"hea2p"; distance:0; nocase; content:"0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz"; fast_pattern:40,20; distance:0; content:"hea2t"; distance:0; nocase; content:"Aes"; nocase; distance:0; pcre:"/^\s*?\.\s*?Ctr\s*?\.\s*?decrypt/Rsi"; classtype:trojan-activity; sid:2025656; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2018_07_12;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.XMLHTTP.ip.request; classtype:trojan-activity; sid:2022051; rev:2; metadata:created_at 2015_11_09, updated_at 2015_11_09;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.XMLHTTP.no.exe.request; classtype:trojan-activity; sid:2022053; rev:2; metadata:created_at 2015_11_09, updated_at 2015_11_09;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK Nov 09 2015 M1"; 
flow:to_server,established; content:".php?sid="; http_uri; offset:4; depth:26; pcre:"/^\/[a-z]{3,20}\.php\?sid=[A-F0-9]{40,200}$/U"; content:!"|0d 0a|Cookie|3a|"; classtype:trojan-activity; sid:2022070; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_10, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2020_02_21;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK September 04 2015"; flow:established,from_server; content:"Set-Cookie|3a 20|_PHP_SESSION_PHP="; fast_pattern:9,20; pcre:"/^\d+\x3b/R"; reference:url,blog.sucuri.net/2015/12/evolution-of-pseudo-darkleech.html; classtype:trojan-activity; sid:2021746; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_04, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Mailbox Renewal Phish Landing Nov 13"; flow:established,from_server; file_data; content:"<title>Mailbox renewal"; fast_pattern; nocase; content:"autorised email address"; nocase; distance:0; content:"To complete this autorization"; nocase; distance:0; content:"Online MailBox Renewal"; nocase; distance:0; classtype:trojan-activity; sid:2022083; rev:1; metadata:created_at 2015_11_13, updated_at 2015_11_13;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Potential W32/Dridex Alphanumeric Download Pattern"; flow:established,to_server; urilen:9<>47; content:"GET"; http_method; content:".exe"; http_uri; offset:6; fast_pattern; content:!"Referer|3A|"; http_header; content:"Accept|3a|"; http_header; pcre:"/^\/(?=[a-z\d]{0,18}(?:[a-z]\d|\d[a-z]|~[a-z])[a-z\d]{0,18}(?:\/[a-z\d]{0,18}(?:[a-z]\d|\d[a-z])[a-z\d]{0,18}){1,2}\.exe$)(?=[a-f\d\x2f\x7e]{0,40}[g-z])[a-z0-9~]{2,20}(?:\/[a-z0-9]{2,20}){1,2}\.exe$/U"; 
pcre:"/^User-Agent\x3a\x20[^\r\n]+?(?:MSIE|rv\x3a11\.0)/Hmi"; reference:md5,03c5bfb5c0c7a936ad62ebe03019edd0; classtype:trojan-activity; sid:2021607; rev:5; metadata:created_at 2015_08_10, former_category CURRENT_EVENTS, updated_at 2015_08_10;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Nuclear EK Nov 13 2015 Landing URI struct"; flow:established,to_server; urilen:>25; content:"_id="; http_uri; fast_pattern:only; pcre:"/^\/(?:[a-z0-9]+\/)?[^\x2f]+\?[a-z]{1,40}_id=\d{2,5}(?:&[a-z]{1,40}_id=\d{2,5})?&[^&\x3d]+=(?=[a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z])[A-Za-z0-9]{15,}\x2e{0,2}?$/U"; pcre:"/^Host\x3a\x20[a-z0-9]+\.(?:g[aq]|cf|ml|tk|xyz|info|space)(?:\x3a\d{1,5})?\r$/Hm"; content:!"|0d 0a|Cookie|3a|"; flowbits:set,NuclearEK; classtype:trojan-activity; sid:2022090; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_13, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Nuclear EK Landing Nov 17 2015"; urilen:>51; flow:to_server,established; content:"_id="; http_uri; content:"_id="; distance:0; http_uri; pcre:"/^\/(?:[a-z0-9]+\/)?[^\x2f]+\?[a-z]{1,40}_id=\d{2,5}?&[a-z]{1,40}_id=\d{2,5}&[^&\x3d]+(?<!_id)=(?=[a-zA-Z0-9]+(?:[A-Z][a-z][A-Z]|\d[a-z][A-Z]|[A-Z]\d[A-Z]|[A-Z\d]{3}[a-z]))(?=[A-Fa-f0-9]*?[G-Zg-z])(?=[a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z])[A-Za-z0-9]{32}\x2e{0,2}$/U"; content:!"|0d 0a|Cookie|3a|"; flowbits:set,NuclearEK; classtype:trojan-activity; sid:2022112; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_17, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;) alert tcp $HOME_NET any 
-> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK Nov 09 2015 M2"; flow:to_server,established; content:".php?id=4"; http_uri; offset:4; depth:25; pcre:"/^\/[a-z]{3,20}\.php\?id=4[A-F0-9]{39,200}$/U"; content:!"|0d 0a|Cookie|3a|"; content:!".hostingcatalog.com|0d 0a|"; http_header; nocase; classtype:trojan-activity; sid:2022071; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_10, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2020_02_21;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Jimdo Outlook Web App Phishing Landing Nov 16"; flow:established,from_server; file_data; content:"Outlook"; nocase; content:"jimdo.com"; nocase; distance:0; content:"Email"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"Confirm Password"; fast_pattern; nocase; distance:0; classtype:trojan-activity; sid:2022093; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_10_13;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Spartan/Nuclear EK Payload"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; depth:13; content:"Content-Type|3a 20|application/octet-stream"; http_header; content:"Accept-Ranges|3a 20|bytes|0d 0a|Content-Disposition|3a 20|inline|3b 20|filename=|0d 0a|"; http_header; fast_pattern:42,20; pcre:"/\x20filename=\r\n(?:\r\n)?$/H"; classtype:trojan-activity; sid:2022135; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_06_09;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Evil Redirector 
Leading to EK June 10 2015"; flow:established,from_server; file_data; content:"60*60*24*7*1000|29 3b| document.cookie=|22|PHP_SESSION_PHP="; fast_pattern:31,20; pcre:"/^\d+\x3b/R"; classtype:trojan-activity; sid:2021338; rev:10; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_24, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1"; flow:established,to_client; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.XMLHTTP.ip.request; classtype:trojan-activity; sid:2022050; rev:3; metadata:created_at 2015_11_09, updated_at 2015_11_09;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Nuclear EK Landing Nov 27 2015"; flow:to_server,established; urilen:>55; content:"&cat_no="; http_uri; content:"&no="; http_uri; distance:0; pcre:"/&cat_no=\d{2,5}?&no=\d{2,5}&[^&\x3d]+(?<!_no)=(?=[a-zA-Z0-9]+(?:[A-Z][a-z][A-Z]|\d[a-z][A-Z]|[A-Z]\d[A-Z]|[A-Z\d]{3}[a-z]))(?=[A-Fa-f0-9]*?[G-Zg-z])(?=[a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z])[A-Za-z0-9]{32}\x2e{0,2}$/U"; content:!"|0d 0a|Cookie|3a|"; flowbits:set,NuclearEK; classtype:trojan-activity; sid:2022193; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_30, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Facebook password stealing inject Jan 04"; flow:from_server,established; file_data; content:"facebook.com"; nocase; content:"localStorage"; fast_pattern:only; nocase; content:"email"; nocase; content:"pass"; nocase; content:"login_form"; nocase; content:"location"; nocase; 
pcre:"/^\s*\.\s*hostname\s*.indexOf\s*\([\x22\x27]facebook\.com[\x22\x27]/Rsi"; content:"getElementById"; distance:0; pcre:"/^\s*\(\s*[\x22\x27]login_form[\x22\x27]/Rsi"; content:"getElementById"; distance:0; pcre:"/\s*\(\s*[\x22\x27](email|pass)[\x22\x27]/Rsi"; content:"image"; nocase; pcre:"/[^.]*\.\s*src\s*\=[\x22\x27][^\x22\x27]*\.php\?[ -~]+?\=[\x22\x27]\s*\+localStorage\./Rsi"; classtype:web-application-attack; sid:2022221; rev:2; metadata:created_at 2015_12_04, updated_at 2019_10_07;)
# (line above is the tail of sid:2022221; its header and first options are outside this section)
#
# --- Review notes: comments only, rule text unchanged; one rule per line restored ---
# Rules prefixed "#alert" are shipped disabled. Enabling a flowbit consumer without its
# setter (or a noalert setter without its consumer) leaves the pair inert, so enable pairs
# together. Pairs fully inside this section: et.dridexdoc (2022339 -> 2022340),
# et.SweetOrangeURI (2017648/2017706/2019544/2019752 -> 2017649), ET.WordJS (2022770 -> 2022771).
# Partner rule NOT in this section: ET.http.javaclient (read by 2017181), et.exploitkitlanding
# (set by 2017181), ET.wpphish (set by 2025696), ET.g01pack.Java.Image (set by 2016371),
# ET.RIGEKExploit (set by 2020721), et.MS.WinHttpRequest.no.exe.request (read by 2022653).
#
# 2022242: matches a <!--XXXXXX--> ... <script>...</script> ... <!--/XXXXXX--> wrapper via a named
# backreference; the unanchored .*? with /s runs across the whole file_data buffer, so expect
# PCRE cost on large HTML responses.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Dec 09"; flow:established,from_server; file_data; content:"<!--/"; fast_pattern:only; content:"<!--"; pcre:"/^(?P<ccode>[a-f0-9]{6})-->.*?<script.+?<\/script>.*?<!--/(?P=ccode)-->/Rsi"; classtype:trojan-activity; sid:2022242; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_10, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
# 2022290: the two byte_tests (offset -5 from the end of the 4-byte ?"\x match) require the byte
# just before the match to be an ASCII digit (0x30-0x39); the pcre then requires four consecutive
# (N<M?"..":"..") ternary string builders, each terminated by ; or +.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mon Dec 21 2015 5"; flow:from_server,established; file_data; content:"|3f 22 5c 78|"; fast_pattern; byte_test:1,>,0x2f,-5,relative; byte_test:1,<,0x3a,-5,relative; content:"var "; pcre:"/^\s*?[a-z]+\s*?=\s*?\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b].*?(?<=[\x3d\x2b])\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b].*?(?<=[\x3d\x2b])\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b].*?(?<=[\x3d\x2b])\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b]/Rsi"; reference:url,blog.sucuri.net/2015/12/evolution-of-pseudo-darkleech.html; classtype:trojan-activity; sid:2022290; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_21, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
# 2022304 (disabled): keys on a non-standard "content-types:" request header present alongside the
# normal "content-type:"; request-side (to_server) variant intended for proxy filtering.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Dec 22 2015 (Proxy Filtering)"; flow:established,to_server; content:"POST"; http_method; content:"content-types|3a|"; http_header; nocase; fast_pattern:only; content:"Referer|3a|"; http_header; content:"content-type|3a|"; http_header; nocase; classtype:trojan-activity; sid:2022304; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_23, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
# 2017181: inspects ZIP central-directory entries (PK\x01\x02) and the end-of-central-directory
# record (PK\x05\x06) of a served JAR for a run of lowercase-only .class entries in one directory;
# gated on ET.http.javaclient and excludes smartsvn.com.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sibhost/FlimKit/Glazunov Jar with lowercase class names"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:!"smartsvn.com"; http_header; file_data; content:"PK|01 02|"; pcre:"/PK\x01\x02.{42}(?P<dir>[a-z]{7,}\/)([a-z$]+\.class)?(\xfe\xca\x00\x00)?(PK\x01\x02.{42}(?P=dir)[a-z$]+\.class){6,}(PK\x01\x02.{42}[0-9a-z$]{5,}(\.[a-z]{3})?)?PK\x05\x06.{18}$/s"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017181; rev:6; metadata:created_at 2013_07_23, updated_at 2020_06_16;)
# 2022312/2022313/2022338 (disabled): single fixed-URI redirector matches; 2022338 additionally pins urilen:18.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mon Dec 26 2015"; flow:to_server,established; content:"/st1.phtml"; http_uri; classtype:trojan-activity; sid:2022312; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mon Dec 26 2015 2"; flow:to_server,established; content:"/lobo.phtml"; http_uri; classtype:trojan-activity; sid:2022313; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jan 6th 2016 M1"; flow:established,to_server; urilen:18; content:"GET"; http_method; content:"/switch/cookie.php"; depth:18; http_uri; fast_pattern; classtype:trojan-activity; sid:2022338; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_06, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
# 2022339/2022340 (both disabled): flowbit pair. 2022339 sets et.dridexdoc (noalert) on a
# zero-length POST to a .php URI with an IP-literal Host and MSIE 7.0 UA; 2022340 alerts only when
# that bit is set and the response is an .exe attachment whose body starts with MZ. Enable both or neither.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Dridex Download 6th Jan 2016 Flowbit"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; content:"Content-Length|3a 20|0|0d 0a|"; content:"MSIE 7.0"; http_header; fast_pattern:only; content:!"Referer|3A|"; http_header; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}(?:\x3a\d{1,5})?\r\n/H"; flowbits:set,et.dridexdoc; flowbits:noalert; classtype:trojan-activity; sid:2022339; rev:1; metadata:created_at 2016_01_06, former_category CURRENT_EVENTS, updated_at 2016_01_06;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS W32/Dridex Binary Download 6th Jan 2016"; flowbits:isset,et.dridexdoc; flow:established,to_client; content:"Content-Disposition|3A| attachment|3B| filename="; http_header; content:".exe"; http_header; fast_pattern; file_data; content:"MZ"; within:2; content:"This program"; within:100; classtype:trojan-activity; sid:2022340; rev:3; metadata:created_at 2016_01_06, former_category CURRENT_EVENTS, updated_at 2016_01_06;)
# 2022341 (disabled): the option pcre:"/^\s*?/Rs" always matches (lazy zero-or-more at the cursor)
# and adds no constraint; it can be dropped at the next revision. The isdataat:!2,relative after
# document.write(iframe); requires the script to end there.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jan 6th 2016 M2"; flow:established,from_server; content:"Content-Type|3a 20|application/javascript|3b|"; http_header; file_data; content:"var iframe"; within:13; pcre:"/^\s*?=\s*?[\x22\x27]<iframe\s*?src\s*?=/R"; content:":-"; pcre:"/^\d{3,}/R"; content:"</iframe>"; pcre:"/^\s*?/Rs"; content:"document.write(iframe)|3b|"; isdataat:!2,relative; classtype:trojan-activity; sid:2022341; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_07, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
# 2025696: setter only (noalert) for ET.wpphish on a Referer-less GET whose URI starts with /wp-;
# the consumer rule is not in this section, so this rule never alerts by itself.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Suspicious Wordpress Redirect - Possible Phishing Landing (set) Jan 7"; flow:to_server,established; content:"GET"; http_method; content:"/wp-"; http_uri; depth:4; fast_pattern; content:!"Referer|3a|"; http_header; flowbits:set,ET.wpphish; flowbits:noalert; classtype:trojan-activity; sid:2025696; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2016_01_07, deployment Perimeter, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, tag Wordpress, updated_at 2020_08_24;)
# 2022349 (disabled): Stratum JSON-RPC "mining.authorize" call pinned to the single wallet address
# in params (any port, so it is not limited to HTTP). Very specific; will not catch other pools/wallets.
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoinMiner Malicious Authline Seen in JAR Backdoor"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3a 20 22|mining.authorize|22 2c|"; within:100; content:"|22|params|22|"; within:50; content:"|5b 22|CGX2U2oeocN3DTJhyPG2cPg7xpRRTzNZkz|22 2c 20 22|"; distance:0; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,blog.malwaremustdie.org/2016/01/mmd-0049-2016-case-of-java-trojan.html; classtype:trojan-activity; sid:2022349; rev:1; metadata:created_at 2016_01_11, former_category COINMINER, updated_at 2016_01_11;)
# 2022376: the class [A-Z-a-z0-9] contains a literal hyphen (a "-" immediately after a range is
# literal in PCRE), so the 8-char paste id may include "-"; [A-Za-z0-9] was probably intended.
# Harmless, but worth tidying at the next revision.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Script Loaded from Pastebin"; flow:established,to_client; file_data; content:"pastebin.com/raw"; fast_pattern:only; content:"<script "; pcre:"/^(?:(?!<\/script>).)*?src\s*=\s*\x5c?[\x22\x27]https?\x3a\/\/(?:www\.)?pastebin\.com\/raw(?:\/|\.php\?i=)[A-Z-a-z0-9]{8}[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2022376; rev:1; metadata:created_at 2016_01_19, former_category CURRENT_EVENTS, updated_at 2019_10_07;)
# 2022481: hex content decodes to \"]].join(\"\");"));/* ; fast_pattern:2,20 selects 20 bytes from
# offset 2 of it; the pcre then requires a 32-hex-char token inside the trailing /* ... */ comment.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Compromised WP Feb 01 2016"; flow:established,from_server; file_data; content:"|5c 22 5d 5d 2e 6a 6f 69 6e 28 5c 22 5c 22 29 3b 22 29 29 3b 2f 2a|"; fast_pattern:2,20; pcre:"/^\s*[a-f0-9]{32}\s*\x2a\x2f/R"; reference:url,blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html; classtype:trojan-activity; sid:2022481; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_02, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
# 2022493: the two lookaheads require the 32-hex keyword value to contain at least one digit and
# at least one letter (rejects all-digit / all-letter strings); the \d{5} alternative is only length-bound.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 05 2016"; flow:established,to_server; content:"/?keyword="; http_uri; fast_pattern:only; pcre:"/\/\?keyword=(?:(?=[a-f]{0,31}[0-9])(?=[0-9]{0,31}[a-f])[a-f0-9]{32}|\d{5})$/U"; classtype:trojan-activity; sid:2022493; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_05, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 07 2016"; flow:established,to_server; content:"/QrQ8Gr"; http_uri; urilen:7; classtype:trojan-activity; sid:2022496; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_08, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
# 2016952 (disabled): raw request-line match (no http_uri): offset:37/depth:11 places ".html HTTP/"
# right after "GET /" plus 32 hex chars (5 + 32 = 37); note the non-80 destination port filter.
#alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Probable Nuclear exploit kit landing page"; flow:established,to_server; content:".html HTTP/"; fast_pattern; offset:37; depth:11; content:"GET /"; depth:5; pcre:"/^[0-9a-f]{32}\.html HTTP\/1\./R"; content:"Referer|3a|"; classtype:bad-unknown; sid:2016952; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_31, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
# Sweet Orange group (all disabled): 2017648/2017706/2019544/2019752 set et.SweetOrangeURI on
# .php?k=N&k=N&... request shapes (2019544 is noalert, the others alert on their own); 2017649
# consumes the bit and checks the response body for a byte in 0x60-0x7f followed by 00 00 00 patterns.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange encrypted payload"; flow:established,to_client; flowbits:isset,et.SweetOrangeURI; file_data; byte_test:1,>,95,0,relative; byte_test:1,<,128,0,relative; content:"|00 00 00|"; distance:1; within:3; content:!"|00|"; within:1; content:"|00 00 00|"; distance:1; within:3; classtype:trojan-activity; sid:2017649; rev:4; metadata:created_at 2013_10_31, former_category CURRENT_EVENTS, updated_at 2013_10_31;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Sweet Orange payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; pcre:"/^\/[a-z\_\-]{4,20}\.php\?(?:[a-z\_\-]{4,20}=\d+?&){3,}[a-z\_\-]{4,20}=-?\d+$/U"; content:"Java/1."; http_header; fast_pattern:only; flowbits:set,et.SweetOrangeURI; classtype:trojan-activity; sid:2017648; rev:5; metadata:created_at 2013_10_31, former_category CURRENT_EVENTS, updated_at 2013_10_31;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Sweet Orange IE Payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:" MSIE "; http_header; pcre:"/^\/[a-z\_\-]{4,10}\.php\?([a-z\_\-]{4,10}=\d{1,3}&){7,}[a-z\_\-]{4,10}=-?\d+$/U"; flowbits:set,et.SweetOrangeURI; classtype:trojan-activity; sid:2017706; rev:5; metadata:created_at 2013_11_12, former_category CURRENT_EVENTS, updated_at 2013_11_12;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Possible Sweet Orange Flash/IE Payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; fast_pattern:only; pcre:"/^\/[a-z\_\-]{4,10}\.php\?([a-z\_\-]{0,10}=\d{1,3}&){3,}[a-z\_\-]{4,10}=-?\d+$/U"; content:!"Accept"; http_header; content:!"User-Agent"; http_header; content:!"Referer"; http_header; flowbits:set,et.SweetOrangeURI; flowbits:noalert; classtype:trojan-activity; sid:2019544; rev:5; metadata:created_at 2014_10_28, former_category CURRENT_EVENTS, updated_at 2014_10_28;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Possible Sweet Orange CVE-2014-6332 Payload Request"; flow:established,to_server; content:"GET /"; depth:5; content:".php?"; distance:0; content:"HTTP/1."; distance:0; pcre:"/^GET \/[a-z\_\-]{4,10}\.php\?(?:[a-z\_\-]{0,10}=\d+?&){3,}[a-z\_\-]{4,10}=-?[a-z0-9]+ HTTP\/1\./"; content:!"Referer|3a|"; distance:0; content:"User-Agent|3a|"; distance:0; pcre:"/^[^\r\n]+?WinHttp.WinHttpRequest/R"; content:"WinHttp.WinHttpRequest"; fast_pattern:only; flowbits:set,et.SweetOrangeURI; classtype:trojan-activity; sid:2019752; rev:8; metadata:created_at 2014_11_20, former_category CURRENT_EVENTS, updated_at 2014_11_20;)
# 2016371 (disabled): noalert setter for ET.g01pack.Java.Image (Java UA fetching a .jpg); consumer not in this section.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Exploit Kit Java jpg download"; flow:established,to_server; content:".jpg"; http_uri; pcre:"/\.jpg$/U"; content:" Java/1."; http_header; fast_pattern:only; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:trojan-activity; sid:2016371; rev:2; metadata:created_at 2013_02_08, former_category EXPLOIT_KIT, updated_at 2013_02_08;)
# 2022565 (disabled): hex contents decode to "){return Math.round(((((" (twice), "=function(){return"
# and "]=String.fromCharCode"; exact-byte JS fragments, so any reformatting of the script defeats it.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Feb 23 2016"; flow:established,from_server; file_data; content:"|29 7b 72 65 74 75 72 6e 20 4d 61 74 68 2e 72 6f 75 6e 64 28 28 28 28 28|"; content:"|29 7b 72 65 74 75 72 6e 20 4d 61 74 68 2e 72 6f 75 6e 64 28 28 28 28 28|"; distance:0; content:"|3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e|"; pcre:"/^\s+\d+\x3b\s*\}/R"; content:"|5d 3d 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f 64 65|"; fast_pattern; classtype:trojan-activity; sid:2022565; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_24, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
# 2022479: EITest hidden-Flash-object pattern: "z-index:-1;" then an opacity:0 style, then the
# Shockwave Flash ActiveX CLSID (clsid:d27cdb6e-ae6d-11cf-96b8-444553540000) within 500 bytes.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Evil Redirect Leading to EK Feb 01 2016"; flow:established,from_server; file_data; content:"|7a 2d 69 6e 64 65 78 3a 2d 31 3b|"; content:"|6f 70 61 63 69 74 79 3a 30 3b 66 69 6c 74 65 72 3a 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 30 29 3b 20 2d 6d 6f 7a 2d 6f 70 61 63 69 74 79 3a 30 3b 22 3e|"; fast_pattern:32,20; distance:0; content:"|63 6c 73 69 64 3a 64 32 37 63 64 62 36 65 2d 61 65 36 64 2d 31 31 63 66 2d 39 36 62 38 2d 34 34 34 35 35 33 35 34 30 30 30 30|"; nocase; within:500; reference:url,malware-traffic-analysis.net/2016/01/26/index.html; classtype:trojan-activity; sid:2022479; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_01, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
# 2022567 (disabled): both hex contents are ASCII decimal char-code lists (the second decodes to
# "charCodeAt"), i.e. a fromCharCode-style array; brittle if the array contents or order change.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Feb 25 2016"; flow:established,from_server; file_data; content:"|36 31 2c 39 31 2c 33 34 2c 31 31 34 2c 31 31 38 2c 35 38 2c 34 39 2c 34 39 2c 33 34 2c 34 34 2c 33 34 2c 37 37 2c 38 33 2c 37 33 2c 36 39 2c 33 34 2c 34 34 2c 39 33 2c 35 39|"; content:"|39 39 2c 31 30 34 2c 39 37 2c 31 31 34 2c 36 37 2c 31 31 31 2c 31 30 30 2c 31 30 31 2c 36 35 2c 31 31 36|"; classtype:trojan-activity; sid:2022567; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_25, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
# 2018145/2018146 carry the identical msg text. Consider an M1/M2 suffix so triage can tell the
# for-loop variant (2018145: large counter bound, loop body calls document.createElement) from
# the while/doubling variant (2018146: while(x.length < N){x = x + x}) without looking up the sid.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic HeapSpray Construct"; flow:established,to_client; file_data; content:"CollectGarbage"; nocase; fast_pattern:only; content:"var"; pcre:"/^\s+?(?P<vname>[^\s\x3d]+)\s*?=\s*?(?:0x(?:(6[4-9a-f]|[7-9a-f])|\d{3,})|\d{3,}).+?[\s\x3b]for\s*?\([^\x3b\)]*?\x3b[^\x3b\)]+?<=?\s*?(?P=vname)[^\)]+?\)\s*?(?:\{[^}]*?|[^\r\n]*?)document\s*\.\s*createElement/Rsi"; classtype:bad-unknown; sid:2018145; rev:4; metadata:created_at 2014_02_14, updated_at 2019_10_07;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic HeapSpray Construct"; flow:established,to_client; file_data; content:"<script"; nocase; content:"CollectGarbage"; distance:0; fast_pattern; content:"while"; pcre:"/^\s*?\([^\)]*?(?P<var>[^\.]+)\s*?\.\s*?length\s*<\s*(?:0?[0-9]{5,}|0x[a-z0-9]{3,})[^)]+\)\s*?\{\s*?(?P=var)\s*?=\s*?(?P=var)\s*?\+\s*?(?P=var)\s*?\}/Rsi"; content:"getElementsByClassName"; distance:0; content:"CollectGarbage"; distance:0; classtype:bad-unknown; sid:2018146; rev:3; metadata:created_at 2014_02_14, updated_at 2014_02_14;)
# 2022620, 2022629 and 2022869 (all disabled) match the same off-screen-div + iframe string,
# document.write("<div style='width: 300px; height: 300px; position: absolute; left:-500px; top: -500px;'><iframe src= ,
# differing only in which prefix/suffix they pin; 2022620 also requires the script to end within 10 bytes.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 15 2016 M1"; flow:established,from_server; file_data; content:"|2f 2a 67 6c 6f 62 61 6c 20 4a 53 4f 4e 32 3a 74 72 75 65 20 2a 2f 0a 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; content:"|77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; distance:0; isdataat:!10,relative; classtype:trojan-activity; sid:2022620; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_15, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 15 2016 M2"; flow:established,to_server; content:"/track/k.track?wd="; http_uri; depth:18; content:"fid="; http_uri; content:"rds="; http_uri; classtype:trojan-activity; sid:2022621; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_15, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
# 2022622: Referer-less request for /image/data/<name>.exe or /image/flags/<name>.exe; depth:13 keeps
# "/image/" at the start of the normalized URI.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Likely Evil Macro EXE DL mar 15 2016"; flow:established,to_server; content:"/image/"; http_uri; depth:13; content:".exe"; http_uri; fast_pattern:only; pcre:"/^\/image\/(?:data|flags)\/[^\x2f]+\.exe$/Ui"; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2022622; rev:1; metadata:created_at 2016_03_16, updated_at 2020_09_15;)
# 2022628: cookie-gated iframe injector. Hex decodes to RegExp(' ... '+'=([^;]){1,}'); (distance:32
# within:17 means the cookie name between them is exactly 32 bytes), then the one-day expiry idiom
# ;d.setDate(d.getDate()+1); and finally <iframe.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Mar 18 2016"; flow:from_server,established; file_data; content:"|52 65 67 45 78 70 28 27|"; content:"|27 2b 27 3d 28 5b 5e 3b 5d 29 7b 31 2c 7d 27 29 3b|"; distance:32; within:17; content:"|3b 64 2e 73 65 74 44 61 74 65 28 64 2e 67 65 74 44 61 74 65 28 29 2b 31 29 3b|"; content:"|3c 69 66 72 61 6d 65|"; distance:0; classtype:trojan-activity; sid:2022628; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_18, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 19 2016 M1"; flow:established,from_server; file_data; content:"|2f 2a 67 6c 6f 62 61 6c 20 4a 53 4f 4e 32 3a 74 72 75 65 20 2a 2f|"; content:"|28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70|"; distance:0; content:"|77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; distance:0; classtype:trojan-activity; sid:2022629; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_19, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 19 2016 M2"; flow:established,to_server; content:"/imp/one.trk?wid="; http_uri; classtype:trojan-activity; sid:2022630; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_19, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
# 2022635 (disabled): hex decodes to module.exports.UA = UA, a .split(",") loop and
# { try { new ActiveXObject( — i.e. a browser/ActiveX capability-probing script matched byte-exactly.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading To EK Mar 22 2016"; flow:established,from_server; file_data; content:"|6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 2e 55 41 20 3d 20 55 41|"; content:"|2e 73 70 6c 69 74 28 22 2c 22 29 2c 20 69 3d 30 2c 20 6b 3b 20 66 6f 72 20 28 3b 20 6b 20 3d 20 61 5b 69 5d 2c 20 69 20 3c 20 61 2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 20 72 2e 70 75 73 68 28|"; content:"|2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 20 7b 20 74 72 79 20 7b 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28|"; classtype:trojan-activity; sid:2022635; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
# 2022653: PE-header check. "MZ" at offset 0; byte_jump reads the 4-byte little-endian e_lfanew at
# offset 0x3C (cursor 2 + 58) and lands 64 bytes past it, so "PE\0\0" with distance:-64 within:4
# must sit exactly at e_lfanew. Only fires when et.MS.WinHttpRequest.no.exe.request was set by a
# rule outside this section.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil EXE download from WinHttpRequest non-exe extension"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.WinHttpRequest.no.exe.request; classtype:trojan-activity; sid:2022653; rev:1; metadata:created_at 2016_03_24, updated_at 2016_03_24;)
# 2022666/2022682 (disabled): EITest gate-URL shape (letters interleaved with digits, or with
# hyphens) on a request carrying x-flash-version and no query/extension. The negated literal
# "[DYNAMIC]" header match reads like a template placeholder left in — confirm it is intentional.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK EITest Mar 27"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"Cookie|3a|"; content:!"[DYNAMIC]"; http_header; pcre:"/^\/(?=[a-z][a-z\x2f]*\d[a-z\x2f]+\d[a-z\x2f]+\d[a-z\x2f]+\d[a-z\x2f]+\d)[a-z0-9\x2f]+\/$/U"; classtype:trojan-activity; sid:2022666; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK EITest Mar 27 M2"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!"Cookie|3a|"; pcre:"/^\/(?=[a-z][a-z\x2f]*-[a-z\x2f]+-)[a-z\x2f-]+\/$/U"; classtype:trojan-activity; sid:2022682; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_29, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
# 2020721: RIG landing URI: "=l3S" must start at URI offset 26 ("/index.php?" is 11 chars + a
# 15-char key) and also appear in a header (presumably Referer); sets ET.RIGEKExploit for a consumer
# outside this section.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RIG Exploit URI Struct March 20 2015"; flow:established,to_server; urilen:>220; content:"/index.php?"; http_uri; depth:11; content:"=l3S"; fast_pattern; http_uri; offset:26; depth:4; content:"/?"; http_header; content:"=l3S"; http_header; pcre:"/^\/index\.php\?[A-Za-z0-9_-]{15}=l3S/U"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2020721; rev:2; metadata:created_at 2015_03_20, updated_at 2020_06_30;)
# 2022686: HEAD for an .exe from the BITS 7.5 user agent, no Referer, Host ending in xyz or pw;
# fast_pattern:12,20 isolates exactly "Microsoft BITS/7.5\r\n" ("User-Agent: " is 12 bytes).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Likely Evil Macro EXE DL mar 28 2016"; flow:established,to_server; content:"HEAD"; http_method; content:"User-Agent|3a 20|Microsoft BITS/7.5|0d 0a|"; http_header; fast_pattern:12,20; content:".exe"; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a\x20[^\r\n]+(?:xyz|pw)\r?$/Hmi"; reference:md5,d599a63fac0640c21272099f39020fac; classtype:trojan-activity; sid:2022686; rev:3; metadata:created_at 2016_03_30, updated_at 2020_06_30;)
# 2025000: POST of a body containing "username" then "pass" to a .php page on Hostinger free-hosting
# domains. The alert fires on the submission itself, i.e. after the credentials have left the host:
# treat a hit as probable credential compromise, not just a phishing-page visit.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Phish to Hostinger Domains Apr 4 M4"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"username"; nocase; http_client_body; fast_pattern; content:"pass"; nocase; http_client_body; distance:0; pcre:"/\.php$/U"; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:(?:esy|hol)\.es|(?:890m|16mb)\.com|pe\.hu)\r\n/Hmi"; classtype:trojan-activity; sid:2025000; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
# 2020854 (disabled) / 2020896: router DNS-changer kit (see the dontneedcoffee reference).
# 2020854's hex is if(url.indexOf('<eopl>')>0){ ; 2020896's hex is the JS-escaped string
# "\x52\x54\x43..." which decodes to "RTCPeerConnection", with vidzi.tv excluded.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Router DNS Changer Apr 07 2015"; flow:established,from_server; file_data; content:"|69 66 28 75 72 6c 2e 69 6e 64 65 78 4f 66 28 27 3c 65 6f 70 6c 3e 27 29 3e 30 29 7b|"; reference:url,malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html; classtype:trojan-activity; sid:2020854; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_07, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK April 12 2016 M1"; flow:established,to_server; content:"/2016/less/ing/frame.html"; http_uri; classtype:trojan-activity; sid:2022724; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_12, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
# 2022725 (disabled): hex decodes to <script type='text/javascript'>var l='http: and the matching
# document.write('<'+'script ... src=\''+l+'\'>...') loader; byte-exact, including quoting style.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK April 12 2016 M2"; flow:established,from_server; file_data; content:"|3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 3e 76 61 72 20 6c 3d 27 68 74 74 70 3a|"; content:"|3b 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 27 2b 27 73 63 72 69 70 74 20 74 79 70 65 3d 5c 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 5c 27 20 73 72 63 3d 5c 27 27 2b 6c 2b 27 5c 27 3e 3c 27 2b 27 2f 73 63 72 69 70 74 3e 27 29 3b 3c 2f 73 63 72 69 70 74 3e|"; distance:0; classtype:trojan-activity; sid:2022725; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_12, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
# 2020300 (disabled): the byte_test pair after raw "GET /" requires the first URI byte to be A-Z
# (0x41-0x5a), which the pcre's leading [A-Z] already enforces; Referer must be a mixed-case
# alphanumeric .htm/.html path.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Exploit Struct Jan 23 2015"; flow:established,to_server; urilen:51<>150; content:"GET /"; byte_test:1,>,64,0,relative; byte_test:1,<,91,0,relative; pcre:"/^\/[A-Z](?=[A-Za-z]{0,148}\d)[A-Za-z0-9]{49,148}$/U"; content:".htm"; http_header; fast_pattern:only; content:"Referer|3a 20|"; http_header; pcre:"/^Referer\x3a\x20http\x3a\/\/[^\x2f]+\/[A-Z](?=[a-z0-9]+[A-Z])(?=[A-Z0-9]+[a-z])[A-Za-z0-9]{9,}\.html?\r?$/Hmi"; classtype:trojan-activity; sid:2020300; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
# 2022732: inbound banner match (any !80 -> $HOME_NET, from_server) on a "Model name : MGate" /
# "MAC address : xx:xx:xx:xx:xx:xx" response using 0d 00 0a line endings; classtype successful-admin
# flags that a management interface answered an external peer.
alert tcp any !80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Open MGate Device"; flow:established,from_server; content:"Model name|20|"; pcre:"/^\x20+\x3a\x20MGate/R"; content:"|0d 00 0a|MAC address|20|"; distance:0; pcre:"/^\x20+\x3a\x20(?:[0-9A-F]{2}\x3a){5}[0-9A-F]{2}\x0d\x00\x0a/R"; classtype:successful-admin; sid:2022732; rev:2; metadata:created_at 2016_04_14, updated_at 2016_04_14;)
# 2022751 and 2022904 (both disabled) key on the same bc3ad= cookie: 2022751 on the request
# (http_cookie), 2022904 on the Set-Cookie response. Note 2022904's Set-Cookie content carries no
# http_header modifier and therefore matches the raw payload.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 20 2016"; flow:established,to_server; urilen:5; content:"/get2"; http_uri; content:"bc3ad="; http_cookie; classtype:trojan-activity; sid:2022751; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_20, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 21 2016 M2"; flow:established,to_server; content:"/idx.aspx?sid="; http_uri; content:"&bcOrigin="; http_uri; content:"&rnd="; http_uri; distance:0; classtype:trojan-activity; sid:2022752; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_21, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
# 2022770/2022771 (both disabled): flowbit pair. 2022770 sets ET.WordJS (noalert) on a short
# two-directory .js URI with a common library-style name; 2022771 alerts on the text/html response
# to it whose body begins with <iframe. Enable both or neither.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 27 2016 (fbset)"; flow:established,to_server; urilen:11<>57; content:".js"; http_uri; fast_pattern:only; pcre:"/^\/[a-z]{2,20}\/[a-z]{2,20}\/(?:(?:(?:featur|quot)e|ip)s|d(?:ropdown|etect)|co(?:mpiled|re)|header|jquery|lang|min|ga)\.js$/U"; flowbits:set,ET.WordJS; flowbits:noalert; reference:url,research.zscaler.com/2016/01/music-themed-malvertising-lead-to-angler.html; classtype:trojan-activity; sid:2022770; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_27, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 27 2016"; flow:established,from_server; flowbits:isset,ET.WordJS; content:"Content-Type|3a 20|text/html|3b 20|charset=utf-8|0d 0a|"; http_header; file_data; content:"<iframe"; within:7; fast_pattern; reference:url,research.zscaler.com/2016/01/music-themed-malvertising-lead-to-angler.html; classtype:trojan-activity; sid:2022771; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_27, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
# 2022772: the three hex contents are ="\x2, ="\x6 and ="\x7; the pcre then requires 20 consecutive
# assignments of identifiers or short "\xNN" escape strings inside a <script> that follows a </span>
# with no <span> in the preceding 500 bytes (pseudo-Darkleech, see reference).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 28 2016"; flow:established,from_server; file_data; content:"|3d 22 5c 78 32|"; content:"|3d 22 5c 78 36|"; content:"|3d 22 5c 78 37|"; fast_pattern:only; content:"</span>"; content:!"<span>"; distance:-500; within:500; pcre:"/^\s*?<script>\s*?(?:[A-Za-z][A-Za-z\d+]+\s*?\+?=\s*(?:[A-Za-z][A-Za-z\d]+|[\x22\x27]\\x[2-7][0-9a-fA-F](?:\\x[2-7][0-9a-fA-F]){0,4}[\x22\x27])\s*?\x3b){20}/Rs"; reference:url,researchcenter.paloaltonetworks.com/2016/03/unit42-campaign-evolution-darkleech-to-pseudo-darkleech-and-beyond/; classtype:trojan-activity; sid:2022772; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
# 2022774 (disabled): hex decodes to i2336 == null, document.write('<DIV id=check524 style="DISPLAY: none"> and <iframe src=" — hidden-div iframe injector.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 29 2016"; flow:established,from_server; file_data; content:"|69 32 33 33 36 20 3d 3d 20 6e 75 6c 6c|"; nocase; fast_pattern:only; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 44 49 56 20 69 64 3d 63 68 65 63 6b 35 32 34 20 73 74 79 6c 65 3d 22 44 49 53 50 4c 41 59 3a 20 6e 6f 6e 65 22 3e|"; content:"|3c 69 66 72 61 6d 65 20 73 72 63 3d 22|"; classtype:trojan-activity; sid:2022774; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_29, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
# 2022779 (disabled): a "please-wait" image tag (alt="Please wait..."/>) followed by <iframe src= — the e-mail-delivered variant of the same redirector family.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK (delivered via e-mail)"; flow:established,from_server; file_data; content:"|3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 69 6e 6b 2d 70 72 6f 64 75 63 74 73 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 70 6c 65 61 73 65 2d 77 61 69 74 2e 67 69 66 22|"; nocase; fast_pattern:17,20; content:"|61 6c 74 3d 22 50 6c 65 61 73 65 20 77 61 69 74 2e 2e 2e 22 2f 3e|"; nocase; content:"|3c 69 66 72 61 6d 65 20 73 72 63 3d|"; nocase; classtype:trojan-activity; sid:2022779; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_05_03, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Router DNS Changer Apr 07 2015 M2"; flow:established,from_server; file_data; content:"|22 5c 78 35 32 5c 78 35 34 5c 78 34 33 5c 78 35 30 5c 78 36 35 5c 78 36 35 5c 78 37 32 5c 78 34 33 5c 78 36 46 5c 78 36 45 5c 78 36 45 5c 78 36 35 5c 78 36 33 5c 78 37 34 5c 78 36 39 5c 78 36 46 5c 78 36 45 22|"; content:!"vidzi.tv|0d 0a|"; reference:url,malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html; classtype:trojan-activity; sid:2020896; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_13, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
# 2022500 / 2022895: Xbagger macro downloader fetching .jpg?<param>=<1-4 digits> with the MSIE 7.0 UA
# and a Range header. 2022895 widens the filename class to [a-z0-9_-], bounds the param name to
# 2-10 chars, drops the mixed-case lookahead and adds the no-Referer check.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Xbagger Macro Encrypted DL"; flow:established,to_server; content:".jpg?"; http_uri; fast_pattern:only; content:"MSIE 7.0|3b| Windows NT"; http_header; content:"Range"; http_header; pcre:"/^\/[a-z0-9]+\.jpg\?(?=[a-z0-9]*[A-Z]+[a-z0-9])[A-Za-z0-9]+=\d{1,4}$/U"; classtype:trojan-activity; sid:2022500; rev:4; metadata:created_at 2016_02_10, updated_at 2019_10_07;)
# 2022805 (disabled): hex decodes to <title>Search</title>, #lll{position:absolute;left:- and <div id="lll"><iframe src= (off-screen iframe).
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK May 13 2016"; flow:established,from_server; file_data; content:"|3c 74 69 74 6c 65 3e 53 65 61 72 63 68 3c 2f 74 69 74 6c 65 3e|"; content:"|23 6c 6c 6c 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 6c 65 66 74 3a 2d|"; fast_pattern; content:"|3c 64 69 76 20 69 64 3d 22 6c 6c 6c 22 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; classtype:trojan-activity; sid:2022805; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_05_13, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
# 2025677/2025676: phishing landing pages — 200 + text/html, then three case-insensitive body
# phrases in order (distance:0). Phrase-based, so expect some benign-newsletter false positives.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Mailbox Update Phishing Landing M1 2016-05-16"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Mail Settings"; nocase; fast_pattern; content:"upgrade your mailbox"; nocase; distance:0; content:"Mail Administrator"; nocase; distance:0; classtype:trojan-activity; sid:2025677; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_05_16, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_10;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Mailbox Update Phishing Landing M2 2016-05-16"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Email Upgrade"; nocase; fast_pattern; content:"Confirm your account"; nocase; distance:0; content:"Mail Administrator"; nocase; distance:0; classtype:trojan-activity; sid:2025676; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_05_16, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_10;)
# 2022841: content:"/cgi/" has no http_uri modifier (the following ".bin" does), so it is a
# raw-payload match; the pcre /U re-checks the URI anyway. The long negated Host list is a
# false-positive allowlist, and the trailing |0d 0a 0d 0a| requires the header block to be complete
# in the inspected buffer.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible ReactorBot .bin Download"; flow:established,to_server; content:"GET"; http_method; content:"/cgi/"; content:".bin"; http_uri; fast_pattern:only; pcre:"/\/cgi\/[a-z0-9]{1,31}\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-Language|3a|"; http_header; content:!"AskTbARS"; http_header; content:!".passport.net|0d 0a|"; http_header; content:!".microsoftonline-p.net|0d 0a|"; http_header; content:!".symantec.com|0d 0a|"; http_header; content:!".qq.com|0d 0a|"; http_header; content:!"kankan.com|0d 0a|"; http_header; content:!"aocdn.net"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2022841; rev:1; metadata:created_at 2016_05_27, updated_at 2020_02_18;)
# 2022869 (disabled): same hidden-div string as 2022620/2022629; fast_pattern:77,20 picks a 20-byte
# window deep inside it, then name='<12 bytes>' and the closing </iframe></div>"); within 44 bytes.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jun 06 2016"; flow:established,from_server; file_data; content:"|28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70|"; fast_pattern:77,20; content:"name=|27|"; distance:0; content:"|27|"; distance:12; within:1; content:"|20 77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; within:44; classtype:trojan-activity; sid:2022869; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_06, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2020_08_20;)
# 2022884: Referer-less .exe fetch pinned to one file-share Host; narrow by design (single host).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS EXE Download from specific file share site (used in recent maldoc campaign)"; flow:to_server,established; content:".exe"; http_uri; content:"Host|3a 20|a.pomf.cat|0d 0a|"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; reference:md5,c321f38862a24dc8a72a251616b3afdf; classtype:trojan-activity; sid:2022884; rev:1; metadata:created_at 2016_06_09, former_category CURRENT_EVENTS, updated_at 2020_07_14;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Xbagger Macro Encrypted DL Jun 13 2016"; flow:established,to_server; content:".jpg?"; http_uri; fast_pattern:only; content:"MSIE 7.0|3b| Windows NT"; http_header; content:"Range"; http_header; pcre:"/^\/[a-z0-9_-]+\.jpg\?[A-Za-z0-9]{2,10}=\d{1,4}$/U"; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2022895; rev:2; metadata:created_at 2016_06_14, updated_at 2019_10_07;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jun 15 2016"; flow:established,from_server; content:"Set-Cookie|3a 20|bc3ad="; fast_pattern:only; content:"campaigns"; http_cookie; classtype:trojan-activity; sid:2022904; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_16, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
# 2022905 (disabled): x-javascript response naming data_receiver_url, redirect_url, current_page and
# cc_data in order, then document.location.href = redirect_url (hidden post-submit redirect).
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Hidden Javascript Redirect - Possible Phishing Jun 17"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|application/x-javascript"; http_header; file_data; content:"data_receiver_url"; fast_pattern; nocase; content:"redirect_url"; nocase; distance:0; content:"current_page"; nocase; distance:0; content:"cc_data"; nocase; distance:0; content:"document"; nocase; distance:0; pcre:"/^\s*\.\s*location\s*\.\s*href\s*=\s*redirect_url/Rsi"; reference:url,myonlinesecurity.co.uk/very-unusual-paypal-phishing-attack/; classtype:trojan-activity; sid:2022905; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_06_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_10_13;)
# 2019417 (disabled): server-sent SSLv3 alert records (record type 0x15, version 0x0300) on the
# listed TLS/SMTPS/IMAPS/POP3S ports; byte_jump skips the 2-byte length at offset 3 and isdataat:!2
# requires the record to end the segment. threshold type both / track by_dst, 50 in 300 s, so at
# most one alert per client per window. classtype policy-violation rather than attack.
#alert tcp $EXTERNAL_NET [443,465,993,995,25] -> $HOME_NET any (msg:"ET CURRENT_EVENTS excessive fatal alerts (possible POODLE attack against client)"; flow:from_server,established; ssl_version:sslv3; content:"|15 03 00 00|"; depth:4; byte_jump:2,3,post_offset -1; isdataat:!2,relative; threshold:type both, track by_dst, count 50, seconds 300; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:cve,2014-3566; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019417; rev:4; metadata:created_at 2014_10_15, updated_at 2016_06_21;)
# 2022909 (disabled): /js/analytic.php?id=N&tz=N&rs=WxH beacon. Its response-side partner (M2) starts
# on the next line and is cut off at the end of this section.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Jun 22 2016 M1"; flow:established,to_server; content:"/js/analytic.php?id="; http_uri; fast_pattern:only; pcre:"/^\/js\/analytic\.php\?id=\d+&tz=\-?\d+&rs=\d+x\d+$/Ui"; classtype:trojan-activity; sid:2022909; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Jun 22 2016 M2"; flow:established,from_server; file_data; content:"&tz=|27|+tzSignature()+|27|&rs=|27|+rsSignature()+"; fast_pattern:only; 
content:"document.write("; pcre:"/^[\x22\x27](?! $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (userdir dotted quad)"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; content:"/~"; http_uri; depth:2; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; pcre:"/^\/\~[a-z]+\/(?:[a-z]+\/)*[a-z]+\.exe$/Ui"; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r$/Hm"; reference:md5,a27bb6ac49f890bbdb97d939ccaa5956; classtype:trojan-activity; sid:2022940; rev:1; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_07_01, deployment Perimeter, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_03_05;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (dll generic custom headers)"; flow:established,to_server; content:".dll"; http_uri; fast_pattern:only; content:"GET"; http_method; content:"|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|en-US.q=0.8|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:"MSIE 7"; http_header; content:!"Referer|3a|"; content:!"Cookie|3a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022941; rev:2; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_07_01, deployment Perimeter, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_03_05;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (exe generic custom headers)"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; content:"GET"; http_method; content:"|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|en-US.q=0.8|0d 0a|Content-Type|3a 
20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:"MSIE 7"; http_header; content:!"Referer|3a|"; content:!"Cookie|3a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022942; rev:1; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_07_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Payload Jul 05 2016"; flow:established,from_server; file_data; content:"|3b 2d dd 4b 40 77 77 41|"; within:8; classtype:trojan-activity; sid:2022949; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2016_07_05;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 10 M2"; flow:established,from_server; file_data; content:"|76 61 72 20 66 72 61 67 6d 65 6e 74 20 3d 20 63 72 65 61 74 65 28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70 3a|"; classtype:trojan-activity; sid:2022956; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_07_11;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading To EK Jul 10 M1"; flow:established,to_server; content:".js?chebstr=0."; http_uri; 
pcre:"/\.js\?chebstr=0\.\d+$/U"; classtype:trojan-activity; sid:2022957; rev:1; metadata:created_at 2016_07_11, updated_at 2016_07_11;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 13 2016 2"; flow:established,to_server; content:"POST"; http_method; content:".swf"; nocase; http_header; content:"|4d 61 6e 75 66 75 63 6b|"; nocase; http_client_body; content:"|4d 61 63 72 6f 77 69 6e|"; nocase; http_client_body; classtype:trojan-activity; sid:2022964; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_13, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_07_13;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible malicious zipped-executable"; flow:established,from_server; file_data; content:"PK|01 02|"; within:4; content:".xla"; nocase; content:"PK|05 06|"; within:52; content:"|01 00 01 00|"; distance:4; within:4; classtype:trojan-activity; sid:2018086; rev:4; metadata:created_at 2014_02_06, updated_at 2016_07_13;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Phishing Landing Obfuscation 2016-03-17"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious SMTP Settings in XLS - Possible Phishing Document"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-type|3a 20|application/vnd.ms-excel"; http_header; file_data; content:"/configuration/sendusing"; nocase; fast_pattern; content:"/configuration/smtpserver"; nocase; distance:0; content:"/configuration/smtpauthenticate"; nocase; distance:0; content:"/configuration/sendusername"; nocase; distance:0; content:"/configuration/sendpassword"; nocase; distance:0; reference:md5,710ea2ed2c4aefe70bf082b06b82818a; 
reference:url,symantec.com/connect/blogs/malicious-macros-arrive-phishing-emails-steal-banking-information; classtype:trojan-activity; sid:2022974; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_07_18, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2017_10_13;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Mar 30 M3"; flow:established,to_client; file_data; content:"try "; content:"= new ActiveXObject"; distance:0; content:"catch"; distance:0; content:"=|20 22|Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi|22|,"; content:"=|20 22|Kaspersky.IeVirtualKeyboardPluginSm.JavascriptApi|22|,"; content:".location="; distance:0; classtype:trojan-activity; sid:2022984; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_07_26, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_07_26;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Jul 28 2016"; flow:established,to_client; content:"Set-Cookie|3a 20|yatutuzebil=1|3b|"; fast_pattern; content:"yatutuzebil"; http_cookie; classtype:trojan-activity; sid:2022990; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_07_28, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2020_02_13;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading To EK Jul 30 M1"; flow:established,to_server; content:".js?chbstr=0."; http_uri; pcre:"/\.js\?chbstr=0\.\d+$/U"; classtype:trojan-activity; sid:2022995; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_30, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_30;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET 
CURRENT_EVENTS Wells Fargo Mobile Phishing Landing 2016-08-01"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"content=|22|Please verify"; nocase; content:"Wells Fargo"; fast_pattern; nocase; distance:0; content:"your account is disabled"; nocase; distance:0; classtype:trojan-activity; sid:2025670; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Aug1 2016"; flow:established,from_server; file_data; content:"|76 61 72 20 68 65 61 64 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 27 62 6f 64 79 27 29 5b 30 5d 3b 20 76 61 72 20 73 63 72 69 70 74 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 73 63 72 69 70 74 2e 73 72 63 3d 20 22 2f 2f|"; pcre:"/^[^\r\n\x22\?]+[&?][^=\r\n\x22]+=[a-f0-9]+[^\r\n\x22\?]*[&?][^=\r\n\x22]+=[a-f0-9]+\x22\s*\x3b\s*head\.appendChild\(\s*script\s*\)\x3b/R"; classtype:trojan-activity; sid:2022998; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_08_01;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Generic Adobe Shared Document Phish Aug 11 2016"; flow:to_server,established; flowbits:isset,ET.GenericPhish_Adobe; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023048; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_11, deployment 
Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2017_07_12;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Email Storage Upgrade Phishing Landing 2016-08-15"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Login Authorization"; fast_pattern; nocase; content:"STORAGE UPGRADE"; nocase; distance:0; content:"Global Internet Administration!"; nocase; distance:0; classtype:trojan-activity; sid:2023062; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Payload Jun 26 2016"; flow:established,from_server; file_data; content:"|2c 2d dd 4b 40 44 77 41|"; within:9; classtype:trojan-activity; sid:2022916; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_06_26, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2016_08_16;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious HTTP Refresh to SMS Aug 16 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta http-equiv="; nocase; content:"refresh"; distance:1; within:8; pcre:"/^[^>]+url=sms\x3a/Rsi"; content:"url=sms|3a|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2023068; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_08_16, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"ET CURRENT_EVENTS SUSPICIOUS Grey Advertising Often Leading to EK"; flow:established,from_server; file_data; content:"|69 66 20 28 62 65 66 6f 72 65 53 63 72 69 70 74 53 72 63 20 26 26 20 74 79 70 65 6f 66 20 62 65 66 6f 72 65 53 63 72 69 70 74 53 72 63 20 3d 3d 3d 20 27 73 74 72 69 6e 67 27 29|"; content:"|66 75 6e 63 74 69 6f 6e 20 28 73 72 63 2c 20 61 73 79 6e 63 2c 20 62 65 66 6f 72 65 53 63 72 69 70 74 53 72 63 2c 20 63 61 6c 6c 62 61 63 6b 29|"; reference:url,www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=854; classtype:trojan-activity; sid:2021763; rev:2; metadata:created_at 2015_09_12, updated_at 2016_08_17;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Netflix Phish Aug 17 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"firstName="; depth:10; nocase; fast_pattern; http_client_body; content:"&lastName="; nocase; http_client_body; distance:0; content:"&cardNumber="; nocase; http_client_body; distance:0; content:"&authURL="; nocase; http_client_body; distance:0; content:"&encryptedOaepLen="; nocase; http_client_body; distance:0; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023072; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_17, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2017_07_12;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Netflix Phishing Landing 2016-08-17"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Netflix"; nocase; fast_pattern; content:"Update Your Payment Information"; nocase; distance:0; content:"Please update your payment information"; nocase; distance:0; content:"not be charged for the days you missed"; nocase; distance:0; classtype:trojan-activity; 
sid:2023073; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_17, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Aug 17 2016"; flow:established,to_client; file_data; content:"|64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 69 66 27 2b 27 72 61 27 2b 27 6d 65 27 29 3b|"; nocase; fast_pattern:19,20; content:"|2e 73 74 79 6c 65 2e 70 6f 73 69 74 69 6f 6e 20 3d 20 27 61 62 27 2b 27 73 6f 6c 27 2b 27 75 74 65 27 3b|"; distance:0; nocase; content:"setAttribute"; nocase; pcre:"/^\s*\(\s*[\x22\x27]id[\x22\x27]\s*,\s*?(?P<var>[^,\x29\s\x3b]+)\s*\x29.*?\.appendChild\s*\(\s*(?P=var)/Rsi"; classtype:trojan-activity; sid:2023074; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_08_17, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_08_17;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Bank of America Phishing Domain Aug 15 2016"; flow:to_server,established; content:"GET"; http_method; content:"bankofamerica.com"; http_header; fast_pattern; content:!"bankofamerica.com|0d 0a|"; http_header; pcre:"/Host\x3a[^\r\n]+bankofamerica\.com[^\r\n]{10,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023066; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_17;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jun 14 2016"; flow:established,from_server;file_data; content:"|64 6f 63 75 6d 
65 6e 74 2e 77 72 69 74 65 28 27 3c 64 69 76|"; within:20; pcre:"/^(?:\x20id=\x22\d+\x22)?\x20style=\x22(?=[^\x22\r\n]*top\x3a\x20-\d{3}px\x3b)(?=[^\x22\r\n]*left\x3a-\d{3}px\x3b)(?=[^\x22\r\n]*position\x3a\x20absolute\x3b)[^\x22\r\n]*\x22>\x20<iframe[^\r\n>]*><\x2f/R";content:"|69 27 2b 27 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 27 29 3b|"; within:19; fast_pattern; isdataat:!4,relative; classtype:trojan-activity; sid:2022898; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_15, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_08_19;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Office 365 Phishing Landing 2016-08-24"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta name=|22|SiteID|22 20|content=|22 22|"; nocase; content:"<meta name=|22|ReqLC|22 20|content=|22|1033|22|"; fast_pattern; nocase; distance:0; content:"<meta name=|22|LocLC|22 20|content="; nocase; distance:0; content:"microsoftonline-p.com"; nocase; distance:0; content:"id=|22|credentials|22|"; nocase; distance:0; content:!"action=|22|/common/login|22|"; nocase; distance:0; within:50; threshold:type limit, track by_src, count 1, seconds 30; classtype:trojan-activity; sid:2025673; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_24, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2020_08_19;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Google Drive Phishing Domain Aug 25 2016"; flow:to_server,established; content:"drive.google.com"; http_header; fast_pattern; content:!"drive.google.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+drive\.google\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 
30; classtype:trojan-activity; sid:2023092; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_17;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Landing Feb 26"; flow:to_server,established; content:"GET"; http_method; content:".html"; http_uri; content:"rackcdn.com|0d 0a|"; http_header; fast_pattern; pcre:"/^\/[a-zA-Z0-9]+\.html$/U"; pcre:"/\x0d\x0aHost\x3a\x20[a-f0-9]{20}-[a-f0-9]{32}\.r[0-9]{1,2}\.cf[0-9]\.rackcdn\.com\x0d\x0a/H"; classtype:trojan-activity; sid:2022574; rev:2; metadata:created_at 2016_02_29, former_category CURRENT_EVENTS, updated_at 2016_08_26;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Suspicious Proxifier DL (non-browser observed in maldoc campaigns)"; flow:established,to_server; content:"/distr/Proxifier"; http_uri; nocase; depth:16; fast_pattern; content:!"User-Agent|3a|"; http_header; nocase; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:!"Cookie|3a|"; content:"proxifier.com|0d 0a|"; http_header; nocase; reference:md5,2a0728a6edab6921520a93e10a86d4b2; classtype:trojan-activity; sid:2023138; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_03_05;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Google Drive Phish Landing 2016-09-01"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function popupwnd"; fast_pattern; nocase; content:"javascript|3a|popupwnd"; nocase; distance:0; content:"liamg"; nocase; distance:0; content:"javascript|3a|popupwnd"; 
nocase; distance:0; content:"kooltuo"; nocase; distance:0; classtype:trojan-activity; sid:2025684; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2014-6332 Sep 01 2016 (HFS Actor) M1"; flow:established,from_server; file_data; content:"|26 63 68 72 77 28 32 31 37 36 29 26 63 68 72 77 28 30 31 29 26|"; nocase; content:"|26 63 68 72 77 28 33 32 37 36 37 29|"; nocase; content:"|73 65 74 6e 6f 74 73 61 66 65 6d 6f 64 65 28 29|"; nocase; content:"|72 75 6e 73 68 65 6c 6c 63 6f 64 65 28 29|"; nocase; reference:cve,2014-6332; classtype:trojan-activity; sid:2023145; rev:1; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, malware_family IEiExploit, performance_impact Low, signature_severity Major, updated_at 2016_09_01;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2014-6332 Sep 01 2016 (HFS Actor) M2"; flow:established,from_server; content:"Server|3a 20|HFS|20|"; http_header; file_data; content:"|6f 62 6a 57 73 68 2e 72 75 6e 20 22 43 3a 5c 57 69 6e 64 6f 77 73 5c 54 65 6d 70 5c 70 75 74 74 79 2e 65 78 65 22|"; nocase; reference:cve,2014-6332; classtype:trojan-activity; sid:2023146; rev:1; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, malware_family IEiExploit, performance_impact Low, signature_severity Major, updated_at 2020_07_27;) #alert tcp $HOME_NET any -> [85.93.0.0/24,194.165.16.0/24] 80 (msg:"ET CURRENT_EVENTS EITest Flash Redirect Aug 09 2016"; flow:established,to_server; urilen:>20; content:"x-flash-version|3a 20|"; http_header; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; 
content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!".swf"; nocase; http_uri; content:!".flv"; nocase; http_uri; content:!"/crossdomain.xml"; http_uri; content:!"|0d 0a|Cookie|3a|"; classtype:trojan-activity; sid:2023036; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_09_26;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS iCloud Phishing Landing 2016-09-02"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>iCloud"; fast_pattern; nocase; content:"apple.com"; nocase; distance:0; content:"iCloud Settings"; nocase; distance:0; content:"<form"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; classtype:trojan-activity; sid:2024230; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing_07012016, updated_at 2020_07_27;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Encoded CVE-2014-6332 (As Observed in SunDown EK) M1"; flow:established,to_client; file_data; content:"|43 68 72 28 39 39 29 20 26 20 43 68 72 28 31 30 34 29 20 26 20 43 68 72 28 31 31 34 29 20 26 20 43 68 72 28 31 31 39 29 20 26 20 43 68 72 28 34 30 29 20 26 20 43 68 72 28 35 31 29 20 26 20 43 68 72 28 35 30 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 35 34 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 34 31 29|"; classtype:trojan-activity; sid:2023151; rev:1; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, signature_severity Major, updated_at 2016_09_02;) #alert tcp $EXTERNAL_NET 
$HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Encoded CVE-2014-6332 (As Observed in SunDown EK) M2"; flow:established,to_client; file_data; content:"|43 68 72 28 39 39 29 20 26 20 43 68 72 28 31 30 34 29 20 26 20 43 68 72 28 31 31 34 29 20 26 20 43 68 72 28 31 31 39 29 20 26 20 43 68 72 28 34 30 29 20 26 20 43 68 72 28 35 30 29 20 26 20 43 68 72 28 34 39 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 35 34 29|"; classtype:trojan-activity; sid:2023152; rev:1; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, signature_severity Major, updated_at 2016_09_02;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Encoded CVE-2014-6332 (As Observed in SunDown EK) M3"; flow:established,to_client; file_data; content:"|43 68 72 28 33 32 29 20 26 20 43 68 72 28 31 31 35 29 20 26 20 43 68 72 28 31 30 31 29 20 26 20 43 68 72 28 31 31 36 29 20 26 20 43 68 72 28 31 31 30 29 20 26 20 43 68 72 28 31 31 31 29 20 26 20 43 68 72 28 31 31 36 29 20 26 20 43 68 72 28 31 31 35 29 20 26 20 43 68 72 28 39 37 29 20 26 20 43 68 72 28 31 30 32 29 20 26 20 43 68 72 28 31 30 31 29 20 26 20 43 68 72 28 31 30 39 29 20 26 20 43 68 72 28 31 31 31 29 20 26 20 43 68 72 28 31 30 30 29 20 26 20 43 68 72 28 31 30 31 29|"; classtype:trojan-activity; sid:2023153; rev:1; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, signature_severity Major, updated_at 2016_09_02;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 12 2016 (Flash)"; flow:established,to_server; content:"/promo"; http_uri; nocase; depth:6; content:"/promo.swf?t="; http_uri; nocase; fast_pattern:only; pcre:"/^\/promo\d+(?:x\d+)?\/promo\.swf\?t=\d+$/Ui"; classtype:trojan-activity; sid:2023186; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, 
created_at 2016_09_12, deployment Perimeter, malware_family EvilTDS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_10_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Inject (compromised site) Sep 12 2016"; flow:established,from_server; file_data; content:"|25 32 32 25 37 30 25 36 66 25 37 33 25 36 39 25 37 34 25 36 39 25 36 66 25 36 65 25 33 61 25 32 30 25 36 31 25 36 32 25 37 33 25 36 66 25 36 63 25 37 35 25 37 34 25 33 62|"; nocase; classtype:trojan-activity; sid:2023188; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, tag Redirector, updated_at 2016_09_12;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Inject (compromised site) M2 Sep 12 2016"; flow:established,from_server; file_data; content:"|25 33 62 25 36 36 25 36 39 25 36 63 25 37 34 25 36 35 25 37 32 25 33 61 25 36 31 25 36 63 25 37 30 25 36 38 25 36 31 25 32 38 25 36 66 25 37 30 25 36 31 25 36 33 25 36 39 25 37 34 25 37 39 25 33 64 25 33 30 25 32 39 25 33 62 25 32 30 25 32 64 25 36 64 25 36 66 25 37 61 25 32 64 25 36 66 25 37 30 25 36 31 25 36 33 25 36 39 25 37 34 25 37 39 25 33 61 25 33 30 25 33 62 25 32 32 25 33 65|"; nocase; classtype:trojan-activity; sid:2023189; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, tag Redirector, updated_at 2016_09_12;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK EITest Sep 02 M2"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; 
http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!"Cookie|3a|"; pcre:"/^\/(?=[a-z\d]+[+-][a-z\d]+[+-][a-z\d]+[+-])[a-z\d+-]*\/$/U"; classtype:trojan-activity; sid:2023150; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category EXPLOIT_KIT, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_09_12;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b641)"; flow:established,from_server; file_data; content:"RnVuY3Rpb24gbGVha01lbS"; classtype:attempted-admin; sid:2023190; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b642)"; flow:established,from_server; file_data; content:"Z1bmN0aW9uIGxlYWtNZW0g"; classtype:attempted-admin; sid:2023191; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b643)"; flow:established,from_server; file_data; content:"GdW5jdGlvbiBsZWFrTWVtI"; classtype:attempted-admin; sid:2023192; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, 
malware_family RIG, signature_severity Major, updated_at 2016_09_12;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b644)"; flow:established,from_server; file_data; content:"cHJlZml4ICYgIiV1MDAxNiV1NDE0MSV1NDE0MSV1NDE0MSV1NDI0MiV1NDI0Mi"; classtype:attempted-admin; sid:2023193; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b645)"; flow:established,from_server; file_data; content:"ByZWZpeCAmICIldTAwMTYldTQxNDEldTQxNDEldTQxNDEldTQyNDIldTQyNDIi"; classtype:attempted-admin; sid:2023194; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b646)"; flow:established,from_server; file_data; content:"wcmVmaXggJiAiJXUwMDE2JXU0MTQxJXU0MTQxJXU0MTQxJXU0MjQyJXU0MjQyI"; classtype:attempted-admin; sid:2023195; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Sep 12 2016 T2"; flow:established,from_server; file_data; content:".split"; nocase; pcre:"/^\s*\(\s*[\x22\x27][\x00-\x09\x80-\xff][\x22\x27]\s*\)\s*\x3b\s*[A-Za-z0-9]+\s*=\s*[\x22\x27]/Rsi"; content:"|01 2e 02 3c 03 3e 04 
3d 05 5c 22 06 5c 27 07 29|"; fast_pattern; within:16; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023196; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family RIG, performance_impact Low, signature_severity Major, updated_at 2016_09_12;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Sep 13 2016 (b641)"; flow:established,from_server; file_data; content:"KyAnPHBhcmFtIG5hbWU9Rmxhc2hWYXJzIHZhbHVlPSJpZGRxZD"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023198; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_13, deployment Perimeter, malware_family RIG, signature_severity Major, updated_at 2020_08_19;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Sep 13 2016 (b642)"; flow:established,from_server; file_data; content:"sgJzxwYXJhbSBuYW1lPUZsYXNoVmFycyB2YWx1ZT0iaWRkcWQ9"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023199; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_13, deployment Perimeter, malware_family RIG, signature_severity Major, updated_at 2020_08_19;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Sep 13 2016 (b643)"; flow:established,from_server; file_data; content:"rICc8cGFyYW0gbmFtZT1GbGFzaFZhcnMgdmFsdWU9ImlkZHFkP"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023200; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 
2016_09_13, deployment Perimeter, malware_family RIG, signature_severity Major, updated_at 2020_08_19;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 19 2016"; flow:established,from_server; file_data; content:"|29 2b 22 2e 49 65 56 22 2b|"; fast_pattern; content:"|29 2b 22 58 4f 22 2b|"; content:"|6e 65 77 20 77 69 6e 64 6f 77 5b 22 41 22 2b|"; content:"|29 7b 72 65 74 75 72 6e|"; content:"|2e 74 6f 53 74 72 69 6e 67|"; classtype:trojan-activity; sid:2023248; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_19, deployment Perimeter, malware_family EvilRedirector, malware_family Magnitude, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_09_19;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 19 2016 (EItest Inject)"; flow:established,from_server; file_data; content:"3a-20-61-62-73-6f-6c-75-74-65-3b-7a-2d-69-6e-64-65-78-3a-2d-31-3b"; nocase; classtype:trojan-activity; sid:2023250; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_19, deployment Perimeter, malware_family EvilTDS, malware_family EITest, signature_severity Major, tag Redirector, updated_at 2016_09_19;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 19 2016 (EItest Inject) M2"; flow:established,from_server; file_data; content:"|32 32 2d 36 66 2d 37 30 2d 36 31 2d 37 31 2d 37 35 2d 36 35 2d 32 32 2d 32 66 2d 33 65 2d 33 63 2d 32 66 2d 36 66 2d 36 32 2d 36 61 2d 36 35 2d 36 33 2d 37 34 2d 33 65 2d 30 64 2d 30 61 2d 33 63 2d 32 66 2d 36 34 2d 36 39 2d 37 36 2d 33 65 22 2e 72 65 70 6c 61 63 65 28 2f 2d 2f 67 2c 20 22 25 22 29 3b 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 
65|"; nocase; classtype:trojan-activity; sid:2023251; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_19, deployment Perimeter, malware_family EvilTDS, malware_family EITest, signature_severity Major, tag Redirector, updated_at 2016_09_19;) #alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query to Ebay Phishing Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|107sbtd9cbhsbtd5d80"; fast_pattern; distance:0; nocase; threshold:type limit, track by_src, count 1, seconds 30; classtype:trojan-activity; sid:2023180; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing_07012016, updated_at 2017_07_12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Square Enix Phishing Domain 2016-08-15"; flow:to_server,established; content:"GET"; http_method; content:"square-enix.com"; http_header; fast_pattern; content:!"square-enix.com|0d 0a|"; http_header; pcre:!"/^Referer\x3a[^\r\n]+square-enix\.com/Hmi"; classtype:trojan-activity; sid:2023065; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK NOP Sled Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"LGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdIF";flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023271; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, 
malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK NOP Sled Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"pdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NVEX";flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023272; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK NOP Sled Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGYUJ";flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023273; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_19;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK Slight Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"x7soyTdaNq94NWpdLGZ4NWpd";flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023274; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK Slight Sep 22 2016 (b642)"; 
flow:established,from_server; file_data; content:"MlADchNaR0LGZ4NWpdLGZ4N";flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023275; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_19;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK Slight Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"azTEhyWNbKGpdLGZ4NWpdLG";flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023276; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_19;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2015-0016 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"wSNfF6IsxmIHAD8ewTEVACMiwT0d"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023277; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_22, cve CVE_2015_0016, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2015-0016 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"IaOoM9BCQ9FnEgy6IoITEaz6Iex"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023278; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 
2016_09_22, cve CVE_2015_0016, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2015-0016 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"9xb4GwTUbwUQoyD09AFIox7g9y6"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023279; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_22, cve CVE_2015_0016, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_19;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2016-0189 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"yTEsz98oyHssxnxc"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023280; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2016-0189 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"coBDgMAD9lBCQmN"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023281; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2016-0189 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"hADUiGDEgPTUbAa"; flowbits:set,SunDown.EK; 
classtype:trojan-activity; sid:2023282; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_19;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2013-2551 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"ATUazSM9vDcoOnUbxnU4Oncoynw9z"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023283; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2013-2551 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"Isx7sawSohAH4sxmQsvH4hAD4mwT"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023284; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2013-2551 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"pBCMlx6I4yTFfBCQbBCpfyTEfA6Il"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023285; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 
2020_08_20;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS DTLS Pre 1.0 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 01 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; byte_extract:3,0,frag_len,relative; byte_jump:3,5,relative; content:"|01|"; within:1; byte_test:3,!=,frag_len,0,relative; reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018559; rev:2; metadata:created_at 2014_06_13, updated_at 2014_06_13;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS DTLS 1.0 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 fe ff 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; byte_extract:3,0,frag_len,relative; byte_jump:3,5,relative; content:"|01|"; within:1; byte_test:3,!=,frag_len,0,relative; reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018560; rev:2; metadata:created_at 2014_06_13, updated_at 2020_08_19;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS DTLS 1.2 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 fe fd 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; byte_extract:3,0,frag_len,relative; byte_jump:3,5,relative; content:"|01|"; within:1; byte_test:3,!=,frag_len,0,relative; reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018561; rev:3; metadata:created_at 2014_06_13, updated_at 2014_06_13;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> 
$HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Sep 26 2016"; flow:established,from_server; file_data; content:"document.write"; within:14; pcre:"/^\s*\x28\s*[\x22\x27]<div\s*style\s*=\s*[\x22\x27](?=[^\x22\x27\r\n]*position\x3aabsolute\x3b)(?=[^\x22\x27\r\n]*top\x3a\s\-\d+px\x3b)(?=[^\x22\x27\r\n]*left\x3a\s0px\x3b)[^\r\n]*?<iframe[^\r\n>]*\s><\/i[\x22\x27]\+[\x22\x27]frame>[^\r\n]*<\/div>[\x22\x27]\s*\x29\x3b$/R"; content:"|3c 2f 69 27 2b 27 66 72 61 6d 65 3e|"; fast_pattern:only; classtype:trojan-activity; sid:2023302; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, malware_family AfraidGate, performance_impact Low, signature_severity Major, updated_at 2019_10_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 26 2016 T2"; flow:established,from_server; file_data; content:"|6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 20 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; pcre:"/^\s*\x27[^\x27]+\x27width=\x27250\x27\sheight=\x27250\x27>\s*<\/iframe>\s*<\/div>/R"; classtype:trojan-activity; sid:2023303; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_27, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_09_27;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Inject (compromised site) Sep 12 2016"; flow:established,from_server; file_data; content:"|67 2c 20 22 25 22 29 3b 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 64 65 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74|"; content:"3c"; nocase; distance:-242; within:200; 
pcre:"/^(?P<split>.{1,10})2f(?P=split)64(?P=split)69(?P=split)76(?P=split)3e(?P=split)?[^\x22\x27]*[\x22\x27]\.replace\s*\(\s*[\x22\x27]?\/(?P=split)\/g[\x22\x27]?\s*,\s*[\x22\x27]\x25[\x22\x27]\s*\x29\s*\x3b/Ri"; classtype:trojan-activity; sid:2023307; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_28, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2020_08_20;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 20 2016"; flow:established,from_server; file_data; content:"Base64.encode(rc4("; nocase; fast_pattern; content:"+|22 3a|timeDelta|2c 22|+"; nocase; content:"cfg.key|29 29|"; nocase; distance:0; pcre:"/^[\x3b\x2c]postRequest\x28cfg\.urlSoftDetectorCallback/Ri"; classtype:trojan-activity; sid:2023252; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, deployment Perimeter, malware_family EvilTDS, malware_family Malvertising, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_09_29;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Eval With Base64.decode seen in DOL Watering Hole Attack 05/01/13"; flow:established,from_server; file_data; content:"Base64.decode"; nocase; fast_pattern:only; content:"eval("; nocase; pcre:"/^[\r\n\s]*?Base64\.decode[\r\n\s]*?\x28[\r\n\s]*?[\x22\x27]/Ri"; content:!"|22|J0RVREFPTkUn|22|"; content:!"|22|J01PQklMRSc|3D 22|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016807; rev:5; metadata:created_at 2013_05_01, updated_at 2013_05_01;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Flash Exploit Likely SunDown EK"; 
flow:established,from_server; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"9090909090909090909090909090909090909090EB"; classtype:trojan-activity; sid:2023313; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, malware_family SunDown, performance_impact Low, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2016_10_03;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK Landing Oct 03 2016"; flow:from_server,established; file_data; content:"|28 65 78 70 6c 6f 69 74 29|"; content:"|2e 65 78 65 63 28 69 6e 70 75 74 29 29 7b 72 65 74 75 72 6e 2d 31 7d 69 6e 70 75 74 3d 69 6e 70 75 74 2e 72 65 70 6c 61 63 65|"; content:"|6b 65 79 53 74 72|"; classtype:trojan-activity; sid:2023314; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, malware_family SunDown, performance_impact Low, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2016_10_03;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Locky AlphaNum Downloader Oct 3 2016"; flow:to_server,established; urilen:5<>10; content:"GET"; http_method; pcre:"/^\/(?=[a-z]*[0-9][a-z-0-9]*$)(?=[0-9]*[a-z][a-z-0-9]*$)[a-z0-9]{5,8}$/U"; content:!"Cookie|3a 20|"; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_header; fast_pattern:37,20; content:"Accept|3a|"; http_header; content:"Accept-Encoding"; http_header; flowbits:set,ET.LockyDL; flowbits:noalert; classtype:trojan-activity; sid:2023315; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category CURRENT_EVENTS, 
malware_family Locky, signature_severity Major, updated_at 2016_10_03;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Locky AlphaNum Downloader Oct 3 2016"; flow:from_server,established; flowbits:isnotset,ET.http.binary; flowbits:isset,ET.LockyDL; content:"ETag|3a|"; http_header; content:!"Content-Disposition|3a|"; http_header; content:!"Cookie|3a|"; content:"Content-Length|3a 20|1"; http_header; fast_pattern:only; pcre:"/^Content-Length\x3a\x201[6-8]\d{4}\r?$/Hm"; file_data; content:!"MZ"; within:2; content:!"PK"; within:2; content:!"GIF"; within:3; content:!"|FF D8 FF|"; within:3; content:!"CWS"; within:3; content:!"ZWS"; within:3; pcre:"/^.{4}[\x0a-\x7f]{0,100}[\x00-x09\x80-\xff]/s"; classtype:trojan-activity; sid:2023316; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, signature_severity Major, updated_at 2016_10_03;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Personalized OWA Webmail Phish Oct 04 2016"; flow:to_server,established; content:"POST"; http_method; content:".php?"; nocase; http_uri; content:"&email="; nocase; http_uri; distance:0; content:"curl="; depth:5; nocase; http_client_body; content:"&flags="; nocase; distance:0; http_client_body; content:"&forcedownlevel="; nocase; distance:0; http_client_body; content:"&formdir="; nocase; distance:0; http_client_body; content:"&trusted="; nocase; distance:0; http_client_body; content:"&username="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; content:"&SubmitCreds="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2025002; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category CURRENT_EVENTS, 
signature_severity Major, tag Phishing, updated_at 2020_07_29;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful WeTransfer Phish Oct 04 2016"; flow:to_server,established; content:"POST"; http_method; content:".php?cmd="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&session="; nocase; http_uri; content:"provider="; depth:9; nocase; http_client_body; fast_pattern; content:"&email="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; content:"&phone="; nocase; distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023964; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_07_29;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 12 2016"; flow:established,from_server; file_data; content:"|3c 73 70 61 6e 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 2d 31|"; pcre:"/^\d{3}px\x3b\swidth\x3a3\d{2}px\x3b\sheight\x3a3\d{2}px\x3b\x22>[^<>]*?<iframe src=[\x22\x27][^\x22\x27]+[\x22\x27]\swidth=[\x22\x27]2\d{2}[\x22\x27]\sheight=[\x22\x27]2\d{2}[\x22\x27]><\/iframe>[^<>]*?\n[^<>]*?<\/span>/Rsi"; classtype:trojan-activity; sid:2022962; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_07_12, deployment Perimeter, malware_family PsuedoDarkLeech, signature_severity Major, updated_at 2019_09_27;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK (EITest Inject) Oct 03 2016"; flow:established,from_server; file_data; content:"|25 75 30 30 33 64 25 75 30 30 36 63 25 75 30 30 33 33 25 75 30 30 35 33|"; content:"|73 72 63 20 3d 20 75 6e 65 73 63 61 70 
65|"; classtype:trojan-activity; sid:2023312; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_10_06;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SunDown EK Flash Exploit Sep 22 2016"; flow:established,to_server; content:".swf"; http_uri; content:"/index.php?"; http_header; pcre:"/^\/\d+\/\d+\.swf$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f\x2f[^\r\n\x2f]+\/index\.php\?[^\x3d&]+=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=)?\r\n/H"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023270; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2016_10_06;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible IE MSMXL Detection of Local SYS (Likely Malicious)"; flow:established,from_server; file_data; content:"res|3a|"; nocase; content:"loadXML"; nocase; content:"parseError"; nocase; content:"errorCode"; nocase; content:"-2147023083"; fast_pattern:only; content:".sys"; classtype:trojan-activity; sid:2021430; rev:2; metadata:created_at 2015_07_15, updated_at 2019_10_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Oct 19 2016"; flow:established,from_server; content:"nginx"; http_header; pcre:"/^Content-Length\x3a\x20\d{2,3}\r?$/Hmi"; file_data; content:"document.write|28|"; within:15; 
pcre:"/^(?=[^\n>]*position\x3aabsolute)(?=[^\n>]*top\x3a\x20-\d+px\x3b)[^\n]*<iframe(?=[^\n>]*width=\d{3})(?=[^\n>]*height=\d{3})[^\n>]*src=[\x22\x27]http[^\n>]+\s*>\s*/R"; content:"</|27|+|27|iframe>"; within:12; fast_pattern; pcre:"/^[^\n]*\x29\x3b$/R"; classtype:trojan-activity; sid:2023352; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_10_19;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Oct 19 2016 T2"; flow:established,from_server; content:"Content-Type|3a 20|text/javascript|0d 0a|"; http_header; content:"nginx"; http_header; file_data; content:"var"; within:3; pcre:"/^\s*(?P<var>[^\r\n\s\x3d\x2c\x3b]+)\s*=[^\n]*<iframe(?=[^\n>]*top\x3a-\d+px\x3b)[^\n>]+src\s*=\s*\x5c?[\x22\x27]http[^\n>]+>\s*<\/iframe>\x22\x3bdocument\.write\((?P=var)\)\x3b\s*$/R"; content:"</iframe>|22 3b|document.write"; fast_pattern; classtype:trojan-activity; sid:2023353; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_10_19;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016"; flow:established,from_server; file_data; content:"=l3S"; fast_pattern; content:"|22|frameBorder|22 2c 20 22|0|22|"; nocase; content:"document.createElement|28 22|iframe|22 29 3b|"; nocase; content:" document.body.appendChild"; nocase; content:"http|3a 2f 2f|"; nocase; pcre:"/^[^\x2f\x22\x27]+\/\?[^=&\x22\x27]+=l3S/Ri"; classtype:trojan-activity; sid:2023343; rev:2; metadata:affected_product Web_Browser_Plugins, attack_target 
Client_Endpoint, created_at 2016_10_17, deployment Perimeter, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_10_28;)
# sid 2023471: outbound fetch of /tor/<name>(32|64).dll with no Referer and no Accept* header but a form-urlencoded
# Content-Type; no request method is checked. content:!"Accept" is a bare substring negation, so any request carrying
# Accept-Encoding/Accept-Language is also excluded.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malicious Tor Module Download"; flow:established,to_server; content:"/tor/"; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; pcre:"/\/tor\/[^\x2f\x2e]+(?:32|64)\.dll$/Ui"; reference:md5,dacbf4c26c5642c29e69e336e0f111f7; classtype:trojan-activity; sid:2023471; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_01, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2019_10_07;)
# sid 2023473 (disabled): DNSChanger EK second stage - a JS object with .controlurl/.schematype/.csrf/.port members
# and an " ip" value in private/loopback space (10/8, 127/8, 172.16/12, 192.168/16), i.e. the router-targeting
# UPnP stage; hence classtype attempted-admin rather than trojan-activity.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNSChanger EK Secondary Landing Oct 31 2016"; flow:established,from_server; file_data; content:".controlurl"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".schematype"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".csrf"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".port"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:"upnp"; nocase; content:" ip"; nocase; pcre:"/^\s*=\s*[\x22\x27]?(?:10|127|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\./R"; classtype:attempted-admin; sid:2023473; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_01, deployment Perimeter, malware_family DNSEK, performance_impact Low, signature_severity Major, updated_at 2020_08_20;)
# sid 2023474 (disabled): the hex content is the ASCII of a JS \xNN-escaped string; it decodes to
# \kas_engine.dll/#24/2"} - the same res:// IE information-disclosure probe (/#24/) that sid 2023586 matches.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Nov 01 2016"; flow:established,from_server; file_data; content:"|5c 78 35 63 5c 78 36 62 5c 78 36 31 5c 78 37 33 5c 78 35 66 5c 78 36 35 5c 78 36 65 5c 78 36 37 5c 78 36 39 5c 78 36 65 5c 78 36 35 5c 78 32 65 5c 78 36 34 5c 78 36 63 5c 78 36 63 5c 78 32 66 5c 78 32 33 5c 78 33 32 5c 78 33 34 5c 78 32 66 5c 78 33 32 5c 78 32 32 5c 78 37 64|"; nocase; classtype:trojan-activity; sid:2023474; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_01, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_11_01;)
# sid 2023480 (disabled): Sundown/Xer landing fingerprinted by its X-Powered-By header. It is the only setter of
# flowbit SunDown.EK in this span; while it stays commented out, any rule that requires SunDown.EK cannot fire.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown/Xer EK Landing Jul 06 2016 M1"; flow:established,from_server; content:"X-Powered-By|3a 20|Yugoslavian Business Network"; http_header; fast_pattern:12,20; content:"Content-Type|3a 20|text/html|3b|"; http_header; content:"nginx"; http_header; flowbits:set,SunDown.EK; reference:url,blog.talosintel.com/2016/10/sundown-ek.html; classtype:trojan-activity; sid:2023480; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_07_06, deployment Perimeter, malware_family SunDown, signature_severity Major, updated_at 2016_11_02;)
# sid 2023487 (disabled): Tesco phish - POST to a .php URI whose body starts with username= and carries the
# image-submit coordinates login.x/login.y.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Tesco Bank Phish M1 Nov 08 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"username="; depth:9; nocase; http_client_body; content:"&login.x="; nocase; distance:0; http_client_body; content:"&login.y="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023487; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_07_17;)
# sid 2022372 (disabled): DNS query (flags 0x0100, QDCOUNT 1, AN/NS/AR all 0) for a name containing
# "chrome-extension" (LostPass-style phish). Because ARCOUNT must be 0, queries carrying an EDNS0 OPT record
# (ARCOUNT 1) do not match. Destination is any:53 rather than $DNS_SERVERS.
#alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Chrome Extension Phishing DNS Request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"chrome-extension"; nocase; distance:0; fast_pattern; reference:url,www.seancassidy.me/lostpass.html; classtype:trojan-activity; sid:2022372; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_19, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_11_11;)
# sid 2023513 (disabled): hidden 1x1 iframe redirector. The pcre wants a lower-case first label followed by a
# second label containing at least one upper-case letter (no /i flag). Hex decodes to
# width="1" height="1" style="position:absolute;left:-1px;"></iframe>
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Nov 15 2016"; flow:established,from_server; file_data; content:"<iframe src=|22|http|3a 2f 2f|"; pcre:"/^[a-z0-9_-]+\.(?=[0-9_-]*[A-Z])[A-Z0-9_-]+\.[^\x22]+\x22\s/R"; content:"|77 69 64 74 68 3d 22 31 22 20 68 65 69 67 68 74 3d 22 31 22 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 6c 65 66 74 3a 2d 31 70 78 3b 22 3e 3c 2f 69 66 72 61 6d 65 3e|"; within:67; fast_pattern:47,20; classtype:trojan-activity; sid:2023513; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_15, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_11_15;)
# sid 2025672: "shared document" credential-harvest page - two JS validator function names plus two UI strings,
# all ordered (distance:0) inside a 200 text/html body.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Shared Document Phishing Landing Nov 16 2016"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function checkemail"; nocase; content:"function checkbae"; nocase; distance:0; fast_pattern; content:"Sign in to view"; nocase; distance:0; content:"Select your email"; nocase; distance:0; classtype:trojan-activity; sid:2025672; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_03;)
# sid 2025687: "email settings error" lure; the first two follow-on strings must fall within 50 bytes of the
# previous match, the SSL-settings string may appear anywhere after.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Email Settings Error Phishing Landing Nov 16 2016"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>An error"; nocase; fast_pattern; content:"settings is blocking"; nocase; distance:0; within:50; content:"incoming emails"; nocase; distance:0; within:50; content:"error in your SSL settings"; nocase; distance:0; classtype:trojan-activity; sid:2025687; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_19;)
# sid 2023557 (disabled): requires Content-Encoding: gzip yet matches the form markup via file_data, so it relies
# on the HTTP inspector decompressing the response body; without body decompression the content never matches.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS XBOOMBER Paypal Phishing Landing Nov 28 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Encoding|3a 20|gzip"; http_header; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<form method=|22|post|22|"; nocase; content:"action=|22|websc"; nocase; within:150; content:".php?SessionID-xb="; fast_pattern; nocase; distance:0; within:50; classtype:trojan-activity; sid:2023557; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_20;)
# sid 2023558: the credential POST for the XBOOMBER kit - /websc-<...>.php?SessionID-xb= within 40 bytes.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful XBOOMBER Paypal Phish Nov 28 2016"; flow:to_server,established; content:"POST"; http_method; content:"/websc-"; nocase; http_uri; content:".php?SessionID-xb="; nocase; http_uri; fast_pattern; within:40; classtype:trojan-activity; sid:2023558; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_03;)
# sids 2023586/2023587: RIG pre-filter using the IE res:// information-disclosure trick (res://<file>/#24/ or
# /#16/, then an .exe name and a \\Progra... path to probe installed software). Apart from the resource id the
# only difference is that M1 matches ".exe" case-sensitively while M2 adds nocase.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internet Explorer Information Disclosure Vuln as Observed in RIG EK Prefilter M1 Dec 06"; flow:established,from_server; file_data; content:"res|3a 2f 2f|"; nocase; fast_pattern:only; content:"/#24/"; pcre:"/^#?\d+/R"; content:".exe"; content:"|5c 5c|Progra"; nocase; classtype:trojan-activity; sid:2023586; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, malware_family Exploit_Kit_RIG, signature_severity Major, tag Exploit_kit_RIG, updated_at 2019_10_07;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internet Explorer Information Disclosure Vuln as Observed in RIG EK Prefilter M2 Dec 06"; flow:established,from_server; file_data; content:"res|3a 2f 2f|"; nocase; fast_pattern:only; content:"/#16/"; pcre:"/^#?\d+/R"; content:".exe"; nocase; content:"|5c 5c|Progra"; nocase; classtype:trojan-activity; sid:2023587; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, malware_family Exploit_Kit_RIG, signature_severity Major, tag Exploit_kit_RIG, updated_at 2019_10_07;)
# sid 2023592: POST to /save.asp with a body of u=...&p=...; the "apple" header condition is an unanchored,
# case-sensitive substring over all request headers (any header, any position).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful iCloud Phish Oct 10 2016"; flow:to_server,established; content:"POST"; http_method; content:"/save.asp"; nocase; http_uri; fast_pattern; content:"apple"; http_header; content:"u="; depth:2; nocase; http_client_body; content:"&p="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023592; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_11, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_03;)
# sid 2023482 (disabled): hex decodes to ute("frameBorder", "0 (tail of a setAttribute call). The pcre captures
# the iframe variable name and back-references it, so createElement, frameBorder, appendChild and setAttribute
# must all use the same identifier.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016 M2"; flow:established,from_server; file_data; content:"|75 74 65 28 22 66 72 61 6d 65 42 6f 72 64 65 72 22 2c 20 22 30|"; fast_pattern:only; content:"<script type=|22|text/javascript|22|>"; pcre:"/^\s*var\s*(?P<var>[^\s=]+)\s*=\s*document.createElement\(\s*[\x22\x27]iframe[\x22\x27](?=.+?(?P=var)\.frameBorder\s*=\s*[\x22\x27]0[\x22\x27])(?=.+?document\.body\.appendChild\(\s*(?P=var)\s*\)).+?(?P=var)\.setAttribute\s*\(\s*[\x22\x27]frameBorder[\x22\x27]\s*,\s*[\x22\x27]0[\x22\x27]\s*\)\s*\x3b/Rsi"; classtype:trojan-activity; sid:2023482; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_03, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
# sid 2023401: RIG-v gate/landing URI structure. The pcre is four lookaheads over the whole query string; the
# literal "oq=" fast_pattern rejects most traffic before the regex runs. Sets ET.RIGEKExploit for follow-on rules.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RIG EK URI struct Oct 24 2016 (RIG-v)"; flow:established,to_server; content:"/?"; http_uri; depth:2; content:"q="; http_uri; content:"oq="; http_uri; fast_pattern:only; pcre:"/^\/(?=.*?[&?][a-z]{2}_[a-z]{2}=\d+(?:&|$))(?=.*?[&?]q=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}|[A-Za-z0-9_-]{3})+(?:&|$))(?=.*?[&?]oq=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}|[A-Za-z0-9_-]{3})+(?:&|$)).*?[&?][a-z]{3}=[A-Za-z_]{3,20}(?=[a-z\d]*\x2e)(?=[a-z\x2e]*\d)[a-z\d\x2e]+(?:&|$)/U"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023401; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_24, deployment Perimeter, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2019_10_07;)
# Generic Phish "(set)" rules (2024560-2024575): flowbits:noalert, so none of them alert on their own - they only
# mark the flow ET.genericphish for a companion rule (outside this span) that tests the bit. Each keys on a
# username/password field-name pair, usually pinned to body offset 0 with depth.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jan 03 2017"; flow:to_server,established; content:"POST"; http_method; content:"login_email"; depth:11; nocase; fast_pattern; http_client_body; content:"login_pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024572; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_03;)
# sid 2023696: Bradesco (BR) phish - nine ordered form fields (agencia/conta/digito = branch/account/check digit).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Bradesco Bank Phish M1 Jan 05 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?"; nocase; http_uri; content:"p="; depth:2; nocase; http_client_body; content:"&a2="; nocase; distance:0; http_client_body; content:"&agencia="; nocase; distance:0; http_client_body; content:"&a1="; nocase; distance:0; http_client_body; content:"&conta="; nocase; distance:0; http_client_body; fast_pattern; content:"&aa="; nocase; distance:0; http_client_body; content:"&digito="; nocase; distance:0; http_client_body; content:"&age="; nocase; distance:0; http_client_body; content:"&ir="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023696; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_03;)
# sid 2014154: any PDF (%PDF in the first 4 bytes) containing "subform" and, anywhere after it, "script" - both
# unbounded and nocase, so it is a broad XFA heuristic and may fire on legitimate scripted forms; triage with the
# referenced CVE in mind rather than treating a hit as confirmed exploitation.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY PDF Containing Subform with JavaScript"; flow:established,to_client; file_data; content:"%PDF"; within:4; content:"subform"; nocase; distance:0; fast_pattern; content:"script"; nocase; distance:0; reference:cve,2017-2962; classtype:attempted-user; sid:2014154; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_27, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2017_01_06;)
# sid 2024565: four ordered occurrences of "form" in the body (form ... &form ... &form ... &form); the first has
# no depth, so it may sit anywhere in the body.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Nov 15 2016"; flow:to_server,established; content:"POST"; http_method; content:"form"; nocase; http_client_body; fast_pattern; content:"&form"; nocase; http_client_body; distance:0; content:"&form"; nocase; http_client_body; distance:0; content:"&form"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024565; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_15, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_03;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jan 12 2017"; flow:to_server,established; content:"POST"; http_method; content:"ID="; depth:3; nocase; fast_pattern; http_client_body; content:"&Pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024573; rev:1; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_12, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_03;)
# sid 2022939: request for /pm[0-9].dll (no method check) with no Referer. Note the Cookie negation carries no
# http_header modifier, so it is evaluated against the raw payload rather than the normalized header buffer -
# inconsistent with the Referer check beside it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Pony DLL Download"; flow:established,to_server; content:"/pm"; http_uri; content:".dll"; http_uri; fast_pattern:only; pcre:"/\/pm\d?\.dll$/U"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022939; rev:2; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_07_01, deployment Perimeter, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_03_05;)
# sid 2023742 (disabled): earlier cut of sid 2023744 below (identical msg); it accepted any run of base64
# alphabet characters as the hidden-input value, where 2023744 demands padded base64.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 M2"; flow:established,from_server; file_data; content:"|69 6e 66 6f 6c|"; fast_pattern:only; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"<input"; nocase; pcre:"/^(?=[^>]*type\s*=\s*[\x22\x27]hidden[\x22\x27])(?=[^>]*name\s*=\s*[\x22\x27]infol[\x22\x27])[^>]*value\s*=\s*[\x22\x27][A-Za-z0-9+/]+[\x22\x27]/Rsi"; content:"<form"; nocase; pcre:"/^(?=[^>]+action\s*=\s*[\x22\x27]http\x3a\x2f)[^>]+method\s*=\s*[\x22\x27]post[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2023742; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, malware_family EITest, performance_impact Low, signature_severity Major, updated_at 2020_08_20;)
# sid 2023743: EITest "Chrome font" social-engineering inject. Hex contents decode to: window.chrome,
# window.chrome.webstore, .match(/>(\w?\s?.*?)</g) and [i].replace(eval( . The pcre then requires an
# unescape( argument that starts a /[^ character class and contains < > and \n, each in plain or %XX form.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 M1"; flow:established,from_server; file_data; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65 2e 77 65 62 73 74 6f 72 65|"; nocase; content:"|2e 6d 61 74 63 68 28 2f 3e 28 5c 77 3f 5c 73 3f 2e 2a 3f 29 3c 2f 67 29|"; nocase; fast_pattern:only; content:"|5b 69 5d 2e 72 65 70 6c 61 63 65 28 65 76 61 6c 28|"; content:"unescape"; nocase; pcre:"/^\s*\([^\x29]*(?:\%2F|\/)(?:\%5B|\[)(?:\%5E|^)(?=[^\x29]*(?:%3C|\<))(?=[^\x29]*(?:%3E|\>))(?=[^\x29]*(?:\%5C|\\)(?:\%6E|n))/Rsi"; classtype:trojan-activity; sid:2023743; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, malware_family EITest, signature_severity Major, updated_at 2019_10_07;)
# sid 2023744: hidden <input name="infol" value="..."> whose value must be base64 WITH padding (the pcre ends
# in {2}== or {3}=). A base64 value whose length is a multiple of 4 carries no "=" and will not match here,
# although the disabled sid 2023742 above would have caught it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 M2"; flow:established,from_server; file_data; content:"|69 6e 66 6f 6c|"; fast_pattern:only; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"<input"; nocase; pcre:"/^(?=[^>]+type\s*=\s*[\x22\x27]hidden[\x22\x27])(?=[^>]+name\s*=\s*[\x22\x27]infol[\x22\x27])[^>]+value\s*=\s*[\x22\x27](?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)[\x22\x27]/Rsi"; content:"<form"; nocase; pcre:"/^(?=[^>]+action\s*=\s*[\x22\x27]http\x3a\x2f)[^>]+method\s*=\s*[\x22\x27]post[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2023744; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, malware_family EITest, signature_severity Major, updated_at 2019_10_07;)
# sid 2023745 (disabled): Chrome_Font.exe download variant; sid 2023817 further down is the enabled sibling with
# the same msg but the Font_Update.exe filename.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 EXE Download"; flow:established,from_server; content:"Chrome_Font.exe"; http_header; nocase; fast_pattern:only; pcre:"/^Content-Disposition\x3a[^\r\n]+filename\s*=\s*[\x22\x27]?Chrome_Font\.exe/Hmi"; classtype:trojan-activity; sid:2023745; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, malware_family EITest, signature_severity Major, updated_at 2019_10_07;)
# sids 2024574/2024575 share one msg string; only the sid distinguishes them in alert output.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jan 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"user="; depth:5; nocase; fast_pattern; http_client_body; content:"&Pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024574; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, former_category CURRENT_EVENTS, tag Phishing, updated_at 2020_08_03;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jan 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"user_id="; depth:8; nocase; fast_pattern; http_client_body; content:"&Pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024575; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, former_category CURRENT_EVENTS, tag Phishing, updated_at 2020_08_03;)
# sid 2023547 (disabled): EITest inject whose iframe URL already carries the RIG-v query shape (oq=, q=,
# xx_yy=<digits>) that sid 2023401 matches on the outbound request.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016 M3"; flow:established,from_server; file_data; content:"oq="; fast_pattern:only; content:"|22|frameBorder|22 2c 20 22|0|22|"; nocase; content:" document.body.appendChild"; nocase; content:"http|3a 2f 2f|"; nocase; pcre:"/^[^\x2f\x22\x27]+\/(?=[^\x22\x27]*?[?&]oq=[A-Za-z0-9+\x2f_-]+(?:[\x22\x27]|&))(?=[^\x22\x27]*?[&?][a-z]+_[a-z]+=\d+)(?=[^\x22\x27]*?[&?]q=)/Ri"; classtype:trojan-activity; sid:2023547; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_28, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
# sid 2023755: server->client payload on ANY TCP port containing an rdp:// URI with a drivestoredirect parameter
# (Mac RDP client RCE via drive redirection). No port or protocol restriction, so the content search runs on
# every established TCP flow to $HOME_NET - keep an eye on its cost.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft RDP Client for Mac RCE"; flow:established,to_client; content:"rdp|3a 2f 2f|"; nocase; content:"drivestoredirect"; fast_pattern; nocase; distance:0; content:"rdp|3a 2f 2f|"; nocase; pcre:"/^\S+?drivestoredirect/Ri"; reference:url,www.wearesegment.com/research/Microsoft-Remote-Desktop-Client-for-Mac-Remote-Code-Execution; classtype:attempted-admin; sid:2023755; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_01_24, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2017_01_24;)
# sid 2023759: msg says "Jan 23 2016" but created_at is 2017_01_24 - the year in msg looks like a slip. Also the
# only rule in this group without a deployment metadata key.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Paypal Phish Jan 23 2016"; flow:to_server,established; content:"POST"; http_method; content:"/websrc"; http_uri; fast_pattern; content:"email"; nocase; http_client_body; content:"|25|40"; http_client_body; distance:0; content:"pass"; nocase; distance:0; http_client_body; pcre:"/\/websrc$/U"; classtype:trojan-activity; sid:2023759; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_24, signature_severity Major, tag Phishing, updated_at 2020_08_03;)
# sid 2023768: a 3-byte application/x-msdownload body that is exactly "=((" (hex 3d 28 28; isdataat:!1,relative
# asserts nothing follows) - a RIG payload fetch that the gate truncated or filtered.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Broken/Filtered RIG EK Payload Download"; flow:established,from_server; content:"Content-Type|3a 20|application/x-msdownload|0d 0a|"; http_header; content:"Content-Length|3a 20|3|0d 0a|"; http_header; fast_pattern; file_data; content:"|3d 28 28|"; within:3; isdataat:!1,relative; classtype:trojan-activity; sid:2023768; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_27, deployment Perimeter, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_09_14;)
# Brand "Phishing Domain" rules (2023775/2023776 and 2023820-2023829, 2023880): the Host header contains the
# brand domain but the line does not END with it - at least 20 more characters follow before CRLF, i.e.
# brand.com.<long-attacker-suffix> style hosts. The brand match is an unanchored substring on the left, so hosts
# such as purchase.com.<...> satisfy the chase.com rule; a boundary before the brand would tighten this.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Ebay Phishing Domain Jan 30 2017"; flow:to_server,established; content:"GET"; http_method; content:"ebay.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"ebay.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+ebay\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023775; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, tag Phishing, updated_at 2020_08_17;)
# sid 2023776: near-duplicate of sid 2023828 below (same method, content and pcre); the only difference is the
# 1-per-30s threshold here, so a single phish POST raises both alerts.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Ebay Phish Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"ebay.com"; http_header; fast_pattern; content:!"ebay.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+ebay\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023776; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, tag Phishing, updated_at 2020_08_17;)
# sid 2023817: Font_Update.exe download. Its metadata tags it Redirector and omits malware_family EITest, unlike
# the disabled sid 2023745 with the identical msg - classification is inconsistent for the same campaign.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 EXE Download"; flow:established,from_server; content:"Font_Update.exe"; http_header; nocase; fast_pattern:only; pcre:"/^Content-Disposition\x3a[^\r\n]+filename\s*=\s*[\x22\x27]?Font_Update\.exe/Hmi"; reference:url,www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme; reference:url,blog.brillantit.com/exposing-eitest-campaign; classtype:trojan-activity; sid:2023817; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_10_07;)
# sid 2019343 (disabled): FakeIE minimal-header fingerprint; noalert, it only sets FakeIEMinimal. The pcre demands
# that User-Agent, Host and "Cache-Control: no-cache" are the last three headers in that exact order. While
# commented out, rules that test FakeIEMinimal cannot fire.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FAKEIE 11.0 Minimal Headers (flowbit set)"; flow:to_server,established; content:" rv|3a|11.0"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^User-Agent\x3a[^\r\n]+rv\x3a11\.0[^\r\n]+\r\nHost\x3a[^\r\n]+\r\nCache-Control\x3a\x20no-cache\r\n(?:\r\n)?$/H"; flowbits:set,FakeIEMinimal; flowbits:noalert; reference:url,malware-traffic-analysis.net/2014/10/01/index.html; classtype:trojan-activity; sid:2019343; rev:2; metadata:created_at 2014_10_03, updated_at 2017_02_01;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Chase Phish Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"chase.com"; http_header; fast_pattern; content:!"chase.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+chase\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023820; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Apple Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"apple.com"; http_header; fast_pattern; content:!"apple.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+apple\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023821; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful USAA Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"usaa.com"; http_header; fast_pattern; content:!"usaa.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+usaa\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023822; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Paypal Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"paypal.com"; http_header; fast_pattern; content:!"paypal.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+paypal\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023823; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
# sid 2023824: unlike every sibling, this pcre is not ^-anchored and requires only 10 trailing characters
# ({10,} instead of {20,}). Intentional or a copy slip - confirm; the shorter tail admits hosts with a much
# shorter attacker suffix after bankofamerica.com.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Bank of America Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"bankofamerica.com"; http_header; fast_pattern; content:!"bankofamerica.com|0d 0a|"; http_header; pcre:"/Host\x3a[^\r\n]+bankofamerica\.com[^\r\n]{10,}\r\n/Hmi"; classtype:trojan-activity; sid:2023824; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Google Drive Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"drive.google.com"; http_header; fast_pattern; content:!"drive.google.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+drive\.google\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023825; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
# sid 2023826: matches the bare token "cartasi" (no TLD) while the negation only excludes a line ending in
# cartasi.it - so any host with cartasi followed by 20+ characters (cartasi.it.<...>, cartasi-<...>) triggers.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Cartasi Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"cartasi"; http_header; fast_pattern; content:!"cartasi.it|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+cartasi[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023826; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Linkedin Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"linkedin.com"; http_header; fast_pattern; content:!"linkedin.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+linkedin\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023827; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Ebay Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"ebay.com"; http_header; fast_pattern; content:!"ebay.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+ebay\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023828; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
# sid 2024560: the loosest setter - "login" in the first 5 body bytes then "pass" anywhere after (both nocase).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Aug 19 2016"; flow:to_server,established; content:"POST"; http_method; content:"login"; depth:5; fast_pattern; nocase; http_client_body; content:"pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024560; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Nov 16 2016"; flow:to_server,established; content:"POST"; http_method; content:"e-mail="; depth:7; fast_pattern; nocase; http_client_body; content:"pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024566; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_16, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Nov 22 2016"; flow:to_server,established; content:"POST"; http_method; content:"feedback="; depth:9; fast_pattern; nocase; http_client_body; content:"&feedback"; nocase; http_client_body; distance:0; content:"&feedback"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024567; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_22, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Dec 07 2016"; flow:to_server,established; content:"POST"; http_method; content:"Editbox1="; depth:9; nocase; http_client_body; content:"&Editbox2="; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024568; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Dec 13 2016"; flow:to_server,established; content:"POST"; http_method; content:"UserID="; depth:7; nocase; http_client_body; fast_pattern; content:"&Pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024569; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
# sid 2024570: "name" (4 bytes) with depth:7 can only start at body offset 0-3, so it covers name=, uname=,
# fname= and similar but NOT "username=" (its "name" sits at offset 4). Use sids 2024574/2024575 for user= forms.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Dec 20 2016"; flow:to_server,established; content:"POST"; http_method; content:"name"; depth:7; nocase; http_client_body; content:"&Pass"; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024570; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Dec 27 2016"; flow:to_server,established; content:"POST"; http_method; content:"uid="; depth:4; nocase; http_client_body; content:"&Pass"; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024571; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
# sid 2023829: same shape as the brand series plus a negation on "autodiscover" anywhere in the headers -
# presumably to keep Exchange Autodiscover hosts (autodiscover.<...>) out of the discover.com substring; confirm.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Discover Phish Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"discover.com"; http_header; fast_pattern; content:!"discover.com|0d 0a|"; http_header; content:!"autodiscover"; http_header; pcre:"/^Host\x3a[^\r\n]+discover\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023829; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
# sid 2023754: Nemucod's PowerShell stage fetching /<word>.php?f=[a-z]?<1-3 digits>[.dat|.gif] with the
# "Mozilla/4.0 (compatible; MSIE 7.0;" User-Agent prefix and no Referer.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Malicious JS.Nemucod to PS Dropping PE Nov 14 M2"; flow:to_server,established; content:"GET"; http_method; content:".php?f="; http_uri; fast_pattern:only; content:!"Referer"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; http_header; pcre:"/^\/\w+\.php\?f=[a-z]?\d{1,3}(?:\.(?:dat|gif))?$/U"; reference:md5,551c440d76be5ab9932d8f3e8f65726e; classtype:trojan-activity; sid:2023754; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_28, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2019_10_07;)
# sids 2023878/2023879: the same Terror EK shellcode stub in two encodings. "6wLrBej5//" is the base64 of
# EB 02 EB 05 E8 F9 FF FF FF (jmp +2 / jmp +5 / call -7, a GetPC stub) carried as the value of a
# sh|shell|shell32|exec= parameter; M2 matches the hex-string form. Both msgs say "Feb 07 2016" (and M1 reads
# "M1 ... M1") while created_at is 2017_02_07 - the year in msg looks wrong.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Landing M1 Feb 07 2016 M1"; flow:established,from_server; file_data; content:"value"; nocase; pcre:"/^\s*=\s*[\x27\x22](?:sh(?:ell(?:32)?)?|exec)=6wLrBej5\x2f\x2f/Rsi"; content:"6wLrBej5"; fast_pattern:only; classtype:trojan-activity; sid:2023878; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2019_10_07;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Landing M1 Feb 07 2016 M2"; flow:established,from_server; file_data; content:"EB02EB05E8F9FFFFFF"; nocase; fast_pattern:only; pcre:"/(?:value=[\x22\x27](?:sh(?:ell(?:32)?)?|exec)=|unescape\(EscapeHexString\(.)EB02EB05E8F9FFFFFF/si"; classtype:trojan-activity; sid:2023879; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2019_10_07;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Craigslist Phishing Domain Feb 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"craigslist.org"; http_header; fast_pattern; content:!"craigslist.org|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+craigslist\.org[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023880; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
# sid 2029659: DHL phish landing = <meta name="publisher" content="DHL followed by <meta http-equiv="refresh
# (distance:1 skips the opening quote, within:7 pins "refresh" immediately after it). created_at is 2017 but the
# sid is in the 2029xxx range and former_category is PHISHING - looks re-issued; no deployment key.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful DHL Phish (Meta HTTP-Equiv Refresh) 2017-02-08"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta name=|22|publisher|22 20|content=|22|DHL"; fast_pattern:15,20; content:"<meta http-equiv="; nocase; content:"refresh"; nocase; distance:1; within:7; classtype:trojan-activity; sid:2029659; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_08, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_03_19;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Banco Itau (BR) Mobile Phish M1 Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"iden="; depth:5; nocase; http_client_body; content:"&AG="; nocase; distance:0; http_client_body; content:"&CC="; nocase; distance:0; http_client_body; content:"&CCDIG="; nocase; distance:0; http_client_body; content:"&PASSNET="; nocase; distance:0; http_client_body; fast_pattern; 
content:"&btnLogInT.x="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023890; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_09, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2017_02_09;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Banco Itau (BR) Mobile Phish M2 Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"DDD="; depth:4; nocase; http_client_body; content:"&CELLULAR="; nocase; distance:0; http_client_body; fast_pattern; content:"&SDESEIS="; nocase; distance:0; http_client_body; content:"&btnLogInT.x="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023891; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_09, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2017_02_09;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Apple Phishing Landing M2 Feb 13 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"#dob"; nocase; content:".mask"; within:10; content:"#ccexp"; nocase; distance:0; content:".mask"; within:10; content:"#ssn"; nocase; distance:0; content:".mask"; within:10; content:"Aes.Ctr.decrypt"; nocase; fast_pattern; classtype:trojan-activity; sid:2025667; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Live External Link Phishing Landing M2 Feb 14 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; 
content:"<title>Secure redirect"; nocase; fast_pattern:2,20; content:"auth.gfx.ms"; nocase; distance:0; content:"access sensitive information"; nocase; distance:0; content:"Confirm your password"; nocase; distance:0; classtype:trojan-activity; sid:2025675; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD IE Flash request to set non-standard filename (some overlap with 2021752)"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:s(?:(?:(?:cien|pa)c|it)e|tream)|c(?:l(?:ick|ub)|ountry|ricket)|m(?:(?:aiso|e)n|o(?:bi|m))|p(?:r(?:ess|o)|arty|ink|w)|r(?:e(?:[dn]|view)|acing)|w(?:eb(?:site|cam)|in)|b(?:(?:outiq|l)ue|id)|d(?:ownload|ate|esi)|(?:accountan|hos)t|l(?:o(?:an|l)|ink)|t(?:rade|ech|op)|v(?:oyage|ip)|g(?:dn|b)|online|faith|kim|xyz)(?:\x3a\d{1,5})?\r?\n/Hmi"; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!".swf"; nocase; http_uri; content:!".flv"; nocase; http_uri; content:!"/crossdomain.xml"; http_uri; content:!"|0d 0a|Cookie|3a|"; content:!"sync-eu.exe.bid"; http_header; classtype:trojan-activity; sid:2022894; rev:4; metadata:created_at 2016_06_13, former_category CURRENT_EVENTS, updated_at 2020_03_05;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016"; flow:established,to_server; content:".exe"; nocase; http_uri; fast_pattern:only; 
pcre:"/^Host\x3a\x20[^\r\n]+\.(?:s(?:(?:(?:cien|pa)c|it)e|tream)|c(?:l(?:ick|ub)|ountry|ricket)|m(?:(?:aiso|e)n|o(?:bi|m))|p(?:r(?:ess|o)|arty|ink|w)|r(?:e(?:[dn]|view)|acing)|w(?:eb(?:site|cam)|in)|b(?:(?:outiq|l)ue|id)|d(?:ownload|ate|esi)|(?:accountan|hos)t|l(?:o(?:an|l)|ink)|t(?:rade|ech|op)|v(?:oyage|ip)|g(?:dn|b)|online|faith|kim|xyz)(?:\x3a\d{1,5})?\r?\n/Hmi"; content:!"Referer|3a|"; http_header; content:!"|0d 0a|Cookie|3a|"; classtype:trojan-activity; sid:2022896; rev:4; metadata:created_at 2016_06_14, former_category CURRENT_EVENTS, updated_at 2020_08_17;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Apple Account Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"locked.php"; nocase; http_uri; content:"Account-Unlock"; nocase; distance:0; http_uri; fast_pattern; content:"user="; depth:5; nocase; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023999; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_04;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful iCloud (CN) Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"Host|3a 20 31 31 32 32 33 33 68 74 2e 70 77|"; fast_pattern:only; classtype:trojan-activity; sid:2024000; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_11_17;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful California Bank & Trust Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"AccountNo="; depth:10; nocase; 
http_client_body; fast_pattern; content:"&token="; nocase; distance:0; http_client_body; content:"&check=Login"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024001; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, tag Phishing, updated_at 2017_02_17;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Banco Itau (BR) Mobile Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"&txtCelular="; nocase; http_client_body; content:"&txtSenhaCartao="; nocase; distance:0; http_client_body; fast_pattern; content:"btnLogIn"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024002; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, tag Phishing, updated_at 2020_08_04;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Dropbox Shared Document Phishing Landing Feb 21 2017"; flow:from_server,established; file_data; content:"<title>Dropbox"; nocase; fast_pattern; content:"openOffersDialog"; nocase; distance:0; classtype:trojan-activity; sid:2025688; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2018_07_12;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Keitaro TDS Redirect"; flow:established,from_server; content:"302"; http_stat_code; content:"LOCATION|3a 20|http"; http_header; nocase; content:"Content-Type|3a 20|text/html|3b 20|charset=utf-8|0d 0a|"; http_header; content:"Expires|3a 20|Thu, 21 Jul 1977 07|3a|30|3a|00 GMT|0d 0a|"; http_header; fast_pattern:5,20; pcre:"/Date\x3a\x20(?P<dstring>[^\r\n]+)\r\n.*?Last-Modified\x3a\x20(?P=dstring)\r\n/Hs"; content:"Cache-Control|3a 20|max-age=0|0d 
0a|Pragma|3a 20|no-cache|0d 0a|"; classtype:bad-unknown; sid:2022466; rev:4; metadata:created_at 2016_01_27, updated_at 2020_03_05;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Craigslist (RO) Phish M1 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"step=confirmation"; depth:17; nocase; http_client_body; content:"&rt="; nocase; distance:0; http_client_body; content:"&rp="; nocase; distance:0; http_client_body; content:"&p="; nocase; distance:0; http_client_body; content:"&whichForm="; nocase; distance:0; http_client_body; content:"&Email="; nocase; distance:0; http_client_body; content:"&Parola="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2024009; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_04;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Craigslist (RO) Phish M2 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"NumarCard="; depth:10; nocase; http_client_body; fast_pattern; content:"&CVV="; nocase; distance:0; http_client_body; content:"&Luna="; nocase; distance:0; http_client_body; content:"&NumeCard="; nocase; distance:0; http_client_body; content:"&PrenumeCard="; nocase; distance:0; http_client_body; content:"&NumedeContact="; nocase; distance:0; http_client_body; content:"&NumardeTelefon="; nocase; distance:0; http_client_body; content:"&EmaildeContact="; nocase; distance:0; http_client_body; content:"&cryptedStepCheck="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024010; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_04;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"ET CURRENT_EVENTS Successful Orderlink (IN) Phish Feb 24 2017"; flow:to_server,established; urilen:7; content:"POST"; http_method; content:"/signin"; content:"/signin|0d 0a|"; http_header; fast_pattern; content:"_token="; depth:7; nocase; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"|25|40"; nocase; distance:0; http_client_body; content:"&pass"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024015; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, tag Phishing, updated_at 2020_02_18;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RIG EK URI Struct Feb 26 2017"; flow:established,to_server; urilen:>90; content:"oq="; http_uri; fast_pattern:only; pcre:"/^\/\?o?q=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+&o?q=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+$/U"; content:!"Cookie|3a|"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2024020; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_02_27, deployment Perimeter, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_02_28;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Feb 26 2016"; flow:established,from_server; file_data; content:"|3d 20 28 2f 2a 67 66 2a 2f 22 73 5c 78 37 35 62 73 22 29 2b 2f 2a 67 66 2a 2f 22 74 72 22 3b|"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2024021; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_02_27, 
deployment Perimeter, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2017_02_27;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Dropbox Phishing Landing Feb 27 2017"; flow:from_server,established; file_data; content:"<title>Dropbox"; nocase; fast_pattern; content:"app.png"; nocase; distance:0; content:"live.png"; nocase; distance:0; content:"off.png"; nocase; distance:0; classtype:trojan-activity; sid:2025689; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2018_07_12;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Docusign Phishing Landing Mar 08 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>|26 23|68|3b 26 23|111|3b 26 23|99|3b 26 23|117|3b 26 23|115|3b 26 23|105|3b 26 23|103|3b 26 23|110|3b|"; fast_pattern:33,20; classtype:trojan-activity; sid:2025662; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_04;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK March 07 2017"; flow:established,from_server; file_data; content:"|3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 31 70 78 3b 20 68 65 69 67 68 74 3a 20 31 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 20 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; fast_pattern:70,20; pcre:"/^\s*\x27[^\x27\x3b\r\n]+\x27width=\x27250\x27\sheight=\x27250\x27\>/Ri"; classtype:trojan-activity; sid:2024037; rev:1; 
metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_08, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2017_03_08;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Fake Font DL March 09 2017"; flow:from_server,established; content:"Content-Disposition|3a|"; nocase; http_header; content:"|43 68 72 ce bf 6d 65|"; nocase; http_header; fast_pattern:only; content:"|66 ce bf 6e 74|"; nocase; http_header; content:"|2e 65 78 65|"; nocase; http_header; file_data; content:"MZ"; within:2; classtype:trojan-activity; sid:2024040; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2019_10_07;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Bradesco Bank Phish M2 Jan 05 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?"; nocase; http_uri; content:"agencia="; depth:8; nocase; http_client_body; content:"&conta="; nocase; distance:0; http_client_body; content:"&digito="; nocase; distance:0; http_client_body; content:"&entrada_1="; nocase; distance:0; http_client_body; fast_pattern; content:"&entrada_2="; nocase; distance:0; http_client_body; content:"&entrada_3="; nocase; distance:0; http_client_body; content:"&entrada_4="; nocase; distance:0; http_client_body; content:"&looking1="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023697; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS 
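Successful Paypal Phish Mar 13 2017"; flow:to_server,established; content:"POST"; http_method; content:"yass_email="; depth:11; nocase; http_client_body; content:"&yass_password="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogin="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024046; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_03_29;)
# NOTE(review): sid 2024047 carried the content match "®istrationMode=" — the leading "&reg" of the
# form field "&registrationMode=" had been decoded as the HTML entity for "®" somewhere in the copy
# chain, so the rule could never match a real POST body. Restored to the literal "&registrationMode="
# so the ordered http_client_body chain (aliasDispatcher= ... clientScreenResolution=) is contiguous again.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful National Bank Phish Mar 13 2017"; flow:to_server,established; content:"POST"; http_method; content:"aliasDispatcher="; depth:16; nocase; http_client_body; content:"&indBNCFunds="; nocase; distance:0; http_client_body; content:"&accountNumber1="; nocase; distance:0; http_client_body; content:"&cardExpirDate="; nocase; distance:0; http_client_body; fast_pattern; content:"&registrationMode="; nocase; distance:0; http_client_body; content:"&cardActionTypeSelected="; nocase; distance:0; http_client_body; content:"&language="; nocase; distance:0; http_client_body; content:"&clientIpAdress="; nocase; distance:0; http_client_body; content:"&clientUserAgent="; nocase; distance:0; http_client_body; content:"&clientScreenResolution="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024047; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017"; flow:established,to_server; urilen:>90; content:"oq="; http_uri; fast_pattern:only; 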
pcre:"/(?=.*?[?&]oq=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+(?:&|$)).*?[?&]q=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+(?:&|$)/U"; content:!"Cookie|3a|"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2024048; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_03_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_03_04;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2"; flow:established,to_server; urilen:>90; content:"QMvXcJ"; http_uri; pcre:"/(?=.*?=[^&]{3,4}QMvXcJ).*?=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+&.*?=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+(?:&|$)/U"; content:!"Cookie|3a|"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2024049; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_03_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_03_04;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS INTERAC Payment Multibank Phishing Landing Mar 14 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta property=|22|og|3a|title|22 20|content=|22|Deposit your INTERAC e-Transfer|22|"; nocase; content:"<title>INTERAC e-Transfer"; nocase; 
distance:0; fast_pattern:5,20; content:"INTERAC|25|20e-Transfer"; nocase; distance:0; classtype:trojan-activity; sid:2025679; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Instagram Phish Mar 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"cek=login"; depth:9; nocase; http_client_body; fast_pattern; content:"&username="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024051; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Paypal Phish Mar 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"login_cmd="; depth:10; nocase; http_client_body; content:"&login_params="; nocase; distance:0; http_client_body; content:"&login_email="; nocase; distance:0; http_client_body; content:"&login_password="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogin="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024052; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Payload Download M1 Mar 14 2017"; flow:established,from_server; file_data; content:"|2e de 08 bb 99 8a 7b 6c|"; within:8; classtype:trojan-activity; sid:2024053; rev:2; 
metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_03_14;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Payload Download M2 Mar 14 2017"; flow:established,from_server; file_data; content:"|5e 5a a3 90 b9 31 7b 54|"; within:8; classtype:trojan-activity; sid:2024054; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_03_14;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Payload RC4 Key M1 Mar 14 2017"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"uylzJB3mWrFjellI9iDFGQjO"; fast_pattern:only; content:"("; pcre:"/^\s*[\x22\x27]\s*http[^\x22\x27]+\.php\s*[\x22\x27]\s*\x2c\s*[\x22\x27]\s*uylzJB3mWrFjellI9iDFGQjO/Rs"; classtype:trojan-activity; sid:2024055; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family terror_EK, performance_impact Moderate, signature_severity Major, updated_at 2019_10_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful iCloud Phish Mar 15 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta http-equiv=|22|Content-Type|22|"; nocase; content:"alert"; content:"|41 70 70 6c 65 20 49 44|"; nocase; within:20; fast_pattern; content:"|68 69 73 74 6f 72 79 2e 62 61 63 6b|"; nocase; 
distance:0; classtype:trojan-activity; sid:2024059; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_03_29;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Apple Phish M2 Mar 15 2017"; flow:to_server,established; content:"POST"; http_method; content:"fname="; depth:6; nocase; http_client_body; content:"&dob="; nocase; distance:0; http_client_body; content:"&cchn="; nocase; distance:0; http_client_body; content:"&ccnum="; nocase; distance:0; http_client_body; fast_pattern; content:"&expdate="; nocase; distance:0; http_client_body; content:"&cvv2="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024061; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Apple Phish M1 Mar 15 2017"; flow:to_server,established; content:"POST"; http_method; content:"appid="; depth:6; nocase; http_client_body; fast_pattern; content:"|25|40"; distance:0; http_client_body; content:"&pwd"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024060; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Live Email Account Phishing Landing Mar 16 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta name="; nocase; content:"mswebdialog-title"; nocase; distance:1; 
within:18; content:"Arcadis Office 365"; nocase; within:50; fast_pattern; content:"<title>Sign In"; nocase; within:50; classtype:trojan-activity; sid:2025664; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK March 15 2017"; flow:established,from_server; file_data; content:"iframe"; nocase; content:"src"; nocase; pcre:"/^\s*=\s*[\x22\x27][Hh][Tt][Tt][Pp][Ss]?\x3a\x2f\x2f[^\x2f]+\x2f(?=[^\x2f\x22\x27]+=[^\x2f\x22\x27&]{0,5}QMvXcJ)[^\x2f\x22\x27]{90}/Rs"; content:"QMvXcJ"; fast_pattern:only; classtype:trojan-activity; sid:2024092; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_03_17, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_10_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK March 15 2017 M2"; flow:established,from_server; file_data; content:"<iframe"; within:7; pcre:"/^(?:\s+style=\x27hidden\x27)?\s+src=\x27https?\x3a[^>\x22\x27]+[\x22\x27]\s*width=\x270\x27\s+/Ri";content:"|68 65 69 67 68 74 3d 27 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c|"; within:34; isdataat:100; classtype:trojan-activity; sid:2024093; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_03_17, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2017_03_17;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil 
Redirector Leading to EK EITest Inject Oct 17 2016 M4"; flow:established,from_server; file_data; content:"|75 74 65 28 22 66 72 61 6d 65 42 6f 72 64 65 72 22 2c 20 22 30|"; fast_pattern:only; content:"<script type=|22|text|2f|"; pcre:"/^(?:rocket|java)script\x22>\s*var\s*(?P<ifr>[^\s=]+)\s*=\s*[\x22\x27]iframe[\x22\x27].*?\s*var\s*(?P<var>[^\s=]+)\s*=\s*document\.createElement\(\s*(?P=ifr)(?=.+?(?P=var)\.frameBorder\s*=\s*[\x22\x27]0[\x22\x27])(?=.+?document\.body\.appendChild\(\s*(?P=var)\s*\)).+?(?P=var)\.setAttribute\s*\(\s*[\x22\x27]frameBorder[\x22\x27]\s*,\s*[\x22\x27]0[\x22\x27]\s*\)\s*\x3b/Rsi"; classtype:trojan-activity; sid:2023748; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_19, deployment Perimeter, malware_family EITest, performance_impact Low, signature_severity Major, tag Exploit_Kit, updated_at 2019_10_07;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Paypal Phish Mar 22 2017"; flow:to_server,established; content:"POST"; http_method; content:"identif="; depth:8; nocase; http_client_body; content:"&elserr="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogin="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024100; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish Mar 27 2017"; flow:to_server,established; content:"POST"; http_method; content:"FromPreSignIn_SIP="; depth:18; nocase; http_client_body; fast_pattern; content:"&LANGUAGE="; nocase; distance:0; http_client_body; content:"&RSA_DEVPRINT="; nocase; distance:0; http_client_body; content:"&K1="; nocase; distance:0; 
http_client_body; content:"&Q1="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024101; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS KaiXin Secondary Landing Page"; flow:to_server,established; content:"/win.html"; http_uri; fast_pattern:only; pcre:"/\/win\.html$/U"; pcre:"/Host\x3a\x20(?P<refhost>[^\x3a\r\n]+)(?:\x3a\d{1,5})?\r\n.*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?P=refhost)(?:\x3a\d{1,5})?\/?/Hsi"; content:!"Host|3a 20|www.carrona.org"; classtype:trojan-activity; sid:2021293; rev:2; metadata:created_at 2015_06_18, updated_at 2020_02_21;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino/Fiesta EK SilverLight Exploit Jan 13 2014 DLL Naming Convention"; flow:established,from_server; file_data; content:"PK|01 02|"; content:"|10 00|"; distance:24; within:2; content:"AppManifest.xaml"; distance:16; within:16; content:"PK|01 02|"; within:36; content:"|07 00|"; distance:24; within:2; pcre:"/^.{16}[a-z]{3}\.dll/Rs"; content:"PK|05 06|"; within:36; content:"|02 00 02 00|"; distance:4; within:4; classtype:trojan-activity; sid:2017963; rev:3; metadata:created_at 2014_01_13, former_category CURRENT_EVENTS, updated_at 2017_03_29;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino/Fiesta EK SilverLight Exploit March 05 2014 DLL Naming Convention"; flow:established,from_server; file_data; content:"PK|01 02|"; content:"|10 00|"; distance:24; within:2; content:"AppManifest.xaml"; distance:16; within:16; content:"PK|01 02|"; within:36; content:"|08 00|"; distance:24; within:2; pcre:"/^.{16}[a-z]{4}\.dll/Rs"; content:"PK|05 06|"; within:36; content:"|02 00 02 00|"; distance:4; within:4; 
flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2018226; rev:2; metadata:created_at 2014_03_05, former_category CURRENT_EVENTS, updated_at 2017_03_29;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL BIN March 2017"; flow:established,to_server; content:"GET"; http_method; content:"?showforum="; http_uri; fast_pattern:only; pcre:"/\?showforum=$/Ui"; content:!".php"; http_uri; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; reference:md5,ad575f6795526f2ee5e730f76a3b5346; classtype:trojan-activity; sid:2024109; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2019_04_03;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MalDoc Retrieving Payload March 30 2017"; flow:to_server,established; content:"GET"; http_method; content:"/mang.bbk"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/mang\.bbk$/Ui"; reference:md5,33018afc5ef9818eee0f3833d1f738b0; classtype:trojan-activity; sid:2024122; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Maldoc, performance_impact Moderate, signature_severity Major, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M1"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|0"; nocase; http_header; 
pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024133; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M2"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|1"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024134; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, updated_at 2020_08_04;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M3"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|2"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024135; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, updated_at 2020_08_04;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> 
$HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M4"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|3"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024136; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M5"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|4"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024137; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M6"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|5"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; 
reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024138; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M7"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|6"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024139; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M8"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|7"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024140; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;) alert tcp $EXTERNAL_NET 
$HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M9"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|8"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024141; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M10"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|9"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024142; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Mail.ru Phish Apr 04 2017"; flow:to_server,established; content:"POST"; http_method; content:"new_auth_form="; depth:14; nocase; http_client_body; fast_pattern; content:"&page="; nocase; distance:0; http_client_body; content:"&back="; nocase; distance:0; http_client_body; content:"&FromAccount="; nocase; distance:0; http_client_body; 
content:"&Login="; nocase; distance:0; http_client_body; content:"&selector="; nocase; distance:0; http_client_body; content:"&Username="; nocase; distance:0; http_client_body; content:"&Password="; nocase; distance:0; http_client_body; content:"&saveauth="; nocase; distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024167; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_04_04;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK CVE-2016-0189 Exploit"; flow:established,from_server; file_data; content:"dllcode"; nocase; fast_pattern:only; content:"|28 26 68 34 64 2c 26 68 35 61 2c 26 68 38 30 2c 30 2c 31 2c 30 2c 30 2c 30|"; nocase; content:"GetSpecialFolder"; nocase; reference:cve,2016-0189; classtype:trojan-activity; sid:2024168; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK CVE-2016-0189 Exploit M2"; flow:established,from_server; file_data; content:"|73 74 72 54 6f 49 6e 74 28 4d 69 64 28 6d 65 6d 2c 20 31 2c 20 32 29 29|"; content:"|2b 20 26 48 31 37 34|"; reference:cve,2016-0189; classtype:trojan-activity; sid:2024169; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, performance_impact Low, 
signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_04_04;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK CVE-2015-2419 Exploit"; flow:established,from_server; file_data; content:"EB125831C966B9"; nocase; content:"05498034088485C975F7FFE0E8E9FFFFFFD10D61074028D7D5D3B544E0"; distance:2; within:58; nocase; reference:cve,2016-0189; classtype:trojan-activity; sid:2024170; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_04_04;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Terror EK Payload Download"; flow:established,to_server; content:"e=cve"; http_uri; fast_pattern:only; pcre:"/[&?]e=cve\d{8}(?:&|$)/U"; pcre:"/=[a-f0-9]{32,}(?:&|$)/U"; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2024180; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2019_10_07;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful HM Revenue & Customs Phish M1 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"gender="; depth:7; nocase; http_client_body; fast_pattern; content:"&name1="; nocase; distance:0; http_client_body; content:"&name2="; nocase; distance:0; http_client_body; content:"&day="; nocase; distance:0; http_client_body; content:"&month="; nocase; distance:0; http_client_body; content:"&year="; nocase; distance:0; http_client_body; 
content:"&email="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; content:"&submitForm="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024184; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_25;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful HM Revenue & Customs Phish M2 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"cnumber="; depth:8; nocase; http_client_body; fast_pattern; content:"&expm="; nocase; distance:0; http_client_body; content:"&expy="; nocase; distance:0; http_client_body; content:"&cvv="; nocase; distance:0; http_client_body; content:"&cname="; nocase; distance:0; http_client_body; content:"&submitForm="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024185; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_05;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Santander Phish M1 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"cpf="; depth:4; nocase; http_client_body; fast_pattern; content:"&next_pag="; nocase; distance:0; http_client_body; content:"&entrar="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024186; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_04_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Santander Phish M2 Apr 07 2017"; 
flow:to_server,established; content:"POST"; http_method; content:"psw_net="; depth:8; nocase; http_client_body; fast_pattern; content:"&cpf="; nocase; distance:0; http_client_body; content:"&continuar_acess="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024187; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_04_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Santander Phish M3 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"psw_4="; depth:6; nocase; http_client_body; fast_pattern; content:"&psw_net="; nocase; distance:0; http_client_body; content:"&cpf="; nocase; distance:0; http_client_body; content:"&proseguir="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024188; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_04_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocENG Payload DL"; flow:established,from_server; content:"|3b 20 66 69 6c 65 6e 61 6d 65 3d 43 68 72 ce bf 6d d0 b5 20 66 ce bf 6e e1 b9 ab 2e 65 78 65|"; http_header; nocase; file_data; content:"MZ"; within:2; classtype:trojan-activity; sid:2024198; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, signature_severity Major, updated_at 2019_09_26;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocENG Inject M2"; flow:established,from_server; file_data; content:"|69 64 3d 22 70 70 68 68 22 20 3e 54 68 65 20 22 48 6f 65 66 6c 65 
72 54 65 78 74 22 20 66 6f 6e 74 20 77 61 73 6e 27 74 20 66 6f 75 6e 64 2e|"; classtype:trojan-activity; sid:2024199; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, signature_severity Major, updated_at 2017_04_11;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocENG Inject M3"; flow:established,from_server; file_data; content:"|69 64 3d 22 62 62 62 31 22 3e 43 6c 69 63 6b 20 6f 6e 20 74 68 65 20 43 68 72 6f 6d 65 5f 46 6f 6e 74 2e 65 78 65|"; classtype:trojan-activity; sid:2024200; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, signature_severity Major, updated_at 2017_04_11;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Setup"; flow:established,to_server; content:".php?setup=d&s="; http_uri; content:"&r="; pcre:"/\.php\?setup=d&s=\d+&r=\d+$/U"; classtype:trojan-activity; sid:2015946; rev:2; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2017_04_12;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Malicious Expires Header Seen In Malicious JavaScript Downloader Campaign"; flow:established,to_client; content:"Expires|3A| Tue, 08 Jan 1935 00|3A|00|3A|00 GMT"; http_header; fast_pattern:9,20; classtype:trojan-activity; sid:2024229; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_20, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2020_08_05;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful iCloud Phish Apr 20 2017"; 
flow:to_server,established; content:"POST"; http_method; content:"ip="; depth:3; nocase; http_client_body; content:"&city="; nocase; distance:0; http_client_body; content:"&country="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; fast_pattern; content:"&sbBtn="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024231; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_04_20;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Alitalia Airline Phish Apr 20 2017"; flow:to_server,established; content:"POST"; http_method; content:"carta="; depth:6; nocase; http_client_body; content:"&month="; nocase; distance:0; http_client_body; content:"&cvv="; nocase; distance:0; http_client_body; content:"&year="; nocase; distance:0; http_client_body; content:"&imageField"; nocase; distance:0; http_client_body; content:"&nome="; nocase; distance:0; http_client_body; content:"&VBV="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2024232; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_04_20;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS ElTest Exploit Kit Redirection Script"; flow:established,to_client; file_data; content:"<script"; nocase; content:"text/javascript"; within:50; nocase; content:"|22|iframe|22|"; within:100; nocase; content:".style.border= |22|0px|22|"; within:200; fast_pattern; nocase; content:"frameborder"; within:100; nocase; content:".setAttribute("; within:50; nocase; content:"document.body.appendChild("; 
within:100; nocase; content:"= |22|http"; within:100; nocase; content:".src="; distance:0; nocase; content:"<|2F|script>"; within:50; nocase; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-campaign-evolution-eitest-october-december-2016/; classtype:trojan-activity; sid:2024237; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_24, deployment Perimeter, former_category EXPLOIT_KIT, performance_impact Moderate, signature_severity Major, updated_at 2017_04_24;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful OWA Phish Apr 25 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta http-equiv="; nocase; content:"refresh"; nocase; distance:1; within:7; content:"office365.com/owa/"; nocase; distance:0; fast_pattern; content:"<title>Account"; nocase; distance:0; content:"Success"; nocase; within:20; classtype:trojan-activity; sid:2024999; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_05;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Landing Page"; flow:established,to_client; content:"eval(function(p,a,c,"; content:"|7C|zzz|7C|"; distance:0; classtype:trojan-activity; sid:2014934; rev:3; metadata:created_at 2012_06_22, former_category CURRENT_EVENTS, updated_at 2017_04_28;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile"; flow:established,to_server; content:"/"; http_uri; content:".exe"; distance:1; within:8; fast_pattern; http_uri; content:!"Referer|3a 20|"; nocase; http_header; content:!"download.bitdefender.com|0d 0a|"; http_header; 
content:!".appspot.com|0d 0a|"; http_header; nocase; pcre:"/\/[A-Z]?[a-z]{1,3}[0-9]?\.exe$/U"; content:!"kaspersky.com|0d 0a|"; http_header; content:!".sophosxl.net"; http_header; content:!"koggames"; http_header; classtype:bad-unknown; sid:2019714; rev:7; metadata:created_at 2014_11_14, updated_at 2020_09_16;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS WindowBase64.atob Function In Edwards Packed JavaScript - Possible iFrame Injection Detected"; flow:established,to_client; file_data; content:"eval(function(p,a,c"; content:"|7C|atob|7C|"; nocase; content:"|7C|iframe|7C|"; nocase; fast_pattern:only; reference:url,blog.malwarebytes.org/exploits-2/2015/02/celebrity-chef-jamie-olivers-website-hacked-redirects-to-exploit-kit/; classtype:bad-unknown; sid:2020605; rev:4; metadata:created_at 2015_03_04, former_category CURRENT_EVENTS, updated_at 2019_10_07;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jun 03 2016"; flow:established,to_server; content:"/wordpress/?"; http_uri; depth:12; pcre:"/^\/wordpress\/\?[A-Za-z0-9]{4}(?:&utm_source=le)?$/U"; classtype:trojan-activity; sid:2022859; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, updated_at 2017_05_08;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FAKEIE Minimal Headers (flowbit set)"; flow:to_server,established; content:"GET"; http_method; content:" MSIE "; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^User-Agent\x3a[^\r\n]+\sMSIE\s[^\r\n]+\r\nHost\x3a[^\r\n]+\r\nCache-Control\x3a\x20no-cache\r\n(?:\r\n)?$/H"; flowbits:set,FakeIEMinimal; flowbits:noalert; reference:url,malware-traffic-analysis.net/2014/10/01/index.html; classtype:trojan-activity; sid:2019344; rev:3; metadata:created_at 2014_10_03, 
former_category CURRENT_EVENTS, updated_at 2020_08_28;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Bingo Exploit Kit Landing May 08 2017"; flow:established,from_server; file_data; content:"+=String.fromCharCode("; pcre:"/^[a-z]\d{3}\[[a-z]\d{3}\]\^[a-z]\d{3}\)\x3breturn [a-z]\d{3}\x3b\}/R"; content:"|29 29 29 5e|"; fast_pattern:only; content:".text="; pcre:"/^[a-z]\d{3}\x3b[a-z]\d{3}\.getElementsByTagName\([a-z]\d{3}\(new Array\(\d+\,/R"; content:".type="; pcre:"/^[a-z]\d{3}\(new Array\(/R"; flowbits:set,ET.Fiesta.Exploit.URI; classtype:trojan-activity; sid:2025071; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_05_10, deployment Perimeter, former_category EXPLOIT_KIT, performance_impact Low, signature_severity Major, updated_at 2019_10_07;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) May 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"email"; depth:5; nocase; http_client_body; content:"|25|40"; distance:0; http_client_body; content:"senha"; nocase; http_client_body; fast_pattern; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024576; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_06;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Scotiabank Phish M1 May 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"signon_form="; depth:12; nocase; http_client_body; content:"trusteeCompatible="; nocase; distance:0; http_client_body; content:"&user="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; 
content:"card-nickname="; nocase; distance:0; http_client_body; fast_pattern; content:"enter_sol="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024326; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_19;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Scotiabank Phish M2 May 24 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?Step=Account"; nocase; http_uri; content:"mmn="; depth:4; nocase; http_client_body; content:"&seccode="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2024327; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_05_24;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Banco do Brasil Phish Mar 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"telefone="; depth:9; nocase; http_client_body; content:"&senha6="; nocase; distance:0; http_client_body; fast_pattern; content:"&ir="; nocase; distance:0; http_client_body; content:"&agencia="; nocase; distance:0; http_client_body; content:"&conta="; nocase; distance:0; http_client_body; content:"&senha8="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024328; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_06;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Banco do Brasil Phish May 25 2017"; flow:to_server,established; content:"POST"; http_method; 
content:"agencia="; depth:8; nocase; http_client_body; content:"&conta="; nocase; distance:0; http_client_body; content:"&senha8="; nocase; distance:0; http_client_body; fast_pattern; content:"&ir="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024329; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_06;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) May 25 2017"; flow:to_server,established; content:"POST"; http_method; content:"handle="; depth:7; nocase; http_client_body; fast_pattern; content:"|25|40"; http_client_body; distance:0; content:"pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024577; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_06;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Neverquest/Vawtrak Posting Data"; flow:established,to_server; content:"POST"; http_method; content:"/viewforum.php?f="; http_uri; fast_pattern:only; pcre:"/\/viewforum\.php\?f=\d+&sid=[A-F0-9]{32}$/U"; content:!"Referer|3a|"; http_header; content:"Content-Type|3a 20|application/octet-stream"; http_header; reference:md5,0400671fd3804fbf3fd1d6cf707bced4; reference:md5,1dfaeb7b985d2ba039cd158f63b8ae54; classtype:trojan-activity; sid:2018543; rev:2; metadata:created_at 2014_06_06, former_category CURRENT_EVENTS, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Dropbox Phishing Landing May 31 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; 
http_header; file_data; content:"<title>Dropbox"; nocase; content:"Select your email provider"; nocase; fast_pattern:6,20; distance:0; content:"Gmail"; nocase; distance:0; content:"Yahoo"; nocase; distance:0; classtype:trojan-activity; sid:2025661; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_06;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) May 31 2017"; flow:to_server,established; content:"POST"; http_method; content:"password="; depth:9; nocase; http_client_body; fast_pattern; content:"&email="; nocase; http_client_body; distance:0; content:"|25|40"; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024578; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_06;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Terror EK Landing URI T1 Jun 02 2017"; flow:established,to_server; content:"/e71cac9dd645d92189c49e2b30ec627a/dcb4c6c6149b2208fbcf7c9d8c59548e"; http_uri; classtype:trojan-activity; sid:2024343; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_06_02;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Terror EK Payload URI T1 Jun 02 2017"; flow:established,to_server; content:"/d/"; http_uri; content:"/?q=r4&"; http_uri; fast_pattern:only; pcre:"/\&e=(?:cve|flash)/Ui"; 
classtype:trojan-activity; sid:2024344; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Payload URI T1 Jun 02 2017 M2"; flow:established,from_server; content:"Content-Description|3a 20|File Transfer"; http_header; pcre:"/Content-Disposition\x3a[^\r\n]+\.exe-rc4\.exe\r\n/Hi"; content:"ci_session"; http_cookie; content:"Expires|3a 20|0"; http_header; file_data; content:!"MZ"; within:2; classtype:trojan-activity; sid:2024345; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2020_08_06;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Landing T1 Jun 02 2017 M1"; flow:established,from_server; file_data; content:"|3c 70 61 72 61 6d 20 6e 61 6d 65 3d 46 6c 61 73 68 56 61 72 73 20 76 61 6c 75 65 3d 22 69 64 64 71 64 3d 27|"; classtype:trojan-activity; sid:2024346; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_06_02;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Landing T1 Jun 02 2017 M2"; flow:established,from_server; file_data; content:"|25 37 37 25 37 33 25 36 33 25 37 32 25 36 39 25 37 30 25 37 
34 25 32 45 25 36 35 25 37 38 25 36 35|"; content:"|2e 53 74 61 72 74 52 65 6d 6f 74 65 44 65 73 6b 74 6f 70|"; classtype:trojan-activity; sid:2024347; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_06_02;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Request for Grey Advertising Often Leading to EK"; flow:established,to_server; content:"GET"; http_method; content:"/?&tid="; http_uri; fast_pattern; content:"&red="; http_uri; distance:0; content:"&abt="; http_uri; distance:0; content:"&v="; http_uri; distance:0; content:!"Referer|3a|"; http_header; reference:url,blog.malwarebytes.com/cybercrime/2017/05/roughted-the-anti-ad-blocker-malvertiser; classtype:trojan-activity; sid:2024350; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Malvertising, malware_family RoughTed, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M1 B641"; flow:established,from_server; file_data; content:"|4a694270626e525562314e30636968685a4752794b|"; classtype:trojan-activity; sid:2024353; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M1 
B642"; flow:established,from_server; file_data; content:"|596761573530564739546448496f5957526b6369|"; classtype:trojan-activity; sid:2024354; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M1 B643"; flow:established,from_server; file_data; content:"|6d49476c7564465276553352794b47466b5a484970|"; classtype:trojan-activity; sid:2024355; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M2 B641"; flow:established,from_server; file_data; content:"|496d784a62477873496a6f69646d6c7964485668624842796233526c5933|"; classtype:trojan-activity; sid:2024356; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M2 B642"; flow:established,from_server; file_data; content:"|4a735357787362434936496e5a70636e523159577877636d39305a574e30|"; classtype:trojan-activity; sid:2024357; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product 
Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M2 B643"; flow:established,from_server; file_data; content:"|6962456c73624777694f694a3261584a306457467363484a766447566a64|"; classtype:trojan-activity; sid:2024358; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M3 B641"; flow:established,from_server; file_data; content:"|593268796479677a4d6a63324e79|"; pcre:"/(?:NocncoMjE3Ni|Y2hydygyMTc2K|jaHJ3KDIxNzYp)/"; classtype:trojan-activity; sid:2024359; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M3 B642"; flow:established,from_server; file_data; content:"|6a61484a334b444d794e7a59334b|"; pcre:"/(?:NocncoMjE3Ni|Y2hydygyMTc2K|jaHJ3KDIxNzYp)/"; classtype:trojan-activity; sid:2024360; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, 
tag Exploit_Kit_Sundown, updated_at 2017_06_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M3 B643"; flow:established,from_server; file_data; content:"|4e6f636e636f4d7a49334e6a6370|";pcre:"/(?:NocncoMjE3Ni|Y2hydygyMTc2K|jaHJ3KDIxNzYp)/"; classtype:trojan-activity; sid:2024361; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_19;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M4 B641"; flow:established,from_server; file_data; content:"|657949784e7a51784e6949364e4441344d44597a4e6977694d5463304f5459694f6a51774f4441324d7a5973496a45334e6a4d78496a6f304d4467304e7a51344c4349784e7a59304d43|"; classtype:trojan-activity; sid:2024362; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M4 B642"; flow:established,from_server; file_data; content:"|73694d5463304d5459694f6a51774f4441324d7a5973496a45334e446b32496a6f304d4467774e6a4d324c4349784e7a597a4d5349364e4441344e4463304f4377694d5463324e444169|"; classtype:trojan-activity; sid:2024363; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, 
updated_at 2017_06_07;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jun 08 2017"; flow:to_server,established; content:"POST"; http_method; content:"id="; nocase; http_client_body; content:"&Pass"; nocase; http_client_body; distance:0; content:"formimage"; nocase; http_client_body; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024579; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_06;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Bingo EK Payload Download"; flow:established,to_server; urilen:116; content:"/?"; depth:2; http_uri; pcre:"/^\/\?[a-f0-9]{114}$/U"; content:"WinHttp.WinHttpRequest.5"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; classtype:trojan-activity; sid:2024367; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Bingo, updated_at 2020_03_04;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Poste Italiane Phish Jun 08 2017"; flow:to_server,established; content:"POST"; http_method; content:"/foo-autenticazione.php"; http_uri; fast_pattern; isdataat:!1,relative; content:"pass"; nocase; http_client_body; classtype:trojan-activity; sid:2024370; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_09_14;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"ET CURRENT_EVENTS Successful Banco Itau (BR) Phish Jun 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"agencia="; nocase; http_client_body; content:"&conta="; nocase; distance:0; http_client_body; content:"&senha_eletronica="; nocase; distance:0; http_client_body; fast_pattern; content:"&senha_cartao="; nocase; distance:0; http_client_body; content:"&celular="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024371; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_06;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Apple Phish Jun 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"AppleSession"; http_cookie; content:"Cookie|3a 20|AppleSession"; fast_pattern:only; classtype:trojan-activity; sid:2024374; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2019_10_07;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Generic Credit Card Information in HTTP POST - Possible Successful Phish Jun 12 2017"; flow:to_server,established; content:"POST"; http_method; content:"cnum="; depth:5; nocase; http_client_body; content:"&exp="; nocase; distance:0; http_client_body; content:"&cvv="; nocase; distance:0; http_client_body; content:"&pin="; nocase; distance:0; http_client_body; content:"&ssn="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2024377; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_06;) alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Nemucod JS Downloader June 12 2017"; flow:established,to_server; pcre:"/\/[A-Za-z0-9]{5,7}\?+[A-Za-z0-9]{6,12}=[A-Za-z0-9]{6,12}$/U"; content:"Accept|3a 20 2a 2f 2a 0d 0a|Accept-Language|3a|"; http_header; depth:29; content:"Firefox/51.0"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; classtype:trojan-activity; sid:2024380; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Nemucod, performance_impact Low, signature_severity Major, tag WS_JS_Downloader, updated_at 2020_03_04;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RIG EK URI Struct Jun 13 2017"; flow:established,to_server; urilen:>90; content:"/?"; http_uri; depth:2; content:"=x"; fast_pattern; http_uri; pcre:"/=x[HX3][^&]Q[cdM][^&]{3}[ab]R/U"; content:!"Cookie|3a|"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2024381; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_03_04;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible iTunes Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<TITLE>iTunes Connect"; classtype:trojan-activity; sid:2018303; rev:2; metadata:created_at 2014_03_21, former_category CURRENT_EVENTS, updated_at 2017_06_16;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"Dropbox - Sign in"; 
classtype:bad-unknown; sid:2020332; rev:2; metadata:created_at 2015_01_29, former_category CURRENT_EVENTS, updated_at 2017_06_16;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Chase Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Chase Online - Identification</title>"; fast_pattern:24,20; nocase; classtype:bad-unknown; sid:2025674; rev:2; metadata:created_at 2015_12_01, former_category CURRENT_EVENTS, updated_at 2018_07_12;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Google Docs Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"Google Docs"; nocase; classtype:bad-unknown; sid:2024386; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Docusign Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"Docusign"; nocase; classtype:bad-unknown; sid:2024387; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Google Drive Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"Meet Google Drive - One Place For All Your Files"; nocase; classtype:bad-unknown; sid:2024388; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Alibaba Phishing Landing - 
Title over non SSL"; flow:established,to_client; file_data; content:"Alibaba |3b|Manufacturer |3b|Directory"; nocase; classtype:bad-unknown; sid:2024389; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Free Mobile Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Free Mobile - Bienvenue dans votre Espace"; nocase; classtype:bad-unknown; sid:2024393; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible AOL Mail Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>AOL Mail|3a 20|Simple, Free, Fun"; nocase; classtype:bad-unknown; sid:2024394; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible OWA Mail Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"Outlook Web Access"; nocase; classtype:bad-unknown; sid:2024395; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible OWA Mail Phishing Landing - Title over non SSL"; flow:established,to_client; 
file_data; content:"Outlook Web App"; nocase; classtype:bad-unknown; sid:2024396; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Facebook Help Center Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"Facebook Help Center"; nocase; classtype:bad-unknown; sid:2024397; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Adobe PDF Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"Adobe PDF"; nocase; classtype:bad-unknown; sid:2024399; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible DHL Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"DHL |7c| Tracking"; nocase; classtype:bad-unknown; sid:2024400; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Adobe ID Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"Sign In - Adobe ID"; nocase; classtype:bad-unknown; sid:2024401; rev:1; metadata:affected_product Web_Browsers, 
attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Yahoo Phishing Landing - Title over non SSL"; flow:established,to_client; content:!"Server|3a 20|YTS"; http_header; file_data; content:"Yahoo! Mail"; fast_pattern; nocase; classtype:bad-unknown; sid:2024398; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_06;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Yahoo Phishing Landing - Title over non SSL"; flow:established,to_client; content:!"Server|3a 20|YTS"; http_header; file_data; content:"<title>Yahoo - login"; fast_pattern; nocase; classtype:bad-unknown; sid:2024390; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_06;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2017-0199 Common Obfus Stage 2 DL"; flow:established,from_server; file_data; content:"|7b 5c 72 74|"; within:4; content:!"|66|"; within:1; content:"|5C 6F 62 6A 61 75 74 6C 69 6E 6B|"; nocase; distance:0; reference:md5,8168b2305289ecc778216405d1fd7984; reference:cve,2017-0199; classtype:trojan-activity; sid:2024413; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2017_06_19;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Broken/Filtered Payload Download Jun 19 2017"; 
flow:established,from_server; content:"Content-Length|3a 20|8|0d 0a|"; http_header; fast_pattern; file_data; content:"|6e 6f 62 69 6e 72 65 74|"; within:8; isdataat:!1,relative; classtype:trojan-activity; sid:2024414; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, updated_at 2020_09_14;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Watering Hole Redirect Inject Jun 28 2017"; flow:established,from_server; file_data; content:"REMOTE_URL"; content:"C_TIMEOUT"; distance:0; content:"apply_payload"; distance:0; fast_pattern; content:"execute_request"; distance:0; classtype:trojan-activity; sid:2024431; rev:1; metadata:created_at 2017_06_28, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2017_06_28;) alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET CURRENT_EVENTS Suspicious FTP RETR to .hta file possible exploit (CVE-2017-0199)"; flow:established,to_server; content:"|2e|hta|0d 0a|"; nocase; fast_pattern:only; content:"RETR "; pcre:"/^[^\r\n]+\.hta\r?\n/Ri"; classtype:bad-unknown; sid:2024434; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_06_29, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Chase Mobile Phishing Landing M2"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>"; nocase; content:"|26 23|67|3b 26 23|104|3b 26 23|97|3b 26 23|115|3b 26 23|101|3b 26 23|32|3b 26 
23|66|3b 26 23|97|3b 26 23|110|3b 26 23|107|3b|"; within:70; fast_pattern:34,20; content:"</title>"; distance:0; classtype:trojan-activity; sid:2025691; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_10;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jul 06 2017"; flow:to_server,established; content:"POST"; http_method; content:"b2="; depth:3; nocase; http_client_body; content:"&b1="; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024580; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl"; flow:to_server,established; content:".hta"; fast_pattern:only; http_uri; pcre:"/\.hta(?:[?&]|$)/Ui"; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b|"; http_header; content:!"Referer|3a|"; http_header; content:!"|0d 0a|Cookie|3a|"; reference:md5,66a42e338e32fb6c02c9d4c56760d89d; classtype:attempted-user; sid:2024449; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_07, cve 2017_0199, deployment Perimeter, former_category CURRENT_EVENTS, updated_at 2020_03_04;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jul 10 2017"; flow:to_server,established; content:"POST"; http_method; content:"id="; depth:3; nocase; http_client_body; content:"&pd="; nocase; http_client_body; distance:0; fast_pattern; 
flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024581; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_10;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Capitec Internet Banking Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"Capitec Internet Banking"; nocase; classtype:bad-unknown; sid:2024453; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_07_11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jul 11 2017"; flow:to_server,established; content:"POST"; http_method; content:"IDToken"; depth:7; nocase; http_client_body; content:"&IDToken"; nocase; http_client_body; distance:0; fast_pattern; content:"&IDToken"; nocase; http_client_body; distance:0; content:"&IDToken"; nocase; http_client_body; distance:0; content:"&IDToken"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024582; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_10;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish - Credit Card"; flow:established,to_server; content:"POST"; http_method; content:"ccnum"; http_client_body; fast_pattern; content:"&exp"; distance:0; http_client_body; content:"&cvv"; distance:0; http_client_body; classtype:trojan-activity; sid:2021692; rev:2; metadata:affected_product 
Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
#
# ---- Reviewer notes for this section (rules themselves are unchanged; restored to one rule per line) ----
# * Every "Successful ... Phish" rule below is a $HOME_NET -> $EXTERNAL_NET POST match (flow:to_server,
#   http_client_body field names). By the time it fires the credential / card / PII data has already been
#   delivered to the phishing host, so a hit is a confirmed exposure to be handled as such (password reset,
#   look for follow-on logins), not a blocked attempt.
# * Everything here keys on $HTTP_PORTS and the http_* / file_data buffers, i.e. cleartext HTTP that the
#   HTTP preprocessor has parsed. Phishing kits served over HTTPS are invisible to these rules unless the
#   sensor sits behind TLS termination.
# * This is a vendor-distributed file. Do not hand-edit rules in place: apply disables, thresholds and option
#   tweaks through the rule-management layer so they survive the next ruleset pull, and bump rev when a rule
#   is changed.
#
# Generic: no URI/host constraint, only the q1=/answer1= ... q3=/answer3= body fields (q1= is not even
# anchored with depth). Expect to tune against legitimate "security question" forms.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish - Three Security Questions"; flow:established,to_server; content:"POST"; http_method; content:"q1="; http_client_body; content:"&answer1="; distance:0; http_client_body; fast_pattern; content:"&q2="; http_client_body; distance:0; content:"&answer2="; distance:0; http_client_body; content:"&q3="; distance:0; http_client_body; content:"&answer3="; distance:0; http_client_body; classtype:trojan-activity; sid:2021693; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
# REVIEW: fast_pattern:2,20 is applied to "Sign in - Adobe", a 15-byte content; offset 2 + length 20 overruns
# the pattern by 7 bytes. Confirm the engine in use accepts or truncates this (otherwise the rule fails to
# load); a plain "fast_pattern;" on the same content is the safe form.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Shared Document Phishing Landing Nov 19 2015"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"pagename=|22|login|22|"; nocase; content:"Sign in - Adobe"; nocase; distance:0; fast_pattern:2,20; content:"password-revealer"; nocase; distance:0; reference:md5,ba42e59213f10f5c1bd70ce4813f25d1; classtype:trojan-activity; sid:2023047; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_11, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Apple Phish Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"login="; depth:6; nocase; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; content:"&submit=Sign+In&curl_version="; nocase; distance:0; http_client_body; fast_pattern:9,20; classtype:trojan-activity; sid:2023888; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_09, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2017_02_09;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Credit Agricole Phish Aug 15 2016 M1"; flow:to_server,established; content:"POST"; http_method; content:"ident="; fast_pattern; depth:6; nocase; http_client_body; content:"&ReadOut="; nocase; distance:0; http_client_body; content:"&prenom="; nocase; distance:0; http_client_body; content:"&nuum="; nocase; distance:0; http_client_body; content:"&xrypt="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023063; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2017_07_12;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Credit Agricole Phish Aug 15 2016 M2"; flow:to_server,established; content:"POST"; http_method; content:"nom="; depth:4; nocase; http_client_body; content:"&prenom="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&pemail="; fast_pattern; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023064; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2017_07_12;)
# The ".php?cmd=login_submit" match is on http_header, not http_uri, i.e. it is expected in a header such as
# Referer (the page the credentials are posted from), not in the POST target itself.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Excel Phish Aug 15 2016"; flow:to_server,established; content:"POST"; http_method; content:".php?cmd=login_submit"; http_header; nocase; fast_pattern; content:"login="; depth:6; nocase; http_client_body; content:"&passwd="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023061; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful National Bank Phish Jan 05 2017"; flow:to_server,established; content:"POST"; http_method; content:"redirect="; depth:9; nocase; http_client_body; content:"&txtState="; nocase; distance:0; http_client_body; content:"&txtCount="; nocase; distance:0; http_client_body; content:"&txtOneTime="; nocase; distance:0; http_client_body; content:"&Account_ID="; nocase; distance:0; http_client_body; content:"&active_Password="; nocase; distance:0; http_client_body; fast_pattern; content:"&Submit="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023698; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
# Minor metadata inconsistency: affected_product is the Windows list rather than Web_Browsers used by the
# sibling phish rules, and the msg date (Jan 04) differs from created_at (2017_01_05).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Netflix Payment Phish M1 Jan 04 2017"; flow:to_server,established; content:"POST"; http_method; content:"firstName="; depth:10; nocase; http_client_body; content:"&lastName="; nocase; distance:0; http_client_body; content:"&cardNumber="; nocase; distance:0; http_client_body; content:"&expirationMonth="; nocase; distance:0; http_client_body; content:"&expirationYear="; nocase; distance:0; http_client_body; content:"&securityCode="; nocase; distance:0; http_client_body; fast_pattern; content:"&SubmitButton="; nocase; distance:0; http_client_body; content:"&msg_agree="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024462; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"FromPreSignIn_SIP="; depth:18; nocase; http_client_body; fast_pattern; content:"&RSA_DEVPRINT="; nocase; distance:0; http_client_body; content:"&ROLLOUT="; nocase; distance:0; http_client_body; content:"&user="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023770; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Tesco Bank Phish M2 Nov 08 2016"; flow:to_server,established; content:"POST"; http_method; content:"1="; depth:2; nocase; http_client_body; content:"&password="; nocase; distance:0; http_client_body; content:"&cvv1="; nocase; distance:0; http_client_body; fast_pattern; content:"&mobile1="; nocase; distance:0; http_client_body; content:"&next"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023488; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_08, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_11_08;)
# Remax kit: one rule per credential-collector script (/aol.php, /hotmail.php, /other.php). Note sid 2017750
# further down also keys on /aol.php with a looser body match, so an AOL submission can raise both.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Remax Phish - AOL Creds Jun 23 2015"; flow:established,to_server; content:"POST"; http_method; content:"/aol.php"; http_uri; fast_pattern; content:"sitedomain="; depth:11; http_client_body; content:"&isSiteStateEncoded="; http_client_body; nocase; distance:0; classtype:bad-unknown; sid:2021322; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Remax Phish - Hotmail Creds Nov 25 2013"; flow:established,to_server; content:"POST"; http_method; content:"/hotmail.php"; http_uri; fast_pattern; content:"Sign+In"; http_client_body; nocase; classtype:bad-unknown; sid:2017753; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_11_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Remax Phish - Other Creds Jun 23 2015"; flow:established,to_server; content:"POST"; http_method; content:"/other.php"; http_uri; fast_pattern; content:"&_task=login&_action=login"; http_client_body; nocase; classtype:bad-unknown; sid:2021324; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Adobe Phish Jun 17 2015"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"username="; depth:9; nocase; http_client_body; fast_pattern; content:"&pass"; nocase; http_client_body; distance:0; content:"&vi="; nocase; http_client_body; distance:0; classtype:trojan-activity; sid:2021296; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Google Drive Phish June 17 2015"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"email="; depth:6; http_client_body; nocase; content:"&pswd="; http_client_body; distance:0; nocase; fast_pattern; content:"&Button1="; nocase; http_client_body; distance:0; classtype:trojan-activity; sid:2021297; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
# Destination port is "any" here (the sibling rules use $HTTP_PORTS). The http_method/http_uri/http_client_body
# buffers are only populated for traffic the HTTP preprocessor inspects, so this widens coverage only to the
# extra ports that preprocessor is configured for, not to arbitrary ports.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Dropbox Phish June 17 2015"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"server="; depth:7; nocase; http_client_body; fast_pattern; content:"&username="; nocase; http_client_body; distance:0; content:"&password="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2021298; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
# Lead-quality only (Minor, bad-unknown): any cleartext page titled "Excel Online" that is not "...Training".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Excel Online Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Excel Online"; nocase; content:!"Training"; nocase; within:25; classtype:bad-unknown; sid:2024392; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_07_17;)
# Tesco "(set)" rules: flowbits:noalert setters only. They tag the flow ET.genericphish_Tesco for a
# response-side rule outside this section and never alert by themselves; disabling them silently disables
# that consumer too.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Tesco Bank Phish (set) Jul 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"username="; depth:9; http_client_body; nocase; fast_pattern; content:"&login.x="; nocase; distance:0; http_client_body; content:"&login.y="; nocase; distance:0; http_client_body; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; classtype:trojan-activity; sid:2025021; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Tesco Phish (set) M1 Jul 18 2017"; flow:to_server,established; content:"POST"; http_method; content:"1="; depth:2; nocase; http_client_body; content:"&password="; nocase; distance:0; http_client_body; content:"&cvv1="; nocase; distance:0; http_client_body; fast_pattern; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; classtype:trojan-activity; sid:2025022; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Tesco Phish (set) M2 Jul 18 2017"; flow:to_server,established; content:"POST"; http_method; content:"access1="; depth:8; nocase; http_client_body; fast_pattern; content:"&next.x="; nocase; distance:0; http_client_body; content:"&next.y="; nocase; distance:0; http_client_body; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; classtype:trojan-activity; sid:2025023; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Tesco Phish (set) M3 Jul 18 2017"; flow:to_server,established; content:"POST"; http_method; content:"access2="; depth:8; nocase; http_client_body; fast_pattern; content:"&formimage1.x="; nocase; distance:0; http_client_body; content:"&formimage1.y="; nocase; distance:0; http_client_body; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; classtype:trojan-activity; sid:2025024; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Tesco Phish (set) M4 Jul 18 2017"; flow:to_server,established; content:"POST"; http_method; content:"email="; depth:6; nocase; http_client_body; content:"&emailpass="; nocase; distance:0; http_client_body; fast_pattern; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; classtype:trojan-activity; sid:2025025; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_10;)
# Disabled. If re-enabled, give the content an http_uri modifier: as written it is searched in the raw
# payload while the pcre that follows is URI-anchored (/U).
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS EITest Keitaro Evil Redirect Leading to SocENG July 25 2017"; flow:established,to_server; content:"/?nbVykj"; pcre:"/\/\?nbVykj$/U"; classtype:trojan-activity; sid:2024494; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2017_07_25;)
# RIG payload rules: "within:8" directly after file_data with no preceding match effectively pins the 8-byte
# content to the start of the served body (same as depth:8). Each is a fixed header from one campaign's
# encrypted payload, so they are brittle and campaign-specific by design.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG encrypted payload M1 Feb 02 2016"; flow:established,to_client; file_data; content:"|3b 2d dd 4b 40 77 77 41|"; within:8; classtype:trojan-activity; sid:2022484; rev:2; metadata:created_at 2016_02_02, former_category CURRENT_EVENTS, updated_at 2017_08_01;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG encrypted payload M1 Aug 01 2017"; flow:established,to_client; file_data; content:"|73 29 88 ff e0 d1 0e 74|"; within:8; reference:md5,263a2cf88f340b2a755db749be1371ea; classtype:trojan-activity; sid:2024507; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, signature_severity Major, tag RigEK, updated_at 2017_08_01;)
# REVIEW: the negated Cookie check carries no http_header modifier while the Referer one does, so it is
# evaluated against the raw payload rather than the header buffer. For consistency and precision:
# content:!"Cookie|3a|"; http_header;  (bump rev if changed).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Nemucod JS Downloader Aug 01 2017"; flow:established,to_server; pcre:"/\/[A-Za-z0-9]{5,9}\?+[A-Za-z0-9]{6,12}=[A-Za-z0-9]{6,12}$/U"; content:"Accept|3a 20 2a 2f 2a 0d 0a|Accept-Language|3a|"; http_header; depth:29; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0)"; http_header; fast_pattern:30,20; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; reference:md5,cb558b04216e0e7a9c936945ebee6611; classtype:trojan-activity; sid:2024508; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Nemucod, signature_severity Major, updated_at 2020_03_04;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Inject July 25 2017"; flow:established,from_server; file_data; content:"var a=a|7c 7c|window.event|3b|doOpen|28 22|http"; nocase; pcre:"/^s?\x3a\x2f\x2f[^\x22\x27]+\/\?[A-Za-z0-9]{5,6}(?:=[^&\x22\x27]+)?[\x22\x27]\x29\x3bsetCookie\(\x22popundr\x22,1,864e5\)\}/Ri"; classtype:trojan-activity; sid:2024493; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2017_07_25;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Generic Phish - Fake Loading Page 2017-08-03"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"//configure destination URL"; nocase; fast_pattern:7,20; content:"targetdestination"; nocase; distance:0; content:"splashmessage[0]"; nocase; distance:0; content:"splashmessage[1]"; nocase; distance:0; content:"//Do not edit below this line"; nocase; distance:0; classtype:trojan-activity; sid:2029660; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
# Magnitude M1: the hex contents are the JS fragments [0]["A"+ / )+"X"+"O"+ / return (""+ / )+"At"] - the
# landing page's string-splitting obfuscation of its ActiveX/charCode calls.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK Landing M1 Aug 05 2017"; flow:established,from_server; file_data; content:"|5b 30 5d 5b 22 41 22 2b|"; content:"|29 2b 22 58 22 2b 22 4f 22 2b|"; distance:0; fast_pattern; content:"|72 65 74 75 72 6e 20 28 22 22 2b|"; content:"|29 2b 22 41 74 22 5d|"; distance:0; classtype:trojan-activity; sid:2024514; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_08_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Magnitude, updated_at 2017_08_07;)
# Magnitude M2: VBScript landing. Hex contents decode to CreateObject( / Execute( / ReDim / Preserve /
# UnEscape; each pcre requires the same short identifier to be called five times back to back (the kit's
# string-assembly loop).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK Landing M2 Aug 05 2017"; flow:established,from_server; file_data; content:"|43 72 65 61 74 65 4f 62 6a 65 63 74 28|"; pcre:"/^(?P<var>[A-Z0-9a-z]{1,20})\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29/Rsi"; content:"|45 78 65 63 75 74 65 28|"; pcre:"/^(?P<var>[A-Z0-9a-z]{1,20})\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29/Ri"; content:"|52 65 44 69 6d|"; content:"|50 72 65 73 65 72 76 65|"; content:"|55 6e 45 73 63 61 70 65|"; classtype:trojan-activity; sid:2024515; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Magnitude, updated_at 2017_08_07;)
# Metadata lacks signature_severity (every sibling phish rule carries one).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Blockchain Account Phish Aug 19 2016"; flow:to_server,established; content:"POST"; http_method; content:"UID_input="; depth:10; nocase; http_client_body; fast_pattern; content:"&pass"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024616; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, tag Phishing, updated_at 2020_08_11;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Mail.ru Phish Aug 10 2017"; flow:to_server,established; content:"POST"; http_method; content:"1login="; depth:7; nocase; http_client_body; fast_pattern; content:"&login="; nocase; distance:0; http_client_body; content:"&Domain="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024532; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_08_10;)
# AMSI bypass, B641-B643: the three base64 alignments of UTF-16LE "amsiInitFailed" (the
# AmsiUtils.amsiInitFailed SetValue($null,$true) trick; sid 2024537 is the cleartext form). All four require
# the string to appear after "<script" and "powershell" in a served file, so a bare PowerShell script
# download or the same payload inside an Office/LNK carrier is not covered here.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible AMSI Powershell Bypass Attempt B641"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBk"; fast_pattern; classtype:trojan-activity; sid:2024534; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible AMSI Powershell Bypass Attempt B642"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"EAbQBzAGkASQBuAGkAdABGAGEAaQBsAGUAZ"; fast_pattern; classtype:trojan-activity; sid:2024535; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible AMSI Powershell Bypass Attempt B643"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"hAG0AcwBpAEkAbgBpAHQARgBhAGkAbABlAG"; fast_pattern; classtype:trojan-activity; sid:2024536; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible AMSI Powershell Bypass Attempt"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"System.Management.Automation.AmsiUtils"; fast_pattern; nocase; content:"amsiInitFailed"; nocase; content:"setvalue"; nocase; content:"$null"; nocase; distance:0; content:"$true"; nocase; distance:0; classtype:trojan-activity; sid:2024537; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
# Veil B641-B643: the three base64 alignments of the UTF-16LE stager fragment ",$([Convert]::FromBase64String("
# as it appears inside an -EncodedCommand blob. No explicit fast_pattern; the engine will pick the long
# base64 content, which is what you want.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Veil Powershell Encoder B641"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"KAAsACQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAo"; classtype:trojan-activity; sid:2024538; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Veil Powershell Encoder B642"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"gALAAkACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAK"; classtype:trojan-activity; sid:2024539; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Veil Powershell Encoder B643"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"oACwAJAAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnAC"; classtype:trojan-activity; sid:2024540; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
# Response-side confirmation: fires only on a flow already tagged ET.genericphish by a setter outside this
# section, and only when "PASSWORD NOT MATCHED" is the very first thing in the body (depth:20 == its length).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Successful Phish - Verify Email Error Message M1 Aug 14 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"PASSWORD NOT MATCHED"; nocase; depth:20; fast_pattern; classtype:trojan-activity; sid:2024541; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_08_11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Paypal Phish M2 Aug 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"address_1="; depth:10; nocase; http_client_body; fast_pattern; content:"&address_2="; nocase; distance:0; http_client_body; content:"&city="; nocase; distance:0; http_client_body; content:"&state="; nocase; distance:0; http_client_body; content:"&postal="; nocase; distance:0; http_client_body; content:"&country="; nocase; distance:0; http_client_body; content:"&phone="; nocase; distance:0; http_client_body; content:"&number_1="; nocase; distance:0; http_client_body; content:"&number_2="; nocase; distance:0; http_client_body; content:"&number_3="; nocase; distance:0; http_client_body; content:"&month="; nocase; distance:0; http_client_body; content:"&day="; nocase; distance:0; http_client_body; content:"&year="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024545; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Paypal Phish M3 Aug 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"country="; depth:8; nocase; http_client_body; content:"&cc_holder="; nocase; distance:0; http_client_body; content:"&cc_number="; nocase; distance:0; http_client_body; fast_pattern; content:"&expdate_month="; nocase; distance:0; http_client_body; content:"&expdate_year="; nocase; distance:0; http_client_body; content:"&cvv2_number="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024546; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_08_14;)
# Zbot .bin fetch: a GET for /<short-name>.bin with an MSIE UA and no Referer / Accept-Language. The run of
# negated http_header contents (passport.net, symantec.com, qq.com, ...) is a false-positive allow-list for
# legitimate .bin downloads; extend it through the rule-management layer rather than editing here.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin"; flow:established,to_server; content:"GET"; http_method; content:".bin"; http_uri; fast_pattern:only; pcre:"/\/[a-z0-9]{1,31}\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-Language|3a|"; http_header; content:" MSIE "; http_header; content:!"AskTbARS"; http_header; content:!".passport.net|0d 0a|"; http_header; content:!".microsoftonline-p.net|0d 0a|"; http_header; content:!".symantec.com|0d 0a|"; http_header; content:!".qq.com|0d 0a|"; http_header; content:!"kankan.com|0d 0a|"; http_header; content:!"aocdn.net"; http_header; content:!"conf.v.xunlei.com|0d 0a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2018052; rev:7; metadata:created_at 2014_02_01, updated_at 2020_03_06;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Square Phish Nov 16 2015"; flow:to_server,established; content:"POST"; http_method; content:"cmd=_identifier_Demarrer_ID="; http_header; nocase; fast_pattern:8,20; content:"&submit.x="; nocase; http_client_body; content:"&submit.y="; nocase; http_client_body; distance:0; classtype:trojan-activity; sid:2024547; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
# Squiblydoo-style .sct scriptlet (<registration>/progid/<script>/CDATA) spawning PowerShell via WScript.Shell.
# The pcre spells "powershell" letter by letter, allowing a quote-concat ("+" / "&") or caret (^) escape
# between any two letters, so the common string-splitting / cmd-escaping obfuscations still match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Windows Scriptlet Invoking Powershell Likely Malicious"; flow:established,from_server; file_data; content:"WScript.shell"; nocase; fast_pattern:only; content:"ActiveXObject"; nocase; content:"<registration"; nocase; distance:0; content:"progid"; distance:0; nocase; content:"<script"; nocase; distance:0; content:"<![CDATA["; nocase; distance:0; pcre:"/^.{1,1000}p(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?o(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?w(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?e(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?r(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?s(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?h(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?e(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?l(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?l/Rsi"; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024549; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2020_08_19;)
# SCT download M1-M3/AX all gate on flowbit et.IE7.NoRef.NoCookie, which is set by a rule outside this section
# (per its name: an IE7-UA request with no Referer and no Cookie). If that setter is disabled or the request
# leg is not seen, none of these four will ever fire.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Likely Malicious Windows SCT Download MSXMLHTTP M1"; flow:established,to_server; flowbits:isset,et.IE7.NoRef.NoCookie; content:".sct"; http_uri; nocase; fast_pattern:only; pcre:"/\.sct$/Ui"; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024550; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell, performance_impact Low, signature_severity Major, tag PowerShell_Downloader, updated_at 2019_10_07;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Malicious Windows SCT Download MSXMLHTTP M2"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; content:"Content-Type|3a 20|text/scriptlet"; http_header; nocase; fast_pattern:only; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024551; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell, signature_severity Major, tag PowerShell_Downloader, updated_at 2019_10_07;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Malicious Windows SCT Download MSXMLHTTP M3"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; content:"Content-Disposition|3a 20|"; nocase; http_header; content:".sct"; http_header; nocase; pcre:"/^Content-Disposition\x3a[^\r\n]*\.sct[\x22\x27\s\r\n]/Hmi"; fast_pattern:only; classtype:trojan-activity; sid:2024552; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell, signature_severity Major, tag PowerShell_Downloader, updated_at 2019_10_07;)
# REVIEW: "distance:0" on the first content after file_data has no preceding match to be relative to; it
# looks carried over from sid 2024549, where "<registration" followed an "ActiveXObject" match. Harmless in
# Snort (relative to the buffer start) but it can be dropped; the ActiveXObject match here is at the end.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Malicious Windows SCT Download MSXMLHTTP AX"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; file_data; content:"<registration"; nocase; distance:0; content:"progid"; distance:0; nocase; content:"<script"; nocase; distance:0; content:"<![CDATA["; nocase; content:"ActiveXObject"; nocase; distance:0; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024553; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell, signature_severity Major, tag PowerShell_Downloader, updated_at 2017_08_15;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish M1 Aug 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"FromPreSignIn_SIP="; depth:18; nocase; http_client_body; fast_pattern; content:"&LANGUAGE="; nocase; distance:0; http_client_body; content:"&RSA_DEVPRINT="; nocase; distance:0; http_client_body; content:"&cn1="; nocase; distance:0; http_client_body; content:"&cn2="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024586; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
# Second-stage form of the same kit: card, PIN, mother's maiden name, SSN, DL and DOB fields - a hit means
# full identity data has been handed over, not just a login.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish M2 Aug 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"cc="; depth:3; nocase; http_client_body; content:"&pin="; nocase; distance:0; http_client_body; content:"&ccin="; nocase; distance:0; http_client_body; fast_pattern; content:"&mmn="; nocase; distance:0; http_client_body; content:"&ssn1="; nocase; distance:0; http_client_body; content:"&ssn2="; nocase; distance:0; http_client_body; content:"&ssn3="; nocase; distance:0; http_client_body; content:"&dl="; nocase; distance:0; http_client_body; content:"&month="; nocase; distance:0; http_client_body; content:"&day="; nocase; distance:0; http_client_body; content:"&year="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024587; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
# Generic CC/PII/SSN trio: no URI, host or ordering constraint, just four (three) unanchored body field names,
# and the CC rule uses destination port "any". They fire on any POST to an external host using those names,
# so review hits against known legitimate forms before escalating; sid 2015952 already carves out the
# LabTech agent UA as a known false positive.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Credit Card Information Phish"; flow:established,to_server; content:"POST"; http_method; content:"creditcard="; http_client_body; fast_pattern; content:"expyear="; http_client_body; content:"ccv="; http_client_body; content:"pin="; http_client_body; classtype:trojan-activity; sid:2015907; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Generic PII Phish"; flow:established,to_server; content:"POST"; http_method; content:"&phone3="; http_client_body; content:"&ssn3="; http_client_body; fast_pattern; content:"&dob3="; http_client_body; classtype:trojan-activity; sid:2015908; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic SSN Phish"; flow:established,to_server; content:"POST"; http_method; content:"ssn1="; http_client_body; fast_pattern; content:"ssn2="; http_client_body; content:"ssn3="; http_client_body; content:!"User-Agent|3a 20|LabTech Agent"; http_header; classtype:trojan-activity; sid:2015952; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
# Landing page (response side): a POST form to a .php plus the five "Sign in with ..." provider buttons in
# that fixed order. policy-violation / Minor: the user has only been served the page at this point.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Google Drive Phishing Landing Jul 10 2015"; flow:to_client,established; file_data; content:".php|22 20|method=|22|POST|22|"; fast_pattern; content:"Sign in with Gmail"; distance:0; content:"Sign in with Yahoo"; distance:0; content:"Sign in with Hotmail"; distance:0; content:"Sign in with AOL"; distance:0; content:"Sign in with Others"; distance:0; classtype:policy-violation; sid:2025683; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_07_12;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful AOL Phish Nov 25 2013"; flow:established,to_server; content:"POST"; http_method; content:"/aol.php"; http_uri; fast_pattern; content:"Sign+In"; http_client_body; nocase; classtype:bad-unknown; sid:2017750; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_11_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful AOL Phish Nov 21 2012"; flow:established,to_server; content:"POST"; http_method; content:"aoluser="; http_client_body; 
content:"aolpassword="; http_client_body; classtype:bad-unknown; sid:2015910; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Google Drive/Dropbox Phishing Landing Jul 10 2015"; flow:to_client,established; file_data; content:"openOffersDialog|28 29 3b|"; content:"dropboxmaincontent"; fast_pattern; distance:0; content:"Verification Required"; nocase; distance:0; classtype:policy-violation; sid:2021400; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_08_17;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Successful Phish - Generic Status Messages Sept 11 2015"; flow:established,to_client; file_data; content:"|22|ajax_timeout|22 20 3A 20 22|"; content:"Authenticating|20 E2 80 A6 22 2C|"; fast_pattern; distance:0; content:"|22|expired_session|22 20 3A 20 22|Your"; distance:0; content:"|22|prevented_xfer|22 20 3A 20 22|The session"; distance:0; content:"successful. 
Redirecting|20 E2 80 A6 22 2C|"; distance:0; content:"|22|token_incorrect|22 20 3A 20 22|The security"; distance:0; classtype:trojan-activity; sid:2021761; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_08_17;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Generic Phishing Landing Jul 28 2015"; flow:established,to_client; file_data; content:"function ValidateFormOther()"; fast_pattern:8,20; classtype:trojan-activity; sid:2021537; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_08_17;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Generic Phishing Landing Jul 28 2015"; flow:established,to_client; file_data; content:"function ValidateFormHotmail()"; fast_pattern:10,20; classtype:trojan-activity; sid:2021538; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_08_17;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Generic Phishing Landing Jul 28 2015"; flow:established,to_client; file_data; content:"function ValidateFormGmail()"; fast_pattern:8,20; classtype:trojan-activity; sid:2021539; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_08_17;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Generic Phishing Landing Jul 28 2015"; flow:established,to_client; file_data; content:"function ValidateFormYahoo()"; 
fast_pattern:8,20; classtype:trojan-activity; sid:2021540; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_08_17;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Generic Phishing Landing Jul 12 2013"; flow:established,to_client; file_data; content:"function ValidateFormAol()"; fast_pattern:6,20; classtype:trojan-activity; sid:2017135; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_07_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_08_17;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Gmail Phish Nov 25 2013"; flow:established,to_server; content:"POST"; http_method; content:"/gmail.php"; http_uri; fast_pattern; content:"Sign+In"; http_client_body; nocase; classtype:trojan-activity; sid:2017752; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_11_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Gmail Phish Nov 21 2012"; flow:established,to_server; content:"POST"; http_method; content:"gmailuser="; http_client_body; content:"gmailpassword="; http_client_body; classtype:trojan-activity; sid:2015912; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Hotmail Phish Nov 21 2012"; flow:established,to_server; content:"POST"; http_method; 
content:"hotmailuser="; http_client_body; content:"hotmailpassword="; http_client_body; classtype:trojan-activity; sid:2015913; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Phish - Other Credentials Nov 25 2013"; flow:established,to_server; content:"POST"; http_method; content:"/other.php"; http_uri; fast_pattern; content:"Sign+In"; http_client_body; nocase; classtype:trojan-activity; sid:2017754; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_11_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Phish - Other Credentials Nov 21 2012"; flow:established,to_server; content:"POST"; http_method; content:"otheruser="; http_client_body; content:"otherpassword="; http_client_body; classtype:trojan-activity; sid:2015914; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Yahoo Phish Nov 25 2013"; flow:established,to_server; content:"POST"; http_method; content:"/yahoo.php"; http_uri; fast_pattern; content:"Sign+In"; http_client_body; nocase; classtype:bad-unknown; sid:2017751; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_11_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;) alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Yahoo Phish Nov 21 2012"; flow:established,to_server; content:"POST"; http_method; content:"yahoouser="; http_client_body; content:"yahoopassword="; http_client_body; classtype:trojan-activity; sid:2015911; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Paypal Phish Nov 24 2014"; flow:established,to_server; content:"_bkid="; http_client_body; content:"_bkpass="; http_client_body; fast_pattern:only; content:"_accn="; http_client_body; classtype:bad-unknown; sid:2019784; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_11_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2019_10_07;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Paypal Phish Nov 24 2014 "; flow:established,to_server; content:"_fulln="; http_client_body; fast_pattern:only; content:"_ccn="; http_client_body; content:"_ccv="; http_client_body; classtype:bad-unknown; sid:2019783; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_11_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2019_10_07;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful PayPal Phish Nov 24 2014"; flow:established,to_server; content:"_fn="; http_client_body; content:"_ln="; http_client_body; content:"_birthd="; http_client_body; fast_pattern:only; classtype:bad-unknown; sid:2019782; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_11_24, deployment Perimeter, former_category CURRENT_EVENTS, 
signature_severity Major, tag Phishing, updated_at 2019_10_07;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Yahoo Phish Jun 23 2015"; flow:established,to_server; content:"POST"; http_method; content:"/yahoo.php"; http_uri; fast_pattern; content:".tries="; http_client_body; nocase; depth:7; content:"&.challenge="; http_client_body; nocase; distance:0; classtype:bad-unknown; sid:2021323; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Interac Phish Aug 18 2017"; flow:to_server,established; content:"POST"; http_method; content:"fiId="; depth:5; nocase; http_client_body; content:"&cuId="; nocase; distance:0; http_client_body; content:"&hiddenFiLabel="; nocase; distance:0; http_client_body; content:"&hiddenCuLabel="; nocase; distance:0; http_client_body; content:"&isMobileBrowser="; nocase; distance:0; http_client_body; content:"&language="; nocase; distance:0; http_client_body; content:"&paymentRefNum="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2024599; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Aug 22 2017"; flow:to_server,established; content:"POST"; http_method; content:"xxx="; depth:4; nocase; http_client_body; content:"&yyy="; nocase; http_client_body; fast_pattern; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2025027; rev:2; metadata:affected_product Web_Browsers, attack_target 
Client_Endpoint, created_at 2017_08_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Malicious Windows SCT Download MSXMLHTTP AX M2"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; file_data; content:"<package"; nocase; distance:0; content:"<component"; distance:0; nocase; content:"<script"; nocase; distance:0; content:"<![CDATA["; nocase; content:"ActiveXObject"; nocase; distance:0; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024602; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell_Downloader, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2017_08_22;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Hancitor/Tordal Document Request"; flow:established,to_server; content:"GET"; http_method; content:".php?d="; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:!"Cookie"; pcre:"/\.php\?d=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U"; flowbits:set,ET.Hancitor; flowbits:noalert; classtype:trojan-activity; sid:2024604; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Hancitor, malware_family Tordal, performance_impact Moderate, signature_severity Major, updated_at 2020_03_04;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Hancitor/Tordal Document Inbound"; flow:established,from_server; content:"200"; http_stat_code; 
content:"Content-Type|3a 20|application/msword|3b|"; http_header; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; http_header; content:".doc"; distance:0; http_header; file_data; content:"|d0 cf 11 e0|"; depth:4; fast_pattern; flowbits:isset,ET.Hancitor; classtype:trojan-activity; sid:2024605; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Hancitor, malware_family Tordal, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Disdain EK URI Struct Aug 23 2017 M1"; flow:established,to_server; urilen:>41; content:".php"; offset:38; depth:4; http_uri; pcre:"/^\/(?=[a-z0-9]{0,22}[A-Z]+?[a-z0-9])(?=[A-Z0-9]{0,22}[a-z]+?[A-Z0-9])[a-zA-Z0-9]{24}\/[a-zA-Z0-9]{12}\.php(?:\?[^&=]+=(?:[a-zA-Z0-9]{8}|0(?:189|037)|flash|2(?:551|419)|6332))?$/U"; flowbits:set,ET.DisDain.EK; classtype:trojan-activity; sid:2024606; rev:1; metadata:created_at 2017_08_23, updated_at 2020_08_11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Disdain EK URI Struct Aug 23 2017 M2"; flow:established,to_server; urilen:34; content:"/test.mp3"; offset:25; depth:9; http_uri; pcre:"/^\/(?=[a-z0-9]{0,22}[A-Z]+?[a-z0-9])(?=[A-Z0-9]{0,22}[a-z]+?[A-Z0-9])[a-zA-Z0-9]{24}\/test\.mp3$/U"; flowbits:set,ET.DisDain.EK; classtype:trojan-activity; sid:2024607; rev:1; metadata:created_at 2017_08_23, updated_at 2020_08_11;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Disdain EK Payload Aug 23 2017"; flow:established,from_server; file_data; content:"|30 26 e2 3d 9d f5 5b 16|"; within:8; flowbits:set,ET.DisDain.EK; classtype:trojan-activity; sid:2024608; rev:1; metadata:created_at 2017_08_23, updated_at 2017_08_23;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS 
Disdain EK Flash Exploit M1 Aug 23 2017"; flow:established,from_server; flowbits:isset,ET.DisDain.EK; file_data; content:"CWS"; within:3; classtype:trojan-activity; sid:2024609; rev:1; metadata:created_at 2017_08_23, updated_at 2017_08_23;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Disdain EK Flash Exploit M2 Aug 23 2017"; flow:established,from_server; flowbits:isset,ET.DisDain.EK; file_data; content:"ZWS"; within:3; classtype:trojan-activity; sid:2024610; rev:1; metadata:created_at 2017_08_23, updated_at 2017_08_23;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Disdain EK Flash Exploit M3 Aug 23 2017"; flow:established,from_server; flowbits:isset,ET.DisDain.EK; file_data; content:"FWS"; within:3; classtype:trojan-activity; sid:2024611; rev:1; metadata:created_at 2017_08_23, updated_at 2017_08_23;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Disdain EK Landing Aug 23 2017"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"document.write("; content:"w6UKpvNSUQKuCVmSVlTLELdj"; distance:0;within:75; flowbits:isset,ET.DisDain.EK; classtype:trojan-activity; sid:2024612; rev:1; metadata:created_at 2017_08_23, updated_at 2020_08_11;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Aug 25 2017"; flow:to_server,established; content:"POST"; http_method; content:"e="; depth:2; nocase; http_client_body; content:"&p="; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024614; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_11;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Poloniex Cryptocurrency 
Exchange Phish Aug 28 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; content:"302"; http_stat_code; content:"Location|3a 20|https://poloniex.com"; http_header; fast_pattern; classtype:trojan-activity; sid:2024617; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Exmo Cryptocurrency Exchange Phish Aug 28 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; content:"302"; http_stat_code; content:"Location|3a 20|https://exmo.com"; http_header; fast_pattern; classtype:trojan-activity; sid:2024618; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Paxful Cryptocurrency Wallet Phish Aug 30 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; content:"302"; http_stat_code; content:"Location|3a 20|https://paxful.com"; http_header; classtype:trojan-activity; sid:2024621; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible NatWest Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>NatWest Online Banking"; nocase; classtype:bad-unknown; sid:2024622; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, 
tag Phishing, updated_at 2017_08_30;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible NatWest Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"Pin and Password - NWOLB"; nocase; classtype:bad-unknown; sid:2024623; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_08_30;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible NatWest Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"Security Details - NWOLB"; nocase; classtype:bad-unknown; sid:2024624; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_08_30;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Aug 31 2017"; flow:to_server,established; content:"GET"; http_method; content:".php?"; http_uri; content:"csrfmiddlewaretoken="; nocase; http_uri; distance:0; content:"username="; nocase; http_uri; content:"&password="; nocase; http_uri; fast_pattern; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024638; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_12;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful LocalBitcoins Cryptocurrency Exchange Phish Aug 30 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; content:"302"; http_stat_code; content:"Location|3a 20|https://localbitcoins.com"; http_header; 
classtype:trojan-activity; sid:2024640; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_12;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HEX Payload DL with MSXMLHTP (Observed in Locky campaign)"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; file_data; content:"4d"; nocase; within:2; pcre:"/^\s*5a\s*90\s*00\s*03\s*00\s*00\s*00/Rsi"; classtype:trojan-activity; sid:2024650; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Significant, signature_severity Major, updated_at 2019_05_28;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"Dropbox - Verify Email"; fast_pattern; classtype:trojan-activity; sid:2024656; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_09_01;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Rip Sep 05 2017"; flow:established,from_server; file_data; content:"iddq"; fast_pattern:only; content:").)+?FlashVars)(?:(?!<\/>).)+?value\s*?=\s*?[\x22\x27]iddqd?\s*=/Rsi"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2024660; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, performance_impact Moderate, signature_severity Major, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"ET CURRENT_EVENTS RIG EK Rip Sep 05 2017 M2"; flow:established,from_server; file_data; content:"iddq"; fast_pattern:only; content:").)+?FlashVars)(?:(?!<\/>).)+?value\s*?=\s*?[\x22\x27][^=]*\s*=EB02EB05E8F9FFFFFF/Rsi"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2024661; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, performance_impact Moderate, signature_severity Major, updated_at 2019_10_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit"; flow:established,from_server; file_data; content:"triggerBug"; nocase; fast_pattern; pcre:"/^\s*(?:\x28|\%28)/Rs"; content:"exploit"; nocase; pcre:"/^\s*(?:\x28|\%28)o/Rs"; content:"intToStr"; nocase; pcre:"/^\s*(?:\x28|\%28)x/Rs"; content:"strToInt"; nocase; pcre:"/^\s*(?:\x28|\%28)s/Rs"; classtype:trojan-activity; sid:2024676; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Critical, updated_at 2017_09_07;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit HFS Actor"; flow:established,from_server; content:"Server|3a 20|HFS"; http_header; file_data; content:"triggerBug"; nocase; fast_pattern; content:"exploit"; nocase; content:"intToStr"; nocase; content:"strToInt"; nocase; classtype:trojan-activity; sid:2024677; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Critical, updated_at 2020_08_12;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS 
Possible Locky VB/JS Loader Download Sep 08 2017"; flow:established,from_server; content:!"Cookie|3a|"; file_data; content:"|3c 64 69 76 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 23 65 65 65 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 70 61 64 64 69 6e 67 3a 35 70 78 20 31 30 70 78 3b 22 3e 59 6f 75 72|"; nocase; within:100; fast_pattern:53,20; pcre:"/^[a-z0-9!\x22#$%&'()*+,.\/\x3a\x3b<=>?@\[\] ^_`{|}~\s-]+?downloading\.?\s*Please wait\x2e*<\/div\>\s*