# Emerging Threats # # This distribution may contain rules under two different licenses. # # Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2. # A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html # # Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License # as follows: # #************************************************************* # Copyright (c) 2003-2020, Emerging Threats # All rights reserved. # # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # # # # # This Ruleset is EmergingThreats Open optimized for suricata-4.0-enhanced. #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malvertising drive by kit encountered - Loading..."; flow:established,to_client; content:"HTTP/1"; depth:6; content:"Loading...
"; nocase; reference:url,doc.emergingthreats.net/2011223; classtype:bad-unknown; sid:2011223; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SWF served from /tmp/ "; flow:established,to_server; content:"/tmp/"; http_uri; fast_pattern; content:".swf"; http_uri; pcre:"/\/tmp\/[^\/]+\.swf$/U"; classtype:bad-unknown; sid:2011970; rev:1; metadata:created_at 2010_11_23, updated_at 2010_11_23;) #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Neosploit Toolkit download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/GNH11.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=piadraspgdw.com; reference:url,labs.m86security.com/2011/01/shedding-light-on-the-neosploit-exploit-kit; classtype:trojan-activity; sid:2012333; rev:3; metadata:created_at 2011_02_22, updated_at 2011_02_22;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RetroGuard Obfuscated JAR likely part of hostile exploit kit"; flow:established,from_server; content:"classPK"; content:"|20|by|20|RetroGuard|20|Lite|20|"; reference:url,www.retrologic.com; classtype:trojan-activity; sid:2012518; rev:2; metadata:created_at 2011_03_17, former_category CURRENT_EVENTS, updated_at 2011_03_17;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site WindowsLive.png"; flow:established,to_server; content:"/images/WindowsLive.png"; http_uri; depth:23; classtype:bad-unknown; sid:2012529; rev:3; metadata:created_at 2011_03_21, updated_at 2011_03_21;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site Landing Page"; flow:established,from_server; content:"MWL"; classtype:bad-unknown; sid:2012530; rev:3; metadata:created_at 2011_03_21, updated_at 2011_03_21;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WindowsLive 
Imposter Site blt .png"; flow:established,to_server; content:"/images/blt"; http_uri; depth:11; content:".png"; http_uri; within:6; classtype:bad-unknown; sid:2012531; rev:3; metadata:created_at 2011_03_21, updated_at 2011_03_21;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site Payload Download"; flow:established,to_server; content:"/MRT/update/"; http_uri; depth:12; content:".exe"; http_uri; classtype:bad-unknown; sid:2012532; rev:2; metadata:created_at 2011_03_21, updated_at 2011_03_21;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit io.exe download served"; flow:established,from_server; content:"|3b 20|filename=io.exe|0d 0a|"; fast_pattern; classtype:trojan-activity; sid:2012610; rev:2; metadata:created_at 2011_03_31, updated_at 2011_03_31;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Internal WebServer Compromised By Lizamoon Mass SQL-Injection Attacks"; flow:established,from_server; content:""; within:100; reference:url,malwaresurvival.net/tag/lizamoon-com/; classtype:web-application-attack; sid:2012614; rev:5; metadata:created_at 2011_03_31, updated_at 2011_03_31;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Potential Lizamoon Client Request /ur.php"; flow:established,to_server; content:"GET"; http_method; content:"/ur.php"; http_uri; content:"GET /ur.php "; depth:12; classtype:trojan-activity; sid:2012625; rev:3; metadata:created_at 2011_04_04, updated_at 2011_04_04;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing victim POSTing data"; flow:established,to_server; content:"POST"; http_method; content:"usr="; content:"&pwd="; content:"&name-on="; content:"&cu-on="; content:"&how2-on="; fast_pattern; classtype:bad-unknown; sid:2012630; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_04_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 
2016_07_01;) #alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Potential Paypal Phishing Form Attachment"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"Restore Your Account"; distance:0; nocase; content:"paypal"; distance:0; nocase; content:"form.php|22| method=|22|post|22|"; nocase; distance:0; classtype:bad-unknown; sid:2012632; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_04_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Potential ACH Transaction Phishing Attachment"; flow:established,to_server; content:"ACH transaction"; nocase; content:".pdf.exe"; nocase; classtype:bad-unknown; sid:2012635; rev:2; metadata:attack_target Client_Endpoint, created_at 2011_04_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Java Exploit Attempt Request for hostile binary"; flow:established,to_server; content:"&|20|HTTP/1.1|0d 0a|User-A"; fast_pattern; content:".php?height="; http_uri; content:"|20|Java/"; http_header; pcre:"/\/[a-z0-9]{30,}\.php\?height=\d+&sid=\d+&width=[a-z0-9]+&/U"; classtype:trojan-activity; sid:2012644; rev:3; metadata:created_at 2011_04_06, updated_at 2011_04_06;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious JAR olig"; flow:established,from_server; content:"|00 00|META-INF/PK|0a|"; fast_pattern; content:"|00|olig/"; classtype:trojan-activity; sid:2012646; rev:3; metadata:created_at 2011_04_06, updated_at 2011_04_06;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Pack Binary Load Request"; flow:established,to_server; content:".php?sex="; nocase; http_uri; content:"&children="; nocase; http_uri; content:"&userid="; nocase; http_uri; 
pcre:"/\.php\?sex=\d+&children=\d+&userid=/U"; classtype:trojan-activity; sid:2012687; rev:2; metadata:created_at 2011_04_13, updated_at 2011_04_13;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Flash Unicode SWF File Embedded in Office File Caution - Could be Hostile"; flow:established,from_server; flowbits:isset,OLE.CompoundFile; content:"S|00|W|00|F|00|"; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; reference:cve,2011-0611; classtype:attempted-user; sid:2012622; rev:5; metadata:created_at 2011_04_01, updated_at 2011_04_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Likely Redirector to Exploit Page /in/rdrct/rckt/?"; flow:established,to_server; content:"/in/rdrct/rckt/?"; http_uri; classtype:attempted-user; sid:2012731; rev:2; metadata:created_at 2011_04_28, updated_at 2011_04_28;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown .ru Exploit Redirect Page"; flow:established,to_server; content:"people/?"; http_uri; content:"&top="; http_uri; content:".ru|0d 0a|"; http_header; classtype:bad-unknown; sid:2012732; rev:2; metadata:created_at 2011_04_28, updated_at 2011_04_28;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Eleonore Exploit Pack exemple.com Request"; flow:established,to_server; content:"/exemple.com/"; nocase; http_uri; classtype:trojan-activity; sid:2012940; rev:2; metadata:created_at 2011_06_07, updated_at 2011_06_07;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Java/PDF Exploit kit from /Home/games/ initial landing"; flow:established,to_server; content:"/Home/games/2fdp.php?f="; http_uri; classtype:trojan-activity; sid:2013025; rev:2; metadata:created_at 
2011_06_13, former_category EXPLOIT_KIT, updated_at 2011_06_13;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Exploit kit mario.jar"; flow:established,to_server; content:"pack200"; http_header; content:" Java/"; http_header; content:"/mario.jar"; http_uri; classtype:trojan-activity; sid:2013024; rev:3; metadata:created_at 2011_06_13, former_category EXPLOIT_KIT, updated_at 2011_06_13;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Java/PDF Exploit kit initial landing"; flow:established,to_server; content:"/2fdp.php?f="; http_uri; classtype:trojan-activity; sid:2013027; rev:3; metadata:created_at 2011_06_13, former_category EXPLOIT_KIT, updated_at 2011_06_13;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Shipping Invoice Request to JPG.exe Executable"; flow:established,to_server; content:"/invoice"; nocase; http_uri; content:".JPG.exe"; nocase; fast_pattern; classtype:trojan-activity; sid:2013048; rev:4; metadata:created_at 2011_06_16, updated_at 2011_06_16;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sidename.js Injected Script Served by Local WebServer"; flow:established,from_server; content:"/sidename.js\">"; nocase; fast_pattern:only; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:web-application-attack; sid:2013061; rev:3; metadata:created_at 2011_06_17, updated_at 2011_06_17;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit Attempt applet via file URI setAttribute"; flow:established,from_server; content:"setAttribute("; content:"C|3a 5c 5c|Progra"; fast_pattern; nocase; distance:0; content:"java"; nocase; distance:0; content:"jre6"; nocase; distance:0; content:"lib"; nocase; distance:0; content:"ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; 
reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013066; rev:3; metadata:created_at 2011_06_17, updated_at 2011_06_17;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Driveby Exploit Kit Browser Progress Checkin - Binary Likely Previously Downloaded"; flow:established,to_server; content:"/?"; http_uri; content:!" Java/"; http_header; pcre:"/\/\?[a-f0-9]{64}\;\d\;\d/U"; classtype:trojan-activity; sid:2013098; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_06_22, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2011-2110 Flash Exploit Attempt Embedded in Web Page"; flow:established,to_client; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2011-2110 Flash Exploit Attempt"; flow:established,to_server; content:"GET /"; depth:5; content:".swf?info=02"; http_uri; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20110617; classtype:trojan-activity; sid:2013065; rev:4; metadata:created_at 2011_06_17, updated_at 2011_06_17;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS cssminibar.js Injected Script Served by Local WebServer"; flow:established,from_server; content:"cssminibar.js|22|>"; nocase; fast_pattern:only; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:web-application-attack; sid:2013192; rev:2; metadata:created_at 2011_07_05, updated_at 2011_07_05;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Injected Credit Card Fraud Malvertisement Script"; flow:established,to_client; content:"|3C|script|3E|ba|28 27|Windows.class|27 2C 27|Windows.jar|27 29 3B 3C 2F|script|3E|"; nocase; reference:url,blogs.paretologic.com/malwarediaries/index.php/2011/07/06/stolen-credit-cards-site-injected-with-malware/; classtype:misc-activity; 
sid:2013244; rev:2; metadata:created_at 2011_07_11, updated_at 2011_07_11;) #alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - flickr.com.* "; content:"|05|flickr|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013353; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2016_07_01;) #alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - picasa.com.* "; content:"|06|picasa|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013354; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2016_07_01;) #alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - blogger.com.* "; content:"|07|blogger|03|com"; nocase; content:!"|00|"; within:1; 
reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013355; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2016_07_01;) #alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - wordpress.com.* "; content:"|09|wordpress|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013357; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2016_07_01;) #alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - img.youtube.com.* "; content:"|03|img|07|youtube|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; 
reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013358; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2016_07_01;) #alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - upload.wikimedia.com.* "; content:"|06|upload|09|wikimedia|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013359; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2016_07_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript Often Used in Drivebys"; flow:established,from_server; content:"Content-Type|3a 20|text/html"; content:"|0d 0a|
\d{16}/R"; classtype:trojan-activity; sid:2013237; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_08, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious 1px iframe related to Mass Wordpress Injections"; flow:established,from_server; content:"/?go=1|22 20|width=|22|1|22 20|height=|22|1|22|>"; fast_pattern; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit Attempt applet via file URI param"; flow:established,from_server; content:"applet"; nocase; content:"file|3a|C|3a 5c|Progra"; fast_pattern; nocase; distance:0; content:"java"; nocase; distance:0; content:"jre6"; nocase; distance:0; content:"lib"; nocase; distance:0; content:"ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012884; rev:3; metadata:created_at 2011_05_27, updated_at 2011_05_27;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Exploit kit worms.jar"; flow:established,to_server; content:"pack200"; http_header; content:" Java/"; http_header; content:"/worms.jar"; http_uri; classtype:trojan-activity; sid:2013661; rev:2; metadata:created_at 2011_09_15, former_category EXPLOIT_KIT, updated_at 2011_09_15;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Driveby Generic Java Exploit Attempt"; flow:established,to_client; content:" codebase=|22|C|3a 5c|Program Files|5c|java|5c|jre6|5c|lib|5c|ext|22| code="; nocase; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013551; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_09, deployment 
Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Driveby Generic Java Exploit Attempt 2"; flow:established,to_client; content:" codebase=|22|C|3a 5c|Program Files (x86)|5c|java|5c|jre6|5c|lib|5c|ext|22| code="; nocase; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013552; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_09, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit x.jar?o="; flow:established,to_server; content:"/x.jar?o="; http_uri; content:"|20|Java/"; http_header; classtype:trojan-activity; sid:2013696; rev:3; metadata:created_at 2011_09_27, former_category EXPLOIT_KIT, updated_at 2011_09_27;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit lo.class"; flow:established,to_server; content:"/lo.class"; http_uri; content:"|20|Java/"; http_header; classtype:trojan-activity; sid:2013697; rev:3; metadata:created_at 2011_09_27, former_category EXPLOIT_KIT, updated_at 2011_09_27;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit lo2.jar"; flow:established,to_server; content:"/lo2.jar"; http_uri; content:"|20|Java/"; http_header; classtype:trojan-activity; sid:2013698; rev:3; metadata:created_at 2011_09_27, former_category EXPLOIT_KIT, updated_at 2011_09_27;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lilupophilupop Injected Script Being Served to Client"; flow:established,to_client; content:"|3C|script src=|22|http|3A|//lilupophilupop.com/sl.php|22|>|3C 2F|script>"; nocase; classtype:bad-unknown; sid:2013978; rev:3; 
metadata:created_at 2011_12_02, updated_at 2011_12_02;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Lilupophilupop Injected Script Being Served from Local Server"; flow:established,from_server; content:"|3C|script src=|22|http|3A|//lilupophilupop.com/sl.php|22|>|3C 2F|script>"; nocase; classtype:bad-unknown; sid:2013979; rev:3; metadata:created_at 2011_12_02, updated_at 2011_12_02;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Likely Generic Java Exploit Attempt Request for Java to decimal host"; flow:established,to_server; content:" Java/1"; http_header; pcre:"/Host\x3a \d{8,10}(\x0d\x0a|\x3a\d{1,5}\x0d\x0a)/H"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013487; rev:5; metadata:created_at 2011_08_30, updated_at 2011_08_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Probable Scalaxy exploit kit Java or PDF exploit request"; flow:established,to_server; content:"/"; http_uri; offset:2; depth:3; urilen:35; pcre:"/\/[a-z]\/[0-9a-f]{32}$/U"; classtype:bad-unknown; sid:2014025; rev:1; metadata:created_at 2011_12_12, former_category EXPLOIT_KIT, updated_at 2011_12_12;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Base64 in Javascript probably Scalaxy exploit kit"; flow:established,from_server; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; content:"|2b 2f 3d 22 3b|"; fast_pattern; content:"<<18|7c|"; within:500; content:"<<12|7c|"; within:13; content:"<<6|7c|"; within:13; classtype:bad-unknown; sid:2014027; rev:2; metadata:created_at 2011_12_12, former_category CURRENT_EVENTS, updated_at 2011_12_12;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested com.class"; 
flow:established,to_server; content:" Java/1"; http_header; content:"/com.class"; http_uri; classtype:trojan-activity; sid:2014031; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_19, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested org.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/org.class"; http_uri; classtype:trojan-activity; sid:2014032; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_19, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested edu.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/edu.class"; http_uri; classtype:trojan-activity; sid:2014033; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_19, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested net.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/net.class"; http_uri; classtype:trojan-activity; sid:2014034; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_19, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS User-Agent used in Injection Attempts"; flow:established,to_server; content:"User-Agent|3a| MOT-MPx220/1.400 Mozilla/4.0"; http_header; 
reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2011-December/016882.html; classtype:trojan-activity; sid:2014054; rev:2; metadata:created_at 2011_12_30, updated_at 2011_12_30;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of Microsft Office File From Russian Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; content:"|D0 CF 11 E0 A1 B1 1A E1|"; classtype:trojan-activity; sid:2012525; rev:3; metadata:created_at 2011_03_21, updated_at 2011_03_21;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of Microsoft Office File From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; content:"|D0 CF 11 E0 A1 B1 1A E1|"; classtype:trojan-activity; sid:2012526; rev:3; metadata:created_at 2011_03_21, updated_at 2011_03_21;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of PDF File From Russian Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; content:"%PDF-"; classtype:trojan-activity; sid:2012527; rev:3; metadata:created_at 2011_03_21, updated_at 2011_03_21;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of PDF File From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; content:"%PDF-"; classtype:trojan-activity; sid:2012528; rev:3; metadata:created_at 2011_03_21, updated_at 2011_03_21;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Saturn Exploit Kit binary download request"; flow:established,to_server; content:"/dl/"; depth:4; http_uri; fast_pattern; content:".php?"; http_uri; pcre:"/\/dl\/\w{1,4}\.php\?[0-9]$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013775; rev:2; metadata:created_at 2011_10_13, former_category EXPLOIT_KIT, updated_at 2011_10_13;) #alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Saturn Exploit Kit probable Java MIDI exploit request"; flow:established,to_server; content:"/dl/jsm.php"; depth:14; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013777; rev:2; metadata:created_at 2011_10_13, former_category EXPLOIT_KIT, updated_at 2011_10_13;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for PDF exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; content:"|25 32 36|np"; distance:32; within:5; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011348; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SEO Exploit Kit - client exploited"; flow:established,to_server; content:"/exe.php?exp="; http_uri; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011813; rev:6; metadata:created_at 2010_10_13, former_category EXPLOIT_KIT, updated_at 2010_10_13;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit reporting Java and PDF state"; flow:established,to_server; content:"_js?java="; http_uri; fast_pattern; content:"&adobe_pdf="; http_uri; distance:0; pcre:"/\/[a-f0-9]{60,}_js\?/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013690; rev:3; metadata:created_at 2011_09_23, former_category EXPLOIT_KIT, updated_at 2011_09_23;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Java requesting malicious JAR"; flow:established,to_server; content:"_jar"; http_uri; fast_pattern; content:"|20|Java/"; http_header; pcre:"/\/[a-f0-9]{60,}_jar$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013691; rev:3; 
metadata:created_at 2011_09_23, former_category EXPLOIT_KIT, updated_at 2011_09_23;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Java requesting malicious EXE"; flow:established,to_server; content:"_exe"; http_uri; fast_pattern; content:"|20|Java/"; http_header; pcre:"/\/[a-f0-9]{60,}_exe$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013692; rev:3; metadata:created_at 2011_09_23, former_category EXPLOIT_KIT, updated_at 2011_09_23;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit request for pdf_err__Error__Unspecified"; flow:established,to_server; content:"/pdf_err__Error__Unspecified error..gif"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013693; rev:7; metadata:created_at 2011_09_23, former_category EXPLOIT_KIT, updated_at 2011_09_23;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Phoenix-style Exploit Kit Java Request with semicolon in URI"; flow:established,to_server; content:"/?"; http_uri; content:"|3b| 1|3b| "; http_uri; content:"|29| Java/1."; http_header; pcre:"/\/\?[a-z0-9]{65,}\x3b \d\x3b \d/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2011988; rev:5; metadata:created_at 2010_12_01, former_category EXPLOIT_KIT, updated_at 2017_04_13;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Document.write Long Backslash UTF-16 Encoded Content - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:"document.write|28 22 5C|u"; nocase; isdataat:100,relative; content:!"|29|"; within:100; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:70; content:"|5C|u"; nocase; distance:4; within:2; flowbits:set,et.exploitkitlanding; flowbits:noalert; 
reference:url,www.kahusecurity.com/2011/elaborate-black-hole-infection/; classtype:bad-unknown; sid:2014096; rev:6; metadata:created_at 2012_01_04, former_category EXPLOIT_KIT, updated_at 2012_01_04;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excessive new Array With Newline - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:" = new Array|28 29 3B|"; nocase; content:" = new Array|28 29 3B|"; nocase; within:100; content:" = new Array|28 29 3B|"; nocase; content:" = new Array|28 29 3B|"; nocase; within:100; content:" = new Array|28 29 3B|"; nocase; content:" = new Array|28 29 3B|"; nocase; within:100; flowbits:set,et.exploitkitlanding; flowbits:noalert; reference:url,www.kahusecurity.com/2011/elaborate-black-hole-infection/; classtype:bad-unknown; sid:2014097; rev:3; metadata:created_at 2012_01_04, former_category EXPLOIT_KIT, updated_at 2012_01_04;) #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for Java exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|j"; distance:32; within:4; http_client_body; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011349; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Landing Response Malicious JavaScript"; flow:established,from_server; content:""; within:200; fast_pattern; pcre:"/\(\x22[0-9\x3a\x3b\x3c\x3d\x3e\x3fa-k]{50,100}\x22\).{0,200}\)\x3b<\/script><\/body>/s"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015977; rev:7; metadata:created_at 2012_12_03, updated_at 2012_12_03;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Landing Page 
Received"; flow:established,to_client; file_data; content:"application/x-java-applet"; content:"width=|22|000"; content:"height=|22|000"; classtype:bad-unknown; sid:2016190; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_01_11, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK - Landing Page Received"; flow:established,to_client; file_data; content:"
"; classtype:bad-unknown; sid:2016191; rev:6; metadata:created_at 2013_01_11, former_category EXPLOIT_KIT, updated_at 2013_01_11;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Redkit Exploit Kit Three Numerical Character Naming Convention PDF Request"; flow:established,to_server; urilen:8; content:".pdf"; http_uri; pcre:"/\x2F[0-9]{3}\.pdf$/U"; reference:url,blogs.mcafee.com/mcafee-labs/red-kit-an-emerging-exploit-pack; reference:cve,2010-0188; classtype:trojan-activity; sid:2016210; rev:2; metadata:created_at 2013_01_15, former_category EXPLOIT_KIT, updated_at 2020_04_23;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Impact Exploit Kit Class Download"; flow:established,to_server; content:"/com/sun/org/glassfish/gmbal/util/GenericConstructor.class"; fast_pattern:13,20; content:" Java/1"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016240; rev:5; metadata:created_at 2013_01_18, former_category EXPLOIT_KIT, updated_at 2013_01_18;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS StyX Landing Page"; flow:established,from_server; file_data; content:"|22|pdfx.ht|5C|x6dl|22|"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016247; rev:6; metadata:created_at 2013_01_21, updated_at 2013_01_21;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS StyX Landing Page"; flow:established,to_server; content:"/i.html?0x"; http_uri; depth:10; urilen:>100; pcre:"/\/i\.html\?0x\d{1,2}=[a-zA-Z0-9+=]{100}/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016248; rev:6; metadata:created_at 2013_01_21, updated_at 2020_04_23;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Red Dot Exploit Kit Single Character JAR Request"; flow:established,to_server; urilen:6; content:".jar"; http_uri; pcre:"/\x2F[a-z]\x2Ejar$/U"; reference:url,malware.dontneedcoffee.com/; classtype:trojan-activity; sid:2016254; 
rev:2; metadata:created_at 2013_01_23, former_category EXPLOIT_KIT, updated_at 2020_04_23;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Red Dot Exploit Kit Binary Payload Request"; flow:established,to_server; content:"/load.php?guid="; http_uri; content:"&thread="; http_uri; content:"&exploit="; http_uri; content:"&version="; http_uri; content:"&rnd="; http_uri; reference:url,malware.dontneedcoffee.com/; classtype:trojan-activity; sid:2016255; rev:2; metadata:created_at 2013_01_23, former_category EXPLOIT_KIT, updated_at 2013_01_23;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Gondad Exploit Kit Post Exploitation Request"; flow:established,to_server; content:"/cve2012xxxx/Gondvv.class"; http_uri; classtype:trojan-activity; sid:2016256; rev:2; metadata:created_at 2013_01_23, former_category EXPLOIT_KIT, updated_at 2020_04_23;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS TDS - in.php"; flow:established,to_server; content:"/in.php?s="; http_uri; classtype:trojan-activity; sid:2016272; rev:2; metadata:created_at 2013_01_24, updated_at 2020_04_23;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"Confuser.class"; classtype:bad-unknown; sid:2016277; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"ConfusingClassLoader.class"; classtype:bad-unknown; sid:2016276; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 
2013_01_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious iframe"; flow:established,from_server; file_data; content:").)*?[\r\n\s]+name[\r\n\s]*=[\r\n\s]*(?P[\x22\x27])?(Twitter|Google\+)(?P=q)?[\r\n\s]+/R"; content:"scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|"; within:69; fast_pattern:49,20; classtype:trojan-activity; sid:2016298; rev:4; metadata:created_at 2013_01_28, updated_at 2013_01_28;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious iframe"; flow:established,from_server; file_data; content:").)*?[\r\n\s]+name[\r\n\s]*=[\r\n\s]*(?P[\x22\x27])?(Twitter|Google\+)(?P=q)?[\r\n\s]+/R"; content:"scrolling=auto frameborder=no align=center height=2 width=2"; within:59; fast_pattern:39,20; classtype:trojan-activity; sid:2016297; rev:4; metadata:created_at 2013_01_28, updated_at 2013_01_28;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS JDB Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"Adobe Flash must be updated to view this"; content:"/lib/adobe.php?id="; distance:0; fast_pattern; pcre:"/^[a-f0-9]{32}/R"; classtype:trojan-activity; sid:2016307; rev:6; metadata:created_at 2013_01_29, former_category EXPLOIT_KIT, updated_at 2013_01_29;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura/RedKit obfuscated URL"; flow:established,from_server; file_data; content:").)+?\/.{1,12}\/.{1,12}\x3a.{1,12}p.{1,12}t.{1,12}t.{1,12}h/Rs"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015858; rev:3; metadata:created_at 2012_10_31, former_category EXPLOIT_KIT, updated_at 2012_10_31;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Getmyfile.exe Payload"; 
flow:established,to_client; file_data; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack - URI - jpfoff.php"; flow:established,to_server; content:"/jpfoff.php?token="; http_uri; classtype:trojan-activity; sid:2016357; rev:2; metadata:created_at 2013_02_06, former_category EXPLOIT_KIT, updated_at 2013_02_06;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_MM EK - Landing Page"; flow:established,to_client; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_MM - Payload Download"; flow:established,to_client; file_data; content:"PK"; within:2; content:"stealth.exe"; within:60; classtype:trojan-activity; sid:2016377; rev:2; metadata:created_at 2013_02_08, updated_at 2013_02_08;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Impact Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"value"; distance:0; pcre:"/^(\s*=\s*|[\x22\x27]\s*,\s*)[\x22\x27]/R"; content:"h"; distance:8; within:1; content:"t"; distance:8; within:1; content:"t"; distance:8; within:1; content:"p"; distance:8; within:1; content:"|3a|"; distance:8; within:1; content:"/"; distance:8; within:1; classtype:trojan-activity; sid:2016393; rev:3; metadata:created_at 2013_02_08, former_category EXPLOIT_KIT, updated_at 2013_02_08;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK Payload - obfuscated binary base 0"; flow:established,to_client; file_data; content:"|af 9e b6 98 09 fc ee d0|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016403; rev:2; metadata:created_at 2013_02_12, former_category EXPLOIT_KIT, updated_at 2013_02_12;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool Java Exploit Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"SunJCE.class"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016407; rev:3; 
metadata:created_at 2013_02_12, updated_at 2013_02_12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Zero Day Trojan.666 Payload libarext32.dll Second Stage Download POST"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"lbarext32.blb"; http_client_body; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016410; rev:3; metadata:created_at 2013_02_14, updated_at 2020_04_23;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Zero Day Trojan.666 Payload libarhlp32.dll Second Stage Download POST"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"lbarhlp32.blb"; http_client_body; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016409; rev:3; metadata:created_at 2013_02_14, updated_at 2020_04_23;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK landing applet plus class Feb 18 2013"; flow:established,to_client; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS StyX Landing Page (2)"; flow:established,from_server; file_data; content:"|22|pdf|5c|78.ht|5c|6dl|22|"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016497; rev:7; metadata:created_at 2013_02_25, updated_at 2013_02_25;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Nicepack EK Landing (Anti-VM)"; flow:established,to_client; file_data; content:"if(document.body.onclick!=null)"; content:"if(document.styleSheets.length!=0)"; classtype:bad-unknown; sid:2016500; rev:8; metadata:created_at 2013_02_25, updated_at 2013_02_25;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible g01pack Landing Page"; flow:established,to_client; file_data; content:"[\x22\x27])((?!(?P=q)).)+?\.(gif|jpe?g|p(ng|sd))(?P=q)/Rsi"; 
classtype:trojan-activity; sid:2016333; rev:4; metadata:created_at 2013_01_31, former_category EXPLOIT_KIT, updated_at 2013_01_31;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs"; flow:established,from_server; content:!".jar"; http_header; nocase; file_data; content:"PK"; within:2; content:".class"; distance:0; fast_pattern; flowbits:isset,ET.JavaNotJar; flowbits:unset,ET.JavaNotJar; classtype:bad-unknown; sid:2016540; rev:3; metadata:created_at 2013_03_05, updated_at 2020_04_23;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible CrimeBoss Generic URL Structure"; flow:established,to_server; content:".php?action=jv&h="; http_uri; classtype:bad-unknown; sid:2016558; rev:4; metadata:created_at 2013_03_08, updated_at 2013_03_08;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Redkit Landing Page URL March 03 2013"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"u33&299"; within:200; content:"u3v7"; within:50; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016587; rev:6; metadata:created_at 2013_03_15, former_category EXPLOIT_KIT, updated_at 2013_03_15;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible RedDotv2 applet with 32hex value Landing Page"; flow:established,from_server; file_data; content:").)+[\r\n\s]value[\r\n\s]*=[\r\n\s]*(?P[\x22\x27])[a-f0-9]{32}(?P=q1)/Rsi"; classtype:trojan-activity; sid:2016643; rev:5; metadata:created_at 2013_03_21, updated_at 2013_03_21;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO - possible second stage landing page"; flow:established,to_server; urilen:>40; content:".js"; offset:38; http_uri; pcre:"/^\/[a-z0-9A-Z]{25,35}\/(([tZFBeDauxR]+q){3}[tZFBeDauxR]+(_[tZFBeDauxR]+)?|O7dd)k(([tZFBeDauxR]+q){3}[tZFBeDauxR]+|O7dd)\//U"; flowbits:set,et.exploitkitlanding; 
classtype:trojan-activity; sid:2016073; rev:7; metadata:created_at 2012_12_21, updated_at 2012_12_21;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probable Sakura exploit kit landing page obfuscated applet tag Mar 28 2013"; flow:established,from_server; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Likely EgyPack Exploit kit landing page (EGYPACK_CRYPT)"; flow:established,from_server; content:"EGYPACK_CRYPT"; pcre:"/EGYPACK_CRYPT\d/"; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:trojan-activity; sid:2013175; rev:4; metadata:created_at 2011_07_04, former_category EXPLOIT_KIT, updated_at 2011_07_04;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY EgyPack Exploit Kit Cookie Present"; flow:established,to_server; content:"visited=TRUE|3b| mutex="; http_cookie; depth:20; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:bad-unknown; sid:2014408; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_21, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2020_04_23;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Potential Fiesta Flash Exploit"; flow:established,to_server; content:"/?"; http_uri; content:"|3b|"; distance:60; within:7; http_uri; pcre:"/\/\?[0-9a-f]{60,66}\x3b(?:1(?:0[0-3]|1\d)|90)\d{1,3}\x3b\d{1,3}$/U"; 
flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016726; rev:6; metadata:created_at 2013_04_04, former_category EXPLOIT_KIT, updated_at 2013_04_04;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedDotv2 Jar March 18 2013"; flow:established,to_server; content:"/sexy.jar"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2016594; rev:7; metadata:created_at 2013_03_18, updated_at 2013_03_18;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit applet + obfuscated URL Apr 7 2013"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"8ss&299"; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016734; rev:2; metadata:created_at 2013_04_08, former_category EXPLOIT_KIT, updated_at 2013_04_08;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS GonDadEK Kit Jar"; flow:to_client,established; file_data; content:"ckwm"; pcre:"/^(ckwm)*?(Exp|cc)\.class/R"; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016737; rev:11; metadata:created_at 2013_04_09, updated_at 2013_04_09;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lizamoon Related Compromised site served to local client"; flow:established,from_server; content:""; within:100; classtype:attempted-user; sid:2012624; rev:5; metadata:created_at 2011_04_02, updated_at 2011_04_02;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_gmf EK - pdfx.html"; flow:established,to_server; content:"/pdfx.html"; http_uri; classtype:trojan-activity; sid:2016055; rev:3; metadata:created_at 2012_12_17, updated_at 2020_04_23;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO obfuscator string 19 Dec 12 - possible landing"; flow:from_server,established; file_data; content:"cRxmlqC14I8yhr92sovp"; flowbits:set,et.exploitkitlanding; 
classtype:bad-unknown; sid:2016070; rev:5; metadata:created_at 2012_12_20, updated_at 2012_12_20;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura obfuscated javascript Apr 21 2013"; flow:established,from_server; file_data; content:"OD&|3a|x9T6"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016781; rev:2; metadata:created_at 2013_04_22, updated_at 2013_04_22;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta - Payload - flashplayer11"; flow:established,to_client; content:"flashplayer11_"; http_header; file_data; content:"MZ"; within:2; classtype:trojan-activity; sid:2016784; rev:3; metadata:created_at 2013_04_26, former_category EXPLOIT_KIT, updated_at 2013_04_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Redkit encrypted binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|fb 67 1f 49|"; within:4; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016113; rev:3; metadata:created_at 2012_12_28, former_category EXPLOIT_KIT, updated_at 2012_12_28;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass"; flow:established,to_client; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange applet with obfuscated URL March 03 2013"; flow:established,from_server; file_data; content:"applet"; content:"103sdj115sdj115sdj111sdj57sdj46sdj46sdj"; fast_pattern; within:250; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016585; rev:7; metadata:created_at 2013_03_15, former_category CURRENT_EVENTS, updated_at 2013_03_15;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO/NeoSploit possible second stage landing page"; flow:established,to_server; urilen:>25; content:"/50a"; http_uri; depth:4; pcre:"/^\/50a[a-f0-9]{21}\/(((\d+,)+\d+)|null)\//U"; 
flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015847; rev:5; metadata:created_at 2012_10_26, updated_at 2012_10_26;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Java payload request (1)"; flow:established,to_server; content:"Java/1"; http_user_agent; content:"openparadise1"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016111; rev:4; metadata:created_at 2012_12_28, former_category CURRENT_EVENTS, updated_at 2012_12_28;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Java obfuscated binary (3)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|20 3b|"; within:2; content:"|3d 24 00 00|"; within:512; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016655; rev:5; metadata:created_at 2013_03_22, former_category CURRENT_EVENTS, updated_at 2013_03_22;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS pamdql/Sweet Orange delivering exploit kit payload"; flow:established,to_server; content:"/command/"; http_uri; urilen:15; pcre:"/^\/command\/[a-zA-Z]{6}$/U"; classtype:trojan-activity; sid:2016093; rev:4; metadata:created_at 2012_12_27, former_category EXPLOIT_KIT, updated_at 2012_12_27;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Injection - var j=0"; flow:established,to_client; file_data; content:"00|3a|00|3a|00|3b| path=/|22 3b|var j=0|3b| while(j"; classtype:trojan-activity; sid:2016830; rev:2; metadata:created_at 2013_05_07, updated_at 2013_05_07;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2013-2423 IVKM PoC Seen in Unknown EK"; flow:to_client,established; content:"Union1.class"; content:"Union2.class"; fast_pattern; content:"SystemClass.class"; content:"PoC.class"; flowbits:isset,ET.http.javaclient; reference:url,weblog.ikvm.net/CommentView.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0; 
classtype:trojan-activity; sid:2016831; rev:3; metadata:created_at 2013_05_07, updated_at 2013_05_07;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura obfuscated javascript May 10 2013"; flow:established,from_server; file_data; content:"qV7/|3b|pF"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016852; rev:3; metadata:created_at 2013_05_15, updated_at 2013_05_15;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown EK Requesting Payload"; flow:established,to_server; content:".php?ex="; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:trojan-activity; sid:2016896; rev:4; metadata:created_at 2013_05_21, updated_at 2013_05_21;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Java Class"; flow:to_client,established; file_data; content:"Gond"; pcre:"/^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class/Ri"; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2015575; rev:11; metadata:created_at 2012_08_03, former_category EXPLOIT_KIT, updated_at 2012_08_03;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Landing Page 1 May 24 2013"; flow:to_client,established; file_data; content:"AppletObject.code"; nocase; content:"Gond"; nocase; distance:0; pcre:"/^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class/Ri"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016925; rev:2; metadata:created_at 2013_05_24, updated_at 2013_05_24;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HellSpawn EK Landing 1 May 24 2013"; flow:to_client,established; file_data; content:"function weCameFromHell("; nocase; fast_pattern:4,20; content:"spawAnyone("; nocase; distance:0; classtype:trojan-activity; sid:2016927; rev:11; metadata:created_at 2013_05_24, 
updated_at 2013_05_24;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Landing Page - Received"; flow:established,to_client; file_data; content:"value"; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?[\x22\x27]((?P%[A-Fa-f0-9]{2})|(?P[a-zA-Z0-9]))((?P=hex){10}|(?P=ascii){10})/R"; content:"var PluginDetect"; distance:0; classtype:trojan-activity; sid:2016791; rev:6; metadata:created_at 2013_04_26, updated_at 2013_04_26;) #alert http $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Java Exploit Recievied"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"javax/crypto/spec/SecretKeySpec"; distance:0; classtype:trojan-activity; sid:2016785; rev:3; metadata:created_at 2013_04_26, updated_at 2013_04_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Landing Page - Received May 29 2013"; flow:established,to_client; file_data; content:"
]*?>((?P%[A-Fa-f0-9]{2})|(?P[a-zA-Z0-9]))((?P=hex){9,20}|(?P=ascii){9,20})%3C/R"; content:"{version:|22|0.8.0|22|"; distance:0; nocase; classtype:trojan-activity; sid:2016942; rev:6; metadata:created_at 2013_05_29, updated_at 2013_05_29;) #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Neosploit Exploit Pack Activity Observed"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a| "; nocase; content:"|0d 0a|User-Agent|3a| "; nocase; pcre:"/\.(php|asp|py|exe|htm|html)\/[joewxy](U[0-9a-f]{8})?H[0-9a-f]{8}V[0-9a-f]{8}\d{3}R[0-9a-f]{8}\d{3}T[0-9a-f]{8,}/U"; reference:url,blog.fireeye.com/research/2010/01/pdf-obfuscation.html; reference:url,blog.fireeye.com/research/2010/06/neosploit_notes.html; reference:url,dxp2532.blogspot.com/2007/12/neosploit-exploit-toolkit.html; classtype:attempted-user; sid:2011583; rev:4; metadata:created_at 2010_10_01, updated_at 2010_10_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack Jar Request (3)"; flow:established,to_server; content:"/j17.php?i="; http_uri; content:"|29 20|Java/1"; http_user_agent; fast_pattern:only; classtype:trojan-activity; sid:2016365; rev:5; metadata:created_at 2013_02_06, former_category CURRENT_EVENTS, updated_at 2013_02_06;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura obfuscated javascript Jun 1 2013"; flow:established,from_server; file_data; content:"a5chZev!"; distance:0; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016966; rev:7; metadata:created_at 2013_06_03, updated_at 2013_06_03;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql Exploit Kit 09/25/12 Sending Jar"; flow:established,from_server; pcre:"/^[a-zA-Z]{5}=[a-z0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}$/C"; content:"/x-java-archive|0d 0a|"; fast_pattern:only; http_header; file_data; content:"PK"; within:2; classtype:trojan-activity; sid:2015724; 
rev:10; metadata:created_at 2012_09_21, former_category EXPLOIT_KIT, updated_at 2012_09_21;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql obfuscated javascript --- padding"; flow:established,from_server; file_data; content:"d---o---c---u---m---"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015738; rev:3; metadata:created_at 2012_09_25, updated_at 2012_09_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS MALVERTISING Unknown_InIFRAME - RedTDS URI Structure"; flow:established,to_server; content:"/red"; depth:7; http_uri; content:".php"; distance:2; within:6; http_uri; pcre:"/^\/[0-9]{1,2}\/red[0-9]{1,4}\.php[0-9]{0,1}$/Ui"; classtype:trojan-activity; sid:2017028; rev:2; metadata:created_at 2013_06_18, updated_at 2013_06_18;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_InIFRAME - URI Structure"; flow:established,to_server; content:"/iniframe/"; depth:10; http_uri; content:"/"; distance:32; within:1; http_uri; content:"/"; distance:1; within:5; http_uri; content:"/"; distance:32; within:1; http_uri; classtype:trojan-activity; sid:2017029; rev:5; metadata:created_at 2013_06_18, updated_at 2013_06_18;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_InIFRAME - Redirect to /iniframe/ URI"; flow:established,to_client; content:"302"; http_stat_code; content:"/iniframe/"; http_header; classtype:trojan-activity; sid:2017030; rev:2; metadata:created_at 2013_06_18, updated_at 2013_06_18;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS MALVERTISING Flash - URI - /loading?vkn="; flow:established,to_server; content:"/loading?vkn="; http_uri; classtype:trojan-activity; sid:2017032; rev:2; metadata:created_at 2013_06_18, updated_at 2013_06_18;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NailedPack EK Landing June 18 2013"; flow:established,to_client; file_data; 
# NOTE(review): this span of the ET Open "current_events" ruleset reached us re-wrapped by the
# extraction (rules broken across lines at arbitrary spaces). Below, the rule text is unchanged but
# re-flowed so that each rule sits on its own line, with review comments in front of the rules that
# need them. Rules prefixed with "#" are shipped disabled by upstream; enabling one is a tuning decision.
#
# Extraction also dropped everything between a "<" and the next ">" in a number of rules. Where a rule's
# content began with "<script", "<applet", "<object", "<title" etc., the strip swallowed the rest of that
# rule AND the "-> " of the following rule header, splicing two rules together (visible as
# content:" $HOME_NET any (msg:"..." or content:"< $HOME_NET any (msg:"..."), or left an empty
# content:"". Rules marked MANGLED below (and their lost partners) will not load as shown and must be
# restored from the upstream ET Open distribution, not hand-repaired from this text.
# (first rule is cut at the start of this view; sid 2017034 tail)
content:"report_and_get_exploits(_0x"; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:2017034; rev:2; metadata:created_at 2013_06_19, updated_at 2013_06_19;)
# sid 2017040: Rawin EK landing URI ".php?[b=<6 hex>&]v=1.<java-like version>". In the pcre the "6.0" branch
# has an unescaped dot (6.0\.) unlike the 4\. and 5\. branches, so it also accepts e.g. "6x0" — looks like a typo for 6\.0.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Landing URI Struct"; flow:established,to_server; content:".php?"; http_uri; content:"v=1."; http_uri; fast_pattern; content:"."; http_uri; distance:1; within:1; pcre:"/\.php\?(b=[a-fA-F0-9]{6}&)?v=1\.(?:(?:4\.[0-2]\.[0-3]|5\.0\.[0-2]|6.0\.[0-4])\d?|[7-8]\.0\.\d{1,2})$/U"; classtype:trojan-activity; sid:2017040; rev:2; metadata:created_at 2013_06_21, former_category EXPLOIT_KIT, updated_at 2013_06_21;)
# sids 2016796/2016817/2016818: the three contents are base64 of "__applet_ssv_validated" at its three possible
# alignments (the first decodes to "__applet_ssv_validate"). Each only sets flowbit et.exploitkitlanding for
# downstream consumers such as sid 2014526 below. Only the first alignment is enabled upstream.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64"; flow:established,to_client; file_data; content:"X19hcHBsZXRfc3N2X3ZhbGlkYXRl"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2016796; rev:5; metadata:created_at 2013_04_28, updated_at 2013_04_28;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 2"; flow:established,to_client; file_data; content:"9fYXBwbGV0X3Nzdl92YWxpZGF0"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2016817; rev:4; metadata:created_at 2013_05_03, updated_at 2013_05_03;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 3"; flow:established,to_client; file_data; content:"fX2FwcGxldF9zc3ZfdmFsaWRhdGVk"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2016818; rev:4; metadata:created_at 2013_05_03, updated_at 2013_05_03;)
# sid 2017020: Dotka Chef EK fetch — "?f=" plus a 16-digit "&k=" token, from a Java/1 user agent.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Dotka Chef EK exploit/payload URI request"; flow:to_server,established; content:"?f="; http_uri; content:"&k="; http_uri; pcre:"/&k=\d{16}(&|$)/U"; content:"Java/1"; http_user_agent; classtype:trojan-activity; sid:2017020; rev:10; metadata:created_at 2013_06_14, updated_at 2013_06_14;)
# MANGLED: sid 2020975's first content is empty (content:""); an empty content never loads — the anchoring tag match
# was stripped. Also note the msg says "Cool Exploit Kit" while the metadata tags malware_family Nuclear.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool Exploit Kit iframe with obfuscated Java version check Jun 26 2013"; flow:established,from_server; file_data; content:""; within:500; content:!"|0d|"; within:500; pcre:"/^\s*[^>]*?[a-zA-Z]+\s*?=\s*?[\x22\x27](?=[a-z]{0,20}[A-Z])(?=[A-Z]{0,20}[a-z])[A-Za-z]{15,21}[\x22\x27][^>]*?>(?=[A-Za-z_]{0,200}[0-9])(?=[0-9a-z_]{0,200}[A-Z])(?=[0-9A-Z_]{0,200}[a-z])[A-Za-z0-9_]{200}/R"; classtype:trojan-activity; sid:2020975; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_23, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
# sid 2021034: CottonCastle/Niteris landing URI "/5/<32 hex>/ http:/..." (a full URL embedded in the path).
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing URI Struct April 29 2015 M2"; flow:established,to_server; content:"GET"; http_method; content:"/5/"; http_uri; fast_pattern; content:"http|3a|/"; distance:0; http_uri; pcre:"/\/5\/[a-f0-9]{32}\/\x20*http\x3a\x2f/U"; classtype:trojan-activity; sid:2021034; rev:2; metadata:created_at 2015_04_29, updated_at 2015_04_29;)
# sid 2021039: "lortnoCgA.lortnoCgA" is "AgControl.AgControl" (the Silverlight ActiveX ProgID) written backwards,
# paired with a "reverse" call — the page un-reverses it at runtime to probe for the plugin without the plain string.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing April 29 2015"; flow:established,from_server; file_data; content:"lortnoCgA.lortnoCgA"; content:"reverse"; classtype:trojan-activity; sid:2021039; rev:2; metadata:created_at 2015_04_29, updated_at 2015_04_29;)
# sids 2021044/2021043: Flash served after the landing page — "CWS" (zlib-compressed SWF) and "ZWS" (LZMA-compressed);
# uncompressed "FWS" is not covered. Both gate on flowbits:isset,ET.CottonCasle.Exploit — note the spelling
# "CottonCasle": the setter is not in this view and the name must match it byte-for-byte or these never fire.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK SWF Exploit April 30 2015"; flow:established,from_server; content:"Content-Type|3a| application/x-shockwave-flash|0d 0a|"; http_header; fast_pattern:25,20; file_data; content:"CWS"; within:3; flowbits:isset,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021044; rev:2; metadata:created_at 2015_04_30, updated_at 2015_04_30;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK SWF Exploit April 30 2015"; flow:established,from_server; content:"Content-Type|3a| application/x-shockwave-flash|0d 0a|"; http_header; fast_pattern:25,20; file_data; content:"ZWS"; within:3; flowbits:isset,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021043; rev:2; metadata:created_at 2015_04_30, updated_at 2015_04_30;)
# sid 2021046: JS user-agent sniffing that sorts victims into "NT 5.1" (XP) versus "NT 6." (Vista and later) buckets.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing Page May 01 2015"; flow:from_server,established; file_data; content:"CM|3a 20|u.indexOf(|27|NT 5.1|27|) > -1"; content:"PS|3a 20|u.indexOf(|27|NT 6.|27|) > -1"; classtype:trojan-activity; sid:2021046; rev:2; metadata:created_at 2015_05_01, updated_at 2015_05_01;)
# sids 2021047/2021048: the FlashVars "sh=" values are base64 for "cmd /c echo " and "powershell.exe " respectively —
# a command line handed to the SWF as a parameter.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Secondary Landing Page May 01 2015 M1"; flow:from_server,established; file_data; content:"FlashVars"; content:"sh=Y21kIC9jIGVjaG8g"; classtype:trojan-activity; sid:2021047; rev:2; metadata:created_at 2015_05_01, updated_at 2015_05_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Secondary Landing Page May 01 2015 M2"; flow:from_server,established; file_data; content:"FlashVars"; content:"sh=cG93ZXJzaGVsbC5leGUg"; classtype:trojan-activity; sid:2021048; rev:2; metadata:created_at 2015_05_01, updated_at 2015_05_01;)
# sid 2020981: Fiesta EK Flash — inline Content-Disposition with filename <5-8 letters><2-3 digits>.swf; "WS" within
# the first 3 body bytes covers all of FWS/CWS/ZWS.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Flash Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".swf"; http_header; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.swf\r\n/Hm"; file_data; content:"WS"; within:3; classtype:trojan-activity; sid:2020981; rev:3; metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2020_05_21;)
# sid 2021054: shellcode string table "urlmon.dll\0http:/" followed by a dotted-quad download URL and a "|http:/" separator.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK Flash Payload ShellCode Apr 23 2015"; flow:established,from_server; file_data; content:"urlmon.dll|00|http|3a 2f|"; pcre:"/^\x2f+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x2f\??[a-f0-9]+\x7chttp\x3a\x2f/Rs"; classtype:trojan-activity; sid:2021054; rev:2; metadata:created_at 2015_05_04, former_category EXPLOIT_KIT, updated_at 2015_05_04;)
# sid 2020911: response body must begin (within:24 of the start of file_data) with the base64 of UTF-16LE "<text10>$".
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Trojan Multi-part Macro Download M1"; flow:established,from_server; file_data; content:"PAB0AGUAeAB0ADEAMAA+ACQA"; within:24; classtype:trojan-activity; sid:2020911; rev:3; metadata:created_at 2015_04_14, updated_at 2015_04_14;)
# sid 2017024: FlashPack/SafePack/CritX URI — one of the listed script names followed by ".php?hash=".
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack URI Format June 17 2013 3"; flow:established,to_server; content:".php?hash="; http_uri; fast_pattern:only; pcre:"/\/(?:java(?:byte|db)|o(?:utput|ther)|r(?:hino|otat)|msie\d|load)\.php\?hash=/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:trojan-activity; sid:2017024; rev:4; metadata:created_at 2013_06_17, former_category CURRENT_EVENTS, updated_at 2013_06_17;)
# sid 2021092: Windows shortcut (.lnk, header size 0x4C) whose UTF-16LE strings contain "bitsadmin" and "transfer" —
# BITS used as a downloader from a shortcut file.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download file with BITS via LNK file (Likely Malicious)"; flow:established,from_server; file_data; content:"|4c 00 00 00|"; within:4; content:"|00|b|00|i|00|t|00|s|00|a|00|d|00|m|00|i|00|n|00|"; nocase; content:"|00|t|00|r|00|a|00|n|00|s|00|f|00|e|00|r|00|"; nocase; classtype:trojan-activity; sid:2021092; rev:2; metadata:created_at 2015_05_13, updated_at 2015_05_13;)
# sid 2021093: VBA Chr() concatenation that spells "Microsoft.XMLHTTP" — the macro assembles the COM ProgID one
# character at a time to defeat plain string scanning.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dridex Remote Macro Download"; flow:established,from_server; file_data; content:"(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80)"; nocase; classtype:trojan-activity; sid:2021093; rev:2; metadata:created_at 2015_05_13, former_category CURRENT_EVENTS, updated_at 2015_05_13;)
# MANGLED: sid 2021090's first content is empty yet carries fast_pattern:11,20 (offset 11, length 20), so the original
# pattern was at least 31 bytes — stripped during extraction; will not load as shown.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNSChanger EK Landing May 12 2015"; flow:established,from_server; file_data; content:""; nocase; fast_pattern:11,20; content:"CryptoJSAesJson"; nocase; classtype:trojan-activity; sid:2021090; rev:3; metadata:created_at 2015_05_12, updated_at 2015_05_12;)
# sid 2021110: DNSChanger EK secondary stage — DetectRTC WebSocket probe concatenated into a string plus CryptoJSAesJson.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNSChanger EK Secondary Landing May 12 2015 M2"; flow:established,from_server; file_data; content:"&|22|+DetectRTC.isWebSocketsSupported+|22|&|22|+"; nocase; content:"CryptoJSAesJson"; nocase; classtype:trojan-activity; sid:2021110; rev:2; metadata:created_at 2015_05_16, updated_at 2015_05_16;)
# sid 2021156: body starts with "GIF89a=" — a GIF magic directly followed by "=" reads as a script assignment rather
# than an image header; the ordered ";url=", "iframe", ";tail=" matches are the key/value pairs of the script inside.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil JS iframe Embedded In GIF"; flow:established,from_server; file_data; content:"GIF89a="; nocase; within:8; content:"|3b|url="; nocase; distance:0; content:"iframe"; nocase; distance:0; content:"|3b|tail="; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2021156; rev:2; metadata:created_at 2015_05_28, updated_at 2015_05_28;)
# sid 2021217: the hex decodes to "t=utf8to16(xxtea_decrypt(base64decode(t)," — an XXTEA-encrypted, base64-wrapped script stage.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil JS used in Unknown EK Landing"; flow:established,from_server; file_data; content:"|74 3d 75 74 66 38 74 6f 31 36 28 78 78 74 65 61 5f 64 65 63 72 79 70 74 28 62 61 73 65 36 34 64 65 63 6f 64 65 28 74 29 2c|"; nocase; classtype:trojan-activity; sid:2021217; rev:2; metadata:created_at 2015_06_09, updated_at 2015_06_09;)
# MANGLED: the msg and header matches belong to a June 2015 redirector rule, but sid 2011978 and created_at 2010_11_24
# belong to a different, older rule — two rules were spliced where the "<...>" text was stripped (the bare pcre
# "/^\s*?/Rs" and the "||" inside the content are the scars). Do not load; restore both rules upstream.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK June 11 2015"; flow:established,from_server; content:"javascript"; http_header; content:"nginx"; nocase; http_header; file_data; pcre:"/^\s*?/Rs"; content:"document.write|28 28 22||22 29 3b 7d|"; classtype:bad-unknown; sid:2011978; rev:5; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
# sid 2012503 (CVE-2011-0609): OLE2 magic D0 CF 11 E0 A1 B1 1A E1 followed later by "EWs\t". The first content starts with
# 0D 0A 0D 0A (the end-of-headers marker) but is matched in file_data, which holds only the response body, so it can only
# hit if the body itself contains CRLFCRLF before the magic — looks like a raw-payload rule converted to file_data
# without dropping the header terminator. Same issue in sid 2012504 further down.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Compressed Adobe Flash File Embedded in XLS FILE Caution - Could be Exploit"; flow:established,from_server; file_data; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"|45 57 73 09|"; distance:0; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; classtype:attempted-user; sid:2012503; rev:5; metadata:created_at 2011_03_15, updated_at 2011_03_15;)
# sid 2013474: bare "NACHA" anywhere in any response body — very broad (any page mentioning the ACH network).
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY ACH - Redirection"; flow:from_server,established; file_data; content:"NACHA"; classtype:bad-unknown; sid:2013474; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_26, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
# sids 2013484/2013485: same JAR content (a javax.sound.midi MidiDeviceProvider service entry); the first additionally
# requires ET.http.javaclient.vulnerable, the second only ET.http.javaclient. Both flowbits are set outside this view.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix Java MIDI Exploit Received By Vulnerable Client"; flow:established,to_client; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider"; classtype:bad-unknown; sid:2013484; rev:4; metadata:created_at 2011_08_29, updated_at 2011_08_29;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix Java MIDI Exploit Received"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider"; classtype:bad-unknown; sid:2013485; rev:4; metadata:created_at 2011_08_29, updated_at 2011_08_29;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix landing page JAVASMB"; flow:established,to_client; file_data; content:"JAVASMB()"; classtype:bad-unknown; sid:2013486; rev:4; metadata:created_at 2011_08_30, updated_at 2011_08_30;)
# sid 2013662: JAR whose entries include "Exploit$1$1.class" (24 31 24 31 2E = "$1$1."), i.e. nested anonymous
# classes of a class literally named Exploit.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Crimepack Java exploit attempt(2)"; flow:from_server,established; file_data; content:"PK"; content:"META-INF/MANIFEST"; within:50; content:"PK"; within:150; nocase; content:"Exploit|24 31 24 31 2E|class"; distance:0; fast_pattern; classtype:web-application-attack; sid:2013662; rev:2; metadata:created_at 2011_09_16, updated_at 2011_09_16;)
# MANGLED: "...download 1" lost everything after content:"< up to the header of "...download 2" (its own sid is gone);
# only sid 2013997 survives intact. "(a pwning u3d model)" is the literal annotation text of the APSA11-04 PoC document.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Universal 3D file corrupted download 1"; flow:established,from_server; file_data; content:"/Subtype /U3D"; content:"< $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Universal 3D file corrupted download 2"; flow:established,from_server; file_data; content:"/Subtype /U3D"; content:"/Contents (a pwning u3d model) /3DI false > /3DA << /A /PO /DIS /I >> /Rect [0 0 640 480] /3DD 10 0 R /F 7 >>"; distance:0; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; classtype:bad-unknown; sid:2013997; rev:6; metadata:created_at 2011_12_08, updated_at 2011_12_08;)
# sid 2014039: 1px x 1px iframe named "Twitter" with scrolling/border attributes as emitted by the Alureon malvertising.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING Alureon Malicious IFRAME"; flow:established,to_client; file_data; content:"name=\"Twitter\" scrolling=\"auto\" frameborder=\"no\" align=\"center\" height = \"1px\" width = \"1px\">"; classtype:bad-unknown; sid:2014039; rev:5; metadata:created_at 2011_12_22, updated_at 2011_12_22;)
# MANGLED: the "hidden applet" rule's tail (from its "<applet" content on) and the next rule's "-> " were stripped;
# sid 2014142 (PDF with Author "yvp devo" / Creator "bub lob") is the only intact part of this line.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Version Check with hidden applet"; flow:established,from_server; file_data; content:"deployJava.versionCheck|28|"; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Driveby Delivered Malicious PDF"; flow:established,from_server; file_data; content:"%PDF"; depth:4; content:"/Author (yvp devo)/Creator (bub lob)"; distance:0; classtype:trojan-activity; sid:2014142; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_23, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
# MANGLED: "Unknown Landing Page Received" is cut at content:" and spliced onto the Rhino rule; sid 2014243 itself
# (ZIP with com/edu/net/org.class entries, gated on ET.http.javaclient) is intact.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Unknown Landing Page Received"; flow:established,from_server; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Java Rhino Scripting Engine Exploit Downloaded"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"com.class"; content:"edu.class"; content:"net.class"; content:"org.class"; classtype:bad-unknown; sid:2014243; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_02_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
# sid 2014295: JAR that contains the ASCII-hex text ",CAFEBABE00000030007A..." — a Java class file header (magic
# CAFEBABE, major version 0x30) embedded as hex text rather than bytes.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Java Atomic Exploit Downloaded"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:",CAFEBABE00000030007A0A002500300A003100320700"; distance:0; classtype:bad-unknown; sid:2014295; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_02_29, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
# sid 2014314: inline-disposition EXE (MZ at body start) from a ".../load/..." path. ".exe" and "load/" are separate,
# unanchored header matches, so they need not both sit in the Content-Disposition line.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Payload Download /load/*exe"; flow:established,from_server; content:"Content-Disposition|3a| inline"; nocase; http_header; content:".exe"; http_header; content:"load/"; http_header; fast_pattern; file_data; content:"MZ"; depth:2; classtype:attempted-user; sid:2014314; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_05, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_06_09;)
# MANGLED: the libtiff PDF rule is cut at content:"< (its sid lost). sid 2014526 is intact: after an et.exploitkitlanding
# hit, a ZIP local file header (version 0x14, flags 0x0008 = data descriptor, method 8 = deflate) in the first 10 body bytes.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Incognito libtiff PDF Exploit Recieved"; flow:established,from_server; content:"Content-Disposition|3a| inline"; nocase; content:".pdf"; distance:0; file_data; content:"%PDF-"; depth:5; content:"< $HOME_NET any (msg:"ET CURRENT_EVENTS Exploit Kit Delivering JAR Archive to Client"; flow:established,to_client; flowbits:isset,et.exploitkitlanding; file_data; content:"|50 4B 03 04 14 00 08 00 08 00|"; within:10; classtype:bad-unknown; sid:2014526; rev:3; metadata:created_at 2012_04_06, former_category EXPLOIT_KIT, updated_at 2012_04_06;)
# sid 2014549: "?igc.ni/" is "/in.cgi?" reversed — the Sutra TDS entry point written backwards so a naive string scan
# misses it. distance:0 with no preceding match is effectively a no-op here.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TDS Sutra - page redirecting to a SutraTDS"; flow:established,to_client; file_data; content:"?igc.ni/"; distance:0; classtype:bad-unknown; sid:2014549; rev:3; metadata:created_at 2012_04_12, updated_at 2012_04_12;)
# sid 2014560: "msf/x/Payload" class path (Metasploit's Java payload stub) in a JAR served to a client already flagged
# ET.http.javaclient.vulnerable.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Modified Metasploit Jar"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"msf|2f|x|2f|Payload"; classtype:trojan-activity; sid:2014560; rev:7; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_13, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
# sid 2014561: applet code="...xploit.class" (e.g. "Exploit.class"), 2-18 bytes after "code=".
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS landing page with malicious Java applet"; flow:established,from_server; file_data; content:"code="; distance:0; content:"xploit.class"; distance:2; within:18; classtype:bad-unknown; sid:2014561; rev:6; metadata:created_at 2012_04_13, updated_at 2012_04_13;)
# MANGLED head: the "Determining OS MAC" rule is cut at content:" and spliced onto sid 2014577. In 2014577 the byte_test
# reads the 2-byte field 22 bytes past the PK\x03\x04 signature (the local header's filename-length field), but
# Suricata byte_test defaults to big-endian while ZIP fields are little-endian — without the "little" modifier the
# "> 50" comparison does not test the real length (e.g. length 3 = 03 00 reads as 0x0300). The 16-underscore
# "________________.exe" entry name is what actually carries the detection.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS JavaScript Determining OS MAC and Serving Java Archive File"; flow:established,to_client; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Italian Spam Campaign ZIP with EXE Containing Many Underscores"; flow:from_server,established; file_data; content:"|50 4b 03 04|"; within:4; byte_test:2,>,50,22,relative; content:"|5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 2e|exe"; distance:22; within:150; classtype:trojan-activity; sid:2014577; rev:5; metadata:created_at 2012_04_16, former_category CURRENT_EVENTS, updated_at 2012_04_16;)
# MANGLED: sids 2014607/2014608 have an empty content:"" (the injected tag was stripped) — cannot load as shown.
# 2014608 is the $HOME_NET -> $HOME_NET variant for an internal web server serving the injection to internal clients.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nikjju Mass Injection Compromised Site Served To Local Client"; flow:established,from_server; file_data; content:""; distance:1; within:10; classtype:attempted-user; sid:2014607; rev:10; metadata:created_at 2012_04_17, updated_at 2012_04_17;)
#alert http $HOME_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nikjju Mass Injection Internal WebServer Compromised"; flow:established,from_server; file_data; content:""; distance:1; within:10; classtype:attempted-user; sid:2014608; rev:9; metadata:created_at 2012_04_17, updated_at 2012_04_17;)
# sid 2014665: literal "var stopit = BrowserDetect.browser" — a browser-sniffing gate in front of the redirect.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic - Redirection to Kit - BrowserDetect with var stopit"; flow:established,from_server; file_data; content:"var stopit = BrowserDetect.browser"; distance:0; classtype:trojan-activity; sid:2014665; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_05_02, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
# MANGLED: the "php ... possible webshell" rule (an enabled one, $EXTERNAL_NET -> $HTTP_SERVERS, to_client) is cut at
# content:" and spliced onto sid 2014930. The surviving header is the webshell rule's, so this line would give sid 2014930
# the wrong direction/ports even if it parsed — it does not; restore both upstream.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS php with eval/gzinflate/base64_decode possible webshell"; flow:to_client,established; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript redirecting to badness 21 June 2012"; flow:established,from_server; file_data; content:"javascript'>var wow="; content:"Date&&"; distance:12; within:60; classtype:bad-unknown; sid:2014930; rev:4; metadata:created_at 2012_06_21, updated_at 2012_06_21;)
# sid 2014966: PDF whose body literally contains the string "NEW PDF EXPLOIT".
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic - PDF with NEW PDF EXPLOIT"; flow:established,to_client; file_data; content:"%PDF"; depth:4; fast_pattern; content:"NEW PDF EXPLOIT"; classtype:trojan-activity; sid:2014966; rev:3; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
# sid 2014983: JAR with "C1.class" followed by "C2.class", to a client flagged ET.http.javaclient.vulnerable.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Scalaxy Jar file"; flow:to_client,established; file_data; content:"PK"; depth:2; content:"C1.class"; fast_pattern; distance:0; content:"C2.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014983; rev:3; metadata:created_at 2012_06_29, updated_at 2012_06_29;)
# sids 2014984/2014985: header is $HOME_NET -> $EXTERNAL_NET with flow:from_server, so the *server* is inside HOME_NET —
# these fire when one of our own sites serves the RunForestRun marker comment, not when an internal client browses to one.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response /*km0ae9gr6m*/ Jun 25 2012"; flow:established,from_server; file_data; content:"/*km0ae9gr6m*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014984; rev:5; metadata:created_at 2012_06_29, updated_at 2012_06_29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response /*qhk6sa6g1c*/ Jun 25 2012"; flow:established,from_server; file_data; content:"/*qhk6sa6g1c*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014985; rev:6; metadata:created_at 2012_06_29, updated_at 2012_06_29;)
# sid 2014998: "/*<10 alnum>*/window.eval(String.fromCharCode(<n>,<n>,..." with no ")" in the next 80 bytes — a long
# char-code array, the RunForestRun DGA landing stage.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website Landing Page Obfuscated String JavaScript DGA"; flow:established,to_client; file_data; content:"*/window.eval(String.fromCharCode("; isdataat:80,relative; content:!")"; within:80; pcre:"/\x2A[a-z0-9]{10}\x2A\x2Fwindow\x2Eeval\x28String\x2EfromCharCode\x28[0-9]{1,3}\x2C[0-9]{1,3}\x2C/sm"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014998; rev:3; metadata:created_at 2012_07_02, updated_at 2012_07_02;)
# MANGLED: sid 2015053's content is a pcre fragment ("[a-f0-9]{10}<\/title>/") whose "<title>" prefix and pcre keyword
# were lost; the "100HexChar" and DoSWF rules are cut at content:" and spliced onto sid 2015605 (0x0 java applet).
# Restore all three upstream; only sid 2015605's own keywords are intact.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_s=1 - Landing Page - 10HexChar Title and applet"; flow:established,to_client; file_data; content:"[a-f0-9]{10}<\/title>/"; classtype:trojan-activity; sid:2015053; rev:6; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_s=1 - Landing Page - 100HexChar value and applet"; flow:established,to_client; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS DoSWF Flash Encryption (Used in KaiXin Exploit Kit)"; flow:to_client,established; file_data; content:"CWS"; depth:3; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Landing Page Received"; flow:established,to_client; file_data; content:"application/x-java-applet"; content:"width=|22|0|22| height=|22|0|22|>"; fast_pattern; within:100; classtype:trojan-activity; sid:2015605; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
# sid 2017476: JAR with a ".mp4" entry within 80 bytes of a ".class" entry — media file next to class files in the archive.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SweetOrange - Java Exploit Downloaded"; flow:established,from_server; file_data; content:".classPK"; content:".mp4PK"; fast_pattern; within:80; classtype:trojan-activity; sid:2017476; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_09_17, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
# MANGLED: sid 2013699's four CRLF pairs originally bracketed tag text that was stripped; as shown it only matches four
# consecutive CRLFs, which detects nothing useful.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit applet landing"; flow:established,from_server; file_data; content:"|0d 0a||0d 0a||0d 0a||0d 0a|"; distance:0; classtype:trojan-activity; sid:2013699; rev:3; metadata:created_at 2011_09_27, former_category EXPLOIT_KIT, updated_at 2011_09_27;)
# sid 2014038: OAID= cookie (OpenX ad server) plus BrowserDetect.init in the body — malvertising served through OpenX.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING OpenX BrowserDetect.init Download"; flow:established,to_client; content:"OAID="; http_cookie; file_data; content:"BrowserDetect.init"; classtype:bad-unknown; sid:2014038; rev:6; metadata:created_at 2011_12_22, updated_at 2011_12_22;)
# sid 2012504: OLE2 magic, then a ZIP local header, then "/media/image" and ".emf" nearby. Same file_data-vs-CRLFCRLF
# caveat as sid 2012503 above: the leading 0D 0A 0D 0A is unlikely to appear inside a response body.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excel with Embedded .emf object downloaded"; flow:established,to_client; file_data; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"| 50 4B 03 04 |"; content:"|2F 6D 65 64 69 61 2F 69 6D 61 67 65 |"; within:64; content:"| 2E 65 6D 66 |"; within:15; classtype:bad-unknown; sid:2012504; rev:8; metadata:created_at 2011_03_15, updated_at 2011_03_15;)
# sid 2022290: pseudo-Darkleech redirector. The content is ?"\x ; the two byte_tests require the byte 5 back from the
# match end (the one just before "?") to be 0x30-0x39, an ASCII digit, i.e. a numeric comparison precedes the escaped
# string. The pcre then demands four consecutive (N<N?"...":"...") ternaries assigned or concatenated.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mon Dec 21 2015 5"; flow:from_server,established; file_data; content:"|3f 22 5c 78|"; fast_pattern; byte_test:1,>,0x2f,-5,relative; byte_test:1,<,0x3a,-5,relative; content:"var "; pcre:"/^\s*?[a-z]+\s*?=\s*?\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b].*?(?<=[\x3d\x2b])\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b].*?(?<=[\x3d\x2b])\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b].*?(?<=[\x3d\x2b])\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b]/Rsi"; reference:url,blog.sucuri.net/2015/12/evolution-of-pseudo-darkleech.html; classtype:trojan-activity; sid:2022290; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_21, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
# sid 2017181: walks the ZIP central directory (PK\x01\x02 entries, 46-byte fixed header = 4 + .{42}) requiring 7+
# lowercase-only class entries in one package directory and ending at the EOCD record (PK\x05\x06). MANGLED: the group
# that (?P=dir) refers to reads "(?P[a-z]{7,}\/)" here — the "<dir>" name was stripped, so the pcre will not compile as
# shown. The negated smartsvn.com header match is presumably a false-positive exclusion.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sibhost/FlimKit/Glazunov Jar with lowercase class names"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:!"smartsvn.com"; http_header; file_data; content:"PK|01 02|"; pcre:"/PK\x01\x02.{42}(?P[a-z]{7,}\/)([a-z$]+\.class)?(\xfe\xca\x00\x00)?(PK\x01\x02.{42}(?P=dir)[a-z$]+\.class){6,}(PK\x01\x02.{42}[0-9a-z$]{5,}(\.[a-z]{3})?)?PK\x05\x06.{18}$/s"; flowbits:set,et.explo!itkitlanding; classtype:trojan-activity; sid:2017181; rev:6; metadata:created_at 2013_07_23, updated_at 2020_06_16;)
# sids 2022312/2022313: bare URI matches "/st1.phtml" and "/lobo.phtml" with no other context — expect false positives if enabled.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mon Dec 26 2015"; flow:to_server,established; content:"/st1.phtml"; http_uri; classtype:trojan-activity; sid:2022312; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mon Dec 26 2015 2"; flow:to_server,established; content:"/lobo.phtml"; http_uri; classtype:trojan-activity; sid:2022313; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
# sid 2022338: exact 18-byte URI "/switch/cookie.php" (urilen:18 + depth:18).
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jan 6th 2016 M1"; flow:established,to_server; urilen:18; content:"GET"; http_method; content:"/switch/cookie.php"; depth:18; http_uri; fast_pattern; classtype:trojan-activity; sid:2022338; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_06, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
# sid 2022339 (noalert; sets et.dridexdoc): empty POST to a ".php" on an IP-literal Host, MSIE 7.0 UA, no Referer.
# The Content-Length match is the only one not bound to http_header (it runs against the raw payload) — inconsistent
# with the rest of the rule. sid 2022340 then alerts on the EXE (MZ + "This program") returned as an attachment.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Dridex Download 6th Jan 2016 Flowbit"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; content:"Content-Length|3a 20|0|0d 0a|"; content:"MSIE 7.0"; http_header; fast_pattern:only; content:!"Referer|3A|"; http_header; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}(?:\x3a\d{1,5})?\r\n/H"; flowbits:set,et.dridexdoc; flowbits:noalert; classtype:trojan-activity; sid:2022339; rev:2; metadata:created_at 2016_01_06, former_category CURRENT_EVENTS, updated_at 2016_01_06;)
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS W32/Dridex Binary Download 6th Jan 2016"; flowbits:isset,et.dridexdoc; flow:established,to_client; content:"Content-Disposition|3A| attachment|3B| filename="; http_header; content:".exe"; http_header; fast_pattern; file_data; content:"MZ"; within:2; content:"This program"; within:100; classtype:trojan-activity; sid:2022340; rev:4; metadata:created_at 2016_01_06, former_category CURRENT_EVENTS, updated_at 2016_01_06;)
# MANGLED: sid 2022341's first pcre has no closing delimiter or flags ("/^\s*?=\s*?[\x22\x27]") and the second is the
# empty "/^\s*?/Rs" — the "<iframe" text between them was stripped; will not load as shown.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jan 6th 2016 M2"; flow:established,from_server; content:"Content-Type|3a 20|application/javascript|3b|"; http_header; file_data; content:"var iframe"; within:13; pcre:"/^\s*?=\s*?[\x22\x27]"; pcre:"/^\s*?/Rs"; content:"document.write(iframe)|3b|"; isdataat:!2,relative; classtype:trojan-activity; sid:2022341; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_07, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
# sid 2022349: Stratum "mining.authorize" over raw TCP whose first param is the hard-coded worker/wallet string
# "CGX2U2oeocN3DTJhyPG2cPg7xpRRTzNZkz" from the referenced JAR backdoor. depth:6 on {"id": pins the JSON key order;
# other wallets are not caught by this rule.
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoinMiner Malicious Authline Seen in JAR Backdoor"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3a 20 22|mining.authorize|22 2c|"; within:100; content:"|22|params|22|"; within:50; content:"|5b 22|CGX2U2oeocN3DTJhyPG2cPg7xpRRTzNZkz|22 2c 20 22|"; distance:0; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,blog.malwaremustdie.org/2016/01/mmd-0049-2016-case-of-java-trojan.html; classtype:trojan-activity; sid:2022349; rev:1; metadata:created_at 2016_01_11, former_category COINMINER, updated_at 2016_01_11;)
# sid 2022481: tail of the admedia injector — the hex is '\"]].join(\"\"));"));/*' and the pcre then requires a
# "/* <32 hex> */" comment marker immediately after.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Compromised WP Feb 01 2016"; flow:established,from_server; file_data; content:"|5c 22 5d 5d 2e 6a 6f 69 6e 28 5c 22 5c 22 29 3b 22 29 29 3b 2f 2a|"; fast_pattern:2,20; pcre:"/^\s*[a-f0-9]{32}\s*\x2a\x2f/R"; reference:url,blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html; classtype:trojan-activity; sid:2022481; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_02, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
# sid 2022496: exact 7-byte URI "/QrQ8Gr".
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 07 2016"; flow:established,to_server; content:"/QrQ8Gr"; http_uri; urilen:7; classtype:trojan-activity; sid:2022496; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_08, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
# sid 2016952: GET /<32 hex>.html with a Referer, to a non-80 port ($EXTERNAL_NET !80) — Nuclear EK landing URI.
#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Probable Nuclear exploit kit landing page"; flow:established,to_server; content:".html"; http_uri; content:"GET"; http_method; pcre:"/^\/[0-9a-f]{32}\.html$/U"; content:"Referer|3a|"; http_header; classtype:bad-unknown; sid:2016952; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_31, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
# sid 2017649: first body byte in 96..127, then NUL triplets at fixed offsets (encrypted payload header shape), only on
# a flow where et.SweetOrangeURI was set. The byte_tests say "relative" directly after file_data with no preceding match
# in that buffer — confirm the intended anchor is the buffer start.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange encrypted payload"; flow:established,to_client; flowbits:isset,et.SweetOrangeURI; file_data; byte_test:1,>,95,0,relative; byte_test:1,<,128,0,relative; content:"|00 00 00|"; distance:1; within:3; content:!"|00|"; within:1; content:"|00 00 00|"; distance:1; within:3; classtype:trojan-activity; sid:2017649; rev:6; metadata:created_at 2013_10_31, former_category CURRENT_EVENTS, updated_at 2013_10_31;)
# sids 2017648/2017706/2019544/2019752: Sweet Orange payload request — long ".php?" URI with several numeric k=v pairs,
# distinguished by client (Java/1. UA; MSIE without Referer; headerless Flash/IE request on a non-80 port;
# WinHttp.WinHttpRequest for CVE-2014-6332). All set et.SweetOrangeURI for sid 2017649; 2019544 is noalert.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Sweet Orange payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; pcre:"/^\/[a-z\_\-]{4,20}\.php\?(?:[a-z\_\-]{4,20}=\d+?&){3,}[a-z\_\-]{4,20}=-?\d+$/U"; content:"Java/1."; http_user_agent; fast_pattern:only; flowbits:set,et.SweetOrangeURI; classtype:trojan-activity; sid:2017648; rev:7; metadata:created_at 2013_10_31, former_category CURRENT_EVENTS, updated_at 2013_10_31;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Sweet Orange IE Payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:" MSIE "; http_header; pcre:"/^\/[a-z\_\-]{4,10}\.php\?([a-z\_\-]{4,10}=\d{1,3}&){7,}[a-z\_\-]{4,10}=-?\d+$/U"; flowbits:set,et.SweetOrangeURI; classtype:trojan-activity; sid:2017706; rev:6; metadata:created_at 2013_11_12, former_category CURRENT_EVENTS, updated_at 2013_11_12;)
#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Possible Sweet Orange Flash/IE Payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; fast_pattern:only; pcre:"/^\/[a-z\_\-]{4,10}\.php\?([a-z\_\-]{0,10}=\d{1,3}&){3,}[a-z\_\-]{4,10}=-?\d+$/U"; content:!"Accept"; http_header; content:!"User-Agent"; http_header; content:!"Referer"; http_header; flowbits:set,et.SweetOrangeURI; flowbits:noalert; classtype:trojan-activity; sid:2019544; rev:6; metadata:created_at 2014_10_28, former_category CURRENT_EVENTS, updated_at 2014_10_28;)
#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Possible Sweet Orange CVE-2014-6332 Payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; pcre:"/^\/[a-z\_\-]{4,10}\.php\?(?:[a-z\_\-]{0,10}=\d+?&){3,}[a-z\_\-]{4,10}=-?[a-z0-9]+$/U"; content:"WinHttp.WinHttpRequest"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; flowbits:set,et.SweetOrangeURI; classtype:trojan-activity; sid:2019752; rev:9; metadata:created_at 2014_11_20, former_category CURRENT_EVENTS, updated_at 2014_11_20;)
# sid 2016371 (noalert): Java/1. user agent fetching a ".jpg" — sets ET.g01pack.Java.Image for a consumer outside this view.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Exploit Kit Java jpg download"; flow:established,to_server; content:".jpg"; http_uri; pcre:"/\.jpg$/U"; content:"Java/1."; http_user_agent; fast_pattern:only; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:trojan-activity; sid:2016371; rev:5; metadata:created_at 2013_02_08, former_category EXPLOIT_KIT, updated_at 2013_02_08;)
# sid 2022565: obfuscator fingerprint — the hex decodes to "){return Math.round(((((" (twice), "=function(){return",
# and "]=String.fromCharCode".
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Feb 23 2016"; flow:established,from_server; file_data; content:"|29 7b 72 65 74 75 72 6e 20 4d 61 74 68 2e 72 6f 75 6e 64 28 28 28 28 28|"; content:"|29 7b 72 65 74 75 72 6e 20 4d 61 74 68 2e 72 6f 75 6e 64 28 28 28 28 28|"; distance:0; content:"|3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e|"; pcre:"/^\s+\d+\x3b\s*\}/R"; content:"|5d 3d 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f 64 65|"; fast_pattern; classtype:trojan-activity; sid:2022565; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_24, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
# sid 2022567: decimal char-code arrays that decode to '=["rv:11","MSIE",];' and "charCodeAt" — IE/Trident
# fingerprinting inside an encoded redirector.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Feb 25 2016"; flow:established,from_server; file_data; content:"|36 31 2c 39 31 2c 33 34 2c 31 31 34 2c 31 31 38 2c 35 38 2c 34 39 2c 34 39 2c 33 34 2c 34 34 2c 33 34 2c 37 37 2c 38 33 2c 37 33 2c 36 39 2c 33 34 2c 34 34 2c 39 33 2c 35 39|"; content:"|39 39 2c 31 30 34 2c 39 37 2c 31 31 34 2c 36 37 2c 31 31 31 2c 31 30 30 2c 31 30 31 2c 36 35 2c 31 31 36|"; classtype:trojan-activity; sid:2022567; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_25, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
# MANGLED: sid 2018146's content begins with a pcre fragment ("[^\.]+)\s*?...") and (?P=var) refers to a group that no
# longer exists — the leading "<script" content and the pcre keyword with its "(?P<var>" group were stripped; will not
# load as shown. (The intent, a "while (x.length < <big number>) { x = x + x }" spray loop, is still readable.)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic HeapSpray Construct"; flow:established,to_client; file_data; content:"[^\.]+)\s*?\.\s*?length\s*<\s*(?:0?[0-9]{5,}|0x[a-z0-9]{3,})[^)]+\)\s*?\{\s*?(?P=var)\s*?=\s*?(?P=var)\s*?\+\s*?(?P=var)\s*?\}/Rsi"; content:"getElementsByClassName"; distance:0; content:"CollectGarbage"; distance:0; classtype:bad-unknown; sid:2018146; rev:4; metadata:created_at 2014_02_14, updated_at 2014_02_14;)
# sid 2022479: EITest Flash redirect — CSS "z-index:-1;", then "opacity:0;filter:alpha(opacity=0); -moz-opacity:0;">",
# then the Shockwave Flash ActiveX CLSID d27cdb6e-ae6d-11cf-96b8-444553540000 within 500 bytes: an invisible Flash object.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Evil Redirect Leading to EK Feb 01 2016"; flow:established,from_server; file_data; content:"|7a 2d 69 6e 64 65 78 3a 2d 31 3b|"; content:"|6f 70 61 63 69 74 79 3a 30 3b 66 69 6c 74 65 72 3a 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 30 29 3b 20 2d 6d 6f 7a 2d 6f 70 61 63 69 74 79 3a 30 3b 22 3e|"; fast_pattern:32,20; distance:0; content:"|63 6c 73 69 64 3a 64 32 37 63 64 62 36 65 2d 61 65 36 64 2d 31 31 63 66 2d 39 36 62 38 2d 34 34 34 35 35 33 35 34 30 30 30 30|"; nocase; within:500; reference:url,malware-traffic-analysis.net/2016/01/26/index.html; classtype:trojan-activity; sid:2022479; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_01, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
# sid 2022620: literal injector — "/*global JSON2:true */\ndocument.write("<div style='width: 300px; height: 300px;
# position: absolute; left:-500px; top: -500px;'><iframe src=" ... "width='250' height='250'></iframe></div>");" with
# nothing after it (isdataat:!10): an off-screen iframe appended to the page.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 15 2016 M1"; flow:established,from_server; file_data; content:"|2f 2a 67 6c 6f 62 61 6c 20 4a 53 4f 4e 32 3a 74 72 75 65 20 2a 2f 0a 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; content:"|77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; distance:0; isdataat:!10,relative; classtype:trojan-activity; sid:2022620; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_15, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
# sid 2022621: URI beginning "/track/k.track?wd=" with "fid=" and "rds=" parameters.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 15 2016 M2"; flow:established,to_server; content:"/track/k.track?wd="; http_uri; depth:18; content:"fid="; http_uri; content:"rds="; http_uri; classtype:trojan-activity; sid:2022621; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_15, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
# sid 2022628: cookie-gated redirect — "RegExp('" ... "'+'=([^;]){1,}');" (cookie lookup by name),
# ";d.setDate(d.getDate()+1);" (one-day expiry) and an "<iframe" later in the body.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Mar 18 2016"; flow:from_server,established; file_data; content:"|52 65 67 45 78 70 28 27|"; content:"|27 2b 27 3d 28 5b 5e 3b 5d 29 7b 31 2c 7d 27 29 3b|"; distance:32; within:17; content:"|3b 64 2e 73 65 74 44 61 74 65 28 64 2e 67 65 74 44 61 74 65 28 29 2b 31 29 3b|"; content:"|3c 69 66 72 61 6d 65|"; distance:0; classtype:trojan-activity; sid:2022628; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_18, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
# (last rule is cut at the end of this view — "Mar 19 2016 M1", a variant of sid 2022620 with the injector split in two contents)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 19 2016 M1"; flow:established,from_server; file_data; content:"|2f 2a 67 6c 6f 62 61 6c 20 4a 53 4f 4e 32 3a 74 72 75 65 20 2a 2f|"; content:"|28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 
20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70|"; distance:0; content:"|77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; distance:0; classtype:trojan-activity; sid:2022629; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_19, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 19 2016 M2"; flow:established,to_server; content:"/imp/one.trk?wid="; http_uri; classtype:trojan-activity; sid:2022630; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_19, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading To EK Mar 22 2016"; flow:established,from_server; file_data; content:"|6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 2e 55 41 20 3d 20 55 41|"; content:"|2e 73 70 6c 69 74 28 22 2c 22 29 2c 20 69 3d 30 2c 20 6b 3b 20 66 6f 72 20 28 3b 20 6b 20 3d 20 61 5b 69 5d 2c 20 69 20 3c 20 61 2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 20 72 2e 70 75 73 68 28|"; content:"|2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 20 7b 20 74 72 79 20 7b 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28|"; classtype:trojan-activity; sid:2022635; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil EXE download from WinHttpRequest non-exe extension"; 
flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.WinHttpRequest.no.exe.request; classtype:trojan-activity; sid:2022653; rev:2; metadata:created_at 2016_03_24, updated_at 2016_03_24;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK EITest Mar 27"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"Cookie|3a|"; content:!"[DYNAMIC]"; http_header; pcre:"/^\/(?=[a-z][a-z\x2f]*\d[a-z\x2f]+\d[a-z\x2f]+\d[a-z\x2f]+\d[a-z\x2f]+\d)[a-z0-9\x2f]+\/$/U"; classtype:trojan-activity; sid:2022666; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK EITest Mar 27 M2"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!"Cookie|3a|"; pcre:"/^\/(?=[a-z][a-z\x2f]*-[a-z\x2f]+-)[a-z\x2f-]+\/$/U"; classtype:trojan-activity; sid:2022682; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_29, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RIG Exploit URI Struct March 20 2015"; flow:established,to_server; urilen:>220; content:"/index.php?"; http_uri; depth:11; content:"=l3S"; 
fast_pattern; http_uri; offset:26; depth:4; content:"/?"; http_header; content:"=l3S"; http_header; pcre:"/^\/index\.php\?[A-Za-z0-9_-]{15}=l3S/U"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2020721; rev:3; metadata:created_at 2015_03_20, updated_at 2020_06_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK April 12 2016 M1"; flow:established,to_server; content:"/2016/less/ing/frame.html"; http_uri; classtype:trojan-activity; sid:2022724; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_12, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK April 12 2016 M2"; flow:established,from_server; file_data; content:"|3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 3e 76 61 72 20 6c 3d 27 68 74 74 70 3a|"; content:"|3b 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 27 2b 27 73 63 72 69 70 74 20 74 79 70 65 3d 5c 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 5c 27 20 73 72 63 3d 5c 27 27 2b 6c 2b 27 5c 27 3e 3c 27 2b 27 2f 73 63 72 69 70 74 3e 27 29 3b 3c 2f 73 63 72 69 70 74 3e|"; distance:0; classtype:trojan-activity; sid:2022725; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_12, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Exploit Struct Jan 23 2015"; flow:established,to_server; urilen:50<>151; content:"GET /"; byte_test:1,>,64,0,relative; byte_test:1,<,91,0,relative; pcre:"/^\/[A-Z](?=[A-Za-z]{0,148}\d)[A-Za-z0-9]{49,148}$/U"; content:".htm"; http_header; fast_pattern:only; content:"Referer|3a 20|"; http_header; 
pcre:"/^http\x3a\/\/[^\x2f]+\/[A-Z](?=[a-z0-9]+[A-Z])(?=[A-Z0-9]+[a-z])[A-Za-z0-9]{9,}\.html?\r?$/RHmi"; classtype:trojan-activity; sid:2020300; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY EgyPack Exploit Kit Cookie Set"; flow:established,from_server; content:"Cookie|3a| visited=TRUE"; http_header; content:"Cookie|3a| mutex="; http_raw_header; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:bad-unknown; sid:2014407; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_21, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2020_06_30;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Unknown - news=1 in http_cookie"; flow:established,to_client; content:"Set-Cookie|3a| news=1"; http_raw_header; classtype:bad-unknown; sid:2014438; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;) alert tcp any !80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Open MGate Device"; flow:established,from_server; content:"Model name|20|"; pcre:"/^\x20+\x3a\x20MGate/R"; content:"|0d 00 0a|MAC address|20|"; distance:0; pcre:"/^\x20+\x3a\x20(?:[0-9A-F]{2}\x3a){5}[0-9A-F]{2}\x0d\x00\x0a/R"; classtype:successful-admin; sid:2022732; 
rev:2; metadata:created_at 2016_04_14, updated_at 2016_04_14;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 20 2016"; flow:established,to_server; urilen:5; content:"/get2"; http_uri; content:"bc3ad="; http_cookie; classtype:trojan-activity; sid:2022751; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_20, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 21 2016 M2"; flow:established,to_server; content:"/idx.aspx?sid="; http_uri; content:"&bcOrigin="; http_uri; content:"&rnd="; http_uri; distance:0; classtype:trojan-activity; sid:2022752; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_21, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 27 2016"; flow:established,from_server; flowbits:isset,ET.WordJS; content:"Content-Type|3a 20|text/html|3b 20|charset=utf-8|0d 0a|"; http_header; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK (delivered via e-mail)"; flow:established,from_server; file_data; content:"|3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 69 6e 6b 2d 70 72 6f 64 75 63 74 73 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 70 6c 65 61 73 65 2d 77 61 69 74 2e 67 69 66 22|"; nocase; fast_pattern:17,20; content:"|61 6c 74 3d 22 50 6c 65 61 73 65 20 77 61 69 74 2e 2e 2e 22 2f 3e|"; nocase; content:"|3c 69 66 72 61 6d 65 20 73 72 63 3d|"; nocase; classtype:trojan-activity; sid:2022779; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_05_03, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;) alert 
http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Router DNS Changer Apr 07 2015 M2"; flow:established,from_server; file_data; content:"|22 5c 78 35 32 5c 78 35 34 5c 78 34 33 5c 78 35 30 5c 78 36 35 5c 78 36 35 5c 78 37 32 5c 78 34 33 5c 78 36 46 5c 78 36 45 5c 78 36 45 5c 78 36 35 5c 78 36 33 5c 78 37 34 5c 78 36 39 5c 78 36 46 5c 78 36 45 22|"; content:!"vidzi.tv|0d 0a|"; reference:url,malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html; classtype:trojan-activity; sid:2020896; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_13, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK May 13 2016"; flow:established,from_server; file_data; content:"|3c 74 69 74 6c 65 3e 53 65 61 72 63 68 3c 2f 74 69 74 6c 65 3e|"; content:"|23 6c 6c 6c 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 6c 65 66 74 3a 2d|"; fast_pattern; content:"|3c 64 69 76 20 69 64 3d 22 6c 6c 6c 22 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; classtype:trojan-activity; sid:2022805; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_05_13, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Mailbox Update Phishing Landing M1 2016-05-16"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Mail Settings"; nocase; fast_pattern; content:"upgrade your mailbox"; nocase; distance:0; content:"Mail Administrator"; nocase; distance:0; classtype:trojan-activity; sid:2025677; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_05_16, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_10;) alert http 
$EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Mailbox Update Phishing Landing M2 2016-05-16"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Email Upgrade"; nocase; fast_pattern; content:"Confirm your account"; nocase; distance:0; content:"Mail Administrator"; nocase; distance:0; classtype:trojan-activity; sid:2025676; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_05_16, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_10;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jun 06 2016"; flow:established,from_server; file_data; content:"|28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70|"; fast_pattern:77,20; content:"name=|27|"; distance:0; content:"|27|"; distance:12; within:1; content:"|20 77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; within:44; classtype:trojan-activity; sid:2022869; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_06, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2020_08_20;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS EXE Download from specific file share site (used in recent maldoc campaign)"; flow:to_server,established; content:".exe"; http_uri; content:"Host|3a 20|a.pomf.cat|0d 0a|"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; reference:md5,c321f38862a24dc8a72a251616b3afdf; classtype:trojan-activity; sid:2022884; rev:2; 
metadata:created_at 2016_06_09, former_category CURRENT_EVENTS, updated_at 2020_07_14;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Hidden Javascript Redirect - Possible Phishing Jun 17"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|application/x-javascript"; http_header; file_data; content:"data_receiver_url"; fast_pattern; nocase; content:"redirect_url"; nocase; distance:0; content:"current_page"; nocase; distance:0; content:"cc_data"; nocase; distance:0; content:"document"; nocase; distance:0; pcre:"/^\s*\.\s*location\s*\.\s*href\s*=\s*redirect_url/Rsi"; reference:url,myonlinesecurity.co.uk/very-unusual-paypal-phishing-attack/; classtype:trojan-activity; sid:2022905; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_06_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_10_13;) #alert tcp $EXTERNAL_NET [443,465,993,995,25] -> $HOME_NET any (msg:"ET CURRENT_EVENTS excessive fatal alerts (possible POODLE attack against client)"; flow:from_server,established; ssl_version:sslv3; content:"|15 03 00 00|"; depth:4; byte_jump:2,3,post_offset -1; isdataat:!2,relative; threshold:type both, track by_dst, count 50, seconds 300; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:cve,2014-3566; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019417; rev:4; metadata:created_at 2014_10_15, updated_at 2016_06_21;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Payload Jul 05 2016"; flow:established,from_server; file_data; content:"|3b 2d dd 4b 40 77 77 41|"; within:8; classtype:trojan-activity; sid:2022949; rev:2; metadata:affected_product 
Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2016_07_05;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 10 M2"; flow:established,from_server; file_data; content:"|76 61 72 20 66 72 61 67 6d 65 6e 74 20 3d 20 63 72 65 61 74 65 28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70 3a|"; classtype:trojan-activity; sid:2022956; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_07_11;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading To EK Jul 10 M1"; flow:established,to_server; content:".js?chebstr=0."; http_uri; pcre:"/\.js\?chebstr=0\.\d+$/U"; classtype:trojan-activity; sid:2022957; rev:2; metadata:created_at 2016_07_11, updated_at 2016_07_11;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 13 2016 2"; flow:established,to_server; content:"POST"; http_method; content:".swf"; nocase; http_header; content:"|4d 61 6e 75 66 75 63 6b|"; nocase; http_client_body; content:"|4d 61 63 72 6f 77 69 6e|"; nocase; http_client_body; classtype:trojan-activity; sid:2022964; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_13, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_07_13;) #alert http 
$EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible malicious zipped-executable"; flow:established,from_server; file_data; content:"PK|01 02|"; within:4; content:".xla"; nocase; content:"PK|05 06|"; within:52; content:"|01 00 01 00|"; distance:4; within:4; classtype:trojan-activity; sid:2018086; rev:5; metadata:created_at 2014_02_06, updated_at 2016_07_13;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Phishing Landing Obfuscation 2016-03-17"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious SMTP Settings in XLS - Possible Phishing Document"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-type|3a 20|application/vnd.ms-excel"; http_header; file_data; content:"/configuration/sendusing"; nocase; fast_pattern; content:"/configuration/smtpserver"; nocase; distance:0; content:"/configuration/smtpauthenticate"; nocase; distance:0; content:"/configuration/sendusername"; nocase; distance:0; content:"/configuration/sendpassword"; nocase; distance:0; reference:md5,710ea2ed2c4aefe70bf082b06b82818a; reference:url,symantec.com/connect/blogs/malicious-macros-arrive-phishing-emails-steal-banking-information; classtype:trojan-activity; sid:2022974; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_07_18, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2017_10_13;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Mar 30 M3"; flow:established,to_client; file_data; content:"try "; content:"= new ActiveXObject"; distance:0; content:"catch"; distance:0; content:"=|20 22|Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi|22|,"; content:"=|20 22|Kaspersky.IeVirtualKeyboardPluginSm.JavascriptApi|22|,"; content:".location="; distance:0; 
classtype:trojan-activity; sid:2022984; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_26, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_07_26;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading To EK Jul 30 M1"; flow:established,to_server; content:".js?chbstr=0."; http_uri; pcre:"/\.js\?chbstr=0\.\d+$/U"; classtype:trojan-activity; sid:2022995; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_30, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_30;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Wells Fargo Mobile Phishing Landing 2016-08-01"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"content=|22|Please verify"; nocase; content:"Wells Fargo"; fast_pattern; nocase; distance:0; content:"your account is disabled"; nocase; distance:0; classtype:trojan-activity; sid:2025670; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Aug1 2016"; flow:established,from_server; file_data; content:"|76 61 72 20 68 65 61 64 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 27 62 6f 64 79 27 29 5b 30 5d 3b 20 76 61 72 20 73 63 72 69 70 74 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 73 63 72 69 70 74 2e 73 72 63 3d 20 22 2f 2f|"; pcre:"/^[^\r\n\x22\?]+[&?][^=\r\n\x22]+=[a-f0-9]+[^\r\n\x22\?]*[&?][^=\r\n\x22]+=[a-f0-9]+\x22\s*\x3b\s*head\.appendChild\(\s*script\s*\)\x3b/R"; 
classtype:trojan-activity; sid:2022998; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_08_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Adobe Shared Document Phish Aug 11 2016"; flow:to_server,established; flowbits:isset,ET.GenericPhish_Adobe; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023048; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_11, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2017_07_12;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Email Storage Upgrade Phishing Landing 2016-08-15"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Login Authorization"; fast_pattern; nocase; content:"STORAGE UPGRADE"; nocase; distance:0; content:"Global Internet Administration!"; nocase; distance:0; classtype:trojan-activity; sid:2023062; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Payload Jun 26 2016"; flow:established,from_server; file_data; content:"|2c 2d dd 4b 40 44 77 41|"; within:9; classtype:trojan-activity; sid:2022916; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_06_26, deployment Perimeter, performance_impact Low, signature_severity Major, 
updated_at 2016_08_16;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Grey Advertising Often Leading to EK"; flow:established,from_server; file_data; content:"|69 66 20 28 62 65 66 6f 72 65 53 63 72 69 70 74 53 72 63 20 26 26 20 74 79 70 65 6f 66 20 62 65 66 6f 72 65 53 63 72 69 70 74 53 72 63 20 3d 3d 3d 20 27 73 74 72 69 6e 67 27 29|"; content:"|66 75 6e 63 74 69 6f 6e 20 28 73 72 63 2c 20 61 73 79 6e 63 2c 20 62 65 66 6f 72 65 53 63 72 69 70 74 53 72 63 2c 20 63 61 6c 6c 62 61 63 6b 29|"; reference:url,www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=854; classtype:trojan-activity; sid:2021763; rev:3; metadata:created_at 2015_09_12, updated_at 2016_08_17;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Netflix Phish Aug 17 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"firstName="; depth:10; nocase; fast_pattern; http_client_body; content:"&lastName="; nocase; http_client_body; distance:0; content:"&cardNumber="; nocase; http_client_body; distance:0; content:"&authURL="; nocase; http_client_body; distance:0; content:"&encryptedOaepLen="; nocase; http_client_body; distance:0; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023072; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_17, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2017_07_12;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Netflix Phishing Landing 2016-08-17"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Netflix"; nocase; fast_pattern; content:"Update Your Payment Information"; nocase; distance:0; content:"Please update your payment information"; nocase; distance:0; content:"not be charged for the days you missed"; 
nocase; distance:0; classtype:trojan-activity; sid:2023073; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_17, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Aug 17 2016"; flow:established,to_client; file_data; content:"|64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 69 66 27 2b 27 72 61 27 2b 27 6d 65 27 29 3b|"; nocase; fast_pattern:19,20; content:"|2e 73 74 79 6c 65 2e 70 6f 73 69 74 69 6f 6e 20 3d 20 27 61 62 27 2b 27 73 6f 6c 27 2b 27 75 74 65 27 3b|"; distance:0; nocase; content:"setAttribute"; nocase; pcre:"/^\s*\(\s*[\x22\x27]id[\x22\x27]\s*,\s*?(?P<var>[^,\x29\s\x3b]+)\s*\x29.*?\.appendChild\s*\(\s*(?P=var)/Rsi"; classtype:trojan-activity; sid:2023074; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_08_17, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_08_17;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jun 14 2016"; flow:established,from_server; file_data; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 64 69 76|"; within:20; pcre:"/^(?:\x20id=\x22\d+\x22)?\x20style=\x22(?=[^\x22\r\n]*top\x3a\x20-\d{3}px\x3b)(?=[^\x22\r\n]*left\x3a-\d{3}px\x3b)(?=[^\x22\r\n]*position\x3a\x20absolute\x3b)[^\x22\r\n]*\x22>\x20<iframe[^\r\n>]*><\x2f/R";content:"|69 27 2b 27 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 27 29 3b|"; within:19; fast_pattern; isdataat:!4,relative; classtype:trojan-activity; sid:2022898; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_15, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_08_19;) alert http 
$EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Office 365 Phishing Landing 2016-08-24"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta name=|22|SiteID|22 20|content=|22 22|"; nocase; content:"<meta name=|22|ReqLC|22 20|content=|22|1033|22|"; fast_pattern; nocase; distance:0; content:"<meta name=|22|LocLC|22 20|content="; nocase; distance:0; content:"microsoftonline-p.com"; nocase; distance:0; content:"id=|22|credentials|22|"; nocase; distance:0; content:!"action=|22|/common/login|22|"; nocase; distance:0; within:50; threshold:type limit, track by_src, count 1, seconds 30; classtype:trojan-activity; sid:2025673; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_24, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2020_08_19;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Landing Feb 26"; flow:to_server,established; content:"GET"; http_method; content:".html"; http_uri; content:"rackcdn.com|0d 0a|"; http_header; fast_pattern; pcre:"/^\/[a-zA-Z0-9]+\.html$/U"; pcre:"/\x0d\x0aHost\x3a\x20[a-f0-9]{20}-[a-f0-9]{32}\.r[0-9]{1,2}\.cf[0-9]\.rackcdn\.com\x0d\x0a/H"; classtype:trojan-activity; sid:2022574; rev:3; metadata:created_at 2016_02_29, former_category CURRENT_EVENTS, updated_at 2016_08_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Google Drive Phish Landing 2016-09-01"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function popupwnd"; fast_pattern; nocase; content:"javascript|3a|popupwnd"; nocase; distance:0; content:"liamg"; nocase; distance:0; content:"javascript|3a|popupwnd"; nocase; distance:0; content:"kooltuo"; nocase; distance:0; 
classtype:trojan-activity; sid:2025684; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2014-6332 Sep 01 2016 (HFS Actor) M1"; flow:established,from_server; file_data; content:"|26 63 68 72 77 28 32 31 37 36 29 26 63 68 72 77 28 30 31 29 26|"; nocase; content:"|26 63 68 72 77 28 33 32 37 36 37 29|"; nocase; content:"|73 65 74 6e 6f 74 73 61 66 65 6d 6f 64 65 28 29|"; nocase; content:"|72 75 6e 73 68 65 6c 6c 63 6f 64 65 28 29|"; nocase; reference:cve,2014-6332; classtype:trojan-activity; sid:2023145; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, malware_family IEiExploit, performance_impact Low, signature_severity Major, updated_at 2016_09_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2014-6332 Sep 01 2016 (HFS Actor) M2"; flow:established,from_server; content:"Server|3a 20|HFS|20|"; http_header; file_data; content:"|6f 62 6a 57 73 68 2e 72 75 6e 20 22 43 3a 5c 57 69 6e 64 6f 77 73 5c 54 65 6d 70 5c 70 75 74 74 79 2e 65 78 65 22|"; nocase; reference:cve,2014-6332; classtype:trojan-activity; sid:2023146; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, malware_family IEiExploit, performance_impact Low, signature_severity Major, updated_at 2020_07_27;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS iCloud Phishing Landing 2016-09-02"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>iCloud"; fast_pattern; nocase; content:"apple.com"; nocase; distance:0; content:"iCloud Settings"; nocase; distance:0; 
content:"<form"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; classtype:trojan-activity; sid:2024230; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing_07012016, updated_at 2020_07_27;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Encoded CVE-2014-6332 (As Observed in SunDown EK) M1"; flow:established,to_client; file_data; content:"|43 68 72 28 39 39 29 20 26 20 43 68 72 28 31 30 34 29 20 26 20 43 68 72 28 31 31 34 29 20 26 20 43 68 72 28 31 31 39 29 20 26 20 43 68 72 28 34 30 29 20 26 20 43 68 72 28 35 31 29 20 26 20 43 68 72 28 35 30 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 35 34 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 34 31 29|"; classtype:trojan-activity; sid:2023151; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, signature_severity Major, updated_at 2016_09_02;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Encoded CVE-2014-6332 (As Observed in SunDown EK) M2"; flow:established,to_client; file_data; content:"|43 68 72 28 39 39 29 20 26 20 43 68 72 28 31 30 34 29 20 26 20 43 68 72 28 31 31 34 29 20 26 20 43 68 72 28 31 31 39 29 20 26 20 43 68 72 28 34 30 29 20 26 20 43 68 72 28 35 30 29 20 26 20 43 68 72 28 34 39 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 35 34 29|"; classtype:trojan-activity; sid:2023152; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, signature_severity Major, updated_at 2016_09_02;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Encoded CVE-2014-6332 (As Observed in SunDown EK) M3"; flow:established,to_client; file_data; content:"|43 68 72 28 33 32 29 20 26 20 43 68 72 28 31 31 35 29 20 
26 20 43 68 72 28 31 30 31 29 20 26 20 43 68 72 28 31 31 36 29 20 26 20 43 68 72 28 31 31 30 29 20 26 20 43 68 72 28 31 31 31 29 20 26 20 43 68 72 28 31 31 36 29 20 26 20 43 68 72 28 31 31 35 29 20 26 20 43 68 72 28 39 37 29 20 26 20 43 68 72 28 31 30 32 29 20 26 20 43 68 72 28 31 30 31 29 20 26 20 43 68 72 28 31 30 39 29 20 26 20 43 68 72 28 31 31 31 29 20 26 20 43 68 72 28 31 30 30 29 20 26 20 43 68 72 28 31 30 31 29|"; classtype:trojan-activity; sid:2023153; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, signature_severity Major, updated_at 2016_09_02;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Inject (compromised site) Sep 12 2016"; flow:established,from_server; file_data; content:"|25 32 32 25 37 30 25 36 66 25 37 33 25 36 39 25 37 34 25 36 39 25 36 66 25 36 65 25 33 61 25 32 30 25 36 31 25 36 32 25 37 33 25 36 66 25 36 63 25 37 35 25 37 34 25 33 62|"; nocase; classtype:trojan-activity; sid:2023188; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, tag Redirector, updated_at 2016_09_12;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Inject (compromised site) M2 Sep 12 2016"; flow:established,from_server; file_data; content:"|25 33 62 25 36 36 25 36 39 25 36 63 25 37 34 25 36 35 25 37 32 25 33 61 25 36 31 25 36 63 25 37 30 25 36 38 25 36 31 25 32 38 25 36 66 25 37 30 25 36 31 25 36 33 25 36 39 25 37 34 25 37 39 25 33 64 25 33 30 25 32 39 25 33 62 25 32 30 25 32 64 25 36 64 25 36 66 25 37 61 25 32 64 25 36 66 25 37 30 25 36 31 25 36 33 25 36 39 25 37 34 25 37 39 25 33 61 25 33 30 25 33 62 25 32 32 25 33 65|"; nocase; classtype:trojan-activity; sid:2023189; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target 
Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, tag Redirector, updated_at 2016_09_12;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK EITest Sep 02 M2"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!"Cookie|3a|"; pcre:"/^\/(?=[a-z\d]+[+-][a-z\d]+[+-][a-z\d]+[+-])[a-z\d+-]*\/$/U"; classtype:trojan-activity; sid:2023150; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category EXPLOIT_KIT, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_09_12;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b641)"; flow:established,from_server; file_data; content:"RnVuY3Rpb24gbGVha01lbS"; classtype:attempted-admin; sid:2023190; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b642)"; flow:established,from_server; file_data; content:"Z1bmN0aW9uIGxlYWtNZW0g"; classtype:attempted-admin; sid:2023191; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 
2016_09_12;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b643)"; flow:established,from_server; file_data; content:"GdW5jdGlvbiBsZWFrTWVtI"; classtype:attempted-admin; sid:2023192; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b644)"; flow:established,from_server; file_data; content:"cHJlZml4ICYgIiV1MDAxNiV1NDE0MSV1NDE0MSV1NDE0MSV1NDI0MiV1NDI0Mi"; classtype:attempted-admin; sid:2023193; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b645)"; flow:established,from_server; file_data; content:"ByZWZpeCAmICIldTAwMTYldTQxNDEldTQxNDEldTQxNDEldTQyNDIldTQyNDIi"; classtype:attempted-admin; sid:2023194; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b646)"; flow:established,from_server; file_data; content:"wcmVmaXggJiAiJXUwMDE2JXU0MTQxJXU0MTQxJXU0MTQxJXU0MjQyJXU0MjQyI"; classtype:attempted-admin; sid:2023195; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment 
Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Sep 12 2016 T2"; flow:established,from_server; file_data; content:".split"; nocase; pcre:"/^\s*\(\s*[\x22\x27][\x00-\x09\x80-\xff][\x22\x27]\s*\)\s*\x3b\s*[A-Za-z0-9]+\s*=\s*[\x22\x27]/Rsi"; content:"|01 2e 02 3c 03 3e 04 3d 05 5c 22 06 5c 27 07 29|"; fast_pattern; within:16; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023196; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family RIG, performance_impact Low, signature_severity Major, updated_at 2016_09_12;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Sep 13 2016 (b641)"; flow:established,from_server; file_data; content:"KyAnPHBhcmFtIG5hbWU9Rmxhc2hWYXJzIHZhbHVlPSJpZGRxZD"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023198; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_13, deployment Perimeter, malware_family RIG, signature_severity Major, updated_at 2020_08_19;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Sep 13 2016 (b642)"; flow:established,from_server; file_data; content:"sgJzxwYXJhbSBuYW1lPUZsYXNoVmFycyB2YWx1ZT0iaWRkcWQ9"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023199; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_13, deployment Perimeter, malware_family RIG, signature_severity Major, updated_at 2020_08_19;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK 
Landing Sep 13 2016 (b643)"; flow:established,from_server; file_data; content:"rICc8cGFyYW0gbmFtZT1GbGFzaFZhcnMgdmFsdWU9ImlkZHFkP"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023200; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_13, deployment Perimeter, malware_family RIG, signature_severity Major, updated_at 2020_08_19;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 19 2016"; flow:established,from_server; file_data; content:"|29 2b 22 2e 49 65 56 22 2b|"; fast_pattern; content:"|29 2b 22 58 4f 22 2b|"; content:"|6e 65 77 20 77 69 6e 64 6f 77 5b 22 41 22 2b|"; content:"|29 7b 72 65 74 75 72 6e|"; content:"|2e 74 6f 53 74 72 69 6e 67|"; classtype:trojan-activity; sid:2023248; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_19, deployment Perimeter, malware_family EvilRedirector, malware_family Magnitude, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_09_19;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 19 2016 (EItest Inject)"; flow:established,from_server; file_data; content:"3a-20-61-62-73-6f-6c-75-74-65-3b-7a-2d-69-6e-64-65-78-3a-2d-31-3b"; nocase; classtype:trojan-activity; sid:2023250; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_19, deployment Perimeter, malware_family EvilTDS, malware_family EITest, signature_severity Major, tag Redirector, updated_at 2016_09_19;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 19 2016 (EItest Inject) M2"; flow:established,from_server; 
file_data; content:"|32 32 2d 36 66 2d 37 30 2d 36 31 2d 37 31 2d 37 35 2d 36 35 2d 32 32 2d 32 66 2d 33 65 2d 33 63 2d 32 66 2d 36 66 2d 36 32 2d 36 61 2d 36 35 2d 36 33 2d 37 34 2d 33 65 2d 30 64 2d 30 61 2d 33 63 2d 32 66 2d 36 34 2d 36 39 2d 37 36 2d 33 65 22 2e 72 65 70 6c 61 63 65 28 2f 2d 2f 67 2c 20 22 25 22 29 3b 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65|"; nocase; classtype:trojan-activity; sid:2023251; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_19, deployment Perimeter, malware_family EvilTDS, malware_family EITest, signature_severity Major, tag Redirector, updated_at 2016_09_19;) #alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query to Ebay Phishing Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|107sbtd9cbhsbtd5d80"; fast_pattern; distance:0; nocase; threshold:type limit, track by_src, count 1, seconds 30; classtype:trojan-activity; sid:2023180; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing_07012016, updated_at 2017_07_12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Square Enix Phishing Domain 2016-08-15"; flow:to_server,established; content:"GET"; http_method; content:"square-enix.com"; http_header; fast_pattern; content:!"square-enix.com|0d 0a|"; http_header; pcre:!"/^Referer\x3a[^\r\n]+square-enix\.com/Hmi"; classtype:trojan-activity; sid:2023065; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK NOP Sled Sep 22 2016 (b641)"; 
flow:established,from_server; file_data; content:"LGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdIF";flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023271; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK NOP Sled Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"pdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NVEX";flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023272; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK NOP Sled Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGYUJ";flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023273; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_19;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK Slight Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"x7soyTdaNq94NWpdLGZ4NWpd";flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023274; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product 
Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK Slight Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"MlADchNaR0LGZ4NWpdLGZ4N";flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023275; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_19;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK Slight Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"azTEhyWNbKGpdLGZ4NWpdLG";flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023276; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_19;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2015-0016 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"wSNfF6IsxmIHAD8ewTEVACMiwT0d"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023277; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_22, cve CVE_2015_0016, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2015-0016 Sep 22 
2016 (b642)"; flow:established,from_server; file_data; content:"IaOoM9BCQ9FnEgy6IoITEaz6Iex"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023278; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_22, cve CVE_2015_0016, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2015-0016 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"9xb4GwTUbwUQoyD09AFIox7g9y6"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023279; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_22, cve CVE_2015_0016, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_19;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2016-0189 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"yTEsz98oyHssxnxc"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023280; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2016-0189 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"coBDgMAD9lBCQmN"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023281; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity 
Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2016-0189 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"hADUiGDEgPTUbAa"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023282; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_19;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2013-2551 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"ATUazSM9vDcoOnUbxnU4Oncoynw9z"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023283; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2013-2551 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"Isx7sawSohAH4sxmQsvH4hAD4mwT"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023284; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2013-2551 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"pBCMlx6I4yTFfBCQbBCpfyTEfA6Il"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023285; rev:2; metadata:affected_product 
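Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
# CVE-2014-0195 (OpenSSL DTLS fragment handling). The three UDP rules below are identical apart from
# the record-layer version bytes and are open to any port, so the anchoring content is what keeps
# them cheap: it pins a fixed-size 13-byte DTLS record header (type 1, version 2, epoch 2,
# sequence 6, length 2) with type 0x16 (handshake), epoch 0 and a sequence number below 256.
# "|01|" at distance:3 is then the handshake msg_type byte (ClientHello) at record offset 13.
# Relative to that byte the handshake header is length(3) at 0, message_seq(2) at 3,
# fragment_offset(3) at 5 and fragment_length(3) at 8. The two byte_tests require length and
# fragment_length to be non-zero; byte_extract saves *length* (the variable name frag_len is
# misleading - this is the whole-message length, not fragment_length); the final byte_test alerts
# when a later length field disagrees with it, the inconsistent-length condition the msg refers to.
# NOTE(review): byte_jump:3,5,relative reads fragment_offset, not fragment_length (offset 8). For a
# first fragment (fragment_offset 0) the cursor therefore lands on fragment_length itself, so the
# second "|01|" and the length comparison are evaluated at the high byte of fragment_length rather
# than at a following fragment's msg_type. Confirm against a capture of the public PoC before
# relying on these; not changed here because the intended layout is not visible in this file.
# Fixed (sid:2018559 rev 3): the pre-1.0 variant anchored on 9 bytes ("16 01 00" + 2 epoch +
# 4 sequence bytes) while the 1.0/1.2 variants anchor on 10, so every relative offset that follows
# landed one byte early (distance:3 hit the low byte of the record length instead of msg_type).
# Version 0x0100 is the pre-RFC DTLS version OpenSSL still accepts; its record header is the same
# 13 bytes, so the anchor is padded to 10 bytes to match its siblings. updated_at left as-is.
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS DTLS Pre 1.0 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 01 00 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; byte_extract:3,0,frag_len,relative; byte_jump:3,5,relative; content:"|01|"; within:1; byte_test:3,!=,frag_len,0,relative; reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018559; rev:3; metadata:created_at 2014_06_13, updated_at 2014_06_13;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS DTLS 1.0 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 fe ff 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; byte_extract:3,0,frag_len,relative; byte_jump:3,5,relative; content:"|01|"; within:1; byte_test:3,!=,frag_len,0,relative; reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018560; rev:2; metadata:created_at 2014_06_13, updated_at 2020_08_19;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS DTLS 1.2 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 fe fd 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; byte_extract:3,0,frag_len,relative; byte_jump:3,5,relative; content:"|01|"; within:1; byte_test:3,!=,frag_len,0,relative; reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018561; rev:3; metadata:created_at 2014_06_13, updated_at 2014_06_13;)
# sid:2023303 (disabled): off-screen div ("left:-500px; top: -500px;'> <iframe src=") followed by a
# 250x250 iframe; the pcre is relative (/R) to the end of the hex content.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 26 2016 T2"; flow:established,from_server; file_data; content:"|6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 20 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; pcre:"/^\s*\x27[^\x27]+\x27width=\x27250\x27\sheight=\x27250\x27>\s*<\/iframe>\s*<\/div>/R"; classtype:trojan-activity; sid:2023303; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_27, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_09_27;)
# sid:2023307 (disabled): matches the tail of an EITest-style inject that hex-encodes "</div>" with
# an arbitrary 1-10 byte separator, then strips the separator with .replace(/sep/g, "%") before
# document.write(decodeURIComponent(...)). The negative distance rewinds 242 bytes from the end of
# the decodeURIComponent match to find the encoded "3c", and the pcre backreferences the separator.
# NOTE(review): the msg text is identical to sid:2023188 although this is a separate signature
# created 2016_09_28; consider a distinguishing suffix so alerts are not conflated.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Inject (compromised site) Sep 12 2016"; flow:established,from_server; file_data; content:"|67 2c 20 22 25 22 29 3b 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 64 65 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74|"; content:"3c"; nocase; distance:-242; within:200; pcre:"/^(?P<split>.{1,10})2f(?P=split)64(?P=split)69(?P=split)76(?P=split)3e(?P=split)?[^\x22\x27]*[\x22\x27]\.replace\s*\(\s*[\x22\x27]?\/(?P=split)\/g[\x22\x27]?\s*,\s*[\x22\x27]\x25[\x22\x27]\s*\x29\s*\x3b/Ri"; classtype:trojan-activity; sid:2023307; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_28, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2020_08_20;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 20 2016"; 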
flow:established,from_server; file_data; content:"Base64.encode(rc4("; nocase; fast_pattern; content:"+|22 3a|timeDelta|2c 22|+"; nocase; content:"cfg.key|29 29|"; nocase; distance:0; pcre:"/^[\x3b\x2c]postRequest\x28cfg\.urlSoftDetectorCallback/Ri"; classtype:trojan-activity; sid:2023252; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, deployment Perimeter, malware_family EvilTDS, malware_family Malvertising, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_09_29;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Eval With Base64.decode seen in DOL Watering Hole Attack 05/01/13"; flow:established,from_server; content:"Base64.decode"; nocase; fast_pattern:only; content:"eval("; nocase; pcre:"/^[\r\n\s]*?Base64\.decode[\r\n\s]*?\x28[\r\n\s]*?[\x22\x27]/Ri"; content:!"|22|J0RVREFPTkUn|22|"; content:!"|22|J01PQklMRSc|3D 22|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016807; rev:6; metadata:created_at 2013_05_01, updated_at 2013_05_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Flash Exploit Likely SunDown EK"; flow:established,from_server; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"9090909090909090909090909090909090909090EB"; classtype:trojan-activity; sid:2023313; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, malware_family SunDown, performance_impact Low, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2016_10_03;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK Landing Oct 03 2016"; flow:from_server,established; file_data; content:"|28 65 78 70 6c 6f 69 74 29|"; content:"|2e 65 78 65 63 28 69 6e 70 75 74 29 29 7b 72 65 74 75 72 6e 2d 31 
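7d 69 6e 70 75 74 3d 69 6e 70 75 74 2e 72 65 70 6c 61 63 65|"; content:"|6b 65 79 53 74 72|"; classtype:trojan-activity; sid:2023314; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, malware_family SunDown, performance_impact Low, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2016_10_03;)
# sid:2023315 / sid:2023316 (both disabled) are a request/response pair. The request rule looks for
# a GET of a bare 5-8 character alphanumeric path containing at least one digit and one letter,
# no Cookie or Referer, and a fixed MSIE 7.0 User-Agent; it sets ET.LockyDL with flowbits:noalert
# so only the response rule below can fire. NOTE(review): the lookahead classes are written
# "[a-z-0-9]", which also admits a literal '-'; harmless because the final [a-z0-9]{5,8}$ rejects
# '-' anyway, so left unchanged.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Locky AlphaNum Downloader Oct 3 2016"; flow:to_server,established; urilen:5<>10; content:"GET"; http_method; pcre:"/^\/(?=[a-z]*[0-9][a-z-0-9]*$)(?=[0-9]*[a-z][a-z-0-9]*$)[a-z0-9]{5,8}$/U"; content:!"Cookie|3a 20|"; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_header; fast_pattern:37,20; content:"Accept|3a|"; http_header; content:"Accept-Encoding"; http_header; flowbits:set,ET.LockyDL; flowbits:noalert; classtype:trojan-activity; sid:2023315; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, signature_severity Major, updated_at 2016_10_03;)
# Response half: requires ET.LockyDL from the request rule and not ET.http.binary (set elsewhere),
# an ETag, no Content-Disposition, a Content-Length of 160000-189999 bytes (the "Content-Length: 1"
# fast_pattern is only a cheap prefilter; the pcre does the real gating), and a body that does not
# start with an MZ/PK/GIF/JPEG/SWF magic but does contain a non-printable byte within roughly the
# first 104 bytes - i.e. an unlabelled binary payload. Note content:!"Cookie|3a|" has no buffer
# modifier and so is evaluated on the raw payload, unlike its http_header neighbours.
# Fixed (rev 3): the final character class was written "[\x00-x09\x80-\xff]" (missing backslash),
# which PCRE parses as the range 0x00-'x' plus '0', '9' and 0x80-0xff. That range covers nearly all
# printable ASCII, so the "non-printable byte" condition matched almost any body and the binary
# heuristic was effectively disabled. It now reads "[\x00-\x09\x80-\xff]" as intended.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Locky AlphaNum Downloader Oct 3 2016"; flow:from_server,established; flowbits:isnotset,ET.http.binary; flowbits:isset,ET.LockyDL; content:"ETag|3a|"; http_header; content:!"Content-Disposition|3a|"; http_header; content:!"Cookie|3a|"; content:"Content-Length|3a 20|1"; http_header; fast_pattern:only; pcre:"/^Content-Length\x3a\x201[6-8]\d{4}\r?$/Hm"; file_data; content:!"MZ"; within:2; content:!"PK"; within:2; content:!"GIF"; within:3; content:!"|FF D8 FF|"; within:3; content:!"CWS"; within:3; content:!"ZWS"; within:3; pcre:"/^.{4}[\x0a-\x7f]{0,100}[\x00-\x09\x80-\xff]/s"; classtype:trojan-activity; sid:2023316; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, signature_severity Major, updated_at 2016_10_03;)
# sid:2025002: credential POST to a ".php?...&email=" handler whose body carries the field names of
# the OWA logon form in order (curl, flags, forcedownlevel, formdir, trusted, username, password,
# SubmitCreds). "Successful" in the msg means credentials were submitted, not that the phish was
# confirmed to work - treat as an incident trigger, not just a landing-page sighting.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Personalized OWA Webmail Phish Oct 04 2016"; flow:to_server,established; content:"POST"; http_method; content:".php?"; nocase; http_uri; content:"&email="; nocase; http_uri; distance:0; content:"curl="; depth:5; nocase; http_client_body; content:"&flags="; nocase; distance:0; http_client_body; content:"&forcedownlevel="; nocase; distance:0; http_client_body; content:"&formdir="; nocase; distance:0; http_client_body; content:"&trusted="; nocase; distance:0; http_client_body; content:"&username="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; content:"&SubmitCreds="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2025002; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_07_29;)
# sid:2023964: same pattern for a WeTransfer-themed kit - POST to ".php?cmd=...&id=...&session=..."
# with a body starting "provider=" and carrying email, password and phone fields.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful WeTransfer Phish Oct 04 2016"; flow:to_server,established; content:"POST"; http_method; content:".php?cmd="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&session="; nocase; http_uri; content:"provider="; depth:9; nocase; http_client_body; fast_pattern; content:"&email="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; content:"&phone="; nocase; distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023964; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, 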
deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_07_29;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK (EITest Inject) Oct 03 2016"; flow:established,from_server; file_data; content:"|25 75 30 30 33 64 25 75 30 30 36 63 25 75 30 30 33 33 25 75 30 30 35 33|"; content:"|73 72 63 20 3d 20 75 6e 65 73 63 61 70 65|"; classtype:trojan-activity; sid:2023312; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_10_06;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SunDown EK Flash Exploit Sep 22 2016"; flow:established,to_server; content:".swf"; http_uri; content:"/index.php?"; http_header; pcre:"/^\/\d+\/\d+\.swf$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f\x2f[^\r\n\x2f]+\/index\.php\?[^\x3d&]+=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=)?\r\n/H"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023270; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2016_10_06;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Oct 19 2016"; flow:established,from_server; content:"nginx"; http_header; pcre:"/^Content-Length\x3a\x20\d{2,3}\r?$/Hmi"; file_data; content:"document.write|28|"; within:15; pcre:"/^(?=[^\n>]*position\x3aabsolute)(?=[^\n>]*top\x3a\x20-\d+px\x3b)[^\n]*<iframe(?=[^\n>]*width=\d{3})(?=[^\n>]*height=\d{3})[^\n>]*src=[\x22\x27]http[^\n>]+\s*>\s*/R"; content:"</|27|+|27|iframe>"; 
within:12; fast_pattern; pcre:"/^[^\n]*\x29\x3b$/R"; classtype:trojan-activity; sid:2023352; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_10_19;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Oct 19 2016 T2"; flow:established,from_server; content:"Content-Type|3a 20|text/javascript|0d 0a|"; http_header; content:"nginx"; http_header; file_data; content:"var"; within:3; pcre:"/^\s*(?P<var>[^\r\n\s\x3d\x2c\x3b]+)\s*=[^\n]*<iframe(?=[^\n>]*top\x3a-\d+px\x3b)[^\n>]+src\s*=\s*\x5c?[\x22\x27]http[^\n>]+>\s*<\/iframe>\x22\x3bdocument\.write\((?P=var)\)\x3b\s*$/R"; content:"</iframe>|22 3b|document.write"; fast_pattern; classtype:trojan-activity; sid:2023353; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_10_19;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016"; flow:established,from_server; file_data; content:"=l3S"; fast_pattern; content:"|22|frameBorder|22 2c 20 22|0|22|"; nocase; content:"document.createElement|28 22|iframe|22 29 3b|"; nocase; content:" document.body.appendChild"; nocase; content:"http|3a 2f 2f|"; nocase; pcre:"/^[^\x2f\x22\x27]+\/\?[^=&\x22\x27]+=l3S/Ri"; classtype:trojan-activity; sid:2023343; rev:3; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_17, deployment Perimeter, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_10_28;) #alert http $EXTERNAL_NET any -> $HOME_NET any 
(msg:"ET CURRENT_EVENTS DNSChanger EK Secondary Landing Oct 31 2016"; flow:established,from_server; file_data; content:".controlurl"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".schematype"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".csrf"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".port"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:"upnp"; nocase; content:" ip"; nocase; pcre:"/^\s*=\s*[\x22\x27]?(?:10|127|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\./R"; classtype:attempted-admin; sid:2023473; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_01, deployment Perimeter, malware_family DNSEK, performance_impact Low, signature_severity Major, updated_at 2020_08_20;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Nov 01 2016"; flow:established,from_server; file_data; content:"|5c 78 35 63 5c 78 36 62 5c 78 36 31 5c 78 37 33 5c 78 35 66 5c 78 36 35 5c 78 36 65 5c 78 36 37 5c 78 36 39 5c 78 36 65 5c 78 36 35 5c 78 32 65 5c 78 36 34 5c 78 36 63 5c 78 36 63 5c 78 32 66 5c 78 32 33 5c 78 33 32 5c 78 33 34 5c 78 32 66 5c 78 33 32 5c 78 32 32 5c 78 37 64|"; nocase; classtype:trojan-activity; sid:2023474; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_01, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_11_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown/Xer EK Landing Jul 06 2016 M1"; flow:established,from_server; content:"X-Powered-By|3a 20|Yugoslavian Business Network"; http_header; fast_pattern:12,20; content:"Content-Type|3a 20|text/html|3b|"; http_header; content:"nginx"; http_header; flowbits:set,SunDown.EK; reference:url,blog.talosintel.com/2016/10/sundown-ek.html; classtype:trojan-activity; sid:2023480; 
rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_07_06, deployment Perimeter, malware_family SunDown, signature_severity Major, updated_at 2016_11_02;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Tesco Bank Phish M1 Nov 08 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"username="; depth:9; nocase; http_client_body; content:"&login.x="; nocase; distance:0; http_client_body; content:"&login.y="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023487; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_07_17;) #alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Chrome Extension Phishing DNS Request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"chrome-extension"; nocase; distance:0; fast_pattern; reference:url,www.seancassidy.me/lostpass.html; classtype:trojan-activity; sid:2022372; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_19, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_11_11;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Nov 15 2016"; flow:established,from_server; file_data; content:"<iframe src=|22|http|3a 2f 2f|"; pcre:"/^[a-z0-9_-]+\.(?=[0-9_-]*[A-Z])[A-Z0-9_-]+\.[^\x22]+\x22\s/R"; content:"|77 69 64 74 68 3d 22 31 22 20 68 65 69 67 68 74 3d 22 31 22 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 6c 65 66 74 3a 2d 31 70 78 3b 22 3e 3c 2f 69 66 72 61 6d 65 3e|"; within:67; fast_pattern:47,20; classtype:trojan-activity; sid:2023513; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, 
attack_target Client_Endpoint, created_at 2016_11_15, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_11_15;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Shared Document Phishing Landing Nov 16 2016"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function checkemail"; nocase; content:"function checkbae"; nocase; distance:0; fast_pattern; content:"Sign in to view"; nocase; distance:0; content:"Select your email"; nocase; distance:0; classtype:trojan-activity; sid:2025672; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_03;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Email Settings Error Phishing Landing Nov 16 2016"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>An error"; nocase; fast_pattern; content:"settings is blocking"; nocase; distance:0; within:50; content:"incoming emails"; nocase; distance:0; within:50; content:"error in your SSL settings"; nocase; distance:0; classtype:trojan-activity; sid:2025687; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_19;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS XBOOMBER Paypal Phishing Landing Nov 28 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Encoding|3a 20|gzip"; http_header; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<form method=|22|post|22|"; nocase; content:"action=|22|websc"; nocase; within:150; 
content:".php?SessionID-xb="; fast_pattern; nocase; distance:0; within:50; classtype:trojan-activity; sid:2023557; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_20;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful XBOOMBER Paypal Phish Nov 28 2016"; flow:to_server,established; content:"POST"; http_method; content:"/websc-"; nocase; http_uri; content:".php?SessionID-xb="; nocase; http_uri; fast_pattern; within:40; classtype:trojan-activity; sid:2023558; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_03;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful iCloud Phish Oct 10 2016"; flow:to_server,established; content:"POST"; http_method; content:"/save.asp"; nocase; http_uri; fast_pattern; content:"apple"; http_header; content:"u="; depth:2; nocase; http_client_body; content:"&p="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023592; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_11, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_03;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jan 03 2017"; flow:to_server,established; content:"POST"; http_method; content:"login_email"; depth:11; nocase; fast_pattern; http_client_body; content:"login_pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024572; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_03, deployment Perimeter, former_category 
CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_03;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Bradesco Bank Phish M1 Jan 05 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?"; nocase; http_uri; content:"p="; depth:2; nocase; http_client_body; content:"&a2="; nocase; distance:0; http_client_body; content:"&agencia="; nocase; distance:0; http_client_body; content:"&a1="; nocase; distance:0; http_client_body; content:"&conta="; nocase; distance:0; http_client_body; fast_pattern; content:"&aa="; nocase; distance:0; http_client_body; content:"&digito="; nocase; distance:0; http_client_body; content:"&age="; nocase; distance:0; http_client_body; content:"&ir="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023696; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_03;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY PDF Containing Subform with JavaScript"; flow:established,to_client; file_data; content:"%PDF"; within:4; content:"subform"; nocase; distance:0; fast_pattern; content:"script"; nocase; distance:0; reference:cve,2017-2962; classtype:attempted-user; sid:2014154; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_27, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2017_01_06;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Nov 15 2016"; flow:to_server,established; content:"POST"; http_method; content:"form"; nocase; http_client_body; fast_pattern; content:"&form"; nocase; http_client_body; distance:0; content:"&form"; nocase; http_client_body; distance:0; content:"&form"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; 
classtype:trojan-activity; sid:2024565; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_15, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_03;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jan 12 2017"; flow:to_server,established; content:"POST"; http_method; content:"ID="; depth:3; nocase; fast_pattern; http_client_body; content:"&Pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024573; rev:2; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_12, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_03;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jan 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"user="; depth:5; nocase; fast_pattern; http_client_body; content:"&Pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024574; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, former_category CURRENT_EVENTS, tag Phishing, updated_at 2020_08_03;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jan 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"user_id="; depth:8; nocase; fast_pattern; http_client_body; content:"&Pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024575; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_17, 
deployment Perimeter, former_category CURRENT_EVENTS, tag Phishing, updated_at 2020_08_03;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft RDP Client for Mac RCE"; flow:established,to_client; content:"rdp|3a 2f 2f|"; nocase; content:"drivestoredirect"; fast_pattern; nocase; distance:0; content:"rdp|3a 2f 2f|"; nocase; pcre:"/^\S+?drivestoredirect/Ri"; reference:url,www.wearesegment.com/research/Microsoft-Remote-Desktop-Client-for-Mac-Remote-Code-Execution; classtype:attempted-admin; sid:2023755; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_01_24, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2017_01_24;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Paypal Phish Jan 23 2016"; flow:to_server,established; content:"POST"; http_method; content:"/websrc"; http_uri; fast_pattern; content:"email"; nocase; http_client_body; content:"|25|40"; http_client_body; distance:0; content:"pass"; nocase; distance:0; http_client_body; pcre:"/\/websrc$/U"; classtype:trojan-activity; sid:2023759; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_24, signature_severity Major, tag Phishing, updated_at 2020_08_03;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Broken/Filtered RIG EK Payload Download"; flow:established,from_server; content:"Content-Type|3a 20|application/x-msdownload|0d 0a|"; http_header; content:"Content-Length|3a 20|3|0d 0a|"; http_header; fast_pattern; file_data; content:"|3d 28 28|"; within:3; isdataat:!1,relative; classtype:trojan-activity; sid:2023768; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_27, deployment Perimeter, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, 
tag Exploit_kit_RIG, updated_at 2020_09_14;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FAKEIE 11.0 Minimal Headers (flowbit set)"; flow:to_server,established; content:" rv|3a|11.0"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^User-Agent\x3a[^\r\n]+rv\x3a11\.0[^\r\n]+\r\nHost\x3a[^\r\n]+\r\nCache-Control\x3a\x20no-cache\r\n(?:\r\n)?$/H"; flowbits:set,FakeIEMinimal; flowbits:noalert; reference:url,malware-traffic-analysis.net/2014/10/01/index.html; classtype:trojan-activity; sid:2019343; rev:3; metadata:created_at 2014_10_03, updated_at 2017_02_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Aug 19 2016"; flow:to_server,established; content:"POST"; http_method; content:"login"; depth:5; fast_pattern; nocase; http_client_body; content:"pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024560; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_04;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Nov 16 2016"; flow:to_server,established; content:"POST"; http_method; content:"e-mail="; depth:7; fast_pattern; nocase; http_client_body; content:"pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024566; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_16, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_04;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish 
(set) Nov 22 2016"; flow:to_server,established; content:"POST"; http_method; content:"feedback="; depth:9; fast_pattern; nocase; http_client_body; content:"&feedback"; nocase; http_client_body; distance:0; content:"&feedback"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024567; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_22, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_04;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Dec 07 2016"; flow:to_server,established; content:"POST"; http_method; content:"Editbox1="; depth:9; nocase; http_client_body; content:"&Editbox2="; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024568; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Dec 13 2016"; flow:to_server,established; content:"POST"; http_method; content:"UserID="; depth:7; nocase; http_client_body; fast_pattern; content:"&Pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024569; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Dec 20 2016"; 
flow:to_server,established; content:"POST"; http_method; content:"name"; depth:7; nocase; http_client_body; content:"&Pass"; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024570; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Dec 27 2016"; flow:to_server,established; content:"POST"; http_method; content:"uid="; depth:4; nocase; http_client_body; content:"&Pass"; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024571; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Banco Itau (BR) Mobile Phish M1 Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"iden="; depth:5; nocase; http_client_body; content:"&AG="; nocase; distance:0; http_client_body; content:"&CC="; nocase; distance:0; http_client_body; content:"&CCDIG="; nocase; distance:0; http_client_body; content:"&PASSNET="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogInT.x="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023890; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_09, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2017_02_09;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Banco Itau (BR) Mobile Phish M2 Feb 09 2017"; 
flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"DDD="; depth:4; nocase; http_client_body; content:"&CELLULAR="; nocase; distance:0; http_client_body; fast_pattern; content:"&SDESEIS="; nocase; distance:0; http_client_body; content:"&btnLogInT.x="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023891; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_09, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2017_02_09;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Apple Phishing Landing M2 Feb 13 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"#dob"; nocase; content:".mask"; within:10; content:"#ccexp"; nocase; distance:0; content:".mask"; within:10; content:"#ssn"; nocase; distance:0; content:".mask"; within:10; content:"Aes.Ctr.decrypt"; nocase; fast_pattern; classtype:trojan-activity; sid:2025667; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Live External Link Phishing Landing M2 Feb 14 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Secure redirect"; nocase; fast_pattern:2,20; content:"auth.gfx.ms"; nocase; distance:0; content:"access sensitive information"; nocase; distance:0; content:"Confirm your password"; nocase; distance:0; classtype:trojan-activity; sid:2025675; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, 
updated_at 2020_08_04;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Account Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"locked.php"; nocase; http_uri; content:"Account-Unlock"; nocase; distance:0; http_uri; fast_pattern; content:"user="; depth:5; nocase; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023999; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_04;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful iCloud (CN) Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"Host|3a 20 31 31 32 32 33 33 68 74 2e 70 77|"; fast_pattern:only; classtype:trojan-activity; sid:2024000; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_11_17;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful California Bank & Trust Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"AccountNo="; depth:10; nocase; http_client_body; fast_pattern; content:"&token="; nocase; distance:0; http_client_body; content:"&check=Login"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024001; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, tag Phishing, updated_at 2017_02_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Banco Itau (BR) Mobile Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"&txtCelular="; nocase; 
http_client_body; content:"&txtSenhaCartao="; nocase; distance:0; http_client_body; fast_pattern; content:"btnLogIn"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024002; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, tag Phishing, updated_at 2020_08_04;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Dropbox Shared Document Phishing Landing Feb 21 2017"; flow:from_server,established; file_data; content:"<title>Dropbox"; nocase; fast_pattern; content:"openOffersDialog"; nocase; distance:0; classtype:trojan-activity; sid:2025688; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2018_07_12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Craigslist (RO) Phish M1 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"step=confirmation"; depth:17; nocase; http_client_body; content:"&rt="; nocase; distance:0; http_client_body; content:"&rp="; nocase; distance:0; http_client_body; content:"&p="; nocase; distance:0; http_client_body; content:"&whichForm="; nocase; distance:0; http_client_body; content:"&Email="; nocase; distance:0; http_client_body; content:"&Parola="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2024009; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_04;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Craigslist (RO) Phish M2 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"NumarCard="; depth:10; nocase; http_client_body; fast_pattern; content:"&CVV="; nocase; distance:0; 
http_client_body; content:"&Luna="; nocase; distance:0; http_client_body; content:"&NumeCard="; nocase; distance:0; http_client_body; content:"&PrenumeCard="; nocase; distance:0; http_client_body; content:"&NumedeContact="; nocase; distance:0; http_client_body; content:"&NumardeTelefon="; nocase; distance:0; http_client_body; content:"&EmaildeContact="; nocase; distance:0; http_client_body; content:"&cryptedStepCheck="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024010; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_04;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Feb 26 2016"; flow:established,from_server; file_data; content:"|3d 20 28 2f 2a 67 66 2a 2f 22 73 5c 78 37 35 62 73 22 29 2b 2f 2a 67 66 2a 2f 22 74 72 22 3b|"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2024021; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_02_27, deployment Perimeter, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2017_02_27;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Dropbox Phishing Landing Feb 27 2017"; flow:from_server,established; file_data; content:"<title>Dropbox"; nocase; fast_pattern; content:"app.png"; nocase; distance:0; content:"live.png"; nocase; distance:0; content:"off.png"; nocase; distance:0; classtype:trojan-activity; sid:2025689; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2018_07_12;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Docusign Phishing Landing Mar 08 
2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>|26 23|68|3b 26 23|111|3b 26 23|99|3b 26 23|117|3b 26 23|115|3b 26 23|105|3b 26 23|103|3b 26 23|110|3b|"; fast_pattern:33,20; classtype:trojan-activity; sid:2025662; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_04;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK March 07 2017"; flow:established,from_server; file_data; content:"|3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 31 70 78 3b 20 68 65 69 67 68 74 3a 20 31 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 20 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; fast_pattern:70,20; pcre:"/^\s*\x27[^\x27\x3b\r\n]+\x27width=\x27250\x27\sheight=\x27250\x27\>/Ri"; classtype:trojan-activity; sid:2024037; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_08, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2017_03_08;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fragus Exploit jar Download"; flow:established,to_server; content:"_.jar?"; http_uri; pcre:"/\w_\.jar\?[a-f0-9]{8}$/U"; classtype:trojan-activity; sid:2014802; rev:3; metadata:created_at 2012_05_23, former_category CURRENT_EVENTS, updated_at 2020_08_04;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Bradesco Bank Phish M2 Jan 05 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?"; nocase; http_uri; content:"agencia="; depth:8; nocase; http_client_body; 
content:"&conta="; nocase; distance:0; http_client_body; content:"&digito="; nocase; distance:0; http_client_body; content:"&entrada_1="; nocase; distance:0; http_client_body; fast_pattern; content:"&entrada_2="; nocase; distance:0; http_client_body; content:"&entrada_3="; nocase; distance:0; http_client_body; content:"&entrada_4="; nocase; distance:0; http_client_body; content:"&looking1="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023697; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Paypal Phish Mar 13 2017"; flow:to_server,established; content:"POST"; http_method; content:"yass_email="; depth:11; nocase; http_client_body; content:"&yass_password="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogin="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024046; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_03_29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful National Bank Phish Mar 13 2017"; flow:to_server,established; content:"POST"; http_method; content:"aliasDispatcher="; depth:16; nocase; http_client_body; content:"&indBNCFunds="; nocase; distance:0; http_client_body; content:"&accountNumber1="; nocase; distance:0; http_client_body; content:"&cardExpirDate="; nocase; distance:0; http_client_body; fast_pattern; content:"&registrationMode="; nocase; distance:0; http_client_body; content:"&cardActionTypeSelected="; nocase; distance:0; http_client_body; content:"&language="; nocase; distance:0; http_client_body; content:"&clientIpAdress="; nocase; 
distance:0; http_client_body; content:"&clientUserAgent="; nocase; distance:0; http_client_body; content:"&clientScreenResolution="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024047; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS INTERAC Payment Multibank Phishing Landing Mar 14 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta property=|22|og|3a|title|22 20|content=|22|Deposit your INTERAC e-Transfer|22|"; nocase; content:"<title>INTERAC e-Transfer"; nocase; distance:0; fast_pattern:5,20; content:"INTERAC|25|20e-Transfer"; nocase; distance:0; classtype:trojan-activity; sid:2025679; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Instagram Phish Mar 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"cek=login"; depth:9; nocase; http_client_body; fast_pattern; content:"&username="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024051; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Paypal Phish Mar 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"login_cmd="; depth:10; nocase; 
http_client_body; content:"&login_params="; nocase; distance:0; http_client_body; content:"&login_email="; nocase; distance:0; http_client_body; content:"&login_password="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogin="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024052; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Payload Download M1 Mar 14 2017"; flow:established,from_server; file_data; content:"|2e de 08 bb 99 8a 7b 6c|"; within:8; classtype:trojan-activity; sid:2024053; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_03_14;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Payload Download M2 Mar 14 2017"; flow:established,from_server; file_data; content:"|5e 5a a3 90 b9 31 7b 54|"; within:8; classtype:trojan-activity; sid:2024054; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_03_14;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful iCloud Phish Mar 15 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta http-equiv=|22|Content-Type|22|"; nocase; content:"alert"; content:"|41 70 70 6c 65 20 49 44|"; nocase; 
within:20; fast_pattern; content:"|68 69 73 74 6f 72 79 2e 62 61 63 6b|"; nocase; distance:0; classtype:trojan-activity; sid:2024059; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_03_29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Phish M1 Mar 15 2017"; flow:to_server,established; content:"POST"; http_method; content:"appid="; depth:6; nocase; http_client_body; fast_pattern; content:"|25|40"; distance:0; http_client_body; content:"&pwd"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024060; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Phish M2 Mar 15 2017"; flow:to_server,established; content:"POST"; http_method; content:"fname="; depth:6; nocase; http_client_body; content:"&dob="; nocase; distance:0; http_client_body; content:"&cchn="; nocase; distance:0; http_client_body; content:"&ccnum="; nocase; distance:0; http_client_body; fast_pattern; content:"&expdate="; nocase; distance:0; http_client_body; content:"&cvv2="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024061; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Live Email Account Phishing Landing Mar 16 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta 
name="; nocase; content:"mswebdialog-title"; nocase; distance:1; within:18; content:"Arcadis Office 365"; nocase; within:50; fast_pattern; content:"<title>Sign In"; nocase; within:50; classtype:trojan-activity; sid:2025664; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK March 15 2017 M2"; flow:established,from_server; file_data; content:"<iframe"; within:7; pcre:"/^(?:\s+style=\x27hidden\x27)?\s+src=\x27https?\x3a[^>\x22\x27]+[\x22\x27]\s*width=\x270\x27\s+/Ri";content:"|68 65 69 67 68 74 3d 27 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c|"; within:34; isdataat:100; classtype:trojan-activity; sid:2024093; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_03_17, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2017_03_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Paypal Phish Mar 22 2017"; flow:to_server,established; content:"POST"; http_method; content:"identif="; depth:8; nocase; http_client_body; content:"&elserr="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogin="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024100; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish Mar 27 2017"; flow:to_server,established; 
content:"POST"; http_method; content:"FromPreSignIn_SIP="; depth:18; nocase; http_client_body; fast_pattern; content:"&LANGUAGE="; nocase; distance:0; http_client_body; content:"&RSA_DEVPRINT="; nocase; distance:0; http_client_body; content:"&K1="; nocase; distance:0; http_client_body; content:"&Q1="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024101; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino/Fiesta EK SilverLight Exploit Jan 13 2014 DLL Naming Convention"; flow:established,from_server; file_data; content:"PK|01 02|"; content:"|10 00|"; distance:24; within:2; content:"AppManifest.xaml"; distance:16; within:16; content:"PK|01 02|"; within:36; content:"|07 00|"; distance:24; within:2; pcre:"/^.{16}[a-z]{3}\.dll/Rs"; content:"PK|05 06|"; within:36; content:"|02 00 02 00|"; distance:4; within:4; classtype:trojan-activity; sid:2017963; rev:3; metadata:created_at 2014_01_13, former_category CURRENT_EVENTS, updated_at 2017_03_29;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino/Fiesta EK SilverLight Exploit March 05 2014 DLL Naming Convention"; flow:established,from_server; file_data; content:"PK|01 02|"; content:"|10 00|"; distance:24; within:2; content:"AppManifest.xaml"; distance:16; within:16; content:"PK|01 02|"; within:36; content:"|08 00|"; distance:24; within:2; pcre:"/^.{16}[a-z]{4}\.dll/Rs"; content:"PK|05 06|"; within:36; content:"|02 00 02 00|"; distance:4; within:4; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2018226; rev:3; metadata:created_at 2014_03_05, former_category CURRENT_EVENTS, updated_at 2017_03_29;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL 
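BIN March 2017"; flow:established,to_server; content:"GET"; http_method; content:"?showforum="; http_uri; fast_pattern:only; pcre:"/\?showforum=$/Ui"; content:!".php"; http_uri; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; reference:md5,ad575f6795526f2ee5e730f76a3b5346; classtype:trojan-activity; sid:2024109; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2019_04_03;)
# NOTE(review): sids 2024133-2024142 (Decimal IP Redirect M1-M10). The pcre was not relative (no R
# flag): with only /Hmi, "^\d+" had to match at the start of a header line, and header lines start with
# a header name, not a digit, so the check could not succeed. Anchored it to the end of the preceding
# "Location: http://<digit>" match (/RHmi) so the remaining digits followed by "/" or end-of-line are
# actually tested. M2 and M3 were also missing the "malware_family RIG" metadata carried by the rest of
# the series; added for consistency. Bump rev/updated_at on all ten when merging.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M1"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|0"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/RHmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024133; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M2"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|1"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/RHmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024134; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M3"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|2"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/RHmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024135; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M4"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|3"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/RHmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024136; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M5"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|4"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/RHmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024137; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M6"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|5"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/RHmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024138; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M7"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|6"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/RHmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024139; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M8"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|7"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/RHmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024140; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M9"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|8"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/RHmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024141; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M10"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|9"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/RHmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024142; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Mail.ru Phish Apr 04 2017"; flow:to_server,established; content:"POST"; http_method; content:"new_auth_form="; depth:14; nocase; http_client_body; fast_pattern; content:"&page="; nocase; distance:0; http_client_body; content:"&back="; nocase; distance:0; http_client_body; content:"&FromAccount="; nocase; distance:0; http_client_body; content:"&Login="; nocase; distance:0; http_client_body; content:"&selector="; nocase; distance:0; http_client_body; content:"&Username="; nocase; distance:0; http_client_body; content:"&Password="; nocase; distance:0; http_client_body; content:"&saveauth="; nocase; distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024167; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_04_04;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK CVE-2016-0189 Exploit M2"; flow:established,from_server; file_data; content:"|73 74 72 54 6f 49 6e 74 28 4d 69 64 28 6d 65 6d 2c 20 31 2c 20 32 29 29|"; content:"|2b 20 26 48 31 37 34|"; reference:cve,2016-0189; classtype:trojan-activity; sid:2024169; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target 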
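Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_04_04;)
# NOTE(review): sid:2024170 — msg names CVE-2015-2419 but the reference pointed at CVE-2016-0189, which
# is the CVE of the preceding rule (sid:2024169). Corrected the reference to match the msg so analysts
# pivot to the right advisory. Bump rev/updated_at when merging.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK CVE-2015-2419 Exploit"; flow:established,from_server; file_data; content:"EB125831C966B9"; nocase; content:"05498034088485C975F7FFE0E8E9FFFFFFD10D61074028D7D5D3B544E0"; distance:2; within:58; nocase; reference:cve,2015-2419; classtype:trojan-activity; sid:2024170; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_04_04;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful HM Revenue & Customs Phish M2 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"cnumber="; depth:8; nocase; http_client_body; fast_pattern; content:"&expm="; nocase; distance:0; http_client_body; content:"&expy="; nocase; distance:0; http_client_body; content:"&cvv="; nocase; distance:0; http_client_body; content:"&cname="; nocase; distance:0; http_client_body; content:"&submitForm="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024185; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_05;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Santander Phish M1 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"cpf="; depth:4; nocase; http_client_body; fast_pattern; content:"&next_pag="; nocase; 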
distance:0; http_client_body; content:"&entrar="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024186; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_04_07;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Santander Phish M2 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"psw_net="; depth:8; nocase; http_client_body; fast_pattern; content:"&cpf="; nocase; distance:0; http_client_body; content:"&continuar_acess="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024187; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_04_07;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Santander Phish M3 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"psw_4="; depth:6; nocase; http_client_body; fast_pattern; content:"&psw_net="; nocase; distance:0; http_client_body; content:"&cpf="; nocase; distance:0; http_client_body; content:"&proseguir="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024188; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_04_07;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocENG Inject M3"; flow:established,from_server; file_data; content:"|69 64 3d 22 62 62 62 31 22 3e 43 6c 69 63 6b 20 6f 6e 20 74 68 65 20 43 68 72 6f 6d 65 5f 46 6f 6e 74 2e 65 78 65|"; classtype:trojan-activity; sid:2024200; rev:1; metadata:affected_product 
Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, signature_severity Major, updated_at 2017_04_11;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss - Setup"; flow:established,to_server; content:".php?setup=d&s="; http_uri; content:"&r="; pcre:"/\.php\?setup=d&s=\d+&r=\d+$/U"; classtype:trojan-activity; sid:2015946; rev:3; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2017_04_12;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Malicious Expires Header Seen In Malicious JavaScript Downloader Campaign"; flow:established,to_client; content:"Expires|3A| Tue, 08 Jan 1935 00|3A|00|3A|00 GMT"; http_header; fast_pattern:9,20; classtype:trojan-activity; sid:2024229; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_20, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2020_08_05;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful iCloud Phish Apr 20 2017"; flow:to_server,established; content:"POST"; http_method; content:"ip="; depth:3; nocase; http_client_body; content:"&city="; nocase; distance:0; http_client_body; content:"&country="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; fast_pattern; content:"&sbBtn="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024231; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_04_20;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful 
Alitalia Airline Phish Apr 20 2017"; flow:to_server,established; content:"POST"; http_method; content:"carta="; depth:6; nocase; http_client_body; content:"&month="; nocase; distance:0; http_client_body; content:"&cvv="; nocase; distance:0; http_client_body; content:"&year="; nocase; distance:0; http_client_body; content:"&imageField"; nocase; distance:0; http_client_body; content:"&nome="; nocase; distance:0; http_client_body; content:"&VBV="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2024232; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_04_20;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS ElTest Exploit Kit Redirection Script"; flow:established,to_client; file_data; content:"<script"; nocase; content:"text/javascript"; within:50; nocase; content:"|22|iframe|22|"; within:100; nocase; content:".style.border= |22|0px|22|"; within:200; fast_pattern; nocase; content:"frameborder"; within:100; nocase; content:".setAttribute("; within:50; nocase; content:"document.body.appendChild("; within:100; nocase; content:"= |22|http"; within:100; nocase; content:".src="; distance:0; nocase; content:"<|2F|script>"; within:50; nocase; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-campaign-evolution-eitest-october-december-2016/; classtype:trojan-activity; sid:2024237; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_24, deployment Perimeter, former_category EXPLOIT_KIT, performance_impact Moderate, signature_severity Major, updated_at 2017_04_24;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful OWA Phish Apr 25 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; 
http_header; file_data; content:"<meta http-equiv="; nocase; content:"refresh"; nocase; distance:1; within:7; content:"office365.com/owa/"; nocase; distance:0; fast_pattern; content:"<title>Account"; nocase; distance:0; content:"Success"; nocase; within:20; classtype:trojan-activity; sid:2024999; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_05;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Landing Page"; flow:established,to_client; content:"eval(function(p,a,c,"; content:"|7C|zzz|7C|"; distance:0; classtype:trojan-activity; sid:2014934; rev:3; metadata:created_at 2012_06_22, former_category CURRENT_EVENTS, updated_at 2017_04_28;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jun 03 2016"; flow:established,to_server; content:"/wordpress/?"; http_uri; depth:12; pcre:"/^\/wordpress\/\?[A-Za-z0-9]{4}(?:&utm_source=le)?$/U"; classtype:trojan-activity; sid:2022859; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, updated_at 2017_05_08;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) May 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"email"; depth:5; nocase; http_client_body; content:"|25|40"; distance:0; http_client_body; content:"senha"; nocase; http_client_body; fast_pattern; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024576; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, 
updated_at 2020_08_06;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Scotiabank Phish M1 May 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"signon_form="; depth:12; nocase; http_client_body; content:"trusteeCompatible="; nocase; distance:0; http_client_body; content:"&user="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; content:"card-nickname="; nocase; distance:0; http_client_body; fast_pattern; content:"enter_sol="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024326; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_19;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Scotiabank Phish M2 May 24 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?Step=Account"; nocase; http_uri; content:"mmn="; depth:4; nocase; http_client_body; content:"&seccode="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2024327; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_05_24;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Banco do Brasil Phish Mar 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"telefone="; depth:9; nocase; http_client_body; content:"&senha6="; nocase; distance:0; http_client_body; fast_pattern; content:"&ir="; nocase; distance:0; http_client_body; content:"&agencia="; nocase; distance:0; http_client_body; content:"&conta="; nocase; distance:0; http_client_body; content:"&senha8="; nocase; distance:0; http_client_body; classtype:trojan-activity; 
sid:2024328; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_06;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Banco do Brasil Phish May 25 2017"; flow:to_server,established; content:"POST"; http_method; content:"agencia="; depth:8; nocase; http_client_body; content:"&conta="; nocase; distance:0; http_client_body; content:"&senha8="; nocase; distance:0; http_client_body; fast_pattern; content:"&ir="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024329; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_06;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) May 25 2017"; flow:to_server,established; content:"POST"; http_method; content:"handle="; depth:7; nocase; http_client_body; fast_pattern; content:"|25|40"; http_client_body; distance:0; content:"pass"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024577; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_06;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Dropbox Phishing Landing May 31 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Dropbox"; nocase; content:"Select your email provider"; nocase; fast_pattern:6,20; distance:0; content:"Gmail"; nocase; distance:0; content:"Yahoo"; nocase; distance:0; 
classtype:trojan-activity; sid:2025661; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_06;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) May 31 2017"; flow:to_server,established; content:"POST"; http_method; content:"password="; depth:9; nocase; http_client_body; fast_pattern; content:"&email="; nocase; http_client_body; distance:0; content:"|25|40"; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024578; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_06;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Terror EK Landing URI T1 Jun 02 2017"; flow:established,to_server; content:"/e71cac9dd645d92189c49e2b30ec627a/dcb4c6c6149b2208fbcf7c9d8c59548e"; http_uri; classtype:trojan-activity; sid:2024343; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_06_02;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Payload URI T1 Jun 02 2017 M2"; flow:established,from_server; content:"Content-Description|3a 20|File Transfer"; http_header; pcre:"/Content-Disposition\x3a[^\r\n]+\.exe-rc4\.exe\r\n/Hi"; content:"ci_session"; http_cookie; content:"Expires|3a 20|0"; http_header; file_data; content:!"MZ"; within:2; classtype:trojan-activity; sid:2024345; rev:2; metadata:affected_product 
Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2020_08_06;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Landing T1 Jun 02 2017 M1"; flow:established,from_server; file_data; content:"|3c 70 61 72 61 6d 20 6e 61 6d 65 3d 46 6c 61 73 68 56 61 72 73 20 76 61 6c 75 65 3d 22 69 64 64 71 64 3d 27|"; classtype:trojan-activity; sid:2024346; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_06_02;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Landing T1 Jun 02 2017 M2"; flow:established,from_server; file_data; content:"|25 37 37 25 37 33 25 36 33 25 37 32 25 36 39 25 37 30 25 37 34 25 32 45 25 36 35 25 37 38 25 36 35|"; content:"|2e 53 74 61 72 74 52 65 6d 6f 74 65 44 65 73 6b 74 6f 70|"; classtype:trojan-activity; sid:2024347; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_06_02;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Request for Grey Advertising Often Leading to EK"; flow:established,to_server; content:"GET"; http_method; content:"/?&tid="; http_uri; fast_pattern; content:"&red="; http_uri; distance:0; content:"&abt="; http_uri; distance:0; content:"&v="; http_uri; distance:0; 
content:!"Referer|3a|"; http_header; reference:url,blog.malwarebytes.com/cybercrime/2017/05/roughted-the-anti-ad-blocker-malvertiser; classtype:trojan-activity; sid:2024350; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Malvertising, malware_family RoughTed, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M1 B641"; flow:established,from_server; file_data; content:"|4a694270626e525562314e30636968685a4752794b|"; classtype:trojan-activity; sid:2024353; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M1 B642"; flow:established,from_server; file_data; content:"|596761573530564739546448496f5957526b6369|"; classtype:trojan-activity; sid:2024354; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M1 B643"; flow:established,from_server; file_data; content:"|6d49476c7564465276553352794b47466b5a484970|"; classtype:trojan-activity; sid:2024355; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, 
created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M2 B641"; flow:established,from_server; file_data; content:"|496d784a62477873496a6f69646d6c7964485668624842796233526c5933|"; classtype:trojan-activity; sid:2024356; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M2 B642"; flow:established,from_server; file_data; content:"|4a735357787362434936496e5a70636e523159577877636d39305a574e30|"; classtype:trojan-activity; sid:2024357; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M2 B643"; flow:established,from_server; file_data; content:"|6962456c73624777694f694a3261584a306457467363484a766447566a64|"; classtype:trojan-activity; sid:2024358; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS 
SunDown EK RIP Landing M3 B641"; flow:established,from_server; file_data; content:"|593268796479677a4d6a63324e79|"; pcre:"/(?:NocncoMjE3Ni|Y2hydygyMTc2K|jaHJ3KDIxNzYp)/"; classtype:trojan-activity; sid:2024359; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M3 B642"; flow:established,from_server; file_data; content:"|6a61484a334b444d794e7a59334b|"; pcre:"/(?:NocncoMjE3Ni|Y2hydygyMTc2K|jaHJ3KDIxNzYp)/"; classtype:trojan-activity; sid:2024360; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M3 B643"; flow:established,from_server; file_data; content:"|4e6f636e636f4d7a49334e6a6370|";pcre:"/(?:NocncoMjE3Ni|Y2hydygyMTc2K|jaHJ3KDIxNzYp)/"; classtype:trojan-activity; sid:2024361; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_19;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M4 B641"; flow:established,from_server; file_data; 
content:"|657949784e7a51784e6949364e4441344d44597a4e6977694d5463304f5459694f6a51774f4441324d7a5973496a45334e6a4d78496a6f304d4467304e7a51344c4349784e7a59304d43|"; classtype:trojan-activity; sid:2024362; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK RIP Landing M4 B642"; flow:established,from_server; file_data; content:"|73694d5463304d5459694f6a51774f4441324d7a5973496a45334e446b32496a6f304d4467774e6a4d324c4349784e7a597a4d5349364e4441344e4463304f4377694d5463324e444169|"; classtype:trojan-activity; sid:2024363; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jun 08 2017"; flow:to_server,established; content:"POST"; http_method; content:"id="; nocase; http_client_body; content:"&Pass"; nocase; http_client_body; distance:0; content:"formimage"; nocase; http_client_body; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024579; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_06;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Banco Itau (BR) Phish Jun 09 2017"; flow:to_server,established; 
content:"POST"; http_method; content:"agencia="; nocase; http_client_body; content:"&conta="; nocase; distance:0; http_client_body; content:"&senha_eletronica="; nocase; distance:0; http_client_body; fast_pattern; content:"&senha_cartao="; nocase; distance:0; http_client_body; content:"&celular="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024371; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_06;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Poste Italiane Phish Jun 08 2017"; flow:to_server,established; content:"POST"; http_method; content:"/foo-autenticazione.php"; http_uri; fast_pattern; isdataat:!1,relative; content:"pass"; nocase; http_client_body; classtype:trojan-activity; sid:2024370; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_09_14;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Generic Credit Card Information in HTTP POST - Possible Successful Phish Jun 12 2017"; flow:to_server,established; content:"POST"; http_method; content:"cnum="; depth:5; nocase; http_client_body; content:"&exp="; nocase; distance:0; http_client_body; content:"&cvv="; nocase; distance:0; http_client_body; content:"&pin="; nocase; distance:0; http_client_body; content:"&ssn="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2024377; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_06;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible iTunes 
Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<TITLE>iTunes Connect"; classtype:trojan-activity; sid:2018303; rev:4; metadata:created_at 2014_03_21, former_category CURRENT_EVENTS, updated_at 2017_06_16;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"Dropbox - Sign in"; classtype:bad-unknown; sid:2020332; rev:3; metadata:created_at 2015_01_29, former_category CURRENT_EVENTS, updated_at 2017_06_16;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Chase Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"Chase Online - Identification"; fast_pattern:24,20; nocase; classtype:bad-unknown; sid:2025674; rev:3; metadata:created_at 2015_12_01, former_category CURRENT_EVENTS, updated_at 2018_07_12;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Google Docs Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"Google Docs"; nocase; classtype:bad-unknown; sid:2024386; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Docusign Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"Docusign"; nocase; classtype:bad-unknown; sid:2024387; rev:1; metadata:attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; 
content:"Meet Google Drive - One Place For All Your Files"; nocase; classtype:bad-unknown; sid:2024388; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Alibaba Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"Alibaba |3b|Manufacturer |3b|Directory"; nocase; classtype:bad-unknown; sid:2024389; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Yahoo Phishing Landing - Title over non SSL"; flow:established,to_client; content:!"Server|3a 20|YTS"; http_header; file_data; content:"<title>Yahoo - login"; fast_pattern; nocase; classtype:bad-unknown; sid:2024390; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_06;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Free Mobile Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Free Mobile - Bienvenue dans votre Espace"; nocase; classtype:bad-unknown; sid:2024393; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible AOL Mail Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>AOL 
Mail|3a 20|Simple, Free, Fun"; nocase; classtype:bad-unknown; sid:2024394; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible OWA Mail Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"Outlook Web Access"; nocase; classtype:bad-unknown; sid:2024395; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible OWA Mail Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"Outlook Web App"; nocase; classtype:bad-unknown; sid:2024396; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Facebook Help Center Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"Facebook Help Center"; nocase; classtype:bad-unknown; sid:2024397; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Yahoo Phishing Landing - Title over non SSL"; flow:established,to_client; content:!"Server|3a 20|YTS"; http_header; file_data; content:"Yahoo! 
Mail"; fast_pattern; nocase; classtype:bad-unknown; sid:2024398; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_06;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Adobe PDF Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Adobe PDF"; nocase; classtype:bad-unknown; sid:2024399; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible DHL Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"DHL |7c| Tracking"; nocase; classtype:bad-unknown; sid:2024400; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Adobe ID Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"Sign In - Adobe ID"; nocase; classtype:bad-unknown; sid:2024401; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2017-0199 Common Obfus Stage 2 DL"; flow:established,from_server; file_data; content:"|7b 5c 72 74|"; within:4; content:!"|66|"; within:1; content:"|5C 6F 62 6A 61 75 74 6C 69 6E 6B|"; nocase; distance:0; reference:md5,8168b2305289ecc778216405d1fd7984; 
reference:cve,2017-0199; classtype:trojan-activity; sid:2024413; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2017_06_19;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Broken/Filtered Payload Download Jun 19 2017"; flow:established,from_server; content:"Content-Length|3a 20|8|0d 0a|"; http_header; fast_pattern; file_data; content:"|6e 6f 62 69 6e 72 65 74|"; within:8; isdataat:!1,relative; classtype:trojan-activity; sid:2024414; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, updated_at 2020_09_14;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Watering Hole Redirect Inject Jun 28 2017"; flow:established,from_server; file_data; content:"REMOTE_URL"; content:"C_TIMEOUT"; distance:0; content:"apply_payload"; distance:0; fast_pattern; content:"execute_request"; distance:0; classtype:trojan-activity; sid:2024431; rev:2; metadata:created_at 2017_06_28, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2017_06_28;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Chase Mobile Phishing Landing M2"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:""; nocase; content:"|26 23|67|3b 26 23|104|3b 26 23|97|3b 26 23|115|3b 26 23|101|3b 26 23|32|3b 26 23|66|3b 26 23|97|3b 26 23|110|3b 26 23|107|3b|"; within:70; fast_pattern:34,20; content:""; distance:0; classtype:trojan-activity; sid:2025691; rev:2; 
metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jul 06 2017"; flow:to_server,established; content:"POST"; http_method; content:"b2="; depth:3; nocase; http_client_body; content:"&b1="; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024580; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jul 10 2017"; flow:to_server,established; content:"POST"; http_method; content:"id="; depth:3; nocase; http_client_body; content:"&pd="; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024581; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_10;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Capitech Internet Banking Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"Capitec Internet Banking"; nocase; classtype:bad-unknown; sid:2024453; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_07_11;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful 
Generic Phish (set) Jul 11 2017"; flow:to_server,established; content:"POST"; http_method; content:"IDToken"; depth:7; nocase; http_client_body; content:"&IDToken"; nocase; http_client_body; distance:0; fast_pattern; content:"&IDToken"; nocase; http_client_body; distance:0; content:"&IDToken"; nocase; http_client_body; distance:0; content:"&IDToken"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024582; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish - Credit Card"; flow:established,to_server; content:"POST"; http_method; content:"ccnum"; http_client_body; fast_pattern; content:"&exp"; distance:0; http_client_body; content:"&cvv"; distance:0; http_client_body; classtype:trojan-activity; sid:2021692; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish - Three Security Questions"; flow:established,to_server; content:"POST"; http_method; content:"q1="; http_client_body; content:"&answer1="; distance:0; http_client_body; fast_pattern; content:"&q2="; http_client_body; distance:0; content:"&answer2="; distance:0; http_client_body; content:"&q3="; distance:0; http_client_body; content:"&answer3="; distance:0; http_client_body; classtype:trojan-activity; sid:2021693; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, 
updated_at 2020_08_10;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Shared Document Phishing Landing Nov 19 2015"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"pagename=|22|login|22|"; nocase; content:"Sign in - Adobe"; nocase; distance:0; fast_pattern:2,20; content:"password-revealer"; nocase; distance:0; reference:md5,ba42e59213f10f5c1bd70ce4813f25d1; classtype:trojan-activity; sid:2023047; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_11, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_10;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Phish Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"login="; depth:6; nocase; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; content:"&submit=Sign+In&curl_version="; nocase; distance:0; http_client_body; fast_pattern:9,20; classtype:trojan-activity; sid:2023888; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_09, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2017_02_09;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Credit Agricole Phish Aug 15 2016 M1"; flow:to_server,established; content:"POST"; http_method; content:"ident="; fast_pattern; depth:6; nocase; http_client_body; content:"&ReadOut="; nocase; distance:0; http_client_body; content:"&prenom="; nocase; distance:0; http_client_body; content:"&nuum="; nocase; distance:0; http_client_body; content:"&xrypt="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023063; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, 
former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2017_07_12;)
# review: sid 2023064 is shipped disabled (commented out) in this distribution; its field chain is complete, so enabling it is a local tuning decision.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Credit Agricole Phish Aug 15 2016 M2"; flow:to_server,established; content:"POST"; http_method; content:"nom="; depth:4; nocase; http_client_body; content:"&prenom="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&pemail="; fast_pattern; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023064; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2017_07_12;)
# review: the "Successful ... Phish" rules in this section match the credential POST leaving $HOME_NET (flow to_server, POST with
# password/card fields in http_client_body), i.e. they fire after the victim has submitted the form. Handle a hit as a
# credential/PII exposure for the source host (reset, notify), not only as a block event.
# review: sid 2023061 anchors ".php?cmd=login_submit" in http_header rather than http_uri, so it keys on a header carrying that
# query string (presumably Referer - confirm) rather than on the request line; the body chain (login= at offset 0, then &passwd=)
# is what ties it to a submitted credential form.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Excel Phish Aug 15 2016"; flow:to_server,established; content:"POST"; http_method; content:".php?cmd=login_submit"; http_header; nocase; fast_pattern; content:"login="; depth:6; nocase; http_client_body; content:"&passwd="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023061; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful National Bank Phish Jan 05 2017"; flow:to_server,established; content:"POST"; http_method; content:"redirect="; depth:9; nocase; http_client_body; content:"&txtState="; nocase; distance:0; http_client_body; content:"&txtCount="; nocase; distance:0; http_client_body; content:"&txtOneTime="; nocase; distance:0; http_client_body; content:"&Account_ID="; nocase; distance:0; http_client_body; content:"&active_Password="; nocase; distance:0; http_client_body; fast_pattern; content:"&Submit="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023698; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
# review: sid 2024462 metadata is inconsistent with its siblings: msg says "Jan 04 2017" while created_at is 2017_01_05, and
# affected_product is Windows_XP_Vista_7_8_10_Server_32_64_Bit where the other phish rules in this section use Web_Browsers.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Netflix Payment Phish M1 Jan 04 2017"; flow:to_server,established; content:"POST"; http_method; content:"firstName="; depth:10; nocase; http_client_body; content:"&lastName="; nocase; distance:0; http_client_body; content:"&cardNumber="; nocase; distance:0; http_client_body; content:"&expirationMonth="; nocase; distance:0; http_client_body; content:"&expirationYear="; nocase; distance:0; http_client_body; content:"&securityCode="; nocase; distance:0; http_client_body; fast_pattern; content:"&SubmitButton="; nocase; distance:0; http_client_body; content:"&msg_agree="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024462; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
# review: sid 2023770 and sid 2024586 (RBC M1, later in this file) share the same fast_pattern anchor (FromPreSignIn_SIP= at
# depth 18) and differ only in the trailing field names; a body containing all of those fields triggers both, so expect paired
# alerts rather than two separate incidents.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"FromPreSignIn_SIP="; depth:18; nocase; http_client_body; fast_pattern; content:"&RSA_DEVPRINT="; nocase; distance:0; http_client_body; content:"&ROLLOUT="; nocase; distance:0; http_client_body; content:"&user="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023770; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
# review: sid 2023488 is disabled; the enabled sid 2025022 matches the same leading fields (1= at depth 2, &password=, &cvv1=)
# and sets the ET.genericphish_Tesco flowbit instead of alerting directly, which is presumably why this direct-alert variant
# was commented out.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Tesco Bank Phish M2 Nov 08 2016"; flow:to_server,established; content:"POST"; http_method; content:"1="; depth:2; nocase; http_client_body; content:"&password="; nocase; distance:0; http_client_body; content:"&cvv1="; nocase; distance:0; http_client_body; fast_pattern; content:"&mobile1="; nocase; distance:0; http_client_body; content:"&next"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023488; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_08, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_11_08;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Remax Phish - AOL Creds Jun 23 2015"; flow:established,to_server; content:"POST"; http_method; content:"/aol.php"; http_uri; fast_pattern; content:"sitedomain="; depth:11; http_client_body; content:"&isSiteStateEncoded="; http_client_body; nocase; distance:0; classtype:bad-unknown; sid:2021322; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
# review: sid 2017753 is labelled "Remax" but its only conditions are a POST to a /hotmail.php URI with "Sign+In" in the body;
# sids 2017750, 2017751, 2017752 and 2017754 use the same shape for /aol.php, /yahoo.php, /gmail.php and /other.php, so the brand
# in the msg is a lead for triage, not an attribution.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Remax Phish - Hotmail Creds Nov 25 2013"; flow:established,to_server; content:"POST"; http_method; content:"/hotmail.php"; http_uri; fast_pattern; content:"Sign+In"; http_client_body; nocase; classtype:bad-unknown; sid:2017753; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_11_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Remax Phish - Other Creds Jun 23 2015"; flow:established,to_server; content:"POST"; 
http_method; content:"/other.php"; http_uri; fast_pattern; content:"&_task=login&_action=login"; http_client_body; nocase; classtype:bad-unknown; sid:2021324; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
# review: sids 2021296, 2021297 and 2021298 require only a URI containing ".php" plus a field chain anchored at offset 0 of the
# body (username=/&pass/&vi=, email=/&pswd=/&Button1=, server=/&username=/&password=). The product named in each msg comes from
# the kit the rule was written against, not from anything in the match, so confirm the destination before attributing a hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Adobe Phish Jun 17 2015"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"username="; depth:9; nocase; http_client_body; fast_pattern; content:"&pass"; nocase; http_client_body; distance:0; content:"&vi="; nocase; http_client_body; distance:0; classtype:trojan-activity; sid:2021296; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Google Drive Phish June 17 2015"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"email="; depth:6; nocase; http_client_body; content:"&pswd="; nocase; http_client_body; distance:0; fast_pattern; content:"&Button1="; nocase; http_client_body; distance:0; classtype:trojan-activity; sid:2021297; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Dropbox Phish June 17 2015"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"server="; depth:7; nocase; http_client_body; fast_pattern; content:"&username="; nocase; http_client_body; distance:0; content:"&password="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2021298; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
# review: sid 2024392 is a landing-page match on the response (to_client, file_data): "<title>Excel Online" with a negated
# "Training" within 25 bytes as a false-positive guard. It is bad-unknown/Minor and, as an http rule, only sees plaintext HTTP,
# which is what "over non SSL" in the msg refers to.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Excel Online Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Excel Online"; nocase; content:!"Training"; nocase; within:25; classtype:bad-unknown; sid:2024392; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_07_17;)
# review: sids 2025021-2025025 set the ET.genericphish_Tesco flowbit with flowbits:noalert and never alert on their own. The
# rule that tests that bit (flowbits:isset,ET.genericphish_Tesco) is not in this section; if it is absent from the deployed
# set, these five produce no alerts at all. sid 2025022 reuses the leading fields of the disabled direct-alert sid 2023488.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Tesco Bank Phish (set) Jul 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"username="; depth:9; http_client_body; nocase; fast_pattern; content:"&login.x="; nocase; distance:0; http_client_body; content:"&login.y="; nocase; distance:0; http_client_body; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; classtype:trojan-activity; sid:2025021; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_10;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Tesco Phish (set) M1 Jul 18 2017"; flow:to_server,established; content:"POST"; http_method; content:"1="; depth:2; nocase; http_client_body; content:"&password="; nocase; distance:0; http_client_body; content:"&cvv1="; nocase; distance:0; http_client_body; fast_pattern; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; classtype:trojan-activity; sid:2025022; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_10;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Tesco Phish (set) M2 Jul 18 2017"; flow:to_server,established; content:"POST"; http_method; content:"access1="; depth:8; nocase; http_client_body; fast_pattern; content:"&next.x="; nocase; distance:0; http_client_body; content:"&next.y="; nocase; distance:0; http_client_body; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; classtype:trojan-activity; sid:2025023; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_10;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Tesco Phish (set) M3 Jul 18 2017"; flow:to_server,established; content:"POST"; http_method; content:"access2="; depth:8; nocase; http_client_body; fast_pattern; content:"&formimage1.x="; nocase; distance:0; http_client_body; content:"&formimage1.y="; nocase; distance:0; http_client_body; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; classtype:trojan-activity; sid:2025024; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_10;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Tesco Phish (set) M4 Jul 18 2017"; flow:to_server,established; content:"POST"; http_method; content:"email="; depth:6; nocase; http_client_body; content:"&emailpass="; nocase; distance:0; http_client_body; fast_pattern; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; classtype:trojan-activity; sid:2025025; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, 
deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_10;)
# review: sid 2024494 is disabled; its only indicator is a single fixed query-string token ("/?nbVykj", anchored at the end
# of the URI by the pcre with /U), which is the kind of indicator that ages out quickly.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS EITest Keitaro Evil Redirect Leading to SocENG July 25 2017"; flow:established,to_server; content:"/?nbVykj"; pcre:"/\/\?nbVykj$/U"; classtype:trojan-activity; sid:2024494; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2017_07_25;)
# review: sids 2022484 and 2024507 carry the same msg stem "RIG encrypted payload M1" with different dates, so alert names
# alone do not distinguish them. sid 2022484 has only created_at/former_category/updated_at metadata (no severity, tag or
# affected_product) and its sole condition is an 8-byte value at the start of file_data (within:8); treat a hit on it as
# needing corroboration from the rest of the session.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG encrypted payload M1 Feb 02 2016"; flow:established,to_client; file_data; content:"|3b 2d dd 4b 40 77 77 41|"; within:8; classtype:trojan-activity; sid:2022484; rev:3; metadata:created_at 2016_02_02, former_category CURRENT_EVENTS, updated_at 2017_08_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG encrypted payload M1 Aug 01 2017"; flow:established,to_client; file_data; content:"|73 29 88 ff e0 d1 0e 74|"; within:8; reference:md5,263a2cf88f340b2a755db749be1371ea; classtype:trojan-activity; sid:2024507; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, signature_severity Major, tag RigEK, updated_at 2017_08_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Inject July 25 2017"; flow:established,from_server; file_data; content:"var a=a|7c 7c|window.event|3b|doOpen|28 22|http"; nocase; pcre:"/^s?\x3a\x2f\x2f[^\x22\x27]+\/\?[A-Za-z0-9]{5,6}(?:=[^&\x22\x27]+)?[\x22\x27]\x29\x3bsetCookie\(\x22popundr\x22,1,864e5\)\}/Ri"; classtype:trojan-activity; sid:2024493; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2017_07_25;)
# review: sid 2029660 differs in style from its neighbours: the msg date is written 2017-08-03 rather than "Aug 03 2017" and
# former_category is PHISHING rather than CURRENT_EVENTS. It matches template text of a kit's loading page on the server
# response (200 status, text/html, "//configure destination URL" ... "//Do not edit below this line"), so it fires on the
# served page rather than on the credential POST, despite the "Successful" wording.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Generic Phish - Fake Loading Page 2017-08-03"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"//configure destination URL"; nocase; fast_pattern:7,20; content:"targetdestination"; nocase; distance:0; content:"splashmessage[0]"; nocase; distance:0; content:"splashmessage[1]"; nocase; distance:0; content:"//Do not edit below this line"; nocase; distance:0; classtype:trojan-activity; sid:2029660; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK Landing M1 Aug 05 2017"; flow:established,from_server; file_data; content:"|5b 30 5d 5b 22 41 22 2b|"; content:"|29 2b 22 58 22 2b 22 4f 22 2b|"; distance:0; fast_pattern; content:"|72 65 74 75 72 6e 20 28 22 22 2b|"; content:"|29 2b 22 41 74 22 5d|"; distance:0; classtype:trojan-activity; sid:2024514; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_08_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Magnitude, updated_at 2017_08_07;)
# review: sid 2024515 runs the same named-group pcre twice (after the CreateObject( and Execute( hex anchors), but the first
# carries /Rsi and the second /Ri; whether dropping the s flag on the second is intentional is not evident here - TODO confirm.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK Landing M2 Aug 05 2017"; flow:established,from_server; file_data; content:"|43 72 65 61 74 65 4f 62 6a 65 63 74 28|"; pcre:"/^(?P<var>[A-Z0-9a-z]{1,20})\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29/Rsi"; content:"|45 78 65 63 75 74 65 28|"; pcre:"/^(?P<var>[A-Z0-9a-z]{1,20})\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29/Ri"; content:"|52 65 44 69 6d|"; content:"|50 72 65 73 65 72 76 65|"; content:"|55 6e 45 73 63 61 70 65|"; classtype:trojan-activity; sid:2024515; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Magnitude, updated_at 2017_08_07;)
# review: sid 2024616 metadata lacks signature_severity, which every other phish rule in this section carries; alert
# prioritisation keyed on that field will not rank it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Blockchain Account Phish Aug 19 2016"; flow:to_server,established; content:"POST"; http_method; content:"UID_input="; depth:10; nocase; http_client_body; fast_pattern; content:"&pass"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024616; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, tag Phishing, updated_at 2020_08_11;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Mail.ru Phish Aug 10 2017"; flow:to_server,established; content:"POST"; http_method; content:"1login="; depth:7; nocase; http_client_body; fast_pattern; content:"&login="; nocase; distance:0; http_client_body; content:"&Domain="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024532; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_08_10;)
alert http 
$EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible AMSI Powershell Bypass Attempt B641"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBk"; fast_pattern; classtype:trojan-activity; sid:2024534; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
# review: sids 2024534-2024540 all require "<script" followed by "powershell" in file_data before the encoded token, so they
# are scoped to PowerShell embedded in HTML/script-tag delivery; the same token in a bare script download is not covered by
# these rules. The B641/B642/B643 variants are the three base64 alignments of one UTF-16LE string ("amsiInitFailed" for the
# AMSI set, "(,$([Convert]::FromBase64String(" for the Veil set); sid 2024537 covers the plaintext AMSI form.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible AMSI Powershell Bypass Attempt B642"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"EAbQBzAGkASQBuAGkAdABGAGEAaQBsAGUAZ"; fast_pattern; classtype:trojan-activity; sid:2024535; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible AMSI Powershell Bypass Attempt B643"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"hAG0AcwBpAEkAbgBpAHQARgBhAGkAbABlAG"; fast_pattern; classtype:trojan-activity; sid:2024536; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
# review: sid 2024537 is the plaintext counterpart of the three B64x AMSI rules: AmsiUtils is the fast_pattern, and
# amsiInitFailed / setvalue are unordered while $null and $true are chained with distance:0.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible AMSI Powershell Bypass Attempt"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"System.Management.Automation.AmsiUtils"; fast_pattern; nocase; content:"amsiInitFailed"; nocase; content:"setvalue"; nocase; content:"$null"; nocase; distance:0; content:"$true"; nocase; distance:0; classtype:trojan-activity; sid:2024537; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
# review: the Veil rules (sids 2024538-2024540) carry no explicit fast_pattern, unlike the AMSI rules above; the long base64
# content is presumably what the engine selects by default, but confirm if performance_impact matters in this deployment.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Veil Powershell Encoder B641"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"KAAsACQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAo"; classtype:trojan-activity; sid:2024538; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Veil Powershell Encoder B642"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"gALAAkACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAK"; classtype:trojan-activity; sid:2024539; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Veil Powershell Encoder B643"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"oACwAJAAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnAC"; classtype:trojan-activity; sid:2024540; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
# review: sid 2024541 only fires when ET.genericphish was set earlier in the flow (set by sid 2025027 later in this file, a
# noalert rule on a POST with xxx=/&yyy= fields) and the response body begins with "PASSWORD NOT MATCHED": depth:20 equals
# the pattern length, so any leading whitespace or markup before the text defeats the match.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Successful Phish - Verify Email Error Message M1 Aug 14 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"PASSWORD NOT MATCHED"; nocase; depth:20; fast_pattern; classtype:trojan-activity; sid:2024541; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_08_11;)
# review: sid 2024545 is an ordered chain of 13 body fields (address_1= at offset 0 through &year=) submitted in one POST; a
# match means contact and card-style data left the source host, so treat it as a confirmed victim rather than a suspicious hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Paypal Phish M2 Aug 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"address_1="; depth:10; nocase; http_client_body; fast_pattern; content:"&address_2="; nocase; distance:0; http_client_body; content:"&city="; nocase; distance:0; http_client_body; content:"&state="; nocase; distance:0; http_client_body; content:"&postal="; nocase; distance:0; http_client_body; content:"&country="; nocase; distance:0; http_client_body; content:"&phone="; nocase; distance:0; http_client_body; content:"&number_1="; nocase; distance:0; http_client_body; content:"&number_2="; nocase; distance:0; http_client_body; content:"&number_3="; nocase; distance:0; http_client_body; content:"&month="; nocase; distance:0; http_client_body; content:"&day="; nocase; distance:0; http_client_body; content:"&year="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024545; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Paypal Phish M3 Aug 14 
2017"; flow:to_server,established; content:"POST"; http_method; content:"country="; depth:8; nocase; http_client_body; content:"&cc_holder="; nocase; distance:0; http_client_body; content:"&cc_number="; nocase; distance:0; http_client_body; fast_pattern; content:"&expdate_month="; nocase; distance:0; http_client_body; content:"&expdate_year="; nocase; distance:0; http_client_body; content:"&cvv2_number="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024546; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_08_14;)
# review: sid 2024547 matches cmd=_identifier_Demarrer_ID= in http_header rather than http_uri (fast_pattern on bytes 8-27 of
# it), so it keys on a header carrying that query string (presumably Referer - confirm) with the submit.x/submit.y pair in the
# body; the same string in the request URI alone is not what this rule looks at.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Square Phish Nov 16 2015"; flow:to_server,established; content:"POST"; http_method; content:"cmd=_identifier_Demarrer_ID="; http_header; nocase; fast_pattern:8,20; content:"&submit.x="; nocase; http_client_body; content:"&submit.y="; nocase; http_client_body; distance:0; classtype:trojan-activity; sid:2024547; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
# review: sid 2024553 is gated on flowbits:isset,et.IE7.NoRef.NoCookie, whose setter is not in this section. Its metadata also
# reverses the two labels used by its sibling sid 2024602 (here malware_family PowerShell / tag PowerShell_Downloader, there
# malware_family PowerShell_Downloader / tag PowerShell); one of the two should be aligned so grouping by either field works.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Malicious Windows SCT Download MSXMLHTTP AX"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; file_data; content:"<registration"; nocase; distance:0; content:"progid"; distance:0; nocase; content:"<script"; nocase; distance:0; content:"<![CDATA["; nocase; content:"ActiveXObject"; nocase; distance:0; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024553; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell, signature_severity Major, tag PowerShell_Downloader, updated_at 2017_08_15;)
# review: sid 2024586 shares its fast_pattern anchor (FromPreSignIn_SIP= at depth 18) with sid 2023770 earlier in this file;
# they differ only in the trailing field names, so a body containing all of them triggers both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish M1 Aug 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"FromPreSignIn_SIP="; depth:18; nocase; http_client_body; fast_pattern; content:"&LANGUAGE="; nocase; distance:0; http_client_body; content:"&RSA_DEVPRINT="; nocase; distance:0; http_client_body; content:"&cn1="; nocase; distance:0; http_client_body; content:"&cn2="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024586; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
# review: sid 2024587 requires cc=, &pin=, &ccin=, &mmn=, &ssn1= through &ssn3=, &dl= and &month=/&day=/&year= in one ordered
# POST body; a hit is a full identity-data exposure for the source host and warrants more than a credential reset.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish M2 Aug 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"cc="; depth:3; nocase; http_client_body; content:"&pin="; nocase; distance:0; http_client_body; content:"&ccin="; nocase; distance:0; http_client_body; fast_pattern; content:"&mmn="; nocase; distance:0; http_client_body; content:"&ssn1="; nocase; distance:0; http_client_body; content:"&ssn2="; nocase; distance:0; http_client_body; content:"&ssn3="; nocase; distance:0; http_client_body; content:"&dl="; nocase; distance:0; http_client_body; content:"&month="; nocase; distance:0; http_client_body; content:"&day="; nocase; distance:0; http_client_body; content:"&year="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024587; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
# review: sids 2015907 and 2015908 (2012 generic rules) use unordered, case-sensitive body contents with no depth or distance,
# so the field names may appear anywhere in the POST body in any order. That is broader than the 2016-2017 rules in this
# section, which anchor the first field at offset 0 and chain the rest with distance:0; expect a different false-positive profile.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Credit Card Information Phish"; flow:established,to_server; content:"POST"; http_method; content:"creditcard="; http_client_body; fast_pattern; content:"expyear="; http_client_body; content:"ccv="; http_client_body; content:"pin="; http_client_body; classtype:trojan-activity; sid:2015907; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic PII Phish"; flow:established,to_server; content:"POST"; http_method; content:"&phone3="; http_client_body; content:"&ssn3="; http_client_body; fast_pattern; content:"&dob3="; http_client_body; classtype:trojan-activity; sid:2015908; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
# review: sid 2015952 carries an explicit false-positive exclusion (content:!"LabTech Agent" on http_user_agent); if other
# legitimate agents submit ssn1/ssn2/ssn3 fields, add them the same way rather than disabling the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic SSN Phish"; flow:established,to_server; content:"POST"; http_method; content:"ssn1="; http_client_body; fast_pattern; content:"ssn2="; http_client_body; content:"ssn3="; http_client_body; content:!"LabTech Agent"; http_user_agent; classtype:trojan-activity; sid:2015952; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Google Drive Phishing Landing Jul 10 2015"; flow:to_client,established; file_data; content:".php|22 20|method=|22|POST|22|"; fast_pattern; content:"Sign in with Gmail"; distance:0; 
content:"Sign in with Yahoo"; distance:0; content:"Sign in with Hotmail"; distance:0; content:"Sign in with AOL"; distance:0; content:"Sign in with Others"; distance:0; classtype:policy-violation; sid:2025683; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_07_12;)
# review: sids 2017750 and 2015910 are two generations of the same AOL check: the 2013 rule keys on a /aol.php URI plus
# "Sign+In" in the body, the 2012 rule on aoluser=/aolpassword= body fields anywhere; both are classtype bad-unknown. The
# Gmail, Hotmail, Yahoo and "Other" pairs later in this section follow the same split.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful AOL Phish Nov 25 2013"; flow:established,to_server; content:"POST"; http_method; content:"/aol.php"; http_uri; fast_pattern; content:"Sign+In"; http_client_body; nocase; classtype:bad-unknown; sid:2017750; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_11_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful AOL Phish Nov 21 2012"; flow:established,to_server; content:"POST"; http_method; content:"aoluser="; http_client_body; content:"aolpassword="; http_client_body; classtype:bad-unknown; sid:2015910; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Google Drive/Dropbox Phishing Landing Jul 10 2015"; flow:to_client,established; file_data; content:"openOffersDialog|28 29 3b|"; content:"dropboxmaincontent"; fast_pattern; distance:0; content:"Verification Required"; nocase; distance:0; classtype:policy-violation; sid:2021400; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
# review: sid 2021761 excludes source port 2095 ($EXTERNAL_NET !2095), presumably to suppress a known legitimate service on
# that port - TODO confirm the reason is still valid. The |E2 80 A6| bytes in two of the contents are the UTF-8 ellipsis, so
# the rule expects that exact encoding of the status strings.
alert http $EXTERNAL_NET !2095 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Successful Phish - Generic Status Messages Sept 11 2015"; flow:established,to_client; file_data; content:"|22|ajax_timeout|22 20 3A 20 22|"; content:"Authenticating|20 E2 80 A6 22 2C|"; fast_pattern; distance:0; content:"|22|expired_session|22 20 3A 20 22|Your"; distance:0; content:"|22|prevented_xfer|22 20 3A 20 22|The session"; distance:0; content:"successful. Redirecting|20 E2 80 A6 22 2C|"; distance:0; content:"|22|token_incorrect|22 20 3A 20 22|The security"; distance:0; classtype:trojan-activity; sid:2021761; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_08_17;)
# review: sids 2021537, 2021538, 2021539 and 2021540 share the identical msg "ET CURRENT_EVENTS Possible Generic Phishing
# Landing Jul 28 2015" and differ only in the ValidateForm* function name they match; any tuning or suppression keyed on the
# alert text affects all four, so key on sid instead. sid 2017135 is the older Aol variant of the same family.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Generic Phishing Landing Jul 28 2015"; flow:established,to_client; file_data; content:"function ValidateFormOther()"; fast_pattern:8,20; classtype:trojan-activity; sid:2021537; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Generic Phishing Landing Jul 28 2015"; flow:established,to_client; file_data; content:"function ValidateFormHotmail()"; fast_pattern:10,20; classtype:trojan-activity; sid:2021538; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Generic Phishing Landing Jul 28 2015"; flow:established,to_client; file_data; content:"function ValidateFormGmail()"; fast_pattern:8,20; classtype:trojan-activity; sid:2021539; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Generic Phishing Landing Jul 28 2015"; flow:established,to_client; file_data; content:"function ValidateFormYahoo()"; fast_pattern:8,20; classtype:trojan-activity; sid:2021540; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Generic Phishing Landing Jul 12 2013"; flow:established,to_client; file_data; content:"function ValidateFormAol()"; fast_pattern:6,20; classtype:trojan-activity; sid:2017135; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_07_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Gmail Phish Nov 25 2013"; flow:established,to_server; content:"POST"; http_method; content:"/gmail.php"; http_uri; fast_pattern; content:"Sign+In"; http_client_body; nocase; classtype:trojan-activity; sid:2017752; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_11_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Gmail Phish Nov 21 2012"; flow:established,to_server; content:"POST"; http_method; content:"gmailuser="; http_client_body; content:"gmailpassword="; http_client_body; 
classtype:trojan-activity; sid:2015912; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
# review: sids 2015913, 2015914 and 2015911 are the 2012 body-field variants (hotmailuser=/hotmailpassword=,
# otheruser=/otherpassword=, yahoouser=/yahoopassword=) with no ordering or offset constraints; sids 2017754 and 2017751 are
# the 2013 URI-plus-"Sign+In" variants for the same services. Note the classtype differs within the family (trojan-activity
# here, bad-unknown for the Yahoo and AOL rules), which affects any classtype-based prioritisation.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Hotmail Phish Nov 21 2012"; flow:established,to_server; content:"POST"; http_method; content:"hotmailuser="; http_client_body; content:"hotmailpassword="; http_client_body; classtype:trojan-activity; sid:2015913; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Phish - Other Credentials Nov 25 2013"; flow:established,to_server; content:"POST"; http_method; content:"/other.php"; http_uri; fast_pattern; content:"Sign+In"; http_client_body; nocase; classtype:trojan-activity; sid:2017754; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_11_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Phish - Other Credentials Nov 21 2012"; flow:established,to_server; content:"POST"; http_method; content:"otheruser="; http_client_body; content:"otherpassword="; http_client_body; classtype:trojan-activity; sid:2015914; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Yahoo Phish Nov 25 2013"; flow:established,to_server; content:"POST"; http_method; content:"/yahoo.php"; http_uri; fast_pattern; content:"Sign+In"; http_client_body; nocase; classtype:bad-unknown; sid:2017751; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_11_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Yahoo Phish Nov 21 2012"; flow:established,to_server; content:"POST"; http_method; content:"yahoouser="; http_client_body; content:"yahoopassword="; http_client_body; classtype:trojan-activity; sid:2015911; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
# review: sid 2021323 anchors .tries= at offset 0 of the body (depth:7) followed by &.challenge=; the leading-dot field names
# are what distinguish it from the broader /yahoo.php + "Sign+In" check in sid 2017751, and both can fire on one POST.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Yahoo Phish Jun 23 2015"; flow:established,to_server; content:"POST"; http_method; content:"/yahoo.php"; http_uri; fast_pattern; content:".tries="; http_client_body; nocase; depth:7; content:"&.challenge="; http_client_body; nocase; distance:0; classtype:bad-unknown; sid:2021323; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Interac Phish Aug 18 2017"; flow:to_server,established; content:"POST"; http_method; content:"fiId="; depth:5; nocase; http_client_body; content:"&cuId="; nocase; distance:0; http_client_body; content:"&hiddenFiLabel="; nocase; distance:0; http_client_body; content:"&hiddenCuLabel="; nocase; distance:0; http_client_body; content:"&isMobileBrowser="; nocase; distance:0; http_client_body; content:"&language="; nocase; distance:0; http_client_body; content:"&paymentRefNum="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2024599; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
# review: sid 2025027 is a noalert setter for ET.genericphish, consumed by sid 2024541 earlier in this file; its body fields
# are the literal names xxx= and &yyy=, presumably lifted from one kit's template - confirm before relying on it broadly.
# Its msg date (Aug 22 2017) also disagrees with created_at 2017_08_21.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Aug 22 2017"; flow:to_server,established; content:"POST"; http_method; content:"xxx="; depth:4; nocase; http_client_body; content:"&yyy="; nocase; http_client_body; fast_pattern; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2025027; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
# review: sid 2024602 is the <package>/<component> form of the scriptlet check in sid 2024553 (same et.IE7.NoRef.NoCookie gate,
# same <script>/CDATA/ActiveXObject chain); its malware_family and tag values are the reverse of sid 2024553's, so the two
# should be aligned. The flowbit setter is not in this section.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Malicious Windows SCT Download MSXMLHTTP AX M2"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; file_data; content:"<package"; nocase; distance:0; content:"<component"; distance:0; nocase; content:"<script"; nocase; distance:0; content:"<![CDATA["; nocase; content:"ActiveXObject"; nocase; distance:0; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024602; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell_Downloader, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2017_08_22;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Hancitor/Tordal Document Inbound"; flow:established,from_server; 
content:"200"; http_stat_code; content:"Content-Type|3a 20|application/msword|3b|"; http_header; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; http_header; content:".doc"; distance:0; http_header; file_data; content:"|d0 cf 11 e0|"; depth:4; fast_pattern; flowbits:isset,ET.Hancitor; classtype:trojan-activity; sid:2024605; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Hancitor, malware_family Tordal, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Disdain EK URI Struct Aug 23 2017 M1"; flow:established,to_server; urilen:>41; content:".php"; offset:38; depth:4; http_uri; pcre:"/^\/(?=[a-z0-9]{0,22}[A-Z]+?[a-z0-9])(?=[A-Z0-9]{0,22}[a-z]+?[A-Z0-9])[a-zA-Z0-9]{24}\/[a-zA-Z0-9]{12}\.php(?:\?[^&=]+=(?:[a-zA-Z0-9]{8}|0(?:189|037)|flash|2(?:551|419)|6332))?$/U"; flowbits:set,ET.DisDain.EK; classtype:trojan-activity; sid:2024606; rev:2; metadata:created_at 2017_08_23, updated_at 2020_08_11;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Disdain EK URI Struct Aug 23 2017 M2"; flow:established,to_server; urilen:34; content:"/test.mp3"; offset:25; depth:9; http_uri; pcre:"/^\/(?=[a-z0-9]{0,22}[A-Z]+?[a-z0-9])(?=[A-Z0-9]{0,22}[a-z]+?[A-Z0-9])[a-zA-Z0-9]{24}\/test\.mp3$/U"; flowbits:set,ET.DisDain.EK; classtype:trojan-activity; sid:2024607; rev:2; metadata:created_at 2017_08_23, updated_at 2020_08_11;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Disdain EK Payload Aug 23 2017"; flow:established,from_server; file_data; content:"|30 26 e2 3d 9d f5 5b 16|"; within:8; flowbits:set,ET.DisDain.EK; classtype:trojan-activity; sid:2024608; rev:2; metadata:created_at 2017_08_23, updated_at 2017_08_23;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS 
Disdain EK Flash Exploit M1 Aug 23 2017"; flow:established,from_server; flowbits:isset,ET.DisDain.EK; file_data; content:"CWS"; within:3; classtype:trojan-activity; sid:2024609; rev:2; metadata:created_at 2017_08_23, updated_at 2017_08_23;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Disdain EK Flash Exploit M2 Aug 23 2017"; flow:established,from_server; flowbits:isset,ET.DisDain.EK; file_data; content:"ZWS"; within:3; classtype:trojan-activity; sid:2024610; rev:2; metadata:created_at 2017_08_23, updated_at 2017_08_23;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Disdain EK Flash Exploit M3 Aug 23 2017"; flow:established,from_server; flowbits:isset,ET.DisDain.EK; file_data; content:"FWS"; within:3; classtype:trojan-activity; sid:2024611; rev:2; metadata:created_at 2017_08_23, updated_at 2017_08_23;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Disdain EK Landing Aug 23 2017"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"document.write("; content:"w6UKpvNSUQKuCVmSVlTLELdj"; distance:0;within:75; flowbits:isset,ET.DisDain.EK; classtype:trojan-activity; sid:2024612; rev:2; metadata:created_at 2017_08_23, updated_at 2020_08_11;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Aug 25 2017"; flow:to_server,established; content:"POST"; http_method; content:"e="; depth:2; nocase; http_client_body; content:"&p="; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024614; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_11;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Poloniex Cryptocurrency Exchange Phish Aug 28 2017"; 
flow:to_client,established; flowbits:isset,ET.genericphish; content:"302"; http_stat_code; content:"Location|3a 20|https://poloniex.com"; http_header; fast_pattern; classtype:trojan-activity; sid:2024617; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Exmo Cryptocurrency Exchange Phish Aug 28 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; content:"302"; http_stat_code; content:"Location|3a 20|https://exmo.com"; http_header; fast_pattern; classtype:trojan-activity; sid:2024618; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Paxful Cryptocurrency Wallet Phish Aug 30 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; content:"302"; http_stat_code; content:"Location|3a 20|https://paxful.com"; http_header; classtype:trojan-activity; sid:2024621; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_11;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible NatWest Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>NatWest Online Banking"; nocase; classtype:bad-unknown; sid:2024622; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_08_30;) #alert http 
$EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible NatWest Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"Pin and Password - NWOLB"; nocase; classtype:bad-unknown; sid:2024623; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_08_30;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible NatWest Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"Security Details - NWOLB"; nocase; classtype:bad-unknown; sid:2024624; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_08_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Aug 31 2017"; flow:to_server,established; content:"GET"; http_method; content:".php?"; http_uri; content:"csrfmiddlewaretoken="; nocase; http_uri; distance:0; content:"username="; nocase; http_uri; content:"&password="; nocase; http_uri; fast_pattern; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024638; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_12;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful LocalBitcoins Cryptocurrency Exchange Phish Aug 30 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; content:"302"; http_stat_code; content:"Location|3a 20|https://localbitcoins.com"; http_header; classtype:trojan-activity; sid:2024640; rev:1; metadata:affected_product Web_Browsers, 
attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_12;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HEX Payload DL with MSXMLHTP (Observed in Locky campaign)"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; file_data; content:"4d"; nocase; within:2; pcre:"/^\s*5a\s*90\s*00\s*03\s*00\s*00\s*00/Rsi"; classtype:trojan-activity; sid:2024650; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Significant, signature_severity Major, updated_at 2019_05_28;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"Dropbox - Verify Email"; fast_pattern; classtype:trojan-activity; sid:2024656; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_09_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit"; flow:established,from_server; file_data; content:"triggerBug"; nocase; fast_pattern; pcre:"/^\s*(?:\x28|\%28)/Rs"; content:"exploit"; nocase; pcre:"/^\s*(?:\x28|\%28)o/Rs"; content:"intToStr"; nocase; pcre:"/^\s*(?:\x28|\%28)x/Rs"; content:"strToInt"; nocase; pcre:"/^\s*(?:\x28|\%28)s/Rs"; classtype:trojan-activity; sid:2024676; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Critical, updated_at 2017_09_07;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET 
CURRENT_EVENTS CVE-2016-0189 Exploit HFS Actor"; flow:established,from_server; content:"Server|3a 20|HFS"; http_header; file_data; content:"triggerBug"; nocase; fast_pattern; content:"exploit"; nocase; content:"intToStr"; nocase; content:"strToInt"; nocase; classtype:trojan-activity; sid:2024677; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Critical, updated_at 2020_08_12;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HoeflerText Chrome Popup DriveBy Download Attempt 1"; flow:established,to_client; file_data; content:"The |22|HoeflerText|22| font wasn't found"; nocase; fast_pattern; content:"you have to update the |22|Chrome Font Pack|22|"; distance:0; nocase; content:"Click on the Chrome_Font.exe"; distance:0; nocase; content:"Latest version"; distance:0; nocase; content:"href=|22|http"; distance:0; nocase; content:"window.chrome"; distance:0; nocase; reference:url,www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme; classtype:trojan-activity; sid:2024238; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2017_09_12;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HoeflerText Chrome Popup DriveBy Download Attempt 2"; flow:established,to_client; file_data; content:"The |22|HoeflerText|22| font was not found"; nocase; fast_pattern; content:"you have to update the |22|Chrome Font Pack|22|"; distance:0; nocase; content:"To install |22|HoeflerText|22| font for your PC"; distance:0; nocase; content:"Download the .js"; distance:0; nocase; content:".attr('href',"; distance:0; 
nocase; metadata: former_category CURRENT_EVENTS; reference:url,www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme; classtype:trojan-activity; sid:2024700; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_12, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2017_09_12;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK encrypted payload Sept 11 (1)"; flow:established,to_client; file_data; content:"|8d b1 8a d0 36 8d 5d bf|"; within:8; classtype:trojan-activity; sid:2024691; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2017_09_12;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Apple Phishing Landing M1 Sep 14 2017"; flow:to_client,established; content:"200"; http_stat_code; content:"connect.sid"; http_cookie; file_data; content:"Manage your Apple ID"; nocase; fast_pattern:7,20; classtype:trojan-activity; sid:2024703; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_12;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Apple Phishing Landing M2 Sep 14 2017"; flow:to_client,established; content:"200"; http_stat_code; content:"connect.sid"; http_cookie; file_data; content:"mainController as mainCtrl"; nocase; content:"mainCtrl.username"; nocase; distance:0; content:"mainCtrl.password"; nocase; distance:0; content:"mainCtrl.submitCreds"; nocase; distance:0; 
fast_pattern; classtype:trojan-activity; sid:2024704; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Sep 19 2017"; flow:to_server,established; content:"POST"; http_method; content:"pass="; depth:5; nocase; fast_pattern; http_client_body; content:"&formimage1.x="; nocase; http_client_body; distance:0; content:"&formimage1.y="; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2025028; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_12;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M1"; flow:established,to_server; urilen:6<>20; pcre:"/^(?:\/(?:(?:af|p66)\/(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}|(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}\?))$/U"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; content:"MSIE 7.0"; http_user_agent; classtype:trojan-activity; sid:2024767; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_05;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M2"; flow:established,to_server; urilen:6<>20; 
pcre:"/^(?:\/(?:(?:af|p66)\/(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}|(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}\?))$/U"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; content:"Firefox/54.0"; http_user_agent; classtype:trojan-activity; sid:2024768; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_05;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Raiffeisen Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"Raiffeisen ELBA-internet"; fast_pattern:19,20; nocase; classtype:bad-unknown; sid:2024770; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_09_27;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Google Drive Phish Dec 4 2015 M1"; flow:to_server,established; content:"POST"; http_method; content:"hidCflag="; nocase; depth:9; http_client_body; fast_pattern; content:"&Email="; nocase; http_client_body; distance:0; content:"&Pass"; http_client_body; distance:0; nocase; content:"sign"; nocase; http_client_body; distance:0; classtype:trojan-activity; sid:2022217; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_03, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_12;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Google Drive 
Phishing Landing Nov 6 2015 M1"; flow:established,from_server; file_data; content:"Google Docs"; nocase; distance:0; fast_pattern:6,20; content:"input[type=email]"; nocase; distance:0; content:"input[type=number]"; nocase; distance:0; content:"input[type=password]"; nocase; distance:0; content:"input[type=tel]"; nocase; distance:0; content:"signin-card #Email"; nocase; distance:0; content:"signin-card #Pass"; nocase; distance:0; classtype:trojan-activity; sid:2025681; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2018_07_12;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Google Drive Phishing Landing Nov 6 2015 M2"; flow:established,from_server; file_data; content:"Welcome to Google Docs"; nocase; fast_pattern:2,20; content:"Upload and Share Your Documents Securely"; nocase; distance:0; content:"Enter your email"; nocase; distance:0; content:"Enter a valid email"; nocase; distance:0; content:"Enter your password"; nocase; distance:0; content:"Sign in to view attachment"; nocase; distance:0; content:"Access your documents securely"; nocase; distance:0; classtype:trojan-activity; sid:2025680; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2018_07_12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Phish (set) Sep 28 2017"; flow:to_server,established; content:"POST"; http_method; content:"number"; depth:6; nocase; http_client_body; content:"&number"; nocase; distance:0; http_client_body; content:"&number"; nocase; distance:0; http_client_body; content:"&number"; nocase; distance:0; http_client_body; content:"&number"; nocase; distance:0; http_client_body; content:"&FormsButton"; nocase; distance:0; http_client_body; fast_pattern; 
flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2025029; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Banco do Brasil Phish M1 Sep 29 2017"; flow:to_server,established; content:"POST"; http_method; content:"agg="; depth:4; nocase; http_client_body; content:"&acc="; nocase; distance:0; http_client_body; content:"&ss"; nocase; distance:0; http_client_body; content:"&proceguir="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2024782; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Banco do Brasil Phish M2 Sep 29 2017"; flow:to_server,established; content:"POST"; http_method; content:"telefone="; depth:9; nocase; http_client_body; content:"&senha"; nocase; distance:0; http_client_body; content:"&proceguir="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2024783; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Banco do Brasil Phish M3 Sep 29 2017"; flow:to_server,established; content:"POST"; http_method; content:"cvv="; depth:4; nocase; http_client_body; content:"&proceguir="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2024784; rev:1; metadata:affected_product Web_Browsers, 
attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Phish M1 Feb 06 2016"; flow:to_server,established; content:"POST"; http_method; content:".php?token|3b|"; fast_pattern; http_uri; content:"id="; depth:3; nocase; http_client_body; content:"&password="; nocase; http_client_body; distance:0; classtype:trojan-activity; sid:2022497; rev:3; metadata:created_at 2016_02_08, former_category CURRENT_EVENTS, updated_at 2020_08_12;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Online Document Phishing Landing M1 Mar 25 2017"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Your session has timed out"; fast_pattern; nocase; content:"Click OK to sign in and continue"; nocase; distance:0; classtype:trojan-activity; sid:2025694; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_27, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_12;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M4"; flow:established,to_server; urilen:>6; pcre:"/^(?:\/(?:(?:af|p66)\/(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}|(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}\?*(?:(?P[^=&]+)=(?P=var1))?))$/U"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; content:"Firefox"; http_user_agent; flowbits:set,ET.Locky; flowbits:noalert; classtype:trojan-activity; sid:2026462; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, 
attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2018_10_09;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Scotiabank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"Sign in to Scotiabank"; nocase; classtype:bad-unknown; sid:2024795; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_10_03;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Desjardins Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Log on|20 7c 20|Desjardins"; nocase; classtype:bad-unknown; sid:2024796; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_10_03;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible BMO Bank of Montreal Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>BMO Bank of Montreal Online Banking"; nocase; classtype:bad-unknown; sid:2024798; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_10_03;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Santander Phish M3 Oct 04 2017"; flow:to_server,established; content:"POST"; http_method; content:"as_cpf="; depth:7; nocase; http_client_body; content:"&as_pass="; nocase; distance:0; http_client_body; fast_pattern; content:"&sender="; nocase; distance:0; http_client_body; 
content:"&as_continue="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024801; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_10_04;)
# ---------------------------------------------------------------------------
# ET CURRENT_EVENTS: phishing credential-POST signatures, phishing landing
# pages, encoded PowerShell downloader primitives, BadRabbit/BACKSWING drive-by
# JavaScript and two DNS lookalike-domain rules.
# Layout: one rule per line (the Suricata rule grammar is line-based; a `#` at
# the start of a line disables that rule as shipped).
# Handling note: the "Successful ... Phish" rules match on form fields such as
# password=, &cvv= and &ssn in the request body, so the alert payload of a true
# positive contains the victim's submitted secret. Treat stored alert payloads
# for these sids as sensitive data.
# ---------------------------------------------------------------------------
# Credential-exfil POSTs (HOME_NET -> EXTERNAL_NET): match the field names a
# specific phishing kit submits, in order, within http_client_body.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Santander Phish M1 Oct 04 2017"; flow:to_server,established; content:"POST"; http_method; content:"cpf="; depth:4; nocase; http_client_body; fast_pattern; content:"&s6="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024800; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_12;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Santander Phish M2 Oct 04 2017"; flow:to_server,established; content:"POST"; http_method; content:"ag_ct="; depth:6; nocase; http_client_body; content:"&ct_ct="; nocase; distance:0; http_client_body; content:"&us_user="; nocase; distance:0; http_client_body; content:"&us_pant="; nocase; distance:0; http_client_body; fast_pattern; content:"&sender="; nocase; distance:0; http_client_body; content:"&btn_now="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024802; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_12;)
# Landing page (EXTERNAL_NET -> HOME_NET): title string in the response body.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PayPal Phishing Landing Nov 24 2014"; flow:established,to_client; file_data; content:"Login - PayPal"; classtype:bad-unknown; sid:2019785; rev:4; metadata:created_at 2014_11_24, former_category CURRENT_EVENTS, updated_at 2017_10_05;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Phish Outlook Credentials Oct 01 2015"; flow:established,to_server; content:"POST"; http_method; content:"outlookuser="; depth:12; nocase; fast_pattern; http_client_body; content:"outlookpassword="; nocase; http_client_body; distance:0; classtype:trojan-activity; sid:2021890; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_12;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Google Drive/Dropbox Phish Nov 20 2016"; flow:to_server,established; content:"POST"; http_method; content:"mailtype="; depth:9; nocase; http_client_body; fast_pattern; content:"&Email"; distance:0; nocase; http_client_body; content:"&Passwd"; distance:0; nocase; http_client_body; classtype:trojan-activity; sid:2022967; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_13, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_12;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Bank of Oklahoma Phish M1 Jul 21 2016"; flow:to_server,established; content:"POST"; http_method; content:"__RequestVerificationToken="; depth:27; http_client_body; content:"&forgotPassword="; nocase; distance:0; http_client_body; content:"&lat="; nocase; distance:0; http_client_body; content:"&userName="; nocase; distance:0; http_client_body; fast_pattern; content:"&password="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2022978; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_12;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Bank of Oklahoma Phish M2 Jul 21 2016"; flow:to_server,established; content:"POST"; http_method; content:"__RequestVerificationToken="; depth:27; http_client_body; content:"&bankId="; fast_pattern; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; content:"&q1="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2022979; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_12;)
# Disabled as shipped (leading `#`).
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Suspended Account Phish M1 Aug 09 2016"; flow:to_server,established; content:"POST"; http_method; content:"name-re="; nocase; depth:8; fast_pattern; http_client_body; content:"&dob"; nocase; distance:0; http_client_body; content:"&donnee"; nocase; distance:0; http_client_body; content:"&is_valid_email"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023042; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2017_10_06;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Suspended Account Phish M2 Aug 09 2016"; flow:to_server,established; content:"POST"; http_method; content:"holdername="; nocase; depth:11; fast_pattern; http_client_body; content:"&numcard"; nocase; distance:0; http_client_body; content:"&ccv"; nocase; distance:0; http_client_body; content:"&donnee"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023043; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_12;)
# Disabled as shipped.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Generic Phishing Landing Uri Nov 25 2015"; flow:to_server,established; content:"GET"; http_method; content:".php?usernms="; http_uri; fast_pattern; pcre:"/\.php\?usernms=[^@]+@[^\r\n]+$/Ui"; classtype:trojan-activity; sid:2022187; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_10_06;)
# Disabled as shipped.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phishing Landing Oct 04 2017"; flow:established,to_client; file_data; content:"|0d 0a 54 68 65 6d 65 20 4e 61 6d 65 3a 20|"; within:100; content:"|0d 0a 41 75 74 68 6f 72 3a 20 4d 4b 28 72 6a 29|"; within:100; fast_pattern; classtype:bad-unknown; sid:2024799; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_02;)
# flowbits chain: every "(set)" rule in this file sets ET.genericphish and is
# silenced with flowbits:noalert. The consumers are sid 2024997 (AES phishing
# kit in the response) and sid 2029664 (POST to *.000webhostapp.com), both of
# which test flowbits:isset. Disabling all of the setters silently disables
# those two consumers as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Office 365 Phish Oct 10 2017 (set)"; flow:to_server,established; content:"POST"; http_method; content:"Password1="; depth:10; nocase; http_client_body; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2025031; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_13;)
# Request for a URI containing ".doc" to host a.pomf.cat with no Referer header.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS DOC Download from commonly abused file share site"; flow:to_server,established; content:".doc"; http_uri; content:"Host|3a 20|a.pomf.cat|0d 0a|"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2024836; rev:2; metadata:created_at 2017_10_11, former_category CURRENT_EVENTS, updated_at 2020_08_13;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Ziraat Bankasi (TK) Phish M1 Oct 12 2017"; flow:to_server,established; content:"POST"; http_method; content:"rdLng="; nocase; http_client_body; fast_pattern; content:"&tc="; nocase; distance:0; http_client_body; content:"&sms"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024838; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Ziraat Bankasi (TK) Phish M2 Oct 12 2017"; flow:to_server,established; content:"POST"; http_method; content:"rdLng="; nocase; http_client_body; fast_pattern; content:"&tc="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024839; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Windows Settings Phishing Landing Jul 22 2016"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Windows Settings"; fast_pattern; nocase; distance:0; content:"Enter account password"; nocase; distance:0; classtype:trojan-activity; sid:2024098; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_22, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, tag Phishing, updated_at 2020_08_13;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Bank of America Phish M1 Oct 01 2012"; flow:established,to_server; content:"POST"; http_method; content:"reason="; nocase; depth:7; fast_pattern; http_client_body; content:"Access_ID="; nocase; distance:0; http_client_body; content:"Current_Passcode="; nocase; distance:0; http_client_body; classtype:bad-unknown; sid:2015909; rev:4; metadata:created_at 2012_11_21, former_category CURRENT_EVENTS, updated_at 2020_08_13;)
# Generic: any POST whose URI contains /myform.php (no body constraint).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Phish - Generic POST to myform.php Feb 01 2013"; flow:established,to_server; content:"POST"; http_method; content:"/myform.php"; http_uri; classtype:bad-unknown; sid:2016327; rev:3; metadata:created_at 2013_01_31, former_category CURRENT_EVENTS, updated_at 2020_08_13;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Apple Phishing Landing Jan 30 2014"; flow:established,to_client; file_data; content:"<title>Apple - Update Your Information"; classtype:trojan-activity; sid:2018042; rev:3; metadata:created_at 2014_01_30, former_category CURRENT_EVENTS, updated_at 2017_10_12;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful iTunes Phish Mar 21 2014"; flow:established,to_server; content:"POST"; http_method; content:"fname="; http_client_body; content:"lname="; http_client_body; content:"hnum="; http_client_body; content:"snam="; http_client_body; classtype:trojan-activity; sid:2018305; rev:4; metadata:created_at 2014_03_21, former_category CURRENT_EVENTS, updated_at 2020_08_13;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Chase/Bank of America Phishing Landing Uri Structure Nov 27 2012 "; flow:established,to_server; content:"/Logon.php?LOB=RBG"; http_uri; content:"&_pageLabel=page_"; http_uri; classtype:trojan-activity; sid:2015938; rev:3; metadata:created_at 2012_11_26, former_category CURRENT_EVENTS, updated_at 2020_08_13;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful PayPal Phish Nov 30 2012"; flow:established,to_server; content:"POST"; http_method; content:"login_email="; http_client_body; content:"login_password="; http_client_body; content:"target_page="; http_client_body; classtype:bad-unknown; sid:2015972; rev:4; metadata:created_at 2012_11_30, former_category CURRENT_EVENTS, updated_at 2020_08_13;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Google Account Phish Dec 04 2012"; flow:established,to_server; content:"POST"; http_method; content:"continue="; http_client_body; content:"followup="; http_client_body; content:"checkedDomains="; http_client_body; classtype:bad-unknown; sid:2015980; rev:4; metadata:created_at 2012_12_03, former_category CURRENT_EVENTS, updated_at 2020_08_13;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful PayPal Phish Dec 19 2012"; flow:established,to_server; content:"login_email="; http_client_body; content:"login_password="; http_client_body; content:"browser_version="; http_client_body; content:"operating_system="; fast_pattern; http_client_body; classtype:bad-unknown; sid:2016063; rev:4; metadata:created_at 2012_12_19, former_category CURRENT_EVENTS, updated_at 2020_08_13;)
# NOTE(review): msg text is identical to sid 2018305 above; alerts from the two
# sids cannot be told apart by message alone — consider a distinguishing suffix.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful iTunes Phish Mar 21 2014"; flow:established,to_server; content:"theAccountName="; http_client_body; content:"theAccountPW="; http_client_body; classtype:trojan-activity; sid:2018304; rev:5; metadata:created_at 2014_03_21, former_category CURRENT_EVENTS, updated_at 2020_08_13;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful AOL/PayPal Phish Nov 24 2014"; flow:established,to_server; content:"POST"; http_method; content:"1="; http_client_body; content:"2="; http_client_body; content:"submit.x=Login"; http_client_body; classtype:bad-unknown; sid:2019781; rev:4; metadata:created_at 2014_11_24, former_category CURRENT_EVENTS, updated_at 2020_08_13;)
# NOTE(review): this rule sets ET.genericphish but, unlike the other setters,
# has no flowbits:noalert — it alerts on its own and also arms the isset
# consumers (sid 2024997, 2029664). Confirm that is intended.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Credit Card Information Phish Oct 10 2017"; flow:to_server,established; content:"POST"; http_method; content:"expm="; nocase; http_client_body; content:"&expy="; nocase; distance:0; http_client_body; content:"&cvv="; nocase; distance:0; http_client_body; fast_pattern; flowbits:set,ET.genericphish; classtype:trojan-activity; sid:2025030; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Paypal Phish Jan 23 2017"; flow:to_server,established; content:"POST"; http_method; content:"locale.x="; nocase; http_client_body; content:"&processSignin="; nocase; distance:0; http_client_body; fast_pattern; content:"email="; nocase; distance:0; http_client_body; content:"password="; nocase; distance:0; http_client_body; content:"&btnLogin="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023760; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_24, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
# NOTE(review): fast_pattern:10,20 on the 15-byte pattern "Document Shared"
# (offset + length exceeds the content length). The same applies to sid 2023044
# (fast_pattern:7,20 on a 20-byte pattern) and sid 2025690 (fast_pattern:9,20
# on a 14-byte pattern). Confirm how the target engine version handles this
# (clamp vs. rule-load error) before relying on these three rules.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Google Drive Phishing Landing M1 July 24 2015"; flow:to_client,established; file_data; content:"Document Shared"; nocase; fast_pattern:10,20; content:"name=|22|GENERATOR|22 22|>"; nocase; distance:0; content:"name=|22|HOSTING|22 22|>"; nocase; distance:0; content:"Login with your email"; nocase; distance:0; content:"Choose your email provider"; nocase; distance:0; classtype:trojan-activity; sid:2021535; rev:3; metadata:created_at 2015_07_27, former_category CURRENT_EVENTS, updated_at 2017_10_13;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Google Drive Phishing Landing M2 July 24 2015"; flow:to_client,established; file_data; content:"invoicetoptables"; nocase; fast_pattern; content:"invoicecontent"; nocase; distance:0; content:"displayTextgmail"; nocase; distance:0; content:"displayTexthotmail"; nocase; distance:0; content:"displayTextaol"; nocase; distance:0; classtype:trojan-activity; sid:2021536; rev:3; metadata:created_at 2015_07_27, former_category CURRENT_EVENTS, updated_at 2017_10_13;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Revalidation Phish Landing Nov 13 2015"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"Revalidation"; fast_pattern; nocase; content:"function MM_findObj"; nocase; distance:0; content:"function MM_validateForm"; nocase; distance:0; content:"REVALIDATION"; nocase; distance:0; content:"password"; nocase; distance:0; classtype:trojan-activity; sid:2022086; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_13;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Phish M2 Feb 06 2016"; flow:to_server,established; content:"POST"; http_method; content:".php?token|3b|"; fast_pattern; http_uri; content:"fName="; depth:6; nocase; http_client_body; content:"&lName="; nocase; http_client_body; distance:0; content:"&ZIPCode="; nocase; http_client_body; distance:0; classtype:trojan-activity; sid:2022498; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Phish M3 Feb 06 2016"; flow:to_server,established; content:"POST"; http_method; content:".php?token|3b|"; fast_pattern; http_uri; content:"ccNum="; depth:6; nocase; http_client_body; content:"&NameOnCard="; nocase; http_client_body; distance:0; content:"&CVV="; nocase; http_client_body; distance:0; classtype:trojan-activity; sid:2022499; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
# HTML page embedding a base64 data:text/html URI inside a <script> block
# (obfuscated landing page; see the reference URL).
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Phishing Landing - Data URI Inline Javascript Mar 07 2016"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"data|3a|text/html|3b|"; fast_pattern; content:"|3b|base64,"; distance:0; within:21; pcre:"/^[^\x22|\x27]+<\s*?script(?:(?!<\s*?\/\s*?script).)+?data\x3atext\/html\x3b(?:charset=UTF-8\x3b)?base64\x2c/si"; reference:url,proofpoint.com/us/threat-insight/post/Obfuscation-Techniques-In-Phishing-Attacks; classtype:trojan-activity; sid:2022597; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_03_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_19;)
# Disabled as shipped.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Enom Phish Mar 08 2016"; flow:to_server,established; content:"POST"; http_method; content:"enom"; http_header; nocase; content:"ctl00_ScriptManager"; depth:19; nocase; fast_pattern; http_client_body; content:"user="; nocase; http_client_body; distance:0; content:"pass"; nocase; distance:0; http_client_body; content:"Login=Login"; nocase; distance:0; http_client_body; reference:url,welivesecurity.com/2016/03/07/beware-spear-phishers-hijack-website/; classtype:trojan-activity; sid:2022604; rev:4; metadata:created_at 2016_03_08, former_category CURRENT_EVENTS, updated_at 2017_10_13;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Apple Suspended Account Phishing Landing Aug 09 2016"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Log in to my account"; nocase; fast_pattern:7,20; content:"iCloud"; distance:0; nocase; content:"disabled for security reasons"; distance:0; nocase; content:"confirm your account information"; distance:0; nocase; content:"account has been frozen"; distance:0; nocase; classtype:trojan-activity; sid:2023044; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excel Online Phishing Landing Aug 09 2016"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Excel Online"; nocase; fast_pattern; content:"someone@example.com"; nocase; distance:0; content:"password"; nocase; distance:0; classtype:trojan-activity; sid:2023045; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
# Generic "(set)" rules: broad field-name patterns that only arm
# ET.genericphish (flowbits:noalert); they never alert by themselves.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Feb 26 2016"; flow:to_server,established; content:"POST"; http_method; content:"email"; nocase; http_client_body; content:"pass"; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024554; rev:7; metadata:created_at 2016_01_14, former_category CURRENT_EVENTS, updated_at 2020_08_13;)
# NOTE(review): msg text is identical to sid 2024554 above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Feb 26 2016"; flow:to_server,established; content:"POST"; http_method; content:"&address"; nocase; fast_pattern; http_client_body; content:"&cc"; nocase; http_client_body; content:"&cvv"; nocase; http_client_body; distance:0; content:"&ssn"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024556; rev:4; metadata:created_at 2016_02_29, former_category CURRENT_EVENTS, updated_at 2020_08_13;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jun 8 2016"; flow:to_server,established; content:"GET"; http_method; content:"&email="; nocase; fast_pattern; http_uri; content:"&pass"; nocase; distance:0; http_uri; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024557; rev:4; metadata:created_at 2016_06_08, former_category CURRENT_EVENTS, updated_at 2020_08_13;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Jul 13 2016"; flow:to_server,established; content:"POST"; http_method; content:"email"; fast_pattern; nocase; http_client_body; content:"pwd"; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024558; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_14, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Sept 02 2016"; flow:to_server,established; content:"POST"; http_method; content:"usr="; fast_pattern; nocase; http_client_body; content:"pwd="; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024561; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Oct 13 2016"; flow:to_server,established; content:"POST"; http_method; content:"jar"; nocase; http_client_body; depth:3; content:"&jar"; nocase; http_client_body; distance:0; content:"&jar"; nocase; http_client_body; distance:0; content:"&jar"; nocase; http_client_body; distance:0; content:"&jar"; nocase; http_client_body; distance:0; content:"&jar"; nocase; http_client_body; distance:0; content:"&jar"; nocase; http_client_body; distance:0; content:"&login="; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024562; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_14, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Oct 25 2016"; flow:to_server,established; content:"POST"; http_method; content:"u="; depth:2; nocase; http_client_body; content:"&p="; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024563; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Oct 26 2016"; flow:to_server,established; content:"POST"; http_method; content:"formtext"; nocase; http_client_body; content:"&formtext"; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2024564; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Google Docs Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Google Secure Docs"; fast_pattern; nocase; classtype:bad-unknown; sid:2024842; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_10_13;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Paypal (FR) Phish Oct 16 2017"; flow:to_server,established; content:"POST"; http_method; content:"mail="; depth:5; nocase; http_client_body; content:"&mdp="; nocase; distance:0; http_client_body; content:"&toppl="; nocase; distance:0; http_client_body; fast_pattern; content:"Paypal"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024847; rev:2; metadata:created_at 2017_10_16, updated_at 2020_08_13;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DHL Phish Landing Sept 14 2015"; flow:established,to_client; file_data; content:"DHL |7c| Tracking"; nocase; fast_pattern:9,20; content:"TRADE FILE"; nocase; distance:0; content:"Sign In With Your Correct Email"; nocase; distance:0; classtype:trojan-activity; sid:2025690; rev:4; metadata:created_at 2015_09_15, former_category CURRENT_EVENTS, updated_at 2020_08_19;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful OX App Suite Phish 2017-10-12"; flow:to_server,established; content:"POST"; http_method; content:"location="; depth:9; nocase; http_client_body; content:"&loginpage="; nocase; distance:0; http_client_body; content:"&username="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; fast_pattern; content:"&signin="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2029663; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_12, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
# Base64-encoded PowerShell downloader primitives in a server response
# (sids 2024878-2024883). The content anchor and each pcre alternation appear
# to be the base64 alignments of one plaintext token (B641-B643: ASCII,
# B644W/B645W: UTF-16LE) — decode before editing any of them, as a one-byte
# change in the anchor breaks the alignment.
# NOTE(review): this rule and sid 2024882 below both carry msg "... B645W ...";
# by the B64x numbering one of them is likely mislabelled — confirm upstream.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS PSHELL Downloader Primitives B645W Oct 19 2017"; flow:established,from_server; file_data; content:"TAHQAYQByAHQALQBQAHIAbwBjAGUAcwBz"; pcre:"/(?:RABvAHcAbgBsAG8AYQBkAEYAaQBsAG|QAbwB3AG4AbABvAGEAZABGAGkAbABl|EAG8AdwBuAGwAbwBhAGQARgBpAGwAZ)/"; pcre:"/(?:VwByAGkAdABlAC0ASABvAHMAd|cAcgBpAHQAZQAtAEgAbwBzAH|XAHIAaQB0AGUALQBIAG8AcwB0)/"; pcre:"/(?:UwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0|MAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4Ad|TAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAH)/"; classtype:trojan-activity; sid:2024883; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS PSHELL Downloader Primitives B641 Oct 19 2017"; flow:established,from_server; file_data; content:"U3RhcnQtUHJvY2Vzc"; pcre:"/(?:RG93bmxvYWRGaWxl|Rvd25sb2FkRmlsZ|Eb3dubG9hZEZpbG)/"; pcre:"/(?:V3JpdGUtSG9zd|dyaXRlLUhvc3|Xcml0ZS1Ib3N0)/"; pcre:"/U3lzdGVtLk5ldC5XZWJDbGllbn|N5c3RlbS5OZXQuV2ViQ2xpZW50|TeXN0ZW0uTmV0LldlYkNsaWVud/"; classtype:trojan-activity; sid:2024878; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS PSHELL Downloader Primitives B642 Oct 19 2017"; flow:established,from_server; file_data; content:"N0YXJ0LVByb2Nlc3"; pcre:"/(?:RG93bmxvYWRGaWxl|Rvd25sb2FkRmlsZ|Eb3dubG9hZEZpbG)/"; pcre:"/(?:V3JpdGUtSG9zd|dyaXRlLUhvc3|Xcml0ZS1Ib3N0)/"; pcre:"/U3lzdGVtLk5ldC5XZWJDbGllbn|N5c3RlbS5OZXQuV2ViQ2xpZW50|TeXN0ZW0uTmV0LldlYkNsaWVud/"; classtype:trojan-activity; sid:2024879; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS PSHELL Downloader Primitives B643 Oct 19 2017"; flow:established,from_server; file_data; content:"TdGFydC1Qcm9jZXNz"; pcre:"/(?:RG93bmxvYWRGaWxl|Rvd25sb2FkRmlsZ|Eb3dubG9hZEZpbG)/"; pcre:"/(?:V3JpdGUtSG9zd|dyaXRlLUhvc3|Xcml0ZS1Ib3N0)/"; pcre:"/U3lzdGVtLk5ldC5XZWJDbGllbn|N5c3RlbS5OZXQuV2ViQ2xpZW50|TeXN0ZW0uTmV0LldlYkNsaWVud/"; classtype:trojan-activity; sid:2024880; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS PSHELL Downloader Primitives B644W Oct 19 2017"; flow:established,from_server; file_data; content:"UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAc"; pcre:"/(?:RABvAHcAbgBsAG8AYQBkAEYAaQBsAG|QAbwB3AG4AbABvAGEAZABGAGkAbABl|EAG8AdwBuAGwAbwBhAGQARgBpAGwAZ)/"; pcre:"/(?:VwByAGkAdABlAC0ASABvAHMAd|cAcgBpAHQAZQAtAEgAbwBzAH|XAHIAaQB0AGUALQBIAG8AcwB0)/"; pcre:"/(?:UwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0|MAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4Ad|TAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAH)/"; classtype:trojan-activity; sid:2024881; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS PSHELL Downloader Primitives B645W Oct 19 2017"; flow:established,from_server; file_data; content:"MAdABhAHIAdAAtAFAAcgBvAGMAZQBzAH"; pcre:"/(?:RABvAHcAbgBsAG8AYQBkAEYAaQBsAG|QAbwB3AG4AbABvAGEAZABGAGkAbABl|EAG8AdwBuAGwAbwBhAGQARgBpAGwAZ)/"; pcre:"/(?:VwByAGkAdABlAC0ASABvAHMAd|cAcgBpAHQAZQAtAEgAbwBzAH|XAHIAaQB0AGUALQBIAG8AcwB0)/"; pcre:"/(?:UwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0|MAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4Ad|TAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAH)/"; classtype:trojan-activity; sid:2024882; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
# Consumer of ET.genericphish: only fires on a server response after one of the
# "(set)" rules matched earlier in the flow. NOTE(review): the 60-character
# alphabet string contains no W/w as shipped — it is the exact byte pattern to
# match, not a typo to "fix".
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Generic AES Phish M1 Oct 24 2017"; flow:established,from_server; flowbits:isset,ET.genericphish; file_data; content:"hea2p"; distance:0; nocase; content:"0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz"; fast_pattern:40,20; distance:0; content:"hea2t"; distance:0; nocase; content:"Aes"; nocase; distance:0; pcre:"/^\s*?\.\s*?Ctr\s*?\.\s*?decrypt/Rsi"; classtype:trojan-activity; sid:2024997; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_11_16;)
# BadRabbit / BACKSWING drive-by JavaScript served to the client: a script that
# reads navigator.userAgent, document.referrer, document.cookie and
# window.location.hostname near an "InjectionString" token (see reference URLs).
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible BadRabbit Driveby Download M2 Oct 24 2017"; flow:established,from_server; file_data; content:"Msxml2.XMLHTTP.6.0"; fast_pattern; content:"InjectionString"; nocase; distance:0; content:"hasOwnProperty"; nocase; distance:0; content:"navigator"; nocase; distance:0; pcre:"/^\s*\.\s*userAgent/Ri"; content:"document"; nocase; distance:0; pcre:"/^\s*\.\s*referrer/Ri"; content:"document"; nocase; distance:0; pcre:"/^\s*\.\s*cookie/Ri"; content:"window"; nocase; distance:0; pcre:"/^\s*\.\s*location\s*\.\s*hostname/Ri"; content:"!!document"; nocase; distance:0; pcre:"/^\s*\.\s*cookie/Ri"; reference:url,www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/; classtype:trojan-activity; sid:2024912; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2017_10_24;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Oct 26 2017"; flow:to_server,established; content:"POST"; http_method; content:"lg="; depth:3; nocase; fast_pattern; http_client_body; content:"&pw="; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2025032; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_13;)
# JSON response whose body starts with {"InjectionType": and carries an
# "InjectionString" key, with CORS headers permitting POST.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible BACKSWING JS Framework POST Observed"; flow:established,from_server; content:"200"; http_stat_code; content:"Access-Control-Allow-Methods|3a 20|POST"; http_header; content:"Content-Type|3a 20|application/json"; http_header; file_data; content:"|7b 22|InjectionType|22 3a|"; depth:17; fast_pattern; content:"|22|InjectionString|22 3a 22|"; distance:0; reference:url,www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html; classtype:trojan-activity; sid:2024932; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2020_08_13;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible BadRabbit Driveby Download M1 Oct 24 2017"; flow:established,from_server; file_data; content:"InjectionString"; fast_pattern; content:"setRequestHeader"; nocase; pcre:"/^\s*\(\s*[\x22\x27]Content\-Type/Ri"; content:"onreadystatechange"; nocase; distance:0; content:"readyState"; nocase; distance:0; pcre:"/^\s*==\s*4/Ri"; content:"status"; nocase; distance:0; pcre:"/^\s*==\s*200/Ri"; content:"navigator"; nocase; pcre:"/^\s*\.\s*userAgent/Ri"; content:"document"; nocase; pcre:"/^\s*\.\s*referrer/Ri"; content:"document"; nocase; pcre:"/^\s*\.\s*cookie/Ri"; content:"window"; nocase; pcre:"/^\s*\.\s*location\s*\.\s*hostname/Ri"; content:"document"; nocase; pcre:"/^\s*\.\s*cookie/Ri"; reference:url,www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/; reference:url,www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html; classtype:trojan-activity; sid:2024911; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_and_Server, created_at 2017_10_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2020_08_19;)
# Consumer of ET.genericphish: a POST to a host ending in .000webhostapp.com
# (isdataat:!1,relative pins the suffix to the end of the Host value).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic 000webhostapp.com Phish 2017-10-27"; flow:to_server,established; flowbits:isset,ET.genericphish; content:"POST"; http_method; content:".000webhostapp.com"; http_host; isdataat:!1,relative; fast_pattern; classtype:trojan-activity; sid:2029664; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_27, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_09_14;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Phish (set) Oct 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"o1="; depth:3; nocase; http_client_body; content:"&o2="; nocase; distance:0; http_client_body; fast_pattern; content:"&o3="; nocase; distance:0; http_client_body; content:"&o4="; nocase; distance:0; http_client_body; content:"&o5="; nocase; distance:0; http_client_body; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2025033; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_13;)
# Disabled as shipped: 2015 exploit-kit URI structures.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Exploit URI Struct June 19 2015"; flow:established,to_server; content:"?time="; http_uri; fast_pattern; content:"&stamp="; distance:0; http_uri; content:"."; distance:0; http_uri; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\.[a-z]+\?time=[^&]+&stamp=[a-z]*\d+(?:\.[a-z]*\d+)+$/U"; classtype:trojan-activity; sid:2021307; rev:3; metadata:created_at 2015_06_19, former_category CURRENT_EVENTS, updated_at 2015_06_19;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Flash Exploit URI Struct June 19 2015"; flow:established,to_server; content:"GET"; http_method; content:"/%"; http_header; content:"http%3A%2F%2F"; distance:2; within:13; nocase; http_header; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\//U"; content:"Referer|3a 20|http"; http_header; pcre:"/^[^\r\n]+\/%(?:3A|20)http%3A%2F%2F/Hmi"; classtype:trojan-activity; sid:2021309; rev:3; metadata:created_at 2015_06_19, former_category CURRENT_EVENTS, updated_at 2015_06_19;)
# Style: "flow:to_server, established" has a space after the comma, unlike every
# other rule here; harmless if the parser tolerates it, but worth normalising.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS 401TRG Successful Multi-Email Phish - Observed in Docusign/Dropbox/Onedrive/Gdrive Nov 02 2017"; flow:to_server, established; content:"POST"; http_method; content:".php"; http_uri; isdataat:!1,relative; content:"pasuma"; nocase; http_client_body; depth:100; fast_pattern; content:"name"; nocase; http_client_body; classtype:trojan-activity; sid:2024942; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_09_14;)
# DNS lookalike domains: the legitimate bank hostname used as leading labels,
# followed (per the relative pcre) by an optional letter run, 3-9 digits and a
# 2-4 letter TLD — e.g. (constructed) banking.raiffeisen.at.abc123.com.
alert dns $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Raiffeisen Phishing Domain Nov 03 2017"; dns_query; content:"banking.raiffeisen.at."; pcre:"/^[a-z]*?[0-9]{3,9}\.[a-z]{2,4}$/Ri"; classtype:trojan-activity; sid:2024943; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_13;)
alert dns $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Sparkasse Phishing Domain Nov 03 2017"; dns_query; content:"netbanking.sparkasse.at."; pcre:"/^[a-z]*?[0-9]{3,9}\.[a-z]{2,4}$/Ri"; classtype:trojan-activity; sid:2024944; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_13;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SOCENG Fake Update/Installer ForceDL Template Nov 03 2017"; flow:established,from_server; 
file_data; content:"addDownloadHint"; nocase; pcre:"/^\s*\x28\s*[\x22\x27][^\x22\x27]*[\x22\x27]\s*,\s*[\x22\x27][^\x22\x27]+\.exe[\x22\x27]/Rsi"; content:"doDownload(force)"; nocase; content:"userConversion(true)"; nocase; distance:0; content:"trigger_dl"; nocase; pcre:"/^\s*\(\s*force\s*\?\s*true\s*\x3a\s*false\s*,\s*\d+\s*,\s*\d+\s*,\s*[\x22\x27][^\x22\x27]+\.exe[\x22\x27]/Ri"; classtype:trojan-activity; sid:2024945; rev:1; metadata:created_at 2017_11_03, updated_at 2017_11_03;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Raiffeisen Phish Nov 03 2017"; flow:to_server,established; content:"POST"; http_method; content:"banking.raiffeisen.at."; http_host; fast_pattern; pcre:"/^[a-z]*?[0-9]{3,9}\.[a-z]{2,4}/WR"; classtype:trojan-activity; sid:2024947; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_13;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Sparkasse Phish Nov 03 2017"; flow:to_server,established; content:"POST"; http_method; content:"netbanking.sparkasse.at."; http_host; fast_pattern; pcre:"/^[a-z]*?[0-9]{3,9}\.[a-z]{2,4}/WR"; classtype:trojan-activity; sid:2024948; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_13;) #alert http $HOME_NET any -> [31.184.192.0/19] 80 (msg:"ET CURRENT_EVENTS Possible EITest Flash Redirect Sep 19 2016"; flow:established,to_server; urilen:1; content:"x-flash-version|3a 20|"; http_header; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!"|0d 0a|Cookie|3a|"; classtype:trojan-activity; sid:2023249; rev:3; 
metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_19, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector_07012016, updated_at 2016_09_19;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excel/Adobe Online Phishing Landing Nov 25 2015"; flow:to_client,established; file_data; content:""; nocase; content:"Online - 09KSJDJR4843984NF98738UNFD843"; within:100; nocase; fast_pattern; classtype:trojan-activity; sid:2025686; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2018_07_12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish Nov 09 2017 (set)"; flow:to_server,established; content:"POST"; http_method; content:"usr="; depth:4; nocase; http_client_body; content:"&psw="; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2025034; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_17;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Apple Phishing Landing Nov 10 2017"; flow:established,to_client; file_data; content:"<label class=|22|MobMenHol"; nocase; fast_pattern; content:"<span class=|22|MobMenIcon"; nocase; distance:0; content:"MobMenIcon"; nocase; distance:0; content:"MobMenIcon"; nocase; distance:0; content:"MobMenIcon"; nocase; distance:0; classtype:trojan-activity; sid:2025693; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_10, deployment Perimeter, former_category 
CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_07_12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Phish to Hostinger Domains Apr 4 M4"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"username"; nocase; http_client_body; fast_pattern; content:"pass"; nocase; http_client_body; distance:0; pcre:"/(?:(?:esy|hol)\.es|(?:890m|16mb)\.com|pe\.hu)$/W"; classtype:trojan-activity; sid:2025000; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Paypal Phishing Domain (IT) Oct 10 2017"; flow:to_server,established; content:"POST"; http_method; content:"paypal.it"; http_host; fast_pattern; isdataat:20,relative; classtype:trojan-activity; sid:2024835; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Paypal Phishing Domain (IT) Oct 10 2017"; flow:to_server,established; content:"GET"; http_method; content:"paypal.it"; http_host; fast_pattern; isdataat:20,relative; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2024834; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Craigslist Phishing Domain Feb 07 2017"; flow:to_server,established; content:"POST"; http_method; 
content:"craigslist.org"; http_host; fast_pattern; isdataat:20,relative; classtype:trojan-activity; sid:2023880; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Discover Phish Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"discover.com"; http_host; fast_pattern; isdataat:20,relative; classtype:trojan-activity; sid:2023829; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Ebay Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"ebay.com"; http_host; fast_pattern; isdataat:20,relative; classtype:trojan-activity; sid:2023828; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Linkedin Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"linkedin.com"; http_host; fast_pattern; isdataat:20,relative; classtype:trojan-activity; sid:2023827; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Cartasi Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; 
content:"cartasi"; http_host; fast_pattern; isdataat:20,relative; classtype:trojan-activity; sid:2023826; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Google Drive Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"drive.google.com"; http_host; fast_pattern; isdataat:20,relative; classtype:trojan-activity; sid:2023825; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Bank of America Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"bankofamerica.com"; http_host; fast_pattern; isdataat:20,relative; classtype:trojan-activity; sid:2023824; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Paypal Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"paypal.com"; http_host; fast_pattern; isdataat:20,relative; classtype:trojan-activity; sid:2023823; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful USAA Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"usaa.com"; 
http_host; fast_pattern; isdataat:20,relative; classtype:trojan-activity; sid:2023822; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Apple Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"apple.com"; http_host; fast_pattern; isdataat:20,relative; classtype:trojan-activity; sid:2023821; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Chase Phish Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"chase.com"; http_host; fast_pattern; isdataat:20,relative; classtype:trojan-activity; sid:2023820; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Discover Phishing Domain Feb 02 2017"; flow:to_server,established; content:"GET"; http_method; content:"discover.com"; http_host; fast_pattern; isdataat:20,relative; content:!"autodiscover"; http_header; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023819; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Ebay Phish Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"ebay.com"; http_host; 
fast_pattern; isdataat:20,relative; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023776; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, tag Phishing, updated_at 2020_08_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Ebay Phishing Domain Jan 30 2017"; flow:to_server,established; content:"GET"; http_method; content:"ebay.com"; http_host; fast_pattern; isdataat:20,relative; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023775; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, tag Phishing, updated_at 2020_08_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Linkedin Phishing Domain Dec 09 2016"; flow:to_server,established; content:"GET"; http_method; content:"linkedin.com"; http_host; fast_pattern; isdataat:20,relative; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023596; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Cartasi Phishing Domain Nov 08 2016"; flow:to_server,established; content:"GET"; http_method; content:"cartasi"; http_host; fast_pattern; isdataat:20,relative; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023495; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_09, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Google Drive 
Phishing Domain Aug 25 2016"; flow:to_server,established; content:"drive.google.com"; http_host; fast_pattern; isdataat:20,relative; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023092; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Bank of America Phishing Domain Aug 15 2016"; flow:to_server,established; content:"GET"; http_method; content:"bankofamerica.com"; http_host; fast_pattern; isdataat:20,relative; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023066; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Paypal Phishing Domain Mar 14 2016"; flow:to_server,established; content:"GET"; http_method; content:"paypal.com"; http_host; fast_pattern; isdataat:20,relative; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2022618; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible USAA Phishing Domain Mar 14 2016"; flow:to_server,established; content:"GET"; http_method; content:"usaa.com"; http_host; fast_pattern; isdataat:20,relative; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2022617; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_14, deployment Perimeter, former_category CURRENT_EVENTS, 
signature_severity Major, tag Phishing, updated_at 2020_08_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Apple Phishing Domain Mar 14 2016"; flow:to_server,established; content:"GET"; http_method; content:"apple.com"; http_host; fast_pattern; isdataat:20,relative; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2022616; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Chase Phishing Domain Mar 14 2016"; flow:to_server,established; content:"GET"; http_method; content:"chase.com"; http_host; fast_pattern; isdataat:20,relative; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2022615; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Generic AES Phish M2 Oct 24 2017"; flow:established,from_server; flowbits:isset,ET.genericphish; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Aes.Ctr.decrypt"; nocase; fast_pattern; pcre:"/^\s*?\(\s*[^,]+,\s*?[^,]+,\s*?(?:128|256|512)\s*?\)/Rsi"; classtype:trojan-activity; sid:2024998; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Phish to .tk domain Aug 26 2016"; flow:to_server,established; flowbits:isset,ET.genericphish; content:"POST"; http_method; content:".tk"; http_host; isdataat:!1,relative; 
fast_pattern; classtype:trojan-activity; sid:2023137; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, updated_at 2020_09_14;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016"; flow:established,to_server; content:".exe"; nocase; http_uri; fast_pattern; pcre:"/\.(?:s(?:(?:(?:cien|pa)c|it)e|tream)|c(?:l(?:ick|ub)|ountry|ricket)|m(?:(?:aiso|e)n|o(?:bi|m))|p(?:r(?:ess|o)|arty|ink|w)|r(?:e(?:[dn]|view)|acing)|w(?:eb(?:site|cam)|in)|b(?:(?:outiq|l)ue|id)|d(?:ownload|ate|esi)|(?:accountan|hos)t|l(?:o(?:an|l)|ink)|t(?:rade|ech|op)|v(?:oyage|ip)|g(?:dn|b)|online|faith|kim|xyz)(?:\x3a\d{1,5})?$/W"; http_header_names; content:!"Referer"; content:!"Cookie"; classtype:trojan-activity; sid:2022896; rev:5; metadata:created_at 2016_06_14, former_category CURRENT_EVENTS, updated_at 2020_08_17;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK (Known Evil Keitaro TDS)"; flow:established,from_server; flowbits:isset,ET.Keitaro; content:"302"; http_stat_code; content:"LOCATION|3a 20|http"; http_header; content:"Expires|3a 20|Thu, 21 Jul 1977 07|3a|30|3a|00 GMT|0d 0a|"; http_header; fast_pattern:5,20; classtype:trojan-activity; sid:2022465; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_27, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jan 27 2016 (Evil Keitaro FB Set)"; flow:established,to_server; urilen:>5; content:"/?3b"; http_uri; depth:4; pcre:"/^\/\?3b[A-Z0-9a-z]{2}(&subid=[^&]*)?$/U"; flowbits:set,ET.Keitaro; flowbits:noalert; classtype:trojan-activity; sid:2022464; rev:3; 
metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_27, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 24 2016 (Evil Keitaro FB Set)"; flow:established,to_server; urilen:7; content:"/xLMCJ4"; http_uri; flowbits:set,ET.Keitaro; flowbits:noalert; classtype:trojan-activity; sid:2025038; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_25, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2017_11_27;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 29 2016 (Evil Keitaro FB Set)"; flow:established,to_server; urilen:5; content:"/5c2C"; http_uri; flowbits:set,ET.Keitaro; flowbits:noalert; classtype:trojan-activity; sid:2025039; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_29, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2017_11_27;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Likely Evil Macro EXE DL mar 15 2016"; flow:established,to_server; content:"/image/"; http_uri; depth:7; content:".exe"; http_uri; distance:0; isdataat:!1,relative; fast_pattern; pcre:"/^\/image\/(?:data|flags)\/[^\x2f]+\.exe$/Ui"; http_header_names; content:!"Referer"; classtype:trojan-activity; sid:2022622; rev:3; metadata:created_at 2016_03_16, updated_at 2020_09_15;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious Doc Downloading EXE"; flow:established,from_server; flowbits:isset,ET.MalDocEXEPrimer; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; 
classtype:trojan-activity; sid:2020838; rev:3; metadata:created_at 2015_04_03, updated_at 2015_04_03;) alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (2)"; flow:established,from_server; tls_cert_subject; content:"CN=*.onion."; nocase; pcre:"/^(?:sh|lu|to)/Ri"; reference:url,uscyberlabs.com/blog/2013/04/30/tor-exploit-pak/; classtype:trojan-activity; sid:2016810; rev:6; metadata:attack_target Client_Endpoint, created_at 2013_05_02, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20;) alert dns $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Observed DNS Query to Browser Coinminer (crypto-loot[.]com)"; dns_query; content:"crypto-loot.com"; isdataat:!1,relative; classtype:trojan-activity; sid:2024828; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category COINMINER, malware_family CoinMiner, performance_impact Moderate, signature_severity Minor, updated_at 2020_09_15;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocENG Inject M2"; flow:established,from_server; file_data; content:"|69 64 3d 22 70 70 68 68 22 20 3e 54 68 65 20 22 48 6f 65 66 6c 65 72 54 65 78 74 22 20 66 6f 6e 74 20 77 61 73 6e 27 74 20 66 6f 75 6e 64 2e|"; classtype:trojan-activity; sid:2024199; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, signature_severity Major, updated_at 2017_04_11;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful BankAustria Phish Nov 03 2017"; flow:to_server,established; content:"POST"; http_method; content:"online.bankaustria.at."; http_host; fast_pattern; pcre:"/^[a-z]*?[0-9]{3,9}[a-z]*?\.[a-z]{2,4}/WR"; classtype:trojan-activity; sid:2024949; rev:2; 
metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_24;) alert dns $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS BankAustria Phishing Domain Nov 03 2017"; dns_query; content:"online.bankaustria.at."; pcre:"/^[a-z]*?[0-9]{3,9}[a-z]*?\.[a-z]{2,4}$/Ri"; classtype:trojan-activity; sid:2024946; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile"; flow:established,to_server; content:"/"; http_uri; content:".exe"; http_uri; distance:1; within:8; fast_pattern; isdataat:!1,relative; content:!"download.bitdefender.com"; http_host; isdataat:!1,relative; content:!".appspot.com"; http_host; isdataat:!1,relative; content:!"kaspersky.com"; http_host; isdataat:!1,relative; content:!".sophosxl.net"; http_host; isdataat:!1,relative; content:!"koggames"; http_header; pcre:"/\/[A-Z]?[a-z]{1,3}[0-9]?\.exe$/U"; http_header_names; content:!"Referer"; nocase; classtype:bad-unknown; sid:2019714; rev:10; metadata:created_at 2014_11_14, updated_at 2020_09_16;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) 2017-12-03"; flow:to_server,established; content:"POST"; http_method; content:"emailphone="; depth:11; nocase; fast_pattern; http_client_body; content:"&emailphone2="; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2025099; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity 
Minor, tag Phishing, updated_at 2020_08_24;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Suspicious Wordpress Redirect - Possible Phishing Landing (set) Jan 7"; flow:to_server,established; content:"GET"; http_method; content:"/wp-"; http_uri; depth:4; fast_pattern; http_header_names; content:!"Referer"; flowbits:set,ET.wpphish; flowbits:noalert; classtype:trojan-activity; sid:2025696; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2016_01_07, deployment Perimeter, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, tag Wordpress, updated_at 2020_08_24;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) 2017-12-04"; flow:established,to_server; content:"POST"; http_method; content:"1="; depth:2; nocase; http_client_body; content:"&2="; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2025115; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible MyEtherWallet Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>"; nocase; content:"MyEtherWallet.com"; within:30; nocase; fast_pattern; classtype:bad-unknown; sid:2025140; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_06;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Mailbox Shutdown Phishing Landing 2017-12-11"; flow:established,to_client; content:"200"; http_stat_code; 
file_data; content:"<title>"; nocase; depth:300; content:"Secure Email Server|20 3a 3a|"; fast_pattern; nocase; within:100; classtype:trojan-activity; sid:2025678; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious Fake JS Lib Inject"; flow:established,from_server; file_data; content:".min.php"; nocase; pcre:"/^(?P<q>[\x22\x27])\+(?P=q)\?(?P=q)\+(?P=q)/R"; content:"default_keyword="; within:2500; fast_pattern; content:"<"; within:2500; content:!"/script>"; within:8; pcre:"/^[\x22\x27+\s]*\/[\x22\x27+\s]*s[\x22\x27+\s]*c[\x22\x27+\s]*r[\x22\x27+\s]*i[\x22\x27+\s]*p[\x22\x27+\s]*t[\x22\x27+\s]*>/Rsi"; classtype:trojan-activity; sid:2025151; rev:2; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_12_15, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_12_15;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Qtloader encrypted check-in Oct 19 M1"; flow:established,to_server; content:"|2c 45 32 4d f1 38 55|"; depth:7; http_client_body; fast_pattern; reference:md5,4f03e360be488a3811d40c113292bc01; classtype:trojan-activity; sid:2024908; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_08_24;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Fedex Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<TITLE>FEDEX|20 7c 20|Tracking"; fast_pattern; nocase; classtype:bad-unknown; sid:2025158; rev:1; 
metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_20;)
# sid:2025159 - the hex bytes decode to the UTF-8 title text "Halkbank İnternet Şubesi".
# nocase folds ASCII letters only; the multibyte İ / Ş sequences must appear exactly as given.
# Title-only match, bad-unknown. The "(TK)" country label differs from the "(TR)" used by
# sid:2024583 below for the same country - worth normalising on the next revision.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Halkbank (TK) Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"|48 61 6c 6b 62 61 6e 6b 20 c4 b0 6e 74 65 72 6e 65 74 20 c5 9e 75 62 65 73 69|"; nocase; classtype:bad-unknown; sid:2025159; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_20;)
# sid:2025160 - the hex bytes decode to " Hoşgeldiniz | Ziraat Bankası" (UTF-8). Same
# nocase / title-only caveats as sid:2025159.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Ziraat Bank (TK) Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"|20 48 6f c5 9f 67 65 6c 64 69 6e 69 7a 20 7c 20 5a 69 72 61 61 74 20 42 61 6e 6b 61 73 c4 b1|"; nocase; classtype:bad-unknown; sid:2025160; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_20;)
# sid:2024846 - "Successful" here means an outbound POST whose body carries _csrf=, &locale.x=,
# &processSignin=, &login_email= and &login_password= in that order: a PayPal-style login form
# submitted to an external host. The matching packet contains the victim's credentials -
# restrict who can read alert payloads/pcaps and reset the account once confirmed.
# Metadata is incomplete compared with the surrounding rules (no affected_product,
# attack_target, deployment, signature_severity or tag); add them on the next revision.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Paypal Phish Oct 16 2017"; flow:to_server,established; content:"POST"; http_method; content:"_csrf="; depth:6; nocase; http_client_body; content:"&locale.x="; nocase; distance:0; http_client_body; content:"&processSignin="; nocase; distance:0; http_client_body; content:"&login_email="; nocase; distance:0; http_client_body; content:"&login_password="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2024846; rev:3; metadata:created_at 2017_10_16, updated_at 2020_08_24;)
# sid:2025663 (options continue on the next line) - 200 text/html response whose body applies
# jQuery input masks with placeholders to #dob, #ssn and #sortcode fields, in that order.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Financial Phish Landing 2017-12-21"; 
flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"jQuery(function($)"; nocase; fast_pattern; content:"#dob"; nocase; distance:0; content:"mask"; nocase; within:10; content:"placeholder"; nocase; within:30; content:"#ssn"; nocase; within:50; content:"mask"; nocase; within:10; content:"placeholder"; nocase; within:30; content:"#sortcode"; nocase; within:50; content:"mask"; nocase; within:10; content:"placeholder"; nocase; within:30; classtype:trojan-activity; sid:2025663; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
# sid:2025173 - "&Rho;ay&Rho;aI": PayPal spelled with the HTML entity for Greek capital Rho in
# place of each Latin P (homoglyph trick). within:200 with no preceding match is relied on as a
# limit from the start of the file_data buffer - confirm that semantics on the target engine
# version; depth:200 would state the intent unambiguously.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing 2017-12-26"; flow:established,to_client; file_data; content:"&Rho|3b|ay&Rho|3b|aI"; within:200; classtype:trojan-activity; sid:2025173; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_26;)
# sid:2025174 - Yobit-style login POST: body starts with login=, then &email=, &psw1=, &psw2=.
# Credentials are in the matched body; handle alert payloads accordingly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Yobit Cryptocurrency Exchange Phish 2017-12-28"; flow:established,to_server; content:"POST"; http_method; content:"login="; depth:6; nocase; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&psw1="; nocase; distance:0; http_client_body; content:"&psw2="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2025174; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
# sid:2025175 (options continue on the next line) - HitBTC-style login POST: body starts with
# __csrf__=, then &utc_offset_hours=, &email=, &password=. Credentials in the matched body.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful HitBTC 
Cryptocurrency Exchange Phish 2017-12-28"; flow:established,to_server; content:"POST"; http_method; content:"__csrf__="; depth:9; nocase; http_client_body; content:"&utc_offset_hours="; nocase; distance:0; http_client_body; fast_pattern; content:"&email="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2025175; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
# sid:2025176 - Liqui-style login POST. The body also carries login_type[twoFactorKey]=, so a
# hit means the one-time code was phished alongside the password - respond before that code
# expires, not only on the password reset.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Liqui Cryptocurrency Exchange Phish 2017-12-28"; flow:established,to_server; content:"POST"; http_method; content:"login_type%5Bemail%5D="; depth:22; nocase; http_client_body; content:"&login_type%5Bpassword%5D="; nocase; distance:0; http_client_body; content:"&login_type%5BtwoFactorKey%5D="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2025176; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
# sid:2024583 - mixed text/hex pattern decodes to "Bireysel İnternet Şubesi | Yapı Kredi"
# (UTF-8; nocase folds ASCII only). Title-only, bad-unknown. Uses "deployment Internet" where
# the neighbouring rules use Perimeter.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible YapiKredi Bank (TR) Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"Bireysel|20 c4 b0|nternet|20 c5 9e|ubesi|20 7c 20|Yap|c4 b1 20|Kredi"; fast_pattern; nocase; classtype:bad-unknown; sid:2024583; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_16, deployment Internet, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_29;)
# sid:2024705 (options continue on the next line) - 200 application/javascript response whose
# body contains this.submitCreds, "username: this.username", "password: this.password" and the
# string apple.com, in that order.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Apple Phishing Landing M3 Sep 14 2017"; flow:to_client,established; content:"200"; 
http_stat_code; content:"Content-Type|3a 20|application/javascript"; http_header; file_data; content:"this.submitCreds"; nocase; fast_pattern; content:"username|3a 20|this.username"; nocase; distance:0; content:"password|3a 20|this.password"; nocase; distance:0; content:"apple.com"; nocase; distance:0; classtype:trojan-activity; sid:2024705; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
# *** CORRUPTED BY EXTRACTION - do not load this line as-is. *** The content string after
# file_data in "Paypal Phishing Landing Jan 09 2017" began with "<", and everything up to the
# next ">" was stripped, swallowing the rest of that rule and the header
# ("alert http $HOME_NET any ->") of sid:2025180. sid:2025180 itself is a noalert tagging rule
# (POST body "id=" ... "&pw=" sets ET.genericphish). Re-fetch both rules from the upstream
# ET Open ruleset rather than reconstructing them.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing Jan 09 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) 2018-01-02"; flow:to_server,established; content:"POST"; http_method; content:"id="; depth:3; nocase; fast_pattern; http_client_body; content:"&pw="; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2025180; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
# sid:2025181 - entity/homoglyph-obfuscated "Log in to your PayPal account" within the first
# 300 bytes of the body (&Rho; standing in for P). The "ο" characters in this pattern are
# non-ASCII as extracted here; verify the pattern bytes against the upstream rule before
# loading, since other rules on this page have been altered by extraction.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing 2018-01-03"; flow:from_server,established; file_data; content:"Lο|3b|g|20|in|20|tο|3b 20|yο|3b|ur|20|&Rho|3b|ay&Rho|3b|aI|20|accο|3b|unt"; nocase; depth:300; classtype:trojan-activity; sid:2025181; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_03;)
# sid:2025186 (options continue on the next line) - raw TCP on any port: a Stratum JSON-RPC
# message {"id": ... "method": "mining.authorize", ... "params" ["<wallet>", " whose first param
# is one hard-coded wallet address. It matches the miner's login, not the CVE-2017-10271
# exploit named in msg. A fixed wallet is a campaign IOC: good for scoping that intrusion,
# blind to the same miner configured with any other wallet.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoinMiner Malicious Authline Seen 
After CVE-2017-10271 Exploit"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3a 20 22|mining.authorize|22 2c|"; within:100; content:"|22|params|22|"; within:50; content:"|5b 22|4AQe5sAFWZKECiaeNTt59LG7kVtqRoSRJMjrmQ6GiMFAeUvoL3MFeTE6zwwHkFPrAyNw2JHDxUSWL82RiZThPpk4SEg7Vqe|22 2c 20 22|"; distance:0; reference:url,otx.alienvault.com/pulse/5a4e1c4993199b299f90a212; classtype:trojan-activity; sid:2025186; rev:1; metadata:attack_target Web_Server, created_at 2018_01_04, deployment Datacenter, former_category COINMINER, malware_family CoinMiner, performance_impact Low, signature_severity Major, updated_at 2018_01_04;)
# sid:2025685 - phishing-kit JavaScript: "var ListEntries" followed within 50 bytes by the
# string '.*fuck.*', then '.*pussy.*', then '.*nice.*try.*' (the hex sequences decode to
# these). Looks like the kit's junk-input filter list; brand is not constrained, so this is a
# kit fingerprint rather than a target-specific match.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Phishing Landing 2018-01-12"; flow:from_server,established; file_data; content:"var ListEntries"; nocase; content:"|27 2e 2a 66 75 63 6b 2e 2a 27 2c|"; within:50; content:"|27 2e 2a 70 75 73 73 79 2e 2a 27 2c|"; distance:0; content:"|27 2e 2a 6e 69 63 65 2e 2a 74 72 79 2e 2a 27|"; distance:0; classtype:trojan-activity; sid:2025685; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_07_12;)
# *** CORRUPTED BY EXTRACTION - do not load this line as-is. *** From "Dropbox Phishing
# Landing 2018-01-18" to the second "Chase Phishing Landing 2018-01-18", content strings that
# began with "<" were stripped through the following ">", fusing four rules: the Dropbox rule,
# the first Chase rule and the Office 365 rule (its visible rgb(235, 60, 0) /
# $Config={"scid": / secure.aadcdn.microsoftonline-p.com matches are only a prefix) are all
# truncated, and the second Chase rule (sid:2025210, options on the next line) has lost its
# header. Re-fetch all four from the upstream ET Open ruleset.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Dropbox Phishing Landing 2018-01-18"; flow:established,to_client; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Chase Phishing Landing 2018-01-18"; flow:established,to_client; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Office 365 Phishing Landing 2018-01-18"; flow:established,to_client; file_data; content:"background-color|3a 20|rgb(235, 60, 0)"; fast_pattern; nocase; within:200; content:"$Config={|22|scid|22 3a|"; nocase; distance:0; content:"secure.aadcdn.microsoftonline-p.com"; nocase; distance:0; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Chase Phishing Landing 2018-01-18"; 
flow:established,to_client; file_data; content:"Chase"; nocase; fast_pattern; content:"googlebot|22 20|content=|22|noindex"; nocase; distance:0; content:"function unhideBody()"; nocase; distance:0; content:"type=|22|password"; nocase; distance:0; classtype:trojan-activity; sid:2025210; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
# sid:2025211 - "<title>Bank of America" plus the "WYSIWYG Web Builder" generator string within
# 200 bytes and "Untitled1.css" within a further 300: a fingerprint of one page-builder-made
# kit rather than of the brand alone.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Bank of America Phishing Landing 2018-01-18 M1"; flow:established,to_client; file_data; content:"<title>Bank of America"; nocase; fast_pattern; content:"WYSIWYG Web Builder"; nocase; within:200; content:"Untitled1.css"; nocase; within:300; classtype:trojan-activity; sid:2025211; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
# sid:2025212 - same kit fingerprint as sid:2025211, keyed on the "<title>Confirm Your Account"
# variant; "Untitled1.css" is unbounded (distance:0) here rather than within:300.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Bank of America Phishing Landing 2018-01-18 M2"; flow:established,to_client; file_data; content:"<title>Confirm Your Account"; nocase; fast_pattern; content:"WYSIWYG Web Builder"; nocase; within:200; content:"Untitled1.css"; nocase; distance:0; classtype:trojan-activity; sid:2025212; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
# sid:2025213 (metadata continues on the next line) - "<title>chase online - confirm",
# title-only, bad-unknown; same caveats as the other "Title over non SSL" rules.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Chase Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>chase online - confirm"; fast_pattern; nocase; classtype:bad-unknown; sid:2025213; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, 
created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
# *** CORRUPTED BY EXTRACTION - do not load these lines as-is. *** The third content string of
# "Paypal Phishing Landing 2018-01-18 M2" began with "<" and was stripped through the following
# ">", taking the rest of that rule and the header of the "Microsoft Questionnaire" rule
# (sid:2025226) with it. The last content of sid:2025226 ("...DOCUMENT MANAGEMENT SYSTEM") has
# likewise lost its leading markup and is split across lines. Re-fetch both from upstream.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing 2018-01-18 M2"; flow:established,to_client; file_data; content:"Log in to your PayPal account"; fast_pattern; nocase; content:"
$HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Questionnaire Phishing Landing 2018-01-19"; flow:established,to_client; file_data; content:"Questionnaire"; nocase; fast_pattern; content:"assets/css/theDocs.all.min.css"; nocase; distance:0; content:"

DOCUMENT MANAGEMENT SYSTEM"; distance:0; classtype:bad-unknown; sid:2025226; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_19;)
# sid:2025013 - tagging rule only: POST body starting "x1=" with a later "&x2=" sets
# ET.genericphish and does not alert (flowbits:noalert); pairs with an isset rule outside this
# chunk.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Nov 20 2017"; flow:to_server,established; content:"POST"; http_method; content:"x1="; depth:3; nocase; fast_pattern; http_client_body; content:"&x2="; nocase; http_client_body; distance:0; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:2025013; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
# sid:2025229 - "Email Verification", then "Sign in to upgrade your mailbox", then "Mail Admin"
# in a response body: generic mailbox-upgrade lure, bad-unknown, no brand constraint.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Email Verification/Upgrade Phishing Landing 2018-01-22"; flow:established,to_client; file_data; content:"Email Verification"; nocase; fast_pattern; content:"Sign in to upgrade your mailbox"; nocase; distance:0; content:"Mail Admin"; nocase; distance:0; classtype:bad-unknown; sid:2025229; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_22;)
# *** CORRUPTED BY EXTRACTION - do not load this line as-is. *** "Email Server Mobile Security
# Settings Phishing Landing 2018-01-22" has lost its content strings (stripped "<...>") and
# appears to have been fused with the tail of a different rule, sid:2025912 (created_at
# 2018_07_26, severity Major, no Phishing tag): the doubled "file_data; file_data;" and the
# msg/metadata date mismatch are the seam. Neither rule is recoverable from this text;
# re-fetch both from upstream.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Email Server Mobile Security Settings Phishing Landing 2018-01-22"; flow:established,to_client; file_data; file_data; content:"|0d 0a 0d 0a|"; distance:0; classtype:trojan-activity; sid:2025912; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_08_25;)
# sid:2025913 (options on the next line) - malvertising redirect: outbound GET whose URI
# contains ".asp?id=" with fewer than 5 bytes after it (isdataat:!5,relative), a Referer
# containing ".php?JBOSSESSION=", and an Accept-Encoding that is exactly "gzip, deflate"
# (depth:13 + isdataat:!1,relative). Uses the http_referer / http_accept_enc sticky buffers
# (Suricata 4.x syntax); confirm support on the target engine version.
alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ET CURRENT_EVENTS Possible Malvertising EK Redirect to EK M2"; flow:established,to_server; content:"GET"; http_method; content:".asp?id="; http_uri; isdataat:!5,relative; http_referer; content:".php?JBOSSESSION="; fast_pattern; http_accept_enc; content:"gzip, deflate"; depth:13; isdataat:!1,relative; classtype:trojan-activity; sid:2025913; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_09_16;)
# *** CORRUPTED BY EXTRACTION *** sid:2025914 (already disabled with "#"): its second content
# began with "<" and was stripped through the next ">", together with the start of the pcre
# whose tail ("]*? name\s*=... flashvars ... url=https?: ... .wasm") survives. The Flash object
# classid match (D27CDB6E-AE6D-11cf-96B8-444553540000) is the only intact part. Leave it
# disabled; re-fetch from upstream if it is ever to be re-enabled.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Underminer EK Flash Exploit"; flow:established,to_client; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; fast_pattern; content:"]*? name\s*=\s*[\x22\x27]flashvars)[^>]*? value\s*=\s*[\x22\x27]url=https?\x3a[^\x22\x27]*?\.wasm/Rsi"; classtype:trojan-activity; sid:2025914; rev:2; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2018_07_27;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Underminer EK Landing"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Encoding|3a 20|gzip|0d 0a|"; http_header; content:"X-UA-Compatible|3a 20|IE=9|3b 20|IE=8|3b 20|IE=7|0d 0a|"; http_header; file_data; content:"style=|22|width|3a|1px|3b|height|3a|1px|22|"; nocase; content:"position|3a 20|absolute|3b 20|left|3a 20|-"; nocase; content:"px|3b 20|width|3a 20|1px|3b 20|height|3a 20|1px|3b 22|"; within:40; content:"