merge files from the blockchain infra repo (#59)

autistic-symposium-helper 2024-11-17 17:03:20 -08:00 committed by GitHub
parent 23f56ef195
commit 2a6449bb85
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
346 changed files with 29097 additions and 132 deletions


@ -1,66 +1,60 @@
# Learning Kubernetes
## orchestration and backend engineering
* A Kubernetes cluster consists of **Nodes** (simialr to servers)
<br>
* Nodes run **Pods**, which are collections of Docker containers. Containers in a Pod share the same network.
### chapters
* The Kubernetes object responsible for launching and maintaining the desired number of pods is called a **Deployment**.
<br>
* Kubernetes provides objects called a **Service** so thart Pods to communicate with other Pods. They are tied to Deployments through Selectors and Labels, and they can be exposed to external clients either by exposing a **NodePort** as a static port on each Kubernetes node or by creating a **LoadBalancer** object/
#### scripts for services and pubs
* Kubernetes provides the **Secret** object for managing sensitive information such as passwords, API keys, and other credentials.
* **[docker](code/docker)**
* **[kubernetes](code/kubernetes):**
* **[spin up a node server](code/kubernetes/node-server-example)**
* **[kustomize for deployment](code/kubernetes/kustomize)**
* **[python cdk for deployment](code/kubernetes/python-cdk)**
* **[kafka (long pooling)](code/kafka)**
<br>
-------------
#### scripts for cloud infrastructure
## In this Repository
* **[aws](code/aws)**
* **[gcp](code/gcp)**
* [Spin up a node server example](https://github.com/bt3gl/Learning_Kubernetes/tree/master/node-server-example).
* [Use kustomize to organize and combine YAML templates of your services and deployments](https://github.com/bt3gl/Learning_Kubernetes/tree/master/kustomize-example).
<br>
#### resources for storage systems
--------------
## Tools
* **[databases](resources/databases/)**
### Minikube
<br>
[Minikube](https://github.com/kubernetes/minikube) implements a local Kubernetes cluster on macOS, Linux, and Windows. You can install it following [this instructions](https://minikube.sigs.k8s.io/docs/start/).
#### scripts for cloud management
### Kubectl
* **[chef](code/chef)**
Kubectl is a command line interface for running commands against Kubernetes clusters. You can install it [here](https://kubernetes.io/docs/tasks/tools/install-kubectl/).
<br>
#### resources for learning
Checking out pods:
* **[protocol demos](code/protocol_demos/)**
* **[data engineering](resources/data_engineering/)**
* **[airflow and luigi](resources/data_engineering/airflow_and_luigi.md)**
* **[the arrow project](resources/data_engineering/arrow_project.md)**
* **[or tools](resources/data_engineering/or_tools.md)**
* **[what's a protocol](resources/protocols/)**
* **[what's communication patterns](resources/communication/)**
```
$ kubectl get pods --namespace=<ns-name>
```
<br>
Checking deployments:
---
```
$ kubectl get deployments --namespace=<ns-name>
```
### cool resources
Checking services:
<br>
```
$ kubectl get services --namespace=<ns-name>
```
* **[list of public apis](https://github.com/public-apis/public-apis?tab=readme-ov-file)**
* **[system design in cool pictures](https://github.com/ByteByteGoHq/system-design-101)**
* **[my e2e surfline-pipeline-aws-py](https://github.com/autistic-symposium/surfline-pipeline-aws-py)**
Get more information about a pod:
```
$ kubectl describe pod --namespace=<ns-name> <pod name>
```
--------
## Learning
* [Google's K8s 101](https://techdevguide.withgoogle.com/paths/cloud/sequence-2/kubernetes-101-pods-nodes-containers-and-clusters/#!).
* [K8s Bootcamp](https://kubernetesbootcamp.github.io/kubernetes-bootcamp/).
* [K8s the Hard Way](https://github.com/kelseyhightower/kubernetes-the-hard-way#labs).
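Review bot: several typos in the kept bullets: "simialr to servers" should read "similar to servers", "so thart Pods to communicate with other Pods" should read "so that Pods can communicate with other Pods", and the sentence ending "creating a **LoadBalancer** object/" should end with a period rather than a slash; in the Minikube paragraph, "this instructions" should be "these instructions". The stray `<br>` tags placed between list items also split the bullet lists in rendered Markdown; a blank line does the same job without breaking the list.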

code/aws/README.md

@ -0,0 +1,6 @@
## resources on aws
<br>
* [eks](eks)
* [lambda](lambda-function)

code/aws/eks/README.md

@ -0,0 +1,480 @@
# AWS EKS
## Tutorials & Articles
* [Provision a Kubernetes Cluster in Amazon EKS with Weaveworks eksctl and AWS CDK](https://blog.reactioncommerce.com/deploying-kubernetes-clusters-in-aws-eks-with-the-aws-cloud-development-kit/).
## Creating EKS cluster using the eksctl CLI
eksctl create cluster \
--name staging \
--version 1.14 \
--nodegroup-name staging-workers \
--node-type m5.xlarge \
--nodes 3 \
--nodes-min 1 \
--nodes-max 10 \
--node-ami auto
### Create RDS PostgreSQL instance
Create `hydra` database and `hydradbadmin` user/role in the database.
hydra=> CREATE DATABASE hydra;
CREATE DATABASE
hydra=> \q
hydra=> CREATE ROLE hydradbadmin;
CREATE ROLE
hydra=> ALTER ROLE hydradbadmin LOGIN;
ALTER ROLE
hydra=> ALTER USER hydradbadmin PASSWORD 'PASS';
ALTER ROLE
DB connection string: `postgres://hydradbadmin:PASS@staging.cjwa4nveh3ws.us-west-2.rds.amazonaws.com:5432/hydra`
### Create MongoDB database and user in Atlas
MONGO_OPLOG_URL: mongodb://domain:PASS@cluster0-shard-00-02-gk3cz.mongodb.net.:27017,[cluster0-shard-00-01-gk3cz.mongodb.net](http://cluster0-shard-00-01-gk3cz.mongodb.net/).:27017,[cluster0-shard-00-00-gk3cz.mongodb.net](http://cluster0-shard-00-00-gk3cz.mongodb.net/).:27017/local?authSource=admin&gssapiServiceName=mongodb&replicaSet=Cluster0-shard-0&ssl=true
MONGO_URL: mongodb://domain:PASS@cluster0-shard-00-02-gk3cz.mongodb.net.:27017,[cluster0-shard-00-01-gk3cz.mongodb.net](http://cluster0-shard-00-01-gk3cz.mongodb.net/).:27017,[cluster0-shard-00-00-gk3cz.mongodb.net](http://cluster0-shard-00-00-gk3cz.mongodb.net/).:27017/rc-staging?authSource=admin&gssapiServiceName=mongodb&replicaSet=Cluster0-shard-0&ssl=true
### Generate kubeconfig files for administrator and developer roles
Save the above file somewhere, then
export KUBECONFIG=/path/to/file
export AWS_PROFILE=profilename
This configuration uses the `aws-iam-authenticator` binary (needs to exist locally)
and maps an IAM role to an internal Kubernetes RBAC role.
This was created in the EKS cluster with:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: k8s-developer-role
namespace: staging
rules:
- apiGroups:
- ""
- "apps"
- "batch"
- "extensions"
resources:
- "configmaps"
- "cronjobs"
- "deployments"
- "events"
- "ingresses"
- "jobs"
- "pods"
- "pods/attach"
- "pods/exec"
- "pods/log"
- "pods/portforward"
- "secrets"
- "services"
verbs:
- "create"
- "delete"
- "describe"
- "get"
- "list"
- "patch"
- "update"
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: k8s-developer-rolebinding
namespace: staging
subjects:
- kind: User
name: k8s-developer-user
roleRef:
kind: Role
name: k8s-developer-role
apiGroup: rbac.authorization.k8s.io
### Install nginx ingress controller and create ALB in front of nginx ingress service
The `Service` type for the `ingress-nginx` service is `NodePort` and not `LoadBalancer`
because we don't want AWS to create a new Load Balancer every time we recreate the ingress.
kind: Service
apiVersion: v1
metadata:
name: ingress-nginx
namespace: kube-ingress
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
type: NodePort
selector:
app: ingress-nginx
ports:
- name: http
port: 80
nodePort: 30080
targetPort: http
- name: https
port: 443
nodePort: 30443
targetPort: https
Instead, we provision an ALB and send both HTTP and HTTPS traffic to a Target Group that targets port 30080 on
the EKS worker nodes (which is the `nodePort` in the manifest above for HTTP traffic).
**NOTE**: need to add rule in EKS worker SG to allow SG of ALB to access port 30080.
### Create Kubernetes Secret for DockerHub credentials (for pulling private images)
apiVersion: v1
type: kubernetes.io/dockerconfigjson
kind: Secret
metadata:
name: reaction-docker-hub
data:
.dockerconfigjson: BASE64_OF_DOCKERHUB_AUTH_STRING
DOCKERHUB_AUTH_STRING={"auths":{"https://index.docker.io/v1/":{"username":"rck8s","password":"PASS","auth":"OBTAINED_FROM_DOCKER_CONFIG.JSON"}}}
This Secret was created in several namespaces (`default`, `staging`, `monitoring`, `logging`, `flux-system`)
### Install and customize Flux for GitOps workflow
Flux is installed in its own `flux-system` namespace.
To install it, it we ran:
kustomize build overlays/staging | kubectl apply -f -
The default `Deployment` for Flux is using the `weaveworks/flux` Docker image, which as of its last
version contains an older binary for `kustomize`.
Here is the `Dockerfile` for that image:
FROM fluxcd/flux:1.15.0
ARG REACTION_ENVIRONMENT
ENV SOPS_VERSION 3.4.0
ENV REACTION_ENVIRONMENT=${REACTION_ENVIRONMENT}
RUN /sbin/apk add npm
RUN wget https://github.com/mozilla/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux \
-O /usr/local/bin/sops; chmod +x /usr/local/bin/sops
For now, the script `build_and_push_image_staging.sh` sets this variable to `staging`:
#!/bin/bash
COMMIT_TAG=$(git rev-parse --short HEAD)
docker build --build-arg REACTION_ENVIRONMENT=staging -t reaction-flux:staging .
docker tag reaction-flux:staging reactioncommerce/reaction-flux:staging-${COMMIT_TAG}
docker push reactioncommerce/reaction-flux:staging-${COMMIT_TAG}
Flux generates an ssh key upon startup. We need to obtain that key with `fluxctl` and add
it as a deploy key to the `reaction-gitops` GitHub repo:
fluxctl --k8s-fwd-ns=flux-system identity
The `manifest-generation=true` argument allows Flux to inspect and use a special configuration file called
`.flux.yaml` in the root of the associated Git repo. The contents of this file are:
version: 1
commandUpdated:
generators:
- command: ./generate_kustomize_output.sh
Flux will `cd` into the `git-path` (set to `.` in our case in the args above), then will run the `command`
specified in the `.flux.yaml` file. The output of the command needs to be valid YAML, which Flux will apply
to the Kubernetes cluster via `kubectl apply -f -`.
We can run whatever commands we need, following whatever conventions we come up with, inside the `generate_kustomize_output.sh` script. Currently we do something along these lines:
#!/bin/bash
if [ -z $ENVIRONMENT ]; then
echo Please set the ENVIRONMENT environment variable to a value such as staging before running this script.
exit 1
fi
# this is necessary when running npm/npx inside a Docker container
npm config set unsafe-perm true
cd kustomize
for SUBDIR in `ls`; do
if [ "$1" ] && [ "${SUBDIR}" != "$1" ]; then
continue
fi
OVERLAY_DIR=${SUBDIR}/overlays/${ENVIRONMENT}
if [ ! -d "${OVERLAY_DIR}" ]; then
continue
fi
if [ -d "${OVERLAY_DIR}/.sops" ]; then
# decrypt sops-encrypted values and merge them into stub manifests for Secret objects
npx --quiet --package @reactioncommerce/merge-sops-secrets@1.2.1 sops-to-secret ${OVERLAY_DIR}/secret-stub.yaml > ${OVERLAY_DIR}/secret.yaml
fi
# generate kustomize output
kustomize build ${OVERLAY_DIR}
echo "---"
rm -rf ${OVERLAY_DIR}/secret.yaml
done
Flux will do a `git pull` against the branch of the `reaction-gitops` repo specified in the
command-line args (`master` in our case) every 5 minutes, and it will run the `generate_kustomize_output.sh` script, then will run `kubectl apply -f -` against the output of that script, applying any manifests that have changed.
The Flux `git pull` can also be forced with `fluxctl sync`:
fluxctl sync --k8s-fwd-ns flux-system
To redeploy a Flux container for example when the underlying Docker image changes, do this in the
`reaction-gitops` root directory:
cd bootstrap/flux
kustomize build overlays/staging | kubectl apply -f -
### Management of Kubernetes secrets
We use sops to encrypt secret values for environment variables representing credentials, database connections, etc.
We create one file per secret in directories of the format `kustomize/SERVICE/overlays/ENVIRONMENT/.sops.`
We encrypt the files with a KMS key specified in `.sops.yaml` in the directory `kustomize/SERVICE/overlays/ENVIRONMENT`.
Example:
cd kustomize/hydra/overlays/staging
echo -n "postgres://hydradbadmin:PASS@staging.cjwa4nveh3ws.us-west-2.rds.amazonaws.com:5432/hydra" > .sops/DATABASE_URL.enc
sops -e -i .sops/DATABASE_URL.enc
We also create a `secret-stub.yaml` file in the directory `kustomize/SERVICE/overlays/ENVIRONMENT` similar to this:
$ cat overlays/staging/secret-stub.yaml
apiVersion: v1
kind: Secret
metadata:
name: hydra
type: Opaque
data:
DATABASE_URL: BASE64_OF_PLAIN_TEXT_SECRET
OIDC_SUBJECT_TYPE_PAIRWISE_SALT: BASE64_OF_PLAIN_TEXT_SECRET
SYSTEM_SECRET: BASE64_OF_PLAIN_TEXT_SECRET
The Flux container will call the `generate_kustomize_output.sh` script, which will decrypt the files via Pete's `@reactioncommerce/merge-sops-secrets@1.2.1 sops-to-secret` utility and will stitch their values inside `secret-stub.yaml`, saving the output in a `secret.yaml` file which will then be read by `kustomize`.
Here is the relevant section from the `generate_kustomize_output.sh` script:
npx --quiet \
--package @reactioncommerce/merge-sops-secrets@1.2.1 \
sops-to-secret ${OVERLAY_DIR}/secret-stub.yaml > ${OVERLAY_DIR}/secret.yaml
The Flux container needs to be able to use the KMS key for decryption, so we had to create an IAM policy allowing access to this KMS key, then attach the policy to the EKS worker node IAM role.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kms:GetKeyPolicy",
"kms:Decrypt",
"kms:DescribeKey",
"kms:GenerateDataKey*"
],
"Resource": "arn:aws:kms:us-west-2:773713188930:key/a8d73206-e37a-4ddf-987e-dbfa6c2cd2f8"
}
]
}
### Kubernetes manifest generation with Kustomize
We use Kustomize to generate Kubernetes manifests in YAML format.
There are several directories under the `kustomize` directory, one for each service to be deployed.
Example directory structure under `kustomize/reaction-storefront`:
|____overlays
| |____staging
| | |____patch-deployment-imagepullsecret.yaml
| | |____kustomization.yaml
| | |____hpa.yaml
| | |____secret-stub.yaml
| | |____.sops
| | | |____SESSION_SECRET.enc
| | | |____OAUTH2_CLIENT_SECRET.enc
| | |____configmap.yaml
| | |____.sops.yaml
|____base
| |____deployment.yaml
| |____ingress.yaml
| |____kustomization.yaml
| |____service.yaml
The manifests under the `base` directory define the various Kubernetes objects that will be created for `reaction-storefront` (similar to YAML manifests under the `templates` directory of a Helm chart, but with no templating). In this example we have a Deployment, a Service and an Ingress defined in their respective files.
The file `base/kustomization.yaml` specifies how these manifests files are collated and how other common information is appended:
$ cat base/kustomization.yaml
# Labels to add to all resources and selectors.
commonLabels:
app.kubernetes.io/component: frontend
app.kubernetes.io/instance: reaction-storefront
app.kubernetes.io/name: reaction-storefront
# Value of this field is prepended to the
# names of all resources
#namePrefix: reaction-storefront
configMapGenerator:
- name: reaction-storefront
# List of resource files that kustomize reads, modifies
# and emits as a YAML string
resources:
- deployment.yaml
- ingress.yaml
- service.yaml
The customization for a specific environment such as `staging` happens in files in the directory `overlays/staging`. Here is the `kustomization.yaml` file from that directory:
$ cat overlays/staging/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namePrefix: staging-
namespace: staging
images:
- name: docker.io/reactioncommerce/reaction-next-starterkit
newTag: 4e1c281ec5de541ec6b22c52c38e6e2e6e072a1c
resources:
- secret.yaml
- ../../base
patchesJson6902:
- patch: |-
- op: replace
path: /spec/rules/0/host
value: storefront.staging.reactioncommerce.io
target:
group: extensions
kind: Ingress
name: reaction-storefront
version: v1beta1
patchesStrategicMerge:
- configmap.yaml
- patch-deployment-imagepullsecret.yaml
Some things to note:
- You can customize the Docker image and tag used for a container inside a pod
- You can specify a prefix to be added to all object names, so a deployment declared in the `base/deployment.yaml` file with the name `reaction-storefront` will get `staging-` in front and will become `staging-reaction-storefront`
- You can apply patches to the files under `base` and specify values specific to this environment
Patches can be declared either inline in the `kustomization.yaml` file (such as the Ingress patch above), or in separate YAML files (such as the files in the `patchesStrategicMerge` section).
Here is an example of a separate patch file:
$ cat overlays/staging/patch-deployment-imagepullsecret.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: reaction-storefront
spec:
template:
spec:
imagePullSecrets:
- name: reaction-docker-hub
You need to specify enough information in the patch file for `kustomize` to identify the object to be patched. If you think of the YAML manifest as a graph with nodes specified by a succession of keys, then the patch needs to specify which node needs to be modified or added, and what is the new value for that key. In the example above, we add a new key at `spec->template->spec->imagePullSecrets->0 (item index)->name` and set its value to `reaction-docker-hub`.
**Environment variables** for a specific environment are set in the `configmap.yaml` file in the `overlays/ENVIRONMENT` directory. Example for `reaction-storefront`:
$ cat overlays/staging/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: reaction-storefront
data:
CANONICAL_URL: https://storefront.staging.reactioncommerce.io
DEFAULT_CACHE_TTL: "3600"
ELASTICSEARCH_URL: http://elasticsearch-client:9200
EXTERNAL_GRAPHQL_URL: https://api.staging.reactioncommerce.io/graphql-beta
HYDRA_ADMIN_URL: http://staging-hydra:4445
INTERNAL_GRAPHQL_URL: http://staging-reaction-core/graphql-beta
OAUTH2_ADMIN_PORT: "4445"
OAUTH2_AUTH_URL: https://auth.staging.reactioncommerce.io/oauth2/auth
OAUTH2_CLIENT_ID: staging-storefront
OAUTH2_HOST: staging-hydra
OAUTH2_IDP_HOST_URL: https://api.staging.reactioncommerce.io/
OAUTH2_REDIRECT_URL: https://storefront.staging.reactioncommerce.io/callback
OAUTH2_TOKEN_URL: http://staging-hydra:4444/oauth2/token
PRINT_ERRORS: "false"
SEARCH_ENABLED: "false"
SESSION_MAX_AGE_MS: "2592000000"
Another example of a patch is adding `serviceMonitorNamespaceSelector` and `serviceMonitorSelector` sections to a Prometheus manifest file:
$ cat bootstrap/prometheus-operator/overlays/staging/patch-prometheus-application-selectors.yaml
apiVersion: monitoring.coreos.com/v1
kind: Prometheus
metadata:
labels:
prometheus: application
name: application
namespace: monitoring
spec:
serviceMonitorNamespaceSelector:
matchExpressions:
- key: name
operator: In
values:
- staging
serviceMonitorSelector:
matchLabels:
monitoring: application
**In short, the Kustomize patching mechanism is powerful, and it represents the main method for customizing manifests for a given environment while keeping intact the default manifests under the `base` directory.**
### Automated PR creation into reaction-gitops from example-storefront
We added a job to the CircleCI workflow for `reactioncommerce/example-storefront` (`master` branch) to create a PR automatically against `reactioncommerce/reaction-gitops`.
The PR contains a single modification of the `reaction-storefront/overlays/staging/kustomize.yaml` file. It sets the Docker image tag to the CIRCLE_SHA1 of the current build by calling `kustomize edit set image [docker.io/${DOCKER_REPOSITORY}:${CIRCLE_SHA1}](http://docker.io/$%7BDOCKER_REPOSITORY%7D:$%7BCIRCLE_SHA1%7D)`.
Details here:
[https://github.com/reactioncommerce/example-storefront/blob/master/.circleci/config.yml#L101](https://github.com/reactioncommerce/example-storefront/blob/master/.circleci/config.yml#L101)
### Set up ElasticSearch and Fluentd for Kubernetes pod logging
Create IAM policy and add it to EKS worker node role:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
Create ElasticSearch domain `staging-logs` and configure it to use Amazon Cognito for user authentication for Kibana.
Download `fluentd.yml` from [https://eksworkshop.com/logging/deploy.files/fluentd.yml](https://eksworkshop.com/logging/deploy.files/fluentd.yml) , kustomize it, then install `fluentd` manifests for staging:
$ kustomize build bootstrap/fluentd/overlays/staging | kubectl create -f -
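Review bot: in the `k8s-developer-role` Role, `describe` is not a Kubernetes API verb (it is a kubectl subcommand built on `get`), so it should be removed from `verbs`; the same role grants `create`/`get`/`list` on `secrets` and `create` on `pods/exec` and `pods/attach` in `staging`, which lets every developer bound to it read all secrets in the namespace and open a shell in any pod, so those resources belong in a separate, more tightly bound role. `rbac.authorization.k8s.io/v1beta1` and the `extensions` group used for the Ingress patch target were removed in Kubernetes 1.22, and `--version 1.14` is long out of support on EKS, so the manifests should move to `rbac.authorization.k8s.io/v1` and `networking.k8s.io/v1` alongside a supported cluster version. The Fluentd IAM policy uses `"Resource": "*"`; scope it to the log group ARNs the cluster actually writes. In `generate_kustomize_output.sh`, `if [ -z $ENVIRONMENT ]` should quote the variable (`[ -z "$ENVIRONMENT" ]`; the unquoted form only works for the unset case by accident), and the decrypted `secret.yaml` sits in plaintext in the checkout from `sops-to-secret` until the `rm -rf` at the end of each iteration, so an interrupted run leaves it behind; a `trap` that removes it, or piping the decrypted output straight into `kustomize`, avoids that. Finally, the RDS hostname, MongoDB cluster hosts, DockerHub username and the KMS key ARN with its account ID are real-looking values; a learning repo should carry placeholders for these.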


@ -0,0 +1,5 @@
# References for Lambda Functions
- [JavaScript Cloudwatch logging test](https://github.com/go-outside-labs/Curated_Cloud_and_Orchestration/blob/master/lambda_function_examples/monitoring_example).
- [Python functionby SQS and responding to a SNS topic](https://github.com/go-outside-labs/Curated_Cloud_and_Orchestration/blob/master/lambda_function_examples/sqs-sns_example).
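Review bot: "Python functionby SQS and responding to a SNS topic" is missing words; presumably "Python function triggered by SQS and responding to an SNS topic".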


@ -0,0 +1,4 @@
!.env.example
.env
node_modules
src/packaged-*.yaml


@ -0,0 +1,37 @@
BASEDIR := "$(PWD)/src"
CMD := docker run -it --rm \
--volume "/var/run/docker.sock:/var/run/docker.sock" \
--volume "$(PWD)/src:/var/opt" \
--volume ~/.aws:/root/.aws \
--env-file .env
AWS_REGION := $(shell aws configure get region)
.PHONY: help
help:
@$(CMD)
.PHONY: build
build:
@$(CMD) build
.PHONY: validate
validate:
@$(CMD) validate
.PHONY: local
local:
@$(CMD) local invoke "MonitoringTest" \
-t "/var/opt/template.yaml" \
-e "/var/opt/event.json" \
--profile "$(AWS_PROFILE)" \
--docker-volume-basedir "$(BASEDIR)"
.PHONY: logs
logs:
@$(CMD) logs -n MonitoringTest --stack-name ${STACK_NAME} -t --region ${AWS_REGION} --profile ${AWS_PROFILE}
.PHONY: package
package:
@$(CMD) package --template-file ./template.yaml --output-template-file ./packaged-template.yaml --s3-bucket ${S3_BUCKET} --region ${AWS_REGION} --profile ${AWS_PROFILE}
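Review bot: `CMD` never names a Docker image, so `$(CMD) build` runs `docker run ... build` with `build` taken as the image name; the image must be appended after `--env-file .env` for any of these targets to work. The recipe also bind-mounts `/var/run/docker.sock` and the whole `~/.aws` directory into the container, which hands it full control of the host Docker daemon and every AWS profile on the machine; mount only the profile needed, and keep the socket mount to the `local` target that actually requires it. Minor: `$(AWS_PROFILE)` and `${AWS_PROFILE}` are mixed; both work in Make, but pick one style.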


@ -0,0 +1,9 @@
### Monitoring Lambda Test Function
Lambda function that looks at its argument and just succeeds or fails based on the input.
This is used to test our monitoring graphs and alerting rules.
Install [aws-cli](https://aws.amazon.com/cli/) and [sam](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-cli-command-reference-sam-logs.html).


@ -0,0 +1,4 @@
export AWS_REGION=
export S3_BUCKET=
export STACK_NAME=
export SERVICE_NAME=


@ -0,0 +1,10 @@
{
"name": "monitoring",
"version": "1.0.0",
"description": "Lambda function that looks at its argument and just succeeds or fails based on the input.",
"main": "index.js",
"scripts": {
"locally": "node src/index.js"
},
"author": "Mia Stein"
}
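Review bot: `main` points at `index.js` while the `locally` script runs `src/index.js`; the two should agree on where the handler lives.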


@ -0,0 +1,13 @@
#!/usr/bin/env bash
set -o errexit # always exit on error
set -o errtrace # trap errors in functions as well
set -o pipefail # don't ignore exit codes when piping output
IFS=$'\n\t'
cd "$(dirname "${BASH_SOURCE[0]}")/.."
source "$1"
make --makefile=./scripts/deploy.mk all
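Review bot: `source "$1"` runs with no check that an argument was given or that the file exists, so a missing or mistyped env file aborts with an unhelpful bash error (and any readable file path sources arbitrary shell into the deploy); add `[[ -f "$1" ]] || { echo "usage: $0 <env-file>" >&2; exit 1; }` before it. Consider `set -o nounset` as well, to match the stricter options in `validate-env.sh`.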


@ -0,0 +1,30 @@
SAM_INPUT_TEMPLATE=./src/template.yaml
SAM_OUTPUT_TEMPLATE=./src/packaged-template.yaml
.PHONY: validate-env
validate-env:
@./scripts/validate-env.sh \
AWS_ACCESS_KEY_ID \
AWS_REGION \
AWS_SECRET_ACCESS_KEY \
STACK_NAME \
S3_BUCKET
.PHONY: package
package: validate-env
@aws cloudformation package \
--template-file ${SAM_INPUT_TEMPLATE} \
--output-template-file ${SAM_OUTPUT_TEMPLATE} \
--s3-bucket ${S3_BUCKET} \
--region ${AWS_REGION}
.PHONY: deploy
deploy: validate-env package
aws cloudformation deploy \
--template-file ${SAM_OUTPUT_TEMPLATE} \
--stack-name ${SAM_STACK_NAME} \
--capabilities CAPABILITY_IAM \
--region ${AWS_REGION}
.PHONY: all
all: deploy
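Review bot: the `deploy` target passes `--stack-name ${SAM_STACK_NAME}`, but `validate-env` checks `STACK_NAME` and nothing defines `SAM_STACK_NAME`, so the deploy runs with an empty stack name; use `${STACK_NAME}` (or define `SAM_STACK_NAME=${STACK_NAME}` next to the template variables). `validate-env` also requires `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` as environment variables, which rules out profile- or role-based credentials (`AWS_PROFILE`, instance roles); a call to `aws sts get-caller-identity` would accept any credential source.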


@ -0,0 +1,27 @@
#!/usr/bin/env bash
set -o errexit # always exit on error
set -o errtrace # trap errors in functions as well
set -o pipefail # don't ignore exit codes when piping output
set -o posix # more strict failures in subshells
IFS=$'\n\t'
##### RUNNING THE SCRIPT #####
# export FUNCTION = <name of the lambda function in aws, can be found by aws lambda list-functions"
# source .env
# ./scripts/invoke.sh {true|false} [count]
cd "$(dirname "${BASH_SOURCE[0]}")/.."
./scripts/validate-env.sh AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
function=$(aws lambda list-functions | jq -r '.Functions[].FunctionName' | grep -E '^monitoring-lambda' | head -1)
payload="{\"forceError\": ${1:-false}}"
outpath="/tmp/monitoring-lambda.out"
count="${2:-1}"
for i in $(seq "${count}"); do
aws lambda invoke \
--function-name "${function}" \
--invocation-type Event \
--payload "${payload}" \
"${outpath}"
done
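Review bot: the header comment says to `export FUNCTION`, but the script ignores that variable and picks the first function matching `^monitoring-lambda` from `aws lambda list-functions`; either honour `${FUNCTION:-...}` or drop the comment. `${1:-false}` is spliced into the JSON payload unquoted and unvalidated, so any argument other than `true`/`false` produces an invalid or unintended payload; validate it with a `case` statement first. `function` is a bash reserved word, which works as a variable name here but reads badly; `fn_name` would be clearer. With `--invocation-type Event` the response body is empty, so `outpath` captures nothing useful.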


@ -0,0 +1 @@
sam logs -n REPLACE-LOGS-NAME --stack-name REPLACE-STACK-NAME -t


@ -0,0 +1 @@
sam package --template-file template.yaml --output-template-file packaged.yaml --s3-bucket s3-test-deployment


@ -0,0 +1,19 @@
#!/usr/bin/env bash
set -o errexit # always exit on error
set -o errtrace # trap errors in functions as well
set -o pipefail # don't ignore exit codes when piping output
set -o posix # more strict failures in subshells
IFS=$'\n\t'
declare -a missing
for var in "$@"; do
if [[ -z "${!var}" ]]; then
echo "⚠️ ERROR: Missing required environment variable: ${var}" 1>&2
missing+=("${var}")
fi
done
if [[ -n "${missing[*]}" ]]; then
exit 1
fi


@ -0,0 +1,3 @@
{
"forceError": true
}


@ -0,0 +1,22 @@
/**
* @name monitoring
* @param {Object} context Lambda context object
* @return {Object} Object with a message and the original event
*/
exports.handler = async function(event) {
console.log("got event", event);
if (event.forceError) {
throw new Error ("Intentional Error.")
}
return {
message: "Work complete.",
event
};
}
if (require.main === module) {
const event = require("./event.json");
exports.handler(event);
}
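Review bot: the JSDoc declares `@param {Object} context`, but the handler's only parameter is `event`, so the doc should read `@param {Object} event Lambda event object`. When run directly, `exports.handler(event)` returns a promise whose rejection (for `forceError: true`) is never handled; on Node 15 and later that ends the process with an unhandled-rejection error rather than a clear result, so chain `.then(console.log).catch(err => { console.error(err); process.exit(1); })`. Minor: `throw new Error ("Intentional Error.")` has a stray space and no semicolon.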


@ -0,0 +1,11 @@
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: Monitoring test lambda
Resources:
MonitoringTest:
Type: 'AWS::Serverless::Function'
Properties:
Handler: index.handler
Runtime: nodejs8.10
Description: Monitoring test lambda
MemorySize: 256
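Review bot: `Runtime: nodejs8.10` is end of life in Lambda (creating nodejs8.10 functions has been blocked since early 2020), so the deploy will be rejected; move to a currently supported Node.js runtime. The function also sets no `CodeUri`, and `aws cloudformation package` (as used in `deploy.mk`) only uploads paths the template names, so set it explicitly (for example `CodeUri: .`); an explicit `Timeout` would likewise make the monitoring test's behaviour predictable instead of relying on the 3-second default.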


@ -0,0 +1,104 @@
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class
# C extensions
*.so
# Distribution / packaging
.Python
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
*.egg-info/
.installed.cfg
*.egg
MANIFEST
# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec
# Installer logs
pip-log.txt
pip-delete-this-directory.txt
# Unit test / coverage reports
htmlcov/
.tox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*.cover
.hypothesis/
.pytest_cache/
# Translations
*.mo
*.pot
# Django stuff:
*.log
local_settings.py
db.sqlite3
# Flask stuff:
instance/
.webassets-cache
# Scrapy stuff:
.scrapy
# Sphinx documentation
docs/_build/
# PyBuilder
target/
# Jupyter Notebook
.ipynb_checkpoints
# pyenv
.python-version
# celery beat schedule file
celerybeat-schedule
# SageMath parsed files
*.sage.py
# Environments
.env
.venv
env/
venv/
ENV/
env.bak/
venv.bak/
# Spyder project settings
.spyderproject
.spyproject
# Rope project settings
.ropeproject
# mkdocs documentation
/site
# mypy
.mypy_cache/


@ -0,0 +1,40 @@
install:
@python setup.py install && pip install -r requirements.txt
build:
@/bin/bash ./scripts/build_package.sh
clean:
@rm -rf /tmp/*.mp4 .coverage .tox build dist lib/*.pyc *.egg-info *pyc __pycache__/ ffmpeg* .pytest_cache /tmp/*mp4 /tmp/*jpg
doctoc:
@doctoc README.md
event:
@PYTHONPATH=$(pwd) ./scripts/create_test_event.py
invoke:
@PYTHONPATH=$(pwd) lambda invoke -v
lint:
@pep8 --exclude=build,venv,dist . && echo pep8: no linting errors
fixlint:
@autopep8 --in-place *py lib/*py lib/handlers/*py lib/routes/*py tests/*py scripts/*py
test:
@PYTHONPATH=$(pwd) py.test -v --color=yes --ignore=venv/
deploy:
@/bin/bash scripts/deploy_lambda.sh sandbox
sbox:
@/bin/cp .env.sample_sandbox .env
stag:
@/bin/cp .env.sample_staging .env
prod:
@/bin/cp .env.sample_prod .env
.PHONY: install clean doctoc lint invoke test build deploy event fixlint prod stag sbox
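Review bot: `$(pwd)` in a Makefile recipe is expanded by Make as the (empty) variable `pwd`, not by the shell, so `PYTHONPATH=$(pwd)` sets an empty path in the `event`, `invoke` and `test` targets; use `$$(pwd)` or Make's `$(CURDIR)`. `clean` also deletes `/tmp/*.mp4` and `/tmp/*jpg` system-wide, which on a shared host removes other users' files; write intermediates under a project-local temp directory instead. `pep8` and `py.test` are the old names of `pycodestyle` and `pytest`.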


@ -0,0 +1,289 @@
# AWS Lambda Function to Trim Videos with FFMPEG
An AWS Lambda Function to trim videos served from an API endpoint, within two given NTP UTC timestamps.
The stack also uses SQS, SNS, and S3 resources.
----
# Table of Contents
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
- [Introduction](#introduction)
- [Running Locally](#running-locally)
- [Create a virtual environment](#create-a-virtual-environment)
- [Configure the environment](#configure-the-environment)
- [Changes when moving to another environment](#changes-when-moving-to-another-environment)
- [Install the dependencies](#install-the-dependencies)
- [Create Sample SQS events](#create-sample-sqs-events)
- [Running the App locally](#running-the-app-locally)
- [AWS Deploynment](#aws-deploynment)
- [Running the App as a Lambda Function](#running-the-app-as-a-lambda-function)
- [Testing the flow in AWS](#testing-the-flow-in-aws)
- [Debugging Errors](#debugging-errors)
- [Contributing](#contributing)
- [Committing new code](#committing-new-code)
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
----
# Introduction
As we see in this diagram, this application performs the following steps:
1. Receive a SQS event requesting a clip for a given time interval. An example of SQS event is the follow:
```json
{
"Records": [
{
"body": "{'clipId': '1111111111111', 'retryTimestamps': [], 'cameraId': '1111111111111', 'startTimestampInMs': 1537119363000, 'endTimestampInMs': 1537119423000}",
"receiptHandle": "MessageReceiptHandle",
"md5OfBody": "7b270e59b47ff90a553787216d55d91d",
"eventSourceARN": "arn:aws:sqs:us-west-1:123456789012:MyQueue",
"eventSource": "aws:sqs",
"awsRegion": "us-west-1",
"messageId": "19dd0b57-b21e-4ac1-bd88-01bbb068cb78",
"attributes": {
"ApproximateFirstReceiveTimestamp": "1523232000001",
"SenderId": "123456789012",
"ApproximateReceiveCount": "1",
"SentTimestamp": "1523232000000"
},
"messageAttributes": {
"SentTimestamp": "1523232000000"
}
}
]
}
```
2. Call the camera API with the endpoint `/cameras/cameraID` to retrieve a camera alias for the given camera id.
3. Call the camera API with the endpoint `/cameras/recording/` to retrieve a list of cam rewind source files within the given time range.
Which would generate this response:
```json
[{
"startDate":"2018-09-16T16:00:17.000Z",
"endDate":"2018-09-16T16:10:17.000Z",
"thumbLargeUrl":URL,
"recordingUrl":URL,
"thumbSmallUrl":URL,
"alias":"test"
}]
```
4. Retrieve the cam rewind source files from the origin S3 bucket (downloading them on disk).
5. Use ffmpeg to trim and merge clips into a single clip and to create several thumbnails.
6. If the clips are available, store them in the destination S3 bucket.
7. If the clips are not available, send a SQS message back to the queue, similar to the initial SQS, with a visibility timeout.
8. Call the camera API with endpoint `/cameras/clips` to update the information about the new clip and send a SNS message with the resulting metadata. An example of SNS message:
```json
{
"clipId": "1111111111111",
"cameraId": "1111111111111",
"startTimestampInMs": 1534305591000,
"endTimestampInMs": 1534305611000,
"status": "CLIP_AVAILABLE",
"bucket": "s3-test",
"clip": {
"url": URL,
"key": "/test.mp4"
},
"thumbnail": {
"url": "https://url_{size}.png",
"key": "/1111111111111/1111111111111{size}.png",
"sizes": [300, 640, 1500, 3000]
}
}
```
# Running Locally
To add new features to this application, follow these steps:
### Create a virtual environment
```bash
virtualenv venv
source venv/bin/activate
```
### Configure the environment
```bash
cp .env.sample_{env} .env
vim .env
```
Where these are the global variables in this file:
| Constant | Definition |
| :----------------------|:-------------------------------------------------------------------------------------- |
| CLIP_DOWNLOAD_DEST | Where the clips are going to be downloaded in disk |
| TIMESTAMP_FORMAT | The timestamp we will be parsing from the clip name strings |
| OLD_FILE_FORMAT | False if the clips to be downloaded have seconds encoded in their names (new format) |
| SQS_RETRY_LIMIT | The limit, in seconds, of retries for CLIP PENDING (default: 15 minutes) |
| OUT_OF_RANGE_LIMIT | The limit, in seconds, of how back in the past clips can be retrieved (default: 3 days)|
| CAM_SERVICES_URL | The url where the camera services is available |
| CLIP_URL | The url where the clips are posted to, accordingly to the environment |
| RECORDINGS_URL | The url where the source recordings are retrieved. |
| THUMBNAIL_SIZES | List of values for which clip thumbnails need to be created |
| VIDEO_MAX_LEN | Maximum length allowed for a clip |
| S3_BUCKET_ORIGIN | AWS S3 bucket where the rewinds are available |
| S3_BUCKET_ORIGIN_DIR | AWS S3 'folder' where the rewinds are available |
| S3_BUCKET_DESTINATION | AWS S3 bucket where the clips will be upload to. |
| AWS_SNS_TOPIC | AWS SNS topic arn |
| AWS_SQS_QUEUE | AWS SQS queue arn |
| AWS_SQS_QUEUE_URL | AWS SQS queue url |
| SQS_TIMEOUT | AWS SQS invisibility timeout in seconds |
#### Changes when moving to another environment
Whenever you move among the environments (prod, sandbox, or staging), you need to change the following variables:
| Constant | Possible value |
| :---------------------- |:------------------------------------------------- |
| CLIP_URL | https://camclips.{ENV}.test.com |
| S3_BUCKET_DESTINATION | cameras-service-clips-cdn-{ENV} |
| AWS_SNS_TOPIC | arn:aws:sns:test_{ENV} |
| AWS_SQS_QUEUE | arn:aws:sqs:test-sqs-{ENV} |
| AWS_SQS_QUEUE_URL | https://sqs.test-sqs-{ENV} |
### Install the dependencies
```bash
make install
```
### Create Sample SQS events
To create an `event.json` file to be tested in this application, run:
```bash
make event
```
Note that this command runs `./scripts/create_test_event.py` considering that the camera `test` is up. In case it is down, you should add a valid camera to the global variables section in that script.
You can create testing `event.json` to test alternate flows such as:
* **Clip pending** (i.e. when the requested clip is within 15 minutes to the SQS message timestamp but it was not created yet):
```bash
python scripts/create_test_event.py -p
```
* **Clip not available** (i.e. when the requested clip is later than 15 minutes but within 3 days to the SQS message timestamp):
```bash
python scripts/create_test_event.py -n
```
* **Clip out of range** (i.e. when the requested clip is later than 3 days to the SQS message timestamp):
```bash
python scripts/create_test_event.py -o
```
### Running the App locally
```bash
make invoke
```
-----
# AWS Deploynment
### Running the App as a Lambda Function
This creates a `.zip` package and deploys it to the lambda function:
```bash
make deploy
```
Check whether the package has the expected content:
```bash
unzip -l dist/cameras-service-generate-clip.zip
```
Note that this adds FFMPEG's dependencies manually and the Python dependencies are built within a Dockerfile.
### Testing the flow in AWS
You can test this application flow in sandbox and/or staging environment following theses steps:
1. In the [SQS dashboard](https://console.aws.amazon.com/sqs/home?region=us-west-1), select SQS queue and click `Queue action -> Send a Message`.
2. Type the value for `body`, similarly as the a message created in `event.json`. For instance:
```
{'clipId': '111111111111','retryTimestamps': [],'cameraId': '111111111111','startTimestampInMs': 1538412898000,'endTimestampInMs': 1538413498000}
```
1. This should trigger the lambda function and you should see the clips and thumbnails in the environment's S3 bucket in around 20-40 seconds.
### Debugging Errors
Errors will be logged in [CloudWatch](https://us-west-1.console.aws.amazon.com/cloudwatch/home?region=us-west-1#logs:). To make sense of logs in the CLI, you should install [saw](https://github.com/TylerBrock/saw).
For instance, to check error logs for staging in the last hour:
```bash
saw get /aws/lambda/clip-function -1h --filter error
```
----
# Contributing
### Committing new code
Run unit tests with:
```bash
make test
```
When deploying scripts (or to report back to Github on PRs), we ensure that code follows style guidelines with:
```bash
make lint
```
To fix lint errors, use:
```bash
make fixlint
```
Update the documentation (README.md) with:
```bash
make doctoc
```
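Review bot: the step list under "Testing the flow in AWS" restarts its numbering (`1.` follows `2.`), so the last step should read `3.`, and the same part of the README has typos to fix before merge: "AWS Deploynment", "following theses steps", "similarly as the a message". The sample `body` there (`{'clipId': '111111111111','retryTimestamps': [], ...}`) is single-quoted Python literal syntax rather than JSON; if the handler accepts only one of the two, say which, since the fixtures in this commit mix quoted and unquoted timestamp values. The configuration section copies `.env.sample_{env}` to `.env`, which then holds the account-specific queue ARN, queue URL and topic ARN; a one-line note that `.env` must stay out of version control belongs next to `vim .env`.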

@ -0,0 +1,4 @@
region: us-west-1
function_name: ffmpeg-trimmer
handler: service.handler
description: Lambda function for creating camera clips by two NTP UTC timestamps.
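Review bot: `function_name: ffmpeg-trimmer` does not match the name the rest of this commit deploys to or reads logs from (`sl-cameras-service-generate-clip-${BUILD_ENVIRONMENT}` in deploy_lambda.sh, `/aws/lambda/clip-function` in the README's saw example, `/aws/lambda/ffmpeg-clip` in the saw script), so `make deploy` and the documented debugging commands point at different functions. Pick one name and use it everywhere, or state here that this file only drives local `lambda invoke`.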

@ -0,0 +1,66 @@
#!/usr/bin/env python2
#
# Create a clipId to be used in event.json
import requests
import subprocess
import json
import time
def put_request(url, data):
"""
Send the PUT request to create the id, returning
the clipId string.
"""
r = requests.post(url, json=data)
print('--------------------------------------------------------')
print('Request to {}'.format(url))
print('Data sent: {}'.format(data))
print('Status code: {}'.format(r.status_code))
if r.status_code == 200:
print(r.json())
return r.json()['clipId']
else:
return False
def create_timestamps():
"""
Create a timestamp to send in the PUT request.
"""
now = int(time.time()*1000)
sent_ts = str(now)
begin_ts = str(now - 600000)
end_ts = str(now - 600000 + 180000)
return sent_ts, begin_ts, end_ts
def create_data(cam_id, url, begin_ts, end_ts):
"""
Create the data that need to be sent to the
PUT request.
"""
data = {
"cameraId": cam_id,
"startTimestampInMs": begin_ts,
"endTimestampInMs": end_ts
}
return data
def main(url, cam_id):
sent_ts, begin_ts, end_ts = create_timestamps()
data = create_data(cam_id, url, begin_ts, end_ts)
clip_id = put_request(url, data)
print('clipId to be added to event.json: {}'.format(clip_id))
print('send ts, start, end: {0} {1} {2}'.format(
sent_ts, begin_ts, end_ts))
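Review bot: `main(url, cam_id)` is defined but never called, so running this script does nothing; add an `if __name__ == '__main__':` block that sets or parses `url` and `cam_id`. The docstrings of `put_request` and `create_data` say PUT while the code does `requests.post(url, json=data)`; make the wording match the verb actually used. `put_request` also issues the request with no `timeout` and returns `False` on any non-200 status, which `main` then prints as the clipId; raise or exit non-zero instead so a failed request cannot end up pasted into `event.json`. `import subprocess` is unused.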

@ -0,0 +1 @@
saw get /aws/lambda/ffmpeg-clip --start -24h --filter error
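Review bot: the log group here is `/aws/lambda/ffmpeg-clip`, while the README's debugging section uses `saw get /aws/lambda/clip-function -1h --filter error` and config.yaml names the function `ffmpeg-trimmer`; these should agree, and the README form omits the `--start` flag that this script uses for the time window.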

@ -0,0 +1,20 @@
{
"Records": [
{
"attributes": {
"ApproximateFirstReceiveTimestamp": "XXXXXXXXXXXXXXXXXXX",
"ApproximateReceiveCount": "1",
"SenderId": "XXXXXXXXXXXXXXXXXXX",
"SentTimestamp": "1543318636000"
},
"awsRegion": "us-west-1",
"body": "{'clipId': '5bc67ace8e9c352780437d2c','retryTimestamps': [],'cameraId': '582356e81ee905c72145623e','startTimestampInMs': '1543318156000','endTimestampInMs': '1543318636000'}",
"eventSource": "aws:sqs",
"eventSourceARN": "XXXXXXXXXXXXXXXXXXX",
"md5OfBody": "XXXXXXXXXXXXXXXXXXX",
"messageAttributes": {},
"messageId": "XXXXXXXXXXXXXXXXXXX",
"receiptHandle": "XXXXXXXXXXXXXXXXXXX"
}
]
}
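Review bot: `startTimestampInMs` and `endTimestampInMs` are quoted strings in this `body` (`'startTimestampInMs': '1543318156000'`), while the SQS fixture used by the tests later in this commit passes them as integers (`'startTimestampInMs': 1537119363000`); either the handler coerces both, or one of the two fixtures exercises a path that production messages never take. Settle on one type and document it in the README's message format.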

@ -0,0 +1,31 @@
boto3==1.4.4
botocore==1.5.62
certifi==2023.7.22
chardet==3.0.4
click==6.6
docutils==0.12
futures==3.2.0
idna==2.7
jmespath==0.9.0
pyaml==15.8.2
python-dateutil==2.5.3
python-dotenv==0.9.1
python-lambda==3.2.2
PyYAML==5.4
requests==2.31.0
s3transfer==0.1.13
six==1.10.0
urllib3==1.26.5
autopep8==1.4
appdirs==1.4.3
packaging==16.8
pep8==1.7.0
py==1.11.0
pyaml==15.8.2
pyparsing==2.2.0
pytest==3.0.7
virtualenv==15.0.3
jmespath==0.9.0
mock==2.0.0
requests-mock==1.5.2
coverage==4.5.1
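Review bot: `requests==2.31.0` and `certifi==2023.7.22` are Python 3-only releases (requests dropped Python 2.7 in 2.28), but Dockerfile.build installs this file with `python27-pip` and the scripts carry `#!/usr/bin/env python2`, so the package build cannot resolve. Either move the runtime to Python 3 or pin versions that still support 2.7, and note that `boto3==1.4.4`/`botocore==1.5.62` are far behind the bumped `urllib3==1.26.5`. `pyaml==15.8.2` and `jmespath==0.9.0` are each listed twice. Test and lint dependencies (`pytest`, `mock`, `requests-mock`, `coverage`, `autopep8`, `virtualenv`) go into the Lambda bundle through this same file; split them into a dev requirements file to keep the deployment package small.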

@ -0,0 +1,4 @@
packages
lib
app
Dockerfile.build

@ -0,0 +1,9 @@
FROM amazonlinux:1
WORKDIR /opt/app
ADD requirements.txt .
RUN \
yum install -y python27-pip && \
pip install --target=/opt/app -r requirements.txt
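Review bot: `FROM amazonlinux:1` is an end-of-life base image that receives no further security updates and is not pinned by digest, so the build pulls whatever the tag currently resolves to; pin by digest and move to a supported build image that matches the Lambda runtime in use. `ADD requirements.txt .` should be `COPY`, since no archive extraction or URL fetch is intended, and `yum install -y python27-pip` without a `yum clean all` leaves the package cache in the layer.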

@ -0,0 +1,46 @@
#!/usr/bin/env bash
# This script adds additional dependences that are need for the lambda function package.
set -x
PACKAGE_NAME=cameras-clip.zip
# If S3_BUCKET env var isn't set, default it
if [ -z "${S3_BUCKET}" ]; then
S3_BUCKET=s3-test
fi
# Set dist env and create initial zip file
ORIGIN=$pwd
rm -rf dist && mkdir dist
lambda build --local-package . && mv dist/*.zip dist/$PACKAGE_NAME
cd dist/
## Fetch & add binary for FFMPEG
aws s3 cp "s3://${S3_BUCKET}/ffmpeg/ffmpeg-release-64bit-static.tar.xz" . && tar xf ffmpeg-release-64bit-static.tar.xz
zip -j -r9 $PACKAGE_NAME ffmpeg-*-64bit-static/ffmpeg
zip -j -r9 $PACKAGE_NAME ffmpeg-*-64bit-static/ffprobe
# Add this App's source code
cp -r ../lib .
zip -r9 $PACKAGE_NAME lib
# Add dependencies from pip
mkdir packages
cp ../scripts/Dockerfile.build Dockerfile
cp ../scripts/.dockerignore .dockerignore
cp ../requirements.txt .
docker build --tag pillow-build .
CTNHASH="$(docker create pillow-build)"
docker cp "${CTNHASH}":/opt/app/ .
cp -rf app/* packages/
# Package everything
cd packages
zip -ur9 ../$PACKAGE_NAME *
cd ..
# Clean up
#rm -rf ffmpeg-release-64bit-static.tar.xz ffmpeg-*-64bit-static/ packages/ lib/
docker rm ${CTNHASH}
cd $ORIGIN
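Review bot: `ORIGIN=$pwd` expands the (unset) shell variable `pwd`, not the command, so `cd $ORIGIN` at the end changes to `$HOME`; use `ORIGIN=$(pwd)`, and run with `set -euo pipefail` rather than only `set -x`, because a failed `aws s3 cp` or `docker build` currently lets the zipping continue and produce a partial package. The ffmpeg/ffprobe static binaries are pulled from `s3://${S3_BUCKET}/ffmpeg/ffmpeg-release-64bit-static.tar.xz` and added to the bundle with no checksum or signature check; verify a recorded SHA-256 before the `zip -j` steps. `PACKAGE_NAME=cameras-clip.zip` also disagrees with `dist/cameras-service-generate-clip.zip` in the README and with `dist/sl-cameras-service-generate-clip.zip`, which deploy_lambda.sh uploads, so the deploy step will not find the artifact this script produces. The `# Clean up` line is commented out, leaving the extracted ffmpeg tree and `packages/` in `dist/`.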

@ -0,0 +1,177 @@
#!/usr/bin/env python2
#
# For integration tests, different SQS events are needed.
# This script generates events for alternate flows.
# Global variables are defined in main().
import time
import json
import argparse
import datetime
import calendar
import datetime
def time_to_epoch(timestamp, timestamp_format):
"""
Given a timestamp string in seconds, return
the epoch timestamp string, in milliseconds.
"""
date = time.strptime(str(timestamp), timestamp_format)
return str(calendar.timegm(date)) + '000'
def generate_delta_time(delta, timestamp_format, now, days):
"""
Given a clip duration delta, and how many days back
from today, return a begin and end timestamp for the event.
"""
end = now - datetime.timedelta(days=days, minutes=0)
begin = now - datetime.timedelta(days=days, minutes=delta)
return begin.strftime(timestamp_format), end.strftime(timestamp_format)
def get_current_local_time(timestamp):
"""
Return the current time in a datetime object, a
human-readable string, and an epoch time integer.
"""
now = datetime.datetime.now()
human_now = now.strftime(timestamp)
epoch_now = time_to_epoch(human_now, timestamp)
return now, human_now, epoch_now
def create_event(begin, end, event_file, cam_id, epoch_now):
"""
Create an event.json SQS message file for
tests with the new timestamps and save it to the
destination in event_file.
"""
data = {'Records': [
{
"md5OfBody": "XXXXXXXXXXXXXXXXXXX",
"receiptHandle": "XXXXXXXXXXXXXXXXXXX",
"body": ("{'clipId': '1111111111111111',"
"'retryTimestamps': [],"
"'cameraId': '" + str(cam_id) + "',"
"'startTimestampInMs': '" + str(begin) + "',"
"'endTimestampInMs': '" + str(end) + "'}"),
"eventSourceARN": "XXXXXXXXXXXXXXXXXXX",
"eventSource": "aws:sqs",
"awsRegion": "us-west-1",
"messageId": "XXXXXXXXXXXXXXXXXXX",
"attributes": {
"ApproximateFirstReceiveTimestamp": "XXXXXXXXXXXXXXXXXXX",
"SenderId": "XXXXXXXXXXXXXXXXXXX",
"ApproximateReceiveCount": "1",
"SentTimestamp": epoch_now
},
"messageAttributes": {}
}
]
}
with open(event_file, 'w') as f:
json.dump(data, f, separators=(',', ': '), sort_keys=True, indent=2)
return data['Records'][0]['body']
def main():
# Global variables.
EVENT_FILE = 'event.json'
TIMESTAMP_FORMAT = '%d-%m-%Y %H:%M:%S'
DAYS_BEFORE_PENDING = 0
DAYS_BEFORE_AVAILABLE = 0
DAYS_BEFORE_NOT_AVAILABLE = 2
DAYS_BEFORE_OUT_OF_RANGE = 8
# Camera IDs used for tests, they should be checked whether
# they are currently down or not. For instance:
CAM_DOWN = '1111111111111111'
CAM_UP = '1111111111111111'
# This should not be more than 5 minutes (or the rewind clip generator
# app won't accent the event).
SESSION_DURATION_OK = 3
SESSION_DURATION_CLIP_TO_LONG = 8
# Get the time of event to be generated.
parser = argparse.ArgumentParser(
description='Clip duration you are looking for (in mins):')
parser.add_argument('-a', '--clip_available',
action='store_true', help='Event for <15 min')
parser.add_argument('-p', '--clip_pending',
action='store_true', help='Event cam down <15 min')
parser.add_argument('-o', '--clip_out_of_range',
action='store_true', help='Event for >3 days')
parser.add_argument('-n', '--clip_not_available',
action='store_true', help='Event cam down >3 days')
parser.add_argument('-t', '--clip_too_long',
action='store_true', help='Clips > 5 min')
args = parser.parse_args()
# Define what type of event we want.
if args.clip_pending:
days_before = DAYS_BEFORE_PENDING
cam_id = CAM_DOWN
session_duration = SESSION_DURATION_OK
elif args.clip_out_of_range:
days_before = DAYS_BEFORE_OUT_OF_RANGE
cam_id = CAM_UP
session_duration = SESSION_DURATION_OK
elif args.clip_not_available:
days_before = DAYS_BEFORE_NOT_AVAILABLE
cam_id = CAM_DOWN
session_duration = SESSION_DURATION_OK
elif args.clip_too_long:
days_before = DAYS_BEFORE_AVAILABLE
cam_id = CAM_UP
session_duration = SESSION_DURATION_CLIP_TO_LONG
else:
# Defaults to CLIP_AVAILABLE event.
days_before = DAYS_BEFORE_AVAILABLE
cam_id = CAM_UP
session_duration = SESSION_DURATION_OK
# Get current time in human string and epoch int.
now, human_now, epoch_now = get_current_local_time(TIMESTAMP_FORMAT)
# Generates a random begin and end time within the last days.
begin, end = generate_delta_time(
session_duration, TIMESTAMP_FORMAT, now, days_before)
# Convert these times to epoch timestamp and human time.
end_epoch = time_to_epoch(end, TIMESTAMP_FORMAT)
begin_epoch = time_to_epoch(begin, TIMESTAMP_FORMAT)
if begin_epoch and end_epoch:
# Creates the JSON file for the event.
body = create_event(begin_epoch, end_epoch,
EVENT_FILE, cam_id, epoch_now)
print('-----------------------------------------------------')
print('Event test saved at {}'.format(EVENT_FILE))
print('Camera id is {}'.format(cam_id))
print('Timestamp for {0} days ago, delta time is {1} mins').format(
days_before, session_duration)
print('Begin: {0} -> End: {1}'.format(begin_epoch, end_epoch))
print('Begin: {0} -> End: {1}'.format(begin, end))
print('Time: {}'.format(human_now))
print('Body: ')
print(body)
print('-----------------------------------------------------')
else:
print('Could not create timestamps for {}'.format(duration))
if __name__ == '__main__':
main()
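Review bot: `get_current_local_time` builds timestamps from `datetime.datetime.now()` (local time) but `time_to_epoch` converts them with `calendar.timegm`, which treats the struct as UTC, so the generated `startTimestampInMs`/`endTimestampInMs` are shifted by the host's UTC offset on any machine not running in UTC; use `datetime.datetime.utcnow()` (or `time.mktime` consistently) since the service works in NTP UTC timestamps. In the final `else` branch, `duration` is undefined and raises `NameError`. `print('Timestamp for {0} days ago, delta time is {1} mins').format(...)` only works as a Python 2 print statement; move `.format(...)` inside the parentheses like the surrounding lines. `import datetime` appears twice, and `CAM_DOWN` and `CAM_UP` hold the same placeholder, so the `-p` and `-n` flows are indistinguishable from `-a` until real IDs are filled in.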

@ -0,0 +1,58 @@
#!/bin/bash -ex
# Script that deploy this app to the AWS lambda function, similarly to Jenkins.
USAGE=$(cat <<-END
Usage:
deploy_lambda.sh <environment>
Examples:
deploy_lambda.sh staging
END
)
if [[ "$1" = "-h" ]]; then
echo "${USAGE}"
exit
fi
if [[ -n "$1" ]]; then
SERVER_GROUP=$1
else
echo '[ERROR] You must specify the env: production, sandbox, staging'
echo
echo "${USAGE}"
exit 1
fi
BUILD_ENVIRONMENT=$1
APP_NAME=cameras-service-generate-clip
export AWS_DEFAULT_REGION="us-west-1"
export AWS_REGION="us-west-1"
if [[ "${BUILD_ENVIRONMENT}" == "sandbox" ]]; then
S3_BUCKET=sl-artifacts-dev
else
S3_BUCKET="sl-artifacts-${BUILD_ENVIRONMENT}"
fi
S3_PREFIX="lambda-functions/${APP_NAME}"
S3_BUNDLE_KEY="sl-${APP_NAME}.zip"
S3_TAGGED_BUNDLE_KEY="sl-${APP_NAME}-${BUILD_TAG}.zip"
make clean
make install
make lint
make build
aws \
s3 cp "dist/${S3_BUNDLE_KEY}" "s3://${S3_BUCKET}/${S3_PREFIX}/${S3_BUNDLE_KEY}"
aws \
s3 cp "s3://${S3_BUCKET}/${S3_PREFIX}/${S3_BUNDLE_KEY}" "s3://${S3_BUCKET}/${S3_PREFIX}/${S3_TAGGED_BUNDLE_KEY}"
aws \
lambda update-function-code \
--function-name "sl-${APP_NAME}-${BUILD_ENVIRONMENT}" \
--s3-bucket "${S3_BUCKET}" \
--s3-key "${S3_PREFIX}/${S3_TAGGED_BUNDLE_KEY}"
echo "build description:${APP_NAME}|${BUILD_ENVIRONMENT}|${BUILD_TAG}|"
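Review bot: `BUILD_TAG` is never set or checked, so outside Jenkins `S3_TAGGED_BUNDLE_KEY` becomes `sl-cameras-service-generate-clip-.zip` and the `-e` in the shebang does not catch it; add `set -u` (or `: "${BUILD_TAG:?}"`) alongside the existing `-ex`. `SERVER_GROUP=$1` is assigned and never used, and `BUILD_ENVIRONMENT=$1` duplicates it. The error text lists `production, sandbox, staging` but nothing rejects other values, so a typo uploads to `sl-artifacts-<typo>` and calls `update-function-code` on a non-existent function; validate against the three names. `dist/${S3_BUNDLE_KEY}` expects `make build` to have produced `sl-cameras-service-generate-clip.zip`, whereas the build script in this commit writes `cameras-clip.zip`.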

@ -0,0 +1,3 @@
#!/usr/bin/env bash
curl -i URL?startDate=$(date -v '-1H' +%s)000&endDate=$(date +%s)000
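Review bot: the URL is unquoted, so the shell reads `&` as the background operator: `curl -i URL?startDate=$(date -v '-1H' +%s)000` runs in the background and `endDate=$(date +%s)000` is executed as a plain variable assignment that never reaches curl. Wrap the whole URL in double quotes. `date -v '-1H'` is BSD/macOS syntax and is rejected by GNU date (`date -d '1 hour ago' +%s`), and `URL` is a placeholder that should become the recordings endpoint or an environment variable such as the README's `RECORDINGS_URL`.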

@ -0,0 +1,17 @@
# -*- coding: utf-8 -*-
"""
Service handler module for AWS Lambda function. 'HANDLERS' constant dict is
used to map route requests to correct handler.
"""
import logging
from lib.config import LOG_LEVEL
from lib.routes import root
if LOG_LEVEL in ('CRITICAL', 'ERROR', 'WARNING', 'INFO', 'DEBUG', 'NOTSET'):
level = logging.getLevelName(LOG_LEVEL)
else:
level = logging.INFO
logging.basicConfig(level=level)
handler = root.handler
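Review bot: `logging.basicConfig(level=level)` has no effect in the Lambda Python runtime, because the runtime attaches a handler to the root logger before this module is imported and `basicConfig` returns without changes once a handler exists; set the level explicitly with `logging.getLogger().setLevel(level)`. The whitelist check on `LOG_LEVEL` above it is a good guard against arbitrary strings reaching `getLevelName` and should stay.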

@ -0,0 +1,7 @@
from distutils.core import setup
setup(
name='rewind_clip_generator',
version='1.0',
packages=['lib', 'lib.routes', 'lib.handlers'],
)

@ -0,0 +1 @@
# -*- coding: utf-8 -*-

@ -0,0 +1,19 @@
{
"clipId": "11111111111",
"cameraId": "11111111111",
"startTimestampInMs": 1534305591000,
"endTimestampInMs": 1534305611000,
"status": "CLIP_AVAILABLE",
"bucket": "sl-cam-clip-archive-prod",
"clip": {
"url": "https://test.mp4",
"key": "/583499c4e411dc743a5d5296/11111111111.mp4"
},
"thumbnail": {
"url": "https://test_{size}.png",
"key": "/11111111111/1111111111_{size}.png",
"sizes": [300, 640, 1500, 3000]
}
}
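Review bot: `"bucket": "sl-cam-clip-archive-prod"` puts what reads as a production bucket name into a test fixture, while the README's SNS example uses `s3-test`; fixtures should carry the neutral placeholder so test data cannot be mistaken for, or copied into, production configuration. The thumbnail `key` also drops a digit (`1111111111_{size}.png` against `clipId` `11111111111`), so the contract sample does not match its own identifier.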

@ -0,0 +1,24 @@
{
"Records": [
{
"body": "{'clipId': '507f191e810c19729de860ea', 'retryTimestamps': [], 'cameraId': '583499c4e411dc743a5d5296', 'startTimestampInMs': 1537119363000, 'endTimestampInMs': 1537119423000}",
"receiptHandle": "MessageReceiptHandle",
"md5OfBody": "7b270e59b47ff90a553787216d55d91d",
"eventSourceARN": "arn:aws:sqs:us-west-1:123456789012:MyQueue",
"eventSource": "aws:sqs",
"awsRegion": "us-west-1",
"messageId": "19dd0b57-b21e-4ac1-bd88-01bbb068cb78",
"attributes": {
"ApproximateFirstReceiveTimestamp": "1523232000001",
"SenderId": "123456789012",
"ApproximateReceiveCount": "1",
"SentTimestamp": "1523232000000"
},
"messageAttributes": {
"SentTimestamp": "1523232000000"
}
}
]
}
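Review bot: `md5OfBody` is `7b270e59b47ff90a553787216d55d91d`, the digest from the AWS sample SQS event whose body is `Hello from SQS!`, while the `body` here has been replaced; anything that verifies the digest will reject this record, and readers will assume the value is meaningful. Recompute it for the new body or use an obvious placeholder as the other event fixture in this commit does. `messageAttributes` also contains a bare `"SentTimestamp": "1523232000000"`, whereas real message attributes are objects with `stringValue`/`dataType` fields and `SentTimestamp` already lives under `attributes`; drop it to keep the fixture shaped like an actual record.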

@ -0,0 +1,10 @@
[
{
"startDate":"2018-08-25T19:20:16.000Z",
"endDate":"2018-08-25T19:30:16.000Z",
"thumbLargeUrl":"https://test_full.jpg",
"recordingUrl":"https://test.mp4",
"thumbSmallUrl":"https://test_small.jpg",
"alias":"test"
}
]

@ -0,0 +1,32 @@
# -*- coding: utf-8 -*-
""" Test Root service handler module for AWS Lambda function. """
import os
import json
import pytest
from lib.routes import root
fixtures_path = os.path.join(os.path.dirname(__file__), '..', 'fixtures')
@pytest.fixture
def sns_event_record():
sns_event_record_path = os.path.join(fixtures_path, 'SNS_contract.json')
with open(sns_event_record_path, 'r') as sns_event_record_json:
return json.load(sns_event_record_json)
@pytest.fixture
def context():
return {}
class TestHandler():
def test_type_error_for_bad_params(self, context):
try:
root.handler('', context)
except TypeError as e:
pass
else:
self.fail('ExpectedException not raised')
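Review bot: `TestHandler` is a plain class rather than a `unittest.TestCase`, so `self.fail(...)` in the `else` branch raises `AttributeError` instead of failing the test with the intended message; replace the try/except/else with `with pytest.raises(TypeError): root.handler('', context)`. The `sns_event_record` fixture is defined but no test requests it, and `fixtures_path` is built from `'..', 'fixtures'` here but from `'fixtures'` in the utils test, so one of the two points at the wrong directory.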

@ -0,0 +1,32 @@
# -*- coding: utf-8 -*-
""" AWS Wrapper Test Module """
import unittest
import mock
import lib.aws_wrapper
class TestAwsWrapper(unittest.TestCase):
def setUp(self):
self.filename = 'filename_test'
self.destination = 'destination_test'
self.clip_metadata = {'test': 'test'}
self.aw = lib.aws_wrapper.AwsWrapper()
@mock.patch('lib.aws_wrapper.boto3')
def test_download_clip_boto(self, boto3):
self.aw.download_video(self.filename, self.destination)
boto3.resource.assert_called_with('s3')
@mock.patch('lib.aws_wrapper.boto3')
def test_upload_clip_boto(self, boto3):
self.aw.upload_asset(self.filename, self.destination)
boto3.client.assert_called_with('s3')
@mock.patch('lib.aws_wrapper.boto3')
def test_send_sns_msg_boto(self, boto3):
aw = lib.aws_wrapper.AwsWrapper()
aw.send_sns_msg(self.clip_metadata)
boto3.client.assert_called_with('sns')
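Review bot: the three tests only assert that `boto3.resource`/`boto3.client` was called with `'s3'` or `'sns'`, not that the wrapper moved `self.filename` to `self.destination` or published `self.clip_metadata` to the configured topic, so a wrong bucket, key or topic ARN would still pass; assert on the methods and arguments invoked on the mocked client/resource return values. `test_send_sns_msg_boto` also builds a fresh `AwsWrapper()` instead of using `self.aw` from `setUp`.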

@ -0,0 +1,52 @@
# -*- coding: utf-8 -*-
""" Cam Wrapper Test Module """
import mock
import unittest
import pytest
import lib.cam_wrapper
import lib.utils
class TestCamWrapper(unittest.TestCase):
def setUp(self):
self.session_start_ms = '1535223360000'
self.session_end_ms = '1535224400000'
self.cameraId = '1111111111111111'
self.clipId = '1111111111111111'
self.metadata_test_clip_key = '/{0}/{1}.mp4'.format(
self.cameraId, self.clipId)
self.metadata_test_tb_key = '/{0}/{1}'.format(
self.cameraId, self.clipId) + '_{size}.jpg'
self.cw = lib.cam_wrapper.CamWrapper(
self.session_start_ms, self.session_end_ms,
self.cameraId, self.clipId)
@mock.patch('lib.utils.get_request')
def test_get_alias(self, mocked_method):
self.cw .get_alias()
self.assertTrue(mocked_method.called)
def test_metadata(self):
self.assertEqual(
self.cw .metadata['clip']['key'], self.metadata_test_clip_key)
self.assertEqual(
self.cw .metadata['thumbnail']['key'], self.metadata_test_tb_key)
@mock.patch('lib.utils.get_request')
def test_get_clip_names(self, mocked_method):
alias = self.cw .get_clip_names()
self.assertTrue(mocked_method.called)
@mock.patch('lib.utils.put_request')
def test_put_clip_metadata(self, mocked_method):
alias = self.cw .put_clip_metadata()
self.assertTrue(mocked_method.called)
def test_update_clip_status(self):
test_status = 'test'
self.cw.update_clip_status(test_status)
self.assertEqual(self.cw.metadata['status'], test_status)
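Review bot: `self.cw .get_alias()`, `self.cw .metadata[...]`, `self.cw .get_clip_names()` and `self.cw .put_clip_metadata()` have a stray space before the dot, which `make lint` will flag; `alias` is assigned in two tests and never checked, and `import pytest` is unused. `test_get_clip_names` and `test_put_clip_metadata` only assert `mocked_method.called`; asserting the URL and payload handed to `lib.utils.get_request`/`lib.utils.put_request` would actually pin the contract with the camera API endpoints the README describes.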

@ -0,0 +1,30 @@
# -*- coding: utf-8 -*-
""" Ffmpeg Wrapper Test Module """
import lib.ffmpeg_wrapper
import unittest
class TestFfmpegWrapper(unittest.TestCase):
def setUp(self):
self.epoch_video = 1.535884819e+12
self.crop_start = '03:39.000'
self.crop_end = '13:01.000'
self.session_start_ms = '1535884600000'
self.session_end_ms = '1535885600000'
self.alias = 'test'
self.clipId = '1111111111111111'
self.clips = []
self.fw = lib.ffmpeg_wrapper.FfmpegWrapper(
self.alias, self.clips,
self.session_start_ms,
self.session_end_ms,
self.clipId)
def test_calculate_crop_time(self):
crop_start, crop_end = self.fw.calculate_trim_time(self.epoch_video)
print crop_start, crop_end, self.crop_end, self.crop_start
self.assertEqual(crop_end, self.crop_end)
self.assertEqual(crop_start, self.crop_start)
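Review bot: `print crop_start, crop_end, self.crop_end, self.crop_start` is a Python 2 print statement, a `SyntaxError` under Python 3 and leftover debugging output in a test; remove it. `self.epoch_video = 1.535884819e+12` passes a float where the rest of the suite uses millisecond integers or strings, so `calculate_trim_time` is not exercised with the type the handler derives from clip names; use `1535884819000`.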

@ -0,0 +1,80 @@
# -*- coding: utf-8 -*-
""" Utils Test Module """
import os
import json
import pytest
import unittest
import mock
import requests
import requests_mock
import lib.utils
fixtures_path = os.path.join(os.path.dirname(__file__), 'fixtures')
@pytest.fixture
def get_fixture(fixture_json):
get_sqs_event = os.path.join(fixtures_path, fixture_json)
with open(get_sqs_event, 'r') as f:
return json.load(f)
class TestClipGeneratorTrigger(unittest.TestCase):
def setUp(self):
self.domain = 'http://test.com'
self.endpoint = 'filetest.mp4'
self.file_url = 'http://test.com/filetest.mp4'
self.clipname = 'camtest.20180815T140019.mp4'
self.epoch_in_ms = 1535224400000
self.timestamp = '20180825T191320'
self.timestamp_format = '%Y%m%dT%H%M%S'
self.msecs = 1807
self.resp = {'test1': 'test2'}
def test_url_join(self):
self.assertEqual('http://test.com/filetest.mp4',
lib.utils.url_join(self.domain,
self.endpoint), msg=None)
def test_get_request(self):
with requests_mock.Mocker() as m:
m.get(self.file_url, json=self.resp)
self.assertTrue(lib.utils.get_request(self.domain, self.endpoint))
def test_get_basename_str(self):
self.assertEqual('filetest.mp4', lib.utils.get_basename_str(
self.file_url), msg=None)
def test_get_timestamp_str(self):
self.assertEqual('20180815T140019000',
lib.utils.get_timestamp_str(self.clipname), msg=None)
def test_get_location_str(self):
self.assertEqual('hbpiernscam', lib.utils.get_location_str(
self.clipname), msg=None)
def test_timestamp_to_epoch(self):
self.assertEqual(self.epoch_in_ms, lib.utils.timestamp_to_epoch(
self.timestamp, self.timestamp_format), msg=None)
def test_epoch_to_timestamp(self):
self.assertEqual(self.timestamp, lib.utils.epoch_to_timestamp(
self.epoch_in_ms, self.timestamp_format), msg=None)
def test_humanize_delta_time(self):
self.assertEqual(
'00:01.807', lib.utils.humanize_delta_time(self.msecs), msg=None)
@mock.patch('lib.utils.os.remove')
def test_remove_file(self, mocked_remove):
lib.utils.remove_file(self.clipname)
self.assertTrue(mocked_remove.called)
@mock.patch('lib.utils.subprocess.check_output')
def test_run_subprocess(self, mocked_subprocess):
lib.utils.run_subprocess(['ls'], 'ok', 'err')
self.assertTrue(mocked_subprocess.called)
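Review bot: `test_get_location_str` expects `'hbpiernscam'` from `self.clipname = 'camtest.20180815T140019.mp4'`, which contains no such substring, so the assertion cannot pass as written; the expected value looks like a leftover from a real camera name and should be `'camtest'` or the input changed to match. The `get_fixture` fixture takes a `fixture_json` parameter that pytest would try to resolve as another fixture, and nothing requests it; turn it into a plain helper or delete it. `test_get_request` mocks `GET` on `self.file_url` but only asserts truthiness of the result rather than comparing it with `self.resp`.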

code/chef/README.md Executable file
@ -0,0 +1,23 @@
# resources on chef
<br>
## Suricata Chef Cookbook
This cookbook installs and configures Suricata.
## Usage
### suricata::default
* include `suricata` in your node's `run_list`:
```json
{
"name":"my_node",
"run_list": [
"recipe[suricata]"
]
}
```
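Review bot: the usage section says only to add `recipe[suricata]` to the `run_list`, but both recipes in this commit raise at compile time unless `node['suricata']['interface']` (default.rb) and `node['suricata']['rules']` (centos.rb) are set, and centos.rb additionally searches for nodes with role `CorpMacDNS`; document those required attributes and the search dependency here, since a node converged as described will fail.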

@ -0,0 +1 @@
default['suricata']['version'] = '3.1'
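Review bot: `default['suricata']['version'] = '3.1'` is the only attribute in this file and neither recipe reads it: centos.rb installs `yum_package 'suricata'` with no `version` property, so the installed build is whatever the repository currently serves. Either pass it through (`version node['suricata']['version']`) or drop the attribute; metadata.rb describes this cookbook as the "update to 3.1", a release from 2016, so an explicit, current pin is the safer choice.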

@ -0,0 +1,68 @@
# $Id$
# classification.config taken from Snort 2.8.5.3. Snort is governed by the GPLv2
#
# The following includes information for prioritizing rules
#
# Each classification includes a shortname, a description, and a default
# priority for that classification.
#
# This allows alerts to be classified and prioritized. You can specify
# what priority each classification has. Any rule can override the default
# priority for that rule.
#
# Here are a few example rules:
#
# alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow";
# dsize: > 128; classtype:attempted-admin; priority:10;
#
# alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \
# content:"expn root"; nocase; classtype:attempted-recon;)
#
# The first rule will set its type to "attempted-admin" and override
# the default priority for that type to 10.
#
# The second rule set its type to "attempted-recon" and set its
# priority to the default for that type.
#
#
# config classification:shortname,short description,priority
#
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
# NEW CLASSIFICATIONS
config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable code was detected,1
config classification: string-detect,A suspicious string was detected,3
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
config classification: system-call-detect,A system call was detected,2
config classification: tcp-connection,A TCP connection was detected,4
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: unusual-client-port-connection,A client was using an unusual port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,access to a potentially vulnerable web application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: kickass-porn,SCORE! Get the lotion!,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: default-login-attempt,Attempt to login by a default username and password,2

@ -0,0 +1,25 @@
# config reference: system URL
config reference: bugtraq http://www.securityfocus.com/bid/
config reference: bid http://www.securityfocus.com/bid/
config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=
config reference: cve http://cvedetails.com/cve/
config reference: secunia http://www.secunia.com/advisories/
config reference: arachNIDS http://www.whitehats.com/info/IDS
config reference: McAfee http://vil.nai.com/vil/content/v_
config reference: nessus http://cgi.nessus.org/plugins/dump.php3?id=
config reference: url http://
config reference: et http://doc.emergingthreats.net/
config reference: etpro http://doc.emergingthreatspro.com/
config reference: telus http://
config reference: osvdb http://osvdb.org/show/osvdb/
config reference: threatexpert http://www.threatexpert.com/report.aspx?md5=
config reference: md5 http://www.threatexpert.com/report.aspx?md5=
config reference: exploitdb http://www.exploit-db.com/exploits/
config reference: openpacket https://www.openpacket.org/capture/grab/
config reference: securitytracker http://securitytracker.com/id?
config reference: secunia http://secunia.com/advisories/
config reference: xforce http://xforce.iss.net/xforce/xfdb/
config reference: msft http://technet.microsoft.com/security/bulletin/
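Review bot: `cve` is defined twice (`http://cve.mitre.org/cgi-bin/cvename.cgi?name=` and `http://cvedetails.com/cve/`) and so is `secunia` (`http://www.secunia.com/advisories/` and `http://secunia.com/advisories/`); only one URL prefix can apply per reference system, so one entry of each pair is dead configuration and rules tagged `reference:cve` link to whichever wins. Keep a single entry each, preferably the MITRE URL for CVE, and prefer `https://` prefixes where the target supports it.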

@ -0,0 +1,33 @@
/var/log/suricata/*.log
{
weekly
missingok
create
sharedscripts
postrotate
/bin/kill -HUP $(cat /var/run/suricata.pid)
endscript
delaycompress
copytruncate
compresscmd /usr/bin/pigz
compress
dateext
notifempty
}
/var/log/suricata/eve.json
{
weekly
missingok
create
sharedscripts
postrotate
/bin/kill -HUP $(cat /var/run/suricata.pid)
endscript
rotate 32
delaycompress
compresscmd /usr/bin/pigz
compress
dateext
notifempty
}
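Review bot: the first stanza for `/var/log/suricata/*.log` has no `rotate` directive, and logrotate's default is `rotate 0`, which deletes the old log instead of keeping it; add `rotate N` as the `eve.json` stanza does (`rotate 32`). The same stanza combines `copytruncate` with `create` and a `postrotate` `kill -HUP`: `copytruncate` truncates the live file in place, so `create` is ignored and the HUP reopen is redundant, while lines written between the copy and the truncate are lost; use one strategy (create plus HUP, matching the second stanza) for both. `$(cat /var/run/suricata.pid)` is also unguarded, so a missing pid file turns the command into `kill -HUP` with no target.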

@ -0,0 +1,32 @@
# Thresholding:
#
# This feature is used to reduce the number of logged alerts for noisy rules.
# Thresholding commands limit the number of times a particular event is logged
# during a specified time interval.
#
# The syntax is the following:
#
# threshold gen_id <gen_id>, sig_id <sig_id>, type <limit|threshold|both>, track <by_src|by_dst>, count <n>, seconds <t>
#
# event_filter gen_id <gen_id>, sig_id <sig_id>, type <limit|threshold|both>, track <by_src|by_dst>, count <n>, seconds <t>
#
# suppress gen_id <gid>, sig_id <sid>
# suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst>, ip <ip|subnet>
#
# The options are documented at https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Global-Thresholds
#
# Please note that thresholding can also be set inside a signature. The interaction between rule based thresholds
# and global thresholds is documented here:
# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Global-Thresholds#Global-thresholds-vs-rule-thresholds
# Limit to 10 alerts every 10 seconds for each source host
#threshold gen_id 0, sig_id 0, type threshold, track by_src, count 10, seconds 10
# Limit to 1 alert every 10 seconds for signature with sid 2404000
#threshold gen_id 1, sig_id 2404000, type threshold, track by_dst, count 1, seconds 10
# Avoid to alert on f-secure update
# Example taken from http://blog.inliniac.net/2012/03/07/f-secure-av-updates-and-suricata-ips/
#suppress gen_id 1, sig_id 2009557, track by_src, ip 217.110.97.128/25
#suppress gen_id 1, sig_id 2012086, track by_src, ip 217.110.97.128/25
#suppress gen_id 1, sig_id 2003614, track by_src, ip 217.110.97.128/25

6
code/chef/metadata.rb Executable file
View file

@ -0,0 +1,6 @@
name 'suricata'
maintainer 'bt3'
license 'All rights reserved'
description 'Major suricata update to 3.1'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version '0.3.52'
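Review bot: `description 'Major suricata update to 3.1'` is a changelog entry rather than a description of what the cookbook does, and `license 'All rights reserved'` sits in a repository presented as learning material; set a real description and an explicit license. The metadata declares no `supports` platform although the recipes are CentOS-specific (`yum_package`, `/etc/init.d`, `platform_version` checks), and `maintainer 'bt3'` has no `maintainer_email`.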

138
code/chef/recipes/centos.rb Executable file
View file

@ -0,0 +1,138 @@
# Cookbook Name:: suricata
# Recipe:: centos
#
# Variable Definitions
suropts = node[:suricata]
suricata_interface = suropts[:interface]
# Do we have multiple interfaces to listen on?
if suricata_interface.is_a? String
suricata_interface = [ suricata_interface ]
end
raise 'No suricata rules defined for this host' if suropts[:rules].nil?
rules = suropts[:rules]
# Setup
yum_package 'libcap-ng'
yum_package 'libhtp'
%w[ libmnl libnetfilter_queue ].each do |pkg|
yum_package pkg
end
# Install Suricata
yum_package 'suricata' do
notifies :restart, 'service[suricata]', :delayed
end
group 'suricata' do
gid 683
action :create
end
user 'suricata' do
comment 'suricata IDS user'
gid 683
shell '/sbin/nologin'
system true
action :create
end
if node[:platform_version][0] == '6'
template '/etc/init.d/suricata' do
mode 0555
owner 'root'
group 'root'
source 'suricata.init.erb'
variables({:interface => suricata_interface})
end
else
template '/etc/systemd/system/suricata.service' do
mode 0444
owner 'root'
group 'root'
source 'suricata.service.erb'
variables({:interface => suricata_interface})
end
end
cookbook_file '/etc/logrotate.d/suricata' do
source 'suricata_logrotate'
owner 'root'
group 'root'
mode 0644
end
# Set Rules Up
directory '/etc/suricata/rules' do
action :create
end
# Need to create these rules when time comes.
#template '/etc/suricata/rules/local.rules' do
# mode 0644
# owner 'root'
# group 'wheel'
# source 'centos/local.rules.erb'
#end
# Set and configurate Suricata for centos
magic_file = '/usr/share/file/magic'
service_name = 'suricata'
corpmacs = search(:node, 'roles:CorpMacDNS').map { |node| node['ipaddress'] }.sort!
template '/etc/suricata/suricata.yaml' do
mode 0644
source 'suricata.yaml.erb'
variables({:pcapinterface => suricata_interface,
:rules => rules,
:magic_file => magic_file,
:corpmacs => corpmacs})
notifies :restart, "service[#{service_name}]", :delayed
end
%w[ classification.config reference.config threshold.config ].each do |configfile|
cookbook_file "/etc/suricata/#{configfile}" do
source configfile
mode 0644
owner 'root'
end
end
# Setup logging
directory '/var/log/suricata/' do
owner 'root'
group 'suricata'
mode 0775
action :create
end
logfile_group = 'suricata'
if system('getent group splunk')
logfile_group = 'splunk'
end
%w[ fast.log outputs.log suricata.log tls.log eve.json ].each do |logfile|
file "/var/log/suricata/#{logfile}" do
mode 0640
owner 'suricata'
group logfile_group
end
end
# Start Suricata
service 'suricata' do
supports :status => true, :restart => true, :reload => true
action [ :enable, :start ]
end
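Review bot: the `corpmacs` line `search(:node, 'roles:CorpMacDNS').map { |node| node['ipaddress'] }.sort!` raises `ArgumentError` (comparison of NilClass with String) as soon as one node carrying that role has no `ipaddress` attribute saved yet, which aborts the whole converge of every CentOS sensor; add `.compact` before `.sort!`, and rename the block parameter so it does not shadow the recipe's `node`. Two smaller points: `node[:platform_version][0] == '6'` compares only the first character of the version string, so `node[:platform_version].to_i == 6` is the more robust check, and because the `local.rules` template is left commented out, any entry in `suropts[:rules]` that names `local.rules` will produce a missing-file error in the Suricata log at startup.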

25
code/chef/recipes/default.rb Executable file

@ -0,0 +1,25 @@
#
# Cookbook Name:: suricata
# Recipe:: default
#
suropts = node[:suricata]
raise 'No suricata interface defined for this host' if suropts[:interface].nil?
suricata_interface = suropts[:interface]
# Do we have multiple interfaces to listen on?
if suricata_interface.is_a? String
suricata_interface = [ suricata_interface ]
end
# The list of rules to populate the yaml config with.
raise 'No suricata rules defined for this host' if suropts[:rules].nil?
rules = suropts[:rules]
case node[:platform]
when 'centos'
include_recipe 'suricata::centos'
else
include_recipe 'suricata::corpmac'
end
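Review bot: `include_recipe 'suricata::corpmac'` does not match the recipe this commit adds, which lives at `code/chef/recipes/mac.rb` (its own header reads `Recipe:: corpmac.rb`), so on any non-CentOS platform chef-client fails with a recipe-not-found error; either rename the file to `corpmac.rb` or change the include to `suricata::mac`. The `else` branch also routes every platform that is not `centos`, other Linux distributions included, into the macOS recipe; a `when 'mac_os_x'` case with a `raise` for unsupported platforms is safer. The `suricata_interface` and `rules` locals computed here are never used, since each platform recipe re-derives them from `node[:suricata]`, so the `raise` checks can stay and the assignments can go.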

172
code/chef/recipes/mac.rb Executable file

@ -0,0 +1,172 @@
# Cookbook Name:: suricata
# Recipe:: corpmac.rb
#
# Variable Definitions
suropts = node[:suricata]
raise 'No suricata interface defined for this host' if suropts[:interface].nil?
suricata_interface = suropts[:interface]
if suricata_interface.is_a? String
suricata_interface = [ suricata_interface ]
end
raise 'No suricata rules defined for this host' if suropts[:rules].nil?
rules = suropts[:rules]
# Setup
group 'suricata' do
gid 683
action :create
end
user 'suricata' do
comment 'suricata IDS user'
gid 683
shell '/sbin/nologin'
system true
action :create
end
# Install Suricata
package "libmagic" do
action :install
provider Chef::Provider::Package::Homebrew
end
homebrew_package "suricata" do
homebrew_user 'user'
action :install
end
directory '/etc/suricata/' do
action :create
end
# Set Rules Up
directory '/etc/suricata/rules' do
action :create
end
template '/etc/suricata/rules/local.rules' do
mode 0644
owner 'root'
group 'wheel'
source 'mac_os_x/local.rules.erb'
end
template '/etc/suricata/rules/shellcode.rules' do
mode 0644
owner 'root'
group 'wheel'
source 'mac_os_x/shellcode.rules.erb'
end
template '/etc/suricata/rules/osxmalware.rules' do
mode 0644
owner 'root'
group 'wheel'
source 'mac_os_x/osxmalware.rules.erb'
end
template '/etc/suricata/rules/nmap.rules' do
mode 0644
owner 'root'
group 'wheel'
source 'mac_os_x/nmap.rules.erb'
end
template '/etc/suricata/rules/mobilemalware.rules' do
mode 0644
owner 'root'
group 'wheel'
source 'mac_os_x/mobilemalware.rules.erb'
end
template '/etc/suricata/rules/emerging-exploit.rules' do
mode 0644
owner 'root'
group 'wheel'
source 'mac_os_x/emerging-exploit.rules.erb'
end
template '/etc/suricata/rules/emerging-shellcode.rules' do
mode 0644
owner 'root'
group 'wheel'
source 'mac_os_x/emerging-shellcode.rules.erb'
end
template '/etc/suricata/rules/dshield.rules' do
mode 0644
owner 'root'
group 'wheel'
source 'mac_os_x/dshield.rules.erb'
end
template '/etc/suricata/rules/compromised.rules' do
mode 0644
owner 'root'
group 'wheel'
source 'mac_os_x/compromised.rules.erb'
end
template '/etc/suricata/rules/tor.rules' do
mode 0644
owner 'root'
group 'wheel'
source 'mac_os_x/tor.rules.erb'
end
magic_file = '/usr/local/share/misc/magic.mgc'
include_recipe "logrotate::suricata_os_x"
service_name = 'com.host.suricata'
corpmacs = search(:node, 'roles:CorpMacDNS').map { |node| node['ipaddress'] }.sort!
template '/etc/suricata/suricata.yaml' do
mode 0644
source 'suricata.yaml.erb'
variables({:pcapinterface => suricata_interface,
:rules => rules,
:magic_file => magic_file,
:corpmacs => corpmacs})
notifies :restart, "service[#{service_name}]", :delayed
end
%w[ classification.config reference.config threshold.config ].each do |configfile|
cookbook_file "/etc/suricata/#{configfile}" do
source configfile
mode 0644
owner 'root'
end
end
# Setup logging
directory '/var/log/suricata/' do
owner 'root'
group 'suricata'
mode 0775
action :create
end
logfile_group = 'suricata'
if system('getent group splunk')
logfile_group = 'splunk'
end
# Start Suricata
service 'com.host.suricata' do
action [ :start ]
restart_command "kill -USR2 `cat /var/run/suricata.pid`"
end
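Review bot: the `restart_command` that sends `kill -USR2` to the pid in /var/run/suricata.pid does not restart Suricata: SIGUSR2 triggers a live ruleset reload, so the `notifies :restart, "service[#{service_name}]"` from the suricata.yaml template re-reads the rule files but leaves changes to the YAML itself (interfaces, outputs, `magic_file`) unapplied until the launchd job is actually stopped and started; let the launchd provider perform the restart, or attach the USR2 reload only to the rule-file templates. Also `homebrew_user 'user'` hard-codes a placeholder account; `logfile_group` is computed but never used in this recipe (and `getent` does not exist on macOS, so the splunk branch can never fire); and the nine identical `template '/etc/suricata/rules/...'` blocks could be generated from a single `%w[...]` list.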


@ -0,0 +1,86 @@
#
# $Id: emerging-compromised.rules
# Rules to block known hostile or compromised hosts. These lists are updated daily or better from many sources
#
#Sources include:
#
# Daniel Gerzo's BruteForceBlocker
# http://danger.rulez.sk/projects/bruteforceblocker/
#
# The OpenBL
# http://www.openbl.org/ (formerly sshbl.org)
#
# And the Emerging Threats Sandnet and SidReporter Projects
#
# More information available at www.emergingthreats.net
#
# Please submit any feedback or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
# VERSION 4467
# Generated 2017-09-22 00:30:02 EDT
alert ip [93.174.93.10,93.174.93.71,93.174.94.253,93.190.140.112,93.212.109.60,93.42.185.41,94.102.51.26,94.177.207.42,94.177.217.169,94.177.218.163,94.177.244.134,94.200.147.213,94.231.4.132,94.231.82.19,94.23.210.41,94.23.59.133,94.74.81.29,95.110.224.97,95.169.50.213,95.179.32.4,95.213.202.178,95.215.62.242,95.240.135.79,95.85.25.122,96.22.196.161,96.231.43.95,96.239.59.131,96.33.76.87,98.110.245.232,98.160.239.31] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 39"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500076; rev:4467;)
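Review bot: the visible tail of this hunk (groups 33 through 39, sids 2500064 to 2500076, all rev:4467) is a point-in-time list of single host addresses, and the `threshold: type limit, track by_src, seconds 60, count 1` option fires once per source per minute per rule, so a stale list keeps alerting on any address that has since been reassigned. Suggest stating in the repo's README which ET ruleset version these files were taken from and how they are refreshed, so the lists are not treated as current without a check.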


@ -0,0 +1,73 @@
#
# $Id: emerging-drop.rules $
# Emerging Threats Spamhaus DROP List rules.
#
# Rules to block Spamhaus DROP listed networks (www.spamhaus.org)
#
# More information available at www.emergingthreats.net
#
# Please submit any feedback or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
# VERSION 2619
# Generated 2017-09-17 00:05:01 EDT
alert ip [5.134.128.0/19,5.157.0.0/18,14.4.0.0/14,23.226.48.0/20,23.246.128.0/18,23.251.224.0/19,24.51.0.0/19,24.233.0.0/19,27.126.160.0/20,31.11.43.0/24,31.184.238.0/24,31.222.200.0/21,36.0.8.0/21,36.37.48.0/20,36.93.0.0/16,36.116.0.0/16,36.119.0.0/16,36.255.212.0/22,37.18.42.0/24,37.139.49.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 1"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400000; rev:2619;)
alert ip [42.1.56.0/22,42.1.128.0/17,42.52.0.0/14,42.83.80.0/22,42.96.0.0/18,42.123.36.0/22,42.128.0.0/12,42.160.0.0/12,42.194.8.0/22,42.194.12.0/22,42.194.128.0/17,42.208.0.0/12,43.229.52.0/22,43.236.0.0/16,43.250.116.0/22,43.252.80.0/22,43.252.152.0/22,43.252.180.0/22,45.4.128.0/22,45.4.136.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 2"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400001; rev:2619;)
alert ip [46.29.248.0/22,46.29.248.0/21,46.151.48.0/21,46.232.192.0/21,46.243.140.0/24,46.243.142.0/24,46.243.173.0/24,49.8.0.0/14,49.238.64.0/18,59.254.0.0/15,60.233.0.0/16,61.11.224.0/19,61.13.128.0/17,61.14.224.0/22,61.45.251.0/24,66.98.112.0/20,66.231.64.0/20,67.213.112.0/20,67.213.136.0/21,67.219.208.0/20] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 3"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400002; rev:2619;)
alert ip [79.110.17.0/24,79.110.18.0/24,79.110.19.0/24,79.110.25.0/24,79.173.104.0/21,83.175.0.0/18,84.238.160.0/22,85.93.5.0/24,85.121.39.0/24,86.55.40.0/23,86.55.42.0/23,91.194.254.0/23,91.200.12.0/22,91.200.248.0/22,91.207.4.0/22,91.209.12.0/24,91.212.104.0/24,91.212.124.0/24,91.213.126.0/24,91.217.10.0/23] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 4"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400003; rev:2619;)
alert ip [91.230.252.0/23,91.234.36.0/24,91.235.2.0/24,91.236.74.0/23,91.238.82.0/24,91.240.165.0/24,93.179.89.0/24,93.179.90.0/24,93.179.91.0/24,95.216.0.0/15,101.192.0.0/14,101.202.0.0/16,101.203.128.0/19,101.248.0.0/15,101.252.0.0/15,103.2.44.0/22,103.16.76.0/24,103.23.8.0/22,103.36.64.0/22,103.57.248.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 5"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400004; rev:2619;)
alert ip [103.197.8.0/22,103.205.84.0/22,103.207.160.0/22,103.210.12.0/22,103.215.80.0/22,103.227.4.0/22,103.228.8.0/22,103.229.36.0/22,103.229.40.0/22,103.230.144.0/22,103.231.84.0/22,103.232.136.0/22,103.232.172.0/22,103.236.32.0/22,103.239.56.0/22,104.36.184.0/22,104.153.96.0/21,104.153.112.0/21,104.153.244.0/22,104.160.224.0/19] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 6"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400005; rev:2619;)
alert ip [104.245.248.0/21,104.255.56.0/21,108.166.224.0/19,110.172.64.0/18,114.118.0.0/17,115.166.136.0/22,116.78.0.0/15,116.119.0.0/17,116.128.0.0/10,116.144.0.0/15,116.146.0.0/15,116.197.156.0/22,116.206.16.0/22,117.58.0.0/17,117.120.64.0/18,119.42.52.0/22,119.58.0.0/16,119.232.0.0/16,120.48.0.0/15,121.46.124.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 7"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400006; rev:2619;)
alert ip [124.70.0.0/15,124.157.0.0/18,124.242.0.0/16,125.31.192.0/18,125.58.0.0/18,125.169.0.0/16,128.13.0.0/16,128.85.0.0/16,128.94.0.0/16,128.168.0.0/16,128.188.0.0/16,130.148.0.0/16,130.196.0.0/16,130.222.0.0/16,131.72.208.0/22,131.108.16.0/22,131.108.232.0/22,131.200.0.0/16,134.18.0.0/16,134.22.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 8"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400007; rev:2619;)
alert ip [134.209.0.0/16,136.230.0.0/16,137.19.0.0/16,137.33.0.0/16,137.55.0.0/16,137.76.0.0/16,137.105.0.0/16,137.171.0.0/16,137.218.0.0/16,138.31.0.0/16,138.36.92.0/22,138.36.136.0/22,138.36.148.0/22,138.43.0.0/16,138.52.0.0/16,138.59.4.0/22,138.59.204.0/22,138.94.120.0/22,138.94.144.0/22,138.94.216.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 9"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400008; rev:2619;)
alert ip [138.216.0.0/16,138.228.0.0/16,138.249.0.0/16,139.45.0.0/16,139.136.0.0/16,139.188.0.0/16,140.143.128.0/17,140.167.0.0/16,141.94.0.0/15,141.101.132.0/24,141.101.201.0/24,141.136.22.0/24,141.136.27.0/24,141.178.0.0/16,141.253.0.0/16,142.4.160.0/19,142.102.0.0/16,143.0.236.0/22,143.49.0.0/16,143.64.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 10"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400009; rev:2619;)
alert ip [147.7.0.0/16,147.16.0.0/14,147.119.0.0/16,148.111.0.0/16,148.148.0.0/16,148.154.0.0/16,148.178.0.0/16,148.185.0.0/16,148.248.0.0/16,149.109.0.0/16,149.114.0.0/16,149.118.0.0/16,149.143.64.0/18,150.10.0.0/16,150.22.128.0/17,150.25.0.0/16,150.40.0.0/16,150.107.106.0/23,150.107.220.0/22,150.121.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 11"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400010; rev:2619;)
alert ip [150.242.36.0/22,150.242.100.0/22,150.242.120.0/22,150.242.144.0/22,151.123.0.0/16,151.192.0.0/16,151.212.0.0/16,151.237.176.0/20,151.237.184.0/22,152.109.0.0/16,152.136.0.0/16,152.147.0.0/16,153.14.0.0/16,153.52.0.0/14,153.93.0.0/16,155.11.0.0/16,155.40.0.0/16,155.66.0.0/16,155.73.0.0/16,155.108.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 12"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400011; rev:2619;)
alert ip [157.195.0.0/16,157.231.0.0/16,157.232.0.0/16,158.54.0.0/16,158.90.0.0/17,158.249.0.0/16,159.65.0.0/16,159.80.0.0/16,159.85.0.0/16,159.111.0.0/16,159.151.0.0/16,159.174.0.0/16,159.219.0.0/16,159.223.0.0/16,159.229.0.0/16,160.14.0.0/16,160.21.0.0/16,160.117.0.0/16,160.180.0.0/16,160.181.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 13"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400012; rev:2619;)
alert ip [161.0.68.0/22,161.66.0.0/16,161.70.0.0/16,161.71.0.0/16,161.189.0.0/16,161.232.0.0/16,162.208.124.0/22,162.212.188.0/22,162.213.128.0/22,162.213.232.0/22,162.219.32.0/21,162.222.148.0/22,162.245.124.0/22,162.254.72.0/21,163.47.19.0/24,163.50.0.0/16,163.53.247.0/24,163.59.0.0/16,163.250.0.0/16,163.254.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 14"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400013; rev:2619;)
alert ip [165.192.0.0/16,165.205.0.0/16,165.209.0.0/16,166.117.0.0/16,167.74.0.0/18,167.87.0.0/16,167.97.0.0/16,167.103.0.0/16,167.158.0.0/16,167.162.0.0/16,167.175.0.0/16,167.224.0.0/19,168.64.0.0/16,168.90.108.0/22,168.129.0.0/16,168.181.52.0/22,170.67.0.0/16,170.113.0.0/16,170.114.0.0/16,170.120.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 15"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400014; rev:2619;)
alert ip [172.96.16.0/22,172.103.40.0/21,172.103.64.0/18,173.228.160.0/19,173.246.160.0/19,175.103.64.0/18,176.61.136.0/22,176.61.136.0/21,176.65.128.0/19,176.97.116.0/22,177.36.16.0/20,177.74.160.0/20,177.91.0.0/22,177.234.136.0/21,178.16.80.0/20,178.216.48.0/21,179.42.64.0/19,180.178.192.0/18,180.236.0.0/14,181.118.32.0/19] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 16"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400015; rev:2619;)
alert ip [185.35.136.0/22,185.46.84.0/22,185.50.250.0/24,185.50.251.0/24,185.64.20.0/22,185.68.156.0/22,185.72.68.0/22,185.93.185.0/24,185.93.187.0/24,185.103.72.0/22,185.106.94.0/24,185.127.24.0/22,185.129.148.0/23,185.132.4.0/22,185.133.20.0/22,185.134.20.0/22,185.135.184.0/22,185.137.219.0/24,185.141.188.0/22,185.146.20.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 17"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400016; rev:2619;)
alert ip [185.149.112.0/22,185.150.84.0/22,185.151.48.0/22,185.151.60.0/22,185.152.36.0/22,185.152.248.0/22,185.154.20.0/22,185.155.52.0/22,185.156.88.0/21,185.156.92.0/22,185.159.36.0/22,185.159.37.0/24,185.159.68.0/22,185.166.216.0/22,185.167.116.0/22,185.171.120.0/22,185.173.44.0/22,185.175.140.0/22,185.180.124.0/22,185.184.192.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 18"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400017; rev:2619;)
alert ip [185.198.212.0/22,185.202.88.0/22,185.204.236.0/22,185.205.68.0/22,185.208.128.0/22,186.1.128.0/19,186.65.112.0/20,186.96.96.0/19,188.72.96.0/24,188.72.126.0/24,188.72.127.0/24,188.172.160.0/19,188.239.128.0/18,188.247.135.0/24,188.247.230.0/24,189.213.128.0/17,190.2.208.0/21,190.9.48.0/21,190.99.80.0/21,190.123.208.0/20] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 19"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400018; rev:2619;)
alert ip [192.40.29.0/24,192.43.153.0/24,192.43.154.0/23,192.43.156.0/22,192.43.160.0/24,192.43.175.0/24,192.43.176.0/21,192.43.184.0/24,192.46.192.0/18,192.54.110.0/24,192.67.16.0/24,192.67.160.0/22,192.86.85.0/24,192.88.74.0/24,192.100.142.0/24,192.101.44.0/24,192.101.181.0/24,192.101.200.0/21,192.101.240.0/21,192.101.248.0/23] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 20"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400019; rev:2619;)
alert ip [192.158.51.0/24,192.160.44.0/24,192.190.49.0/24,192.190.97.0/24,192.195.150.0/24,192.197.87.0/24,192.203.252.0/24,192.206.114.0/24,192.206.183.0/24,192.219.120.0/21,192.219.128.0/18,192.219.192.0/20,192.219.208.0/21,192.225.96.0/20,192.226.16.0/20,192.229.32.0/19,192.231.66.0/24,192.234.189.0/24,192.245.101.0/24,193.9.158.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 21"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400020; rev:2619;)
alert ip [193.177.64.0/18,193.243.0.0/17,194.1.152.0/24,194.29.185.0/24,195.182.57.0/24,195.190.13.0/24,195.191.56.0/23,195.191.102.0/23,195.225.176.0/22,196.1.109.0/24,196.42.128.0/17,196.61.240.0/20,196.63.0.0/16,196.164.0.0/15,196.193.0.0/16,196.196.0.0/16,196.197.0.0/16,196.198.0.0/16,196.199.0.0/16,196.240.0.0/15] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 22"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400021; rev:2619;)
alert ip [198.13.0.0/20,198.14.128.0/19,198.14.160.0/19,198.20.16.0/20,198.44.192.0/20,198.45.32.0/20,198.45.64.0/19,198.56.64.0/18,198.57.64.0/20,198.62.70.0/24,198.62.76.0/24,198.96.224.0/20,198.99.117.0/24,198.102.222.0/24,198.148.212.0/24,198.151.16.0/20,198.151.64.0/18,198.151.152.0/22,198.160.205.0/24,198.169.201.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 23"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400022; rev:2619;)
alert ip [198.179.22.0/24,198.181.64.0/19,198.181.96.0/20,198.183.32.0/19,198.184.193.0/24,198.184.208.0/24,198.186.25.0/24,198.186.208.0/24,198.187.64.0/18,198.187.192.0/24,198.190.173.0/24,198.199.212.0/24,198.202.237.0/24,198.204.0.0/21,198.206.140.0/24,198.212.132.0/24,199.5.152.0/23,199.5.229.0/24,199.10.64.0/24,199.26.137.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 24"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400023; rev:2619;)
alert ip [199.58.248.0/21,199.60.102.0/24,199.71.56.0/21,199.71.192.0/20,199.84.55.0/24,199.84.56.0/22,199.84.60.0/24,199.84.64.0/19,199.87.208.0/21,199.88.32.0/20,199.88.48.0/22,199.89.16.0/20,199.89.198.0/24,199.120.163.0/24,199.165.32.0/19,199.166.200.0/22,199.184.82.0/24,199.185.192.0/20,199.196.192.0/19,199.198.160.0/20] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 25"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400024; rev:2619;)
alert ip [199.223.0.0/20,199.230.64.0/19,199.230.96.0/21,199.233.85.0/24,199.233.96.0/24,199.241.64.0/19,199.244.56.0/21,199.245.138.0/24,199.246.137.0/24,199.246.213.0/24,199.246.215.0/24,199.248.64.0/18,199.249.64.0/19,199.253.32.0/20,199.253.48.0/21,199.253.224.0/20,199.254.32.0/20,200.0.60.0/23,200.3.128.0/20,200.22.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 26"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400025; rev:2619;)
alert ip [202.20.32.0/19,202.21.64.0/19,202.27.96.0/23,202.27.98.0/24,202.27.99.0/24,202.27.100.0/22,202.27.120.0/22,202.27.161.0/24,202.27.162.0/23,202.27.164.0/22,202.27.168.0/24,202.39.112.0/20,202.40.32.0/19,202.40.64.0/18,202.68.0.0/18,202.86.0.0/22,202.148.32.0/20,202.148.176.0/20,202.183.0.0/19,202.189.80.0/20] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 27"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400026; rev:2619;)
alert ip [203.34.252.0/23,203.86.252.0/22,203.148.80.0/22,203.149.92.0/22,203.169.0.0/22,203.189.112.0/22,203.191.64.0/18,204.19.38.0/23,204.44.32.0/20,204.44.192.0/20,204.44.224.0/20,204.48.16.0/20,204.52.255.0/24,204.57.16.0/20,204.75.147.0/24,204.75.228.0/24,204.80.198.0/24,204.86.16.0/20,204.87.199.0/24,204.89.224.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 28"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400027; rev:2619;)
alert ip [204.128.180.0/24,204.130.16.0/20,204.130.167.0/24,204.147.64.0/21,204.187.155.0/24,204.187.156.0/22,204.187.160.0/19,204.187.192.0/19,204.187.224.0/20,204.187.240.0/21,204.187.248.0/22,204.187.252.0/23,204.187.254.0/24,204.194.64.0/21,204.194.184.0/21,204.225.16.0/20,204.225.159.0/24,204.225.210.0/24,204.232.0.0/18,204.238.137.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 29"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400028; rev:2619;)
alert ip [205.144.176.0/20,205.148.128.0/18,205.148.192.0/18,205.151.128.0/19,205.159.45.0/24,205.159.174.0/24,205.159.180.0/24,205.166.77.0/24,205.166.84.0/24,205.166.130.0/24,205.166.168.0/24,205.166.211.0/24,205.172.176.0/22,205.172.244.0/22,205.175.160.0/19,205.189.71.0/24,205.189.72.0/23,205.203.0.0/19,205.203.224.0/19,205.207.134.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 30"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400029; rev:2619;)
alert ip [205.214.128.0/19,205.233.224.0/20,205.236.185.0/24,205.236.189.0/24,205.237.88.0/21,206.41.160.0/19,206.51.29.0/24,206.81.0.0/19,206.130.4.0/23,206.130.188.0/24,206.143.128.0/17,206.189.0.0/16,206.195.224.0/19,206.197.28.0/24,206.197.29.0/24,206.197.77.0/24,206.197.165.0/24,206.203.64.0/18,206.209.80.0/20,206.224.160.0/19] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 31"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400030; rev:2619;)
alert ip [207.32.208.0/20,207.45.224.0/20,207.110.64.0/18,207.110.96.0/19,207.110.128.0/18,207.177.128.0/18,207.178.64.0/19,207.183.192.0/19,207.226.192.0/20,207.234.0.0/17,208.93.4.0/22,208.117.88.0/22,208.117.92.0/24,209.51.32.0/20,209.54.160.0/19,209.66.128.0/19,209.95.192.0/19,209.97.128.0/18,209.99.128.0/18,209.145.0.0/19] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 32"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400031; rev:2619;)
alert ip [209.182.64.0/19,209.229.0.0/16,209.242.192.0/19,212.92.127.0/24,216.47.96.0/20,216.152.240.0/20,216.183.208.0/20,220.154.0.0/16,221.132.192.0/18,223.0.0.0/15,223.169.0.0/16,223.173.0.0/16,223.201.0.0/16,223.254.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 33"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400032; rev:2619;)
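Review bot: the header of this hunk says `VERSION 2619` and `Generated 2017-09-17 00:05:01 EDT`, so this commit vendors a 2017 snapshot of the Spamhaus DROP list (groups 1 to 33, sids 2400000 to 2400032); the DROP list changes regularly, so a pinned copy will both miss currently listed networks and keep flagging ranges that have since been delisted. Suggest not committing the generated file and instead fetching the current ET Open ruleset at deploy time (suricata-update does this), or at least documenting in the README when and how the file is refreshed. Two smaller points: despite the "ET DROP" name the rules are `alert ip`, not `drop`, so nothing is blocked unless the action is changed or a Suricata drop policy is applied, and `flowbits:set,ET.Evil` / `flowbits:set,ET.DROPIP` only have an effect if other rules in the repo test those flowbits.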


@ -0,0 +1,35 @@
#
# $Id: emerging-dshield.rules $
# Emerging Threats Dshield rules.
#
# Rules to block Dshield identified Top Attackers (www.dshield.org)
#
# More information available at www.emergingthreats.net
#
# Please submit any feedback or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
# Copyright (c) 2003-2014, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
alert ip [61.174.51.0/24,94.102.49.0/24,185.5.174.0/24,116.10.191.0/24,218.77.79.0/24,74.82.47.0/24,184.105.247.0/24,93.180.5.0/24,93.174.93.0/24,80.82.70.0/24,184.105.139.0/24,198.20.69.0/24,124.232.142.0/24,71.6.167.0/24,66.240.192.0/24,71.6.165.0/24,198.20.99.0/24,190.139.61.0/24,66.240.236.0/24,162.253.66.0/24] any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source group 1"; reference:url,feed.dshield.org/block.txt; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DshieldIP; sid:2402000; rev:3403;)
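Review bot: unlike the DROP file, this hunk's header has no `VERSION` or `Generated` line, so there is no way to tell when this DShield snapshot (a single group of twenty /24s, sid 2402000, rev:3403) was taken; the copyright line only says 2003-2014. The DShield block list the rule references (feed.dshield.org/block.txt) is regenerated frequently, so a pinned copy goes stale almost immediately. Suggest adding the generation date to the header or, better, pulling the list at deploy time rather than committing it alongside the rest of the ruleset.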


@ -0,0 +1,198 @@
# Emerging Threats
#
# This distribution may contain rules under two different licenses.
#
# Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
# A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
# Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License
# as follows:
#
#*************************************************************
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
#
#
#
# This Ruleset is EmergingThreats Open optimized for suricata-1.3-enhanced.
#alert udp any 53 -> $DNS_SERVERS any (msg:"ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt"; byte_test:2,>,0,6; byte_test:2,>,0,10; threshold: type both, track by_src, count 100, seconds 10; reference:url,doc.emergingthreats.net/bin/view/Main/2008446; classtype:bad-unknown; sid:2008446; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any 53 -> $HOME_NET any (msg:"ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; threshold: type both, track by_src, count 50, seconds 10; reference:url,doc.emergingthreats.net/bin/view/Main/2008470; classtype:bad-unknown; sid:2008470; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any 53 -> $HOME_NET any (msg:"ET DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible NS RR Cache Poisoning Attempt"; content: "|85 00 00 01 00 01 00 01|"; offset: 2; depth:8; threshold: type both, track by_src,count 50, seconds 2; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008447; classtype:bad-unknown; sid:2008447; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any 53 -> $HOME_NET any (msg:"ET DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible A RR Cache Poisoning Attempt"; content: "|81 80 00 01 00 01 00 01|"; offset: 2; depth:8; threshold: type both, track by_src, count 50, seconds 2; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008475; classtype:bad-unknown; sid:2008475; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Format error"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x81/"; reference:url,doc.emergingthreats.net/2001116; classtype:not-suspicious; sid:2001116; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Name Error"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x83/"; reference:url,doc.emergingthreats.net/2001117; classtype:not-suspicious; sid:2001117; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Not Implemented"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x84/"; reference:url,doc.emergingthreats.net/2001118; classtype:not-suspicious; sid:2001118; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Refused"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x85/"; reference:url,doc.emergingthreats.net/2001119; classtype:not-suspicious; sid:2001119; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS EXPLOIT named 8.2->8.2.1"; flow:to_server,established; content:"../../../"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:2100258; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:2100259; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh"; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:2100261; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS TCP inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:2103153; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:2101435; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:2100257; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:15; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:2100255; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"GPL DNS SPOOF query response PTR with TTL of 1 min. and no authority"; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; classtype:bad-unknown; sid:2100253; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"GPL DNS SPOOF query response with TTL of 1 min. and no authority"; content:"|81 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 01 00 01 00 00 00|<|00 04|"; classtype:bad-unknown; sid:2100254; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS UDP inverse query overflow"; byte_test:1,<,16,2; byte_test:1,&,8,2; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:2103154; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named authors attempt"; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:nessus,10728; classtype:attempted-recon; sid:2100256; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named iquery attempt"; content:"|09 80 00 00 00 01 00 00 00 00|"; depth:16; offset:2; reference:bugtraq,134; reference:cve,1999-0009; reference:url,www.rfc-editor.org/rfc/rfc1035.txt; classtype:attempted-recon; sid:2100252; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named version attempt"; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:nessus,10028; classtype:attempted-recon; sid:2101616; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:2101948; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .com.ru Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|com|02|ru|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011407; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .com.cn Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|com|02|cn|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011408; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .co.cc Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|cc|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011409; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .cz.cc Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cz|02|cc|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011410; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .co.kr Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|kr|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011411; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"ET DNS DNS Lookup for localhost.DOMAIN.TLD"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|localhost"; fast_pattern; nocase; classtype:bad-unknown; sid:2011802; rev:3; metadata:created_at 2010_10_12, updated_at 2010_10_12;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS Hiloti DNS CnC Channel Successful Install Message"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|empty"; nocase; distance:0; content:"|0C|explorer_exe"; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; classtype:bad-unknown; sid:2011911; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS DNS Query for a Suspicious Malware Related Numerical .in Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|in|00|"; fast_pattern; nocase; distance:0; pcre:"/\x00[0-9]{4,7}\x02in\x00/i"; reference:url,sign.kaffenews.com/?p=104; reference:url,www.isc.sans.org/diary.html?storyid=10165; classtype:bad-unknown; sid:2012115; rev:6; metadata:created_at 2011_12_30, updated_at 2011_12_30;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query to a .tk domain - Likely Hostile"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|tk|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2012811; rev:2; metadata:created_at 2011_05_15, updated_at 2011_05_15;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query to a Suspicious *.vv.cc domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|vv|02|cc|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2012826; rev:1; metadata:created_at 2011_05_19, updated_at 2011_05_19;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.ae.am domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ae|02|am"; fast_pattern; classtype:bad-unknown; sid:2012900; rev:3; metadata:created_at 2011_05_31, updated_at 2011_05_31;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for a Suspicious *.noc.su domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|noc|02|su"; fast_pattern:only; classtype:bad-unknown; sid:2012901; rev:2; metadata:created_at 2011_05_31, updated_at 2011_05_31;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.be.ma domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|be|02|ma"; fast_pattern; distance:0; classtype:bad-unknown; sid:2012902; rev:3; metadata:created_at 2011_05_31, updated_at 2011_05_31;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.qc.cx domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|qc|02|cx"; fast_pattern; classtype:bad-unknown; sid:2012903; rev:3; metadata:created_at 2011_05_31, updated_at 2011_05_31;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.co.tv domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|tv"; fast_pattern; classtype:bad-unknown; sid:2012956; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Illegal Drug Sales Site (SilkRoad)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ianxz6zefk72ulzz|05|onion"; classtype:policy-violation; sid:2013016; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .co.be Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|be"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013124; rev:3; metadata:created_at 2011_06_28, updated_at 2011_06_28;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.cu.cc domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cu|02|cc"; fast_pattern; classtype:bad-unknown; sid:2013172; rev:2; metadata:created_at 2011_07_02, updated_at 2011_07_02;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .net.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|net|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013847; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .eu.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|eu|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013848; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .int.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|int|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013849; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .edu.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|edu|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013850; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .us.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|us|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013851; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .ca.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ca|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013852; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .bg.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|bg|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013853; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .ru.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ru|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013854; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .pl.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|pl|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013855; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .cz.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cz|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013856; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .de.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|de|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013857; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .at.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|at|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013858; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .ch.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ch|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013859; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .sg.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|sg|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013860; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .nl.ai Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|nl|02|ai"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013861; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .xe.cx Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|xe|02|cx"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013862; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp any 53 -> $DNS_SERVERS any (msg:"ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) to google.com.br possible Cache Poisoning Attempt"; byte_test:2,>,0,6; byte_test:2,>,0,10; threshold: type both, track by_src, count 100, seconds 10; content:"|06|google|03|com|02|br|00|"; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; classtype:bad-unknown; sid:2013894; rev:5; metadata:created_at 2011_11_10, updated_at 2011_11_10;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .noip.cn Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|noip|02|cn|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013970; rev:1; metadata:created_at 2011_11_28, updated_at 2011_11_28;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for .su TLD (Soviet Union) Often Malware Related"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|su|00|"; fast_pattern; distance:0; nocase; reference:url,www.abuse.ch/?p=3581; classtype:bad-unknown; sid:2014169; rev:1; metadata:created_at 2012_01_31, updated_at 2012_01_31;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS DNS Query for Suspicious .ch.vu Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ch|02|vu"; fast_pattern; nocase; distance:0; reference:url,google.com/safebrowsing/diagnostic?site=ch.vu; classtype:bad-unknown; sid:2014285; rev:4; metadata:created_at 2012_02_27, updated_at 2012_02_27;)
alert udp $HOME_NET !9987 -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set"; content:!"7PYqwfzt"; depth:8; byte_test:1,!&,64,2; byte_test:1,&,32,2; byte_test:1,&,16,2; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014701; rev:12; metadata:created_at 2012_05_03, updated_at 2016_07_12;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set"; content:!"7PYqwfzt"; depth:8; byte_test:1,&,64,2; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014702; rev:9; metadata:created_at 2012_05_03, updated_at 2016_07_12;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set"; content:!"7PYqwfzt"; depth:8; byte_test:1,&,64,3; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014703; rev:9; metadata:created_at 2012_05_03, updated_at 2016_07_12;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS Query for a Suspicious *.upas.su domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|upas|02|su|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2015550; rev:1; metadata:created_at 2012_07_31, updated_at 2012_07_31;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - sinkhole.cert.pl 148.81.111.111"; content:"|00 01 00 01|"; content:"|00 04 94 51 6f 6f|"; distance:4; within:6; classtype:trojan-activity; sid:2016413; rev:4; metadata:created_at 2013_02_14, updated_at 2013_02_14;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Dr. Web"; content:"|00 01 00 01|"; content:"|00 04 5b e9 f4 6a|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016418; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Zinkhole.org"; content:"|00 01 00 01|"; content:"|00 04 b0 1f 3e 4c|"; distance:4; within:6; classtype:trojan-activity; sid:2016419; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - German Company"; content:"|00 01 00 01|"; content:"|00 04 52 a5 19 a7|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016420; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - 1and1 Internet AG"; content:"|00 01 00 01|"; content:"|00 04 52 a5 19 d2|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016421; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Georgia Tech (1)"; content:"|00 01 00 01|"; content:"|00 04 c6 3d e3 06|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016422; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Georgia Tech (2)"; content:"|00 01 00 01|"; content:"|00 04 32 3e 0c 67|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016423; rev:6; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain micorsofts.net"; content:"|0a|micorsofts|03|net|00|"; nocase; fast_pattern:only; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:bad-unknown; sid:2016569; rev:3; metadata:created_at 2013_03_13, updated_at 2013_03_13;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain micorsofts.com"; content:"|0a|micorsofts|03|com|00|"; nocase; fast_pattern:only; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:bad-unknown; sid:2016570; rev:2; metadata:created_at 2013_03_13, updated_at 2013_03_13;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain hotmal1.com"; content:"|07|hotmal1|03|com|00|"; nocase; fast_pattern:only; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:bad-unknown; sid:2016571; rev:1; metadata:created_at 2013_03_13, updated_at 2013_03_13;)
alert udp any 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - 106.187.96.49 blacklistthisdomain.com"; content:"|00 01 00 01|"; content:"|00 04 6a bb 60 31|"; distance:4; within:6; classtype:trojan-activity; sid:2016591; rev:6; metadata:created_at 2013_03_18, updated_at 2013_03_18;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query to a *.pw domain - Likely Hostile"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|pw|00|"; fast_pattern; nocase; distance:0; content:!"|01|u|02|pw|00|"; nocase; classtype:bad-unknown; sid:2016778; rev:4; metadata:created_at 2013_04_19, updated_at 2013_04_19;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DNS DNS Query for vpnoverdns - indicates DNS tunnelling"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|tun|10|vpnoverdns|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,osint.bambenekconsulting.com/manual/vpnoverdns.txt; classtype:bad-unknown; sid:2018438; rev:2; metadata:created_at 2014_05_01, updated_at 2014_05_01;)
alert udp any 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole FBI Zeus P2P 1 - 142.0.36.234"; content:"|00 01 00 01|"; content:"|00 04 8e 00 24 ea|"; distance:4; within:6; classtype:trojan-activity; sid:2018517; rev:1; metadata:created_at 2014_06_03, updated_at 2014_06_03;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS Query to a *.top domain - Likely Hostile"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|top|00|"; fast_pattern; nocase; distance:0; threshold:type limit, track by_src, count 1, seconds 30; reference:url,www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2023883; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_07, updated_at 2017_02_07;)
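Review bot: every query-side rule in this hunk from sid 2011407 onward that anchors on `content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;` requires the flags word to be exactly 0x0100 and ARCOUNT to be 0, so a query that carries an EDNS0 OPT record in the additional section (ARCOUNT 1) or has the AD or CD bit set never reaches the domain match; that is the common case for current stub and recursive resolvers, so these rules should be expected to miss most real traffic. If the intent is to keep them, relax the anchor to the flags and QDCOUNT only (`content:"|01 00 00 01|"; depth:4; offset:2;`) or use the `dns_query` buffer on a Suricata build that has it. Separately, the enabled TLD-wide rules (2012811 for .tk, the .tf family 2013847 through 2013860, 2016778 for .pw, 2023883 for .top) alert on every query to an entire TLD with classtype bad-unknown; 2023883 carries a threshold and 2016778 an exclusion, the rest have neither, so expect heavy alert volume and either threshold or disable them before deployment.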


@ -0,0 +1,254 @@
# Emerging Threats
#
# This distribution may contain rules under two different licenses.
#
# Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
# A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
# Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License
# as follows:
#
#*************************************************************
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
#
#
#
# This Ruleset is EmergingThreats Open optimized for suricata-1.3-enhanced.
#alert udp any any -> any 53 (msg:"ET DOS DNS BIND 9 Dynamic Update DoS attempt"; byte_test:1,&,40,2; byte_test:1,>,0,5; byte_test:1,>,0,1; content:"|00 00 06|"; offset:8; content:"|c0 0c 00 ff|"; distance:2; reference:cve,2009-0696; reference:url,doc.emergingthreats.net/2009701; classtype:attempted-dos; sid:2009701; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET [22,23,80,443,10000] (msg:"ET DOS Possible Cisco PIX/ASA Denial Of Service Attempt (Hping Created Packets)"; flow:to_server; content:"|58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58|"; depth:40; content:"|58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58|"; distance:300; isdataat:300,relative; threshold: type threshold, track by_src, count 60, seconds 80; reference:url,www.securityfocus.com/bid/34429/info; reference:url,www.securityfocus.com/bid/34429/exploit; reference:url,www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080a99518.html; reference:cve,2009-1157; reference:url,doc.emergingthreats.net/2010624; classtype:attempted-dos; sid:2010624; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET DOS Possible Cisco ASA 5500 Series Adaptive Security Appliance Remote SIP Inspection Device Reload Denial of Service Attempt"; flow:established,to_server; content:"REGISTER"; depth:8; nocase; isdataat:400,relative; pcre:"/REGISTER.{400}/smi"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19915; reference:cve,2010-0569; reference:url,doc.emergingthreats.net/2010817; classtype:attempted-dos; sid:2010817; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"ET DOS Cisco 514 UDP flood DoS"; content:"|25 25 25 25 25 58 58 25 25 25 25 25|"; reference:url,www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000010; classtype:attempted-dos; sid:2000010; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET DOS Catalyst memory leak attack"; flow: to_server,established; content:"|41 41 41 0a|"; depth: 20; reference:url,www.cisco.com/en/US/products/products_security_advisory09186a00800b138e.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000011; classtype:attempted-dos; sid:2000011; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Cisco Router HTTP DoS"; flow:to_server,established; content:"/%%"; http_uri; reference:url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml; classtype:attempted-dos; sid:2000006; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Cisco 4200 Wireless Lan Controller Long Authorisation Denial of Service Attempt"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/screens/frameset.html"; fast_pattern; http_uri; nocase; content:"Authorization|3A 20|Basic"; nocase; content:!"|0a|"; distance:2; within:118; isdataat:120,relative; pcre:"/^Authorization\x3A Basic.{120}/Hmi"; reference:url,www.securityfocus.com/bid/35805; reference:url,www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml; reference:cve,2009-1164; reference:url,doc.emergingthreats.net/2010674; classtype:attempted-dos; sid:2010674; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6014 (msg:"ET DOS IBM DB2 kuddb2 Remote Denial of Service Attempt"; flow:established,to_server; content:"|00 05 03 31 41|"; reference:url,www.securityfocus.com/bid/38018; reference:url,intevydis.blogspot.com/2010/01/ibm-db2-97-kuddb2-dos.html; reference:url,doc.emergingthreats.net/2010755; classtype:attempted-dos; sid:2010755; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"ET DOS FreeBSD NFS RPC Kernel Panic"; flow:to_server,established; content:"|00 01 86 a5|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 00 00 00 00 00|"; offset:0; depth:6; reference:cve,2006-0900; reference:bugtraq,19017; reference:url,doc.emergingthreats.net/bin/view/Main/2002853; classtype:attempted-dos; sid:2002853; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 1755 (msg:"ET DOS Microsoft Streaming Server Malformed Request"; flow:established,to_server; content:"MSB "; depth:4; content:"|06 01 07 00 24 00 00 40 00 00 00 00 00 00 01 00 00 00|"; distance:0; within:18; reference:bugtraq,1282; reference:url,www.microsoft.com/technet/security/bulletin/ms00-038.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2002843; classtype:attempted-dos; sid:2002843; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS ICMP Path MTU lowered below acceptable threshold"; itype: 3; icode: 4; byte_test:2,<,576,6; byte_test:2,!=,0,7; reference:cve,CAN-2004-1060; reference:url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,doc.emergingthreats.net/bin/view/Main/2001882; classtype:denial-of-service; sid:2001882; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET DOS Possible Microsoft SQL Server Remote Denial Of Service Attempt"; flow: established,to_server; content:"|10 00 00 10 cc|"; depth:5; reference:bugtraq,11265; reference:url,doc.emergingthreats.net/bin/view/Main/2001366; classtype:attempted-dos; sid:2001366; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET DOS NetrWkstaUserEnum Request with large Preferred Max Len"; flow:established,to_server; content:"|ff|SMB"; content:"|10 00 00 00|"; distance:0; content:"|02 00|"; distance:14; within:2; byte_jump:4,12,relative,little,multiplier 2; content:"|00 00 00 00 00 00 00 00|"; distance:12; within:8; byte_test:4,>,2,0,relative; reference:cve,2006-6723; reference:url,doc.emergingthreats.net/bin/view/Main/2003236; classtype:attempted-dos; sid:2003236; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DOS Excessive SMTP MAIL-FROM DDoS"; flow: to_server, established; content:"MAIL FROM|3a|"; nocase; window: 0; id:0; threshold: type limit, track by_src, count 30, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/2001795; classtype:denial-of-service; sid:2001795; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET DOS Possible MYSQL GeomFromWKB() function Denial Of Service Attempt"; flow:to_server,established; content:"SELECT"; nocase; content:"geometrycollectionfromwkb"; distance:0; nocase; pcre:"/SELECT.+geometrycollectionfromwkb/si"; reference:url,www.securityfocus.com/bid/37297/info; reference:url,marc.info/?l=oss-security&m=125881733826437&w=2; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/37297.txt; reference:cve,2009-4019; reference:url,doc.emergingthreats.net/2010491; classtype:attempted-dos; sid:2010491; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET DOS Possible MYSQL SELECT WHERE to User Variable Denial Of Service Attempt"; flow:to_server,established; content:"SELECT"; nocase; content:"WHERE"; distance:0; nocase; content:"SELECT"; nocase; content:"INTO"; distance:0; nocase; content:"|60|"; within:50; content:"|60|"; pcre:"/SELECT.+WHERE.+SELECT.+\x60/si"; reference:url,www.securityfocus.com/bid/37297/info; reference:url,marc.info/?l=oss-security&m=125881733826437&w=2; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/37297-2.txt; reference:cve,2009-4019; reference:url,doc.emergingthreats.net/2010492; classtype:attempted-dos; sid:2010492; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET DOS Possible MySQL ALTER DATABASE Denial Of Service Attempt"; flow:established,to_server; content:"ALTER "; nocase; content:"DATABASE"; nocase; within:12; content:"|22|."; distance:0; content:"UPGRADE "; nocase; distance:0; content:"DATA"; nocase; within:8; pcre:"/ALTER.+DATABASE.+\x22\x2E(\x22|\x2E\x22|\x2E\x2E\x2F\x22).+UPGRADE.+DATA/si"; reference:url,securitytracker.com/alerts/2010/Jun/1024160.html; reference:url,dev.mysql.com/doc/refman/5.1/en/alter-database.html; reference:cve,2010-2008; reference:url,doc.emergingthreats.net/2011761; classtype:attempted-dos; sid:2011761; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Netgear DG632 Web Management Denial Of Service Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/firmwarecfg"; http_uri; nocase; reference:url,securitytracker.com/alerts/2009/Jun/1022403.html; reference:cve,2009-2256; reference:url,doc.emergingthreats.net/2010554; classtype:attempted-dos; sid:2010554; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Large amount of TCP ZeroWindow - Possible Nkiller2 DDos attack"; flags:A; window:0; threshold: type both, track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2009414; classtype:attempted-dos; sid:2009414; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert udp $EXTERNAL_NET 123 -> $HOME_NET 123 (msg:"ET DOS Potential Inbound NTP denial-of-service attempt (repeated mode 7 request)"; dsize:1; content:"|17|"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010486; classtype:attempted-dos; sid:2010486; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert udp $EXTERNAL_NET 123 -> $HOME_NET 123 (msg:"ET DOS Potential Inbound NTP denial-of-service attempt (repeated mode 7 reply)"; dsize:4; content:"|97 00 00 00|"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010487; classtype:attempted-dos; sid:2010487; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET DOS Possible SolarWinds TFTP Server Read Request Denial Of Service Attempt"; content:"|00 01 01|"; depth:3; content:"NETASCII"; reference:url,www.exploit-db.com/exploits/12683/; reference:url,doc.emergingthreats.net/2011673; classtype:attempted-dos; sid:2011673; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET DOS SolarWinds TFTP Server Long Write Request Denial Of Service Attempt"; content:"|00 02|"; depth:2; isdataat:1000,relative; content:!"|0A|"; within:1000; content:"NETASCII"; distance:1000; reference:url,www.exploit-db.com/exploits/13836/; reference:url,doc.emergingthreats.net/2011674; classtype:attempted-dos; sid:2011674; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg:"ET DOS Possible VNC ClientCutText Message Denial of Service/Memory Corruption Attempt"; flow:established,to_server; content:"|06|"; depth:1; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,www.fortiguard.com/encyclopedia/vulnerability/vnc.server.clientcuttext.message.memory.corruption.html; reference:url,doc.emergingthreats.net/2011732; classtype:attempted-dos; sid:2011732; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; reference:url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx; classtype:attempted-dos; sid:2100272; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DOS Jolt attack"; dsize:408; fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:2100268; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp any any -> $HOME_NET 3000 (msg:"ET DOS ntop Basic-Auth DOS inbound"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"/configNtop.html"; distance:0; within:20; nocase; content:"Authorization|3a|"; nocase; content: "Basic"; distance:0; within:20; content:"=="; distance:0; within:100; reference:url,www.securityfocus.com/bid/36074; reference:url,www.securityfocus.com/archive/1/505862; reference:url,www.securityfocus.com/archive/1/505876; classtype:denial-of-service; sid:2011511; rev:1; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
alert tcp $HOME_NET any -> any 3000 (msg:"ET DOS ntop Basic-Auth DOS outbound"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"/configNtop.html"; distance:0; within:20; nocase; content:"Authorization|3a|"; nocase; content: "Basic"; distance:0; within:20; content:"=="; distance:0; within:100; reference:url,www.securityfocus.com/bid/36074; reference:url,www.securityfocus.com/archive/1/505862; reference:url,www.securityfocus.com/archive/1/505876; classtype:denial-of-service; sid:2011512; rev:1; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS User-Agent used in known DDoS Attacks Detected outbound"; flow:established,to_server; content:"User-agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| ru|3b| rv|3a|1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"; http_header; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011821; rev:3; metadata:created_at 2010_10_18, updated_at 2010_10_18;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS User-Agent used in known DDoS Attacks Detected inbound"; flow:established,to_server; content:"User-agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| ru|3b| rv|3a|1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"; http_header; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011822; rev:3; metadata:created_at 2010_10_18, updated_at 2010_10_18;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS User-Agent used in known DDoS Attacks Detected outbound 2"; flow:established,to_server; content:"User-agent|3a| Opera/9.02 (Windows NT 5.1|3b| U|3b| ru)"; http_header; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011823; rev:3; metadata:created_at 2010_10_18, updated_at 2010_10_18;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS User-Agent used in known DDoS Attacks Detected inbound 2"; flow:established,to_server; content:"User-agent|3a| Opera/9.02 (Windows NT 5.1|3b| U|3b| ru)"; http_header; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011824; rev:4; metadata:created_at 2010_10_18, updated_at 2010_10_18;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS Outbound Low Orbit Ion Cannon LOIC Tool Internal User May Be Participating in DDOS"; flow:to_server,established; content:"hihihihihihihihihihihihihihihihi"; nocase; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012048; rev:5; metadata:created_at 2010_12_13, updated_at 2010_12_13;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Inbound Low Orbit Ion Cannon LOIC DDOS Tool desu string"; flow:to_server,established; content:"desudesudesu"; nocase; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012049; rev:5; metadata:created_at 2010_12_13, updated_at 2010_12_13;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS Outbound Low Orbit Ion Cannon LOIC Tool Internal User May Be Participating in DDOS desu string"; flow:to_server,established; content:"desudesudesu"; nocase; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012050; rev:5; metadata:created_at 2010_12_13, updated_at 2010_12_13;)
alert http $EXTERNAL_NET any -> $HOME_NET 9495 (msg:"ET DOS IBM Tivoli Endpoint Buffer Overflow Attempt"; flow:established,to_server; content:"POST"; http_method; isdataat:261; content:!"|0A|"; depth:261; reference:url,zerodayinitiative.com/advisories/ZDI-11-169/; classtype:denial-of-service; sid:2012938; rev:2; metadata:created_at 2011_06_07, updated_at 2011_06_07;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Skype FindCountriesByNamePattern property Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"22C83263-E4B8-4233-82CD-FB047C6BF13E"; nocase; distance:0; content:".FindCountriesByNamePattern"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*22C83263-E4B8-4233-82CD-FB047C6BF13E/si"; reference:url,garage4hackers.com/f43/skype-5-x-activex-crash-poc-981.html; classtype:web-application-attack; sid:2013462; rev:3; metadata:created_at 2011_08_26, updated_at 2011_08_26;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Skype FindCountriesByNamePattern property Buffer Overflow Attempt Format String Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"SkypePNRLib.PNR"; nocase; distance:0; content:".FindCountriesByNamePattern"; nocase; reference:url,garage4hackers.com/f43/skype-5-x-activex-crash-poc-981.html; classtype:attempted-user; sid:2013463; rev:3; metadata:created_at 2011_08_26, updated_at 2011_08_26;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS LOIC Javascript DDoS Outbound"; flow:established,to_server; content:"GET"; http_method; content:"/?id="; fast_pattern; http_uri; depth:5; content:"&msg="; http_uri; distance:13; within:5; pcre:"/^\/\?id=[0-9]{13}&msg=/U"; threshold: type both, track by_src, count 5, seconds 60; reference:url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442; reference:url,www.wired.com/threatlevel/2012/01/anons-rickroll-botnet; classtype:attempted-dos; sid:2014141; rev:5; metadata:created_at 2012_01_23, updated_at 2012_01_23;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS High Orbit Ion Cannon (HOIC) Attack Inbound Generic Detection Double Spaced UA"; flow:established,to_server; content:"User-Agent|3a 20 20|"; http_raw_header; content:"User-Agent|3a 20 20|"; fast_pattern:only; threshold: type both, track by_src, count 225, seconds 60; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:attempted-dos; sid:2014153; rev:5; metadata:created_at 2012_01_27, updated_at 2012_01_27;)
alert tcp any any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt"; flags:R; flow:to_server; flowbits:isset,ms.rdp.synack; flowbits:isnotset,ms.rdp.established; flowbits:unset,ms.rdp.synack; reference:cve,2012-0152; classtype:attempted-dos; sid:2014384; rev:8; metadata:created_at 2012_03_13, updated_at 2012_03_13;)
alert tcp $HOME_NET 3389 -> any any (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn/Ack Outbound Flowbit Set"; flow:from_server; flags:SA; flowbits:isnotset,ms.rdp.synack; flowbits:set,ms.rdp.synack; flowbits:noalert; reference:cve,2012-0152; classtype:not-suspicious; sid:2014385; rev:5; metadata:created_at 2012_03_15, updated_at 2012_03_15;)
alert tcp any any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop (RDP) Session Established Flowbit Set"; flow:to_server,established; flowbits:isset,ms.rdp.synack; flowbits:unset,ms.rdp.synack; flowbits:set,ms.rdp.established; flowbits:noalert; reference:cve,2012-0152; classtype:not-suspicious; sid:2014386; rev:2; metadata:created_at 2012_03_15, updated_at 2012_03_15;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt Negative INT"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,<,0x80,0,relative,big; byte_test:1,&,0x80,1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014430; rev:13; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,<,0x80,0,relative,big; byte_jump:1,0,relative; byte_test:1,<,0x06,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014431; rev:15; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Integer indef DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,>,0x80,0,relative; byte_test:1,<,0xFF,0,relative; byte_jump:1,0,relative, post_offset -128; byte_jump:1,-1,relative; byte_test:1,<,0x06,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014662; rev:1; metadata:created_at 2012_05_02, updated_at 2012_05_02;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Negative Integer indef DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,>,0x80,0,relative; byte_test:1,<,0xFF,0,relative; byte_jump:1,0,relative, post_offset -128; byte_jump:1,-1,relative; byte_test:1,&,0x80,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014663; rev:1; metadata:created_at 2012_05_02, updated_at 2012_05_02;)
#alert icmp any any -> any any (msg:"ET DOS Microsoft Windows 7 ICMPv6 Router Advertisement Flood"; itype:134; icode:0; byte_test:1,&,0x08,2; content:"|03|"; offset:20; depth:1; byte_test:1,&,0x40,2,relative; byte_test:1,&,0x80,2,relative; threshold:type threshold, track by_src, count 10, seconds 1; reference:url,www.samsclass.info/ipv6/proj/proj8x-124-flood-router.htm; classtype:attempted-dos; sid:2014996; rev:3; metadata:created_at 2012_07_02, updated_at 2012_07_02;)
alert udp any any -> $HOME_NET 53 (msg:"ET DOS DNS Amplification Attack Inbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29|"; within:7; fast_pattern; byte_test:2,>,4095,0,relative; threshold: type both, track by_dst, seconds 60, count 5; classtype:bad-unknown; sid:2016016; rev:8; metadata:created_at 2012_12_11, updated_at 2012_12_11;)
#alert udp $HOME_NET 53 -> any any (msg:"ET DOS DNS Amplification Attack Outbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29|"; within:7; fast_pattern; byte_test:2,>,4095,0,relative; threshold: type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2016017; rev:7; metadata:created_at 2012_12_11, updated_at 2012_12_11;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS LOIC POST"; flow:established,to_server; content:"POST"; http_method; content:"13"; depth:2; http_client_body; content:"=MSG"; fast_pattern; http_client_body; distance:11; within:4; pcre:"/^13\d{11}/P"; threshold:type limit, track by_src, count 1, seconds 300; classtype:web-application-attack; sid:2016030; rev:4; metadata:created_at 2012_12_13, updated_at 2012_12_13;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS LOIC GET"; flow:established,to_server; content:"GET"; http_method; content:"/?msg=MSG"; http_uri; threshold:type limit, track by_src, count 1, seconds 300; classtype:web-application-attack; sid:2016031; rev:3; metadata:created_at 2012_12_13, updated_at 2012_12_13;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5958 ST DeviceType Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*schemas\x3adevice\x3a[^\r\n\x3a]{181}/Ri"; content:"schemas|3a|device"; nocase; fast_pattern:only; reference:cve,CVE-2012-5958; reference:cve,CVE-2012-5962; classtype:attempted-dos; sid:2016322; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5963 ST UDN Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*uuid\x3a[^\r\n\x3a]{181}/Ri"; reference:cve,CVE-2012-5963; classtype:attempted-dos; sid:2016323; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5964 ST URN ServiceType Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*urn\x3aservice\x3a[^\r\n\x3a]{181}/Ri"; content:"urn|3a|service"; nocase; fast_pattern:only; reference:cve,CVE-2012-5964; classtype:attempted-dos; sid:2016324; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5965 ST URN DeviceType Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*urn\x3adevice\x3a[^\r\n\x3a]{181}/Ri"; content:"urn|3a|device"; nocase; fast_pattern:only; reference:cve,CVE-2012-5965; classtype:attempted-dos; sid:2016325; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5961 ST UDN Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*schemas\x3adevice\x3a[^\r\n\x3a]{1,180}\x3a[^\r\n\x3a]{181}/Ri"; content:"schemas|3a|device"; nocase; fast_pattern:only; reference:cve,CVE-2012-5961; classtype:attempted-dos; sid:2016326; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
alert udp any any -> $HOME_NET 1900 (msg:"ET DOS Miniupnpd M-SEARCH Buffer Overflow CVE-2013-0229"; content:"M-SEARCH"; depth:8; isdataat:1492,relative; content:!"|0d 0a|"; distance:1490; within:2; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,CVE-2013-0229; classtype:attempted-dos; sid:2016363; rev:2; metadata:created_at 2013_02_06, updated_at 2013_02_06;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS CVE-2013-0230 Miniupnpd SoapAction MethodName Buffer Overflow"; flow:to_server,established; content:"POST "; depth:5; content:"|0d 0a|SOAPAction|3a|"; nocase; distance:0; pcre:"/^[^\r\n]+#[^\x22\r\n]{2049}/R"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,CVE-2013-0230; classtype:attempted-dos; sid:2016364; rev:1; metadata:created_at 2013_02_06, updated_at 2013_02_06;)
#alert http any any -> $HOME_NET 3128 (msg:"ET DOS Squid-3.3.5 DoS"; flow:established,to_server; content:"Host|3a| "; http_header; pcre:"/^Host\x3a[^\x3a\r\n]+?\x3a[^\r\n]{6}/Hmi"; classtype:attempted-dos; sid:2017154; rev:2; metadata:created_at 2013_07_16, updated_at 2013_07_16;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Trojan.BlackRev V1.Botnet HTTP Login POST Flood Traffic Inbound"; flow:established,to_server; content:"POST"; http_method; content:"Mozilla/4.0 (compatible|3B| Synapse)"; fast_pattern:24,9; http_user_agent; content:"login="; http_client_body; depth:6; content:"$pass="; http_client_body; within:50; threshold: type both, count 5, seconds 60, track by_src; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:attempted-dos; sid:2017722; rev:3; metadata:created_at 2013_11_14, updated_at 2013_11_14;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x02"; content:"|00 02 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017918; rev:2; metadata:created_at 2014_01_02, updated_at 2014_01_02;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03"; content:"|00 03 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017919; rev:2; metadata:created_at 2014_01_02, updated_at 2014_01_02;)
alert udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:"ET DOS Possible NTP DDoS Multiple MON_LIST Seq 0 Response Spanning Multiple Packets IMPL 0x02"; content:"|00 02 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017920; rev:2; metadata:created_at 2014_01_02, updated_at 2014_01_02;)
alert udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:"ET DOS Possible NTP DDoS Multiple MON_LIST Seq 0 Response Spanning Multiple Packets IMPL 0x03"; content:"|00 03 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017921; rev:2; metadata:created_at 2014_01_02, updated_at 2014_01_02;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress MON_LIST Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2017965; rev:3; metadata:created_at 2014_01_13, updated_at 2014_01_13;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress MON_LIST Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2017966; rev:3; metadata:created_at 2014_01_13, updated_at 2014_01_13;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Inbound GoldenEye DoS attack"; flow:established,to_server; content:"/?"; fast_pattern; http_uri; depth:2; content:"="; http_uri; distance:3; within:11; pcre:"/^\/\?[a-zA-Z0-9]{3,10}=[a-zA-Z0-9]{3,20}(?:&[a-zA-Z0-9]{3,10}=[a-zA-Z0-9]{3,20})*?$/U"; content:"Keep|2d|Alive|3a|"; http_header; content:"Connection|3a| keep|2d|alive"; http_header; content:"Cache|2d|Control|3a|"; http_header; pcre:"/^Cache-Control\x3a\x20(?:max-age=0|no-cache)\r?$/Hm"; content:"Accept|2d|Encoding|3a|"; http_header; threshold: type both, track by_src, count 100, seconds 300; reference:url,github.com/jseidl/GoldenEye; classtype:denial-of-service; sid:2018208; rev:2; metadata:created_at 2014_03_04, updated_at 2014_03_04;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Possible WordPress Pingback DDoS in Progress (Inbound)"; flow:established,to_server; content:"/xmlrpc.php"; http_uri; nocase; content:"pingback.ping"; nocase; http_client_body; fast_pattern; threshold:type both, track by_src, count 5, seconds 90; classtype:attempted-dos; sid:2018277; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2014_03_14, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS HOIC with booster outbound"; flow:to_server,established; content:"GET"; http_method; content:"HTTP/1.0|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; content:"If-Modified-Since|3a 20 20|"; http_raw_header; content:"Keep-Alive|3a 20 20|"; http_raw_header; content:"Connection|3a 20 20|"; http_raw_header; content:"User-Agent|3a 20 20|"; http_raw_header; threshold: type both, count 1, seconds 60, track by_src; reference:md5,23fc64a5cac4406d7143ea26e8c4c7ab; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:trojan-activity; sid:2018977; rev:3; metadata:created_at 2014_08_21, updated_at 2014_08_21;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS HOIC with booster inbound"; flow:to_server,established; content:"GET"; http_method; content:"HTTP/1.0|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; content:"If-Modified-Since|3a 20 20|"; http_raw_header; content:"Keep-Alive|3a 20 20|"; http_raw_header; content:"Connection|3a 20 20|"; http_raw_header; content:"User-Agent|3a 20 20|"; http_raw_header; threshold: type both, count 1, seconds 60, track by_dst; reference:md5,23fc64a5cac4406d7143ea26e8c4c7ab; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:trojan-activity; sid:2018978; rev:2; metadata:created_at 2014_08_21, updated_at 2014_08_21;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 00|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019010; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 00|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019011; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST_SUM Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 01|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019012; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST_SUM Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 01|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019013; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress GET_RESTRICT Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 10|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019014; rev:4; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress GET_RESTRICT Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 10|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019015; rev:4; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03"; content:"|00 03 00|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019016; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02"; content:"|00 02 00|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019017; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03"; content:"|00 03 01|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019018; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02"; content:"|00 02 01|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019019; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03"; content:"|00 03 10|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019020; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02"; content:"|00 02 10|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019021; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any 123 -> any any (msg:"ET DOS Likely NTP DDoS In Progress Multiple UNSETTRAP Mode 6 Responses"; content:"|df 00 00 04 00|"; offset:1; depth:5; byte_test:1,!&,128,0; byte_test:1,!&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,!&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019022; rev:4; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any any -> $HOME_NET 1900 (msg:"ET DOS Possible SSDP Amplification Scan in Progress"; content:"M-SEARCH * HTTP/1.1"; content:"ST|3a 20|ssdp|3a|all|0d 0a|"; nocase; distance:0; fast_pattern; threshold: type both,track by_src,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/29/weekly-metasploit-update; classtype:attempted-dos; sid:2019102; rev:1; metadata:created_at 2014_09_02, updated_at 2014_09_02;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely LOIC"; flow:to_server,established; dsize:18; content:"GET / HTTP/1.1|0d 0a 0d 0a|"; depth:18; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019346; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS HTTP GET AAAAAAAA Likely FireFlood"; flow:to_server,established; content:"GET AAAAAAAA HTTP/1.1"; content:!"Referer|3a|"; distance:0; content:!"Accept"; distance:0; content:!"|0d 0a|"; distance:0; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019347; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely AnonMafiaIC DDoS tool"; flow:to_server,established; dsize:20; content:"GET / HTTP/1.0|0d 0a 0d 0a 0d 0a|"; depth:20; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019348; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely AnonGhost DDoS tool"; flow:to_server,established; dsize:20; content:"GET / HTTP/1.1|0d 0a 0d 0a 0d 0a|"; depth:20; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019349; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely GoodBye 5.2 DDoS tool"; flow:to_server,established; dsize:<50; content:"|20|HTTP/1.1Host|3a 20|"; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019350; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
#alert tcp $EXTERNAL_NET 10000: -> $HOME_NET 0:1023 (msg:"ET DOS Potential Tsunami SYN Flood Denial Of Service Attempt"; flags:S; flow:to_server; dsize:>900; threshold: type both, count 20, seconds 120, track by_src; reference:url,security.radware.com/uploadedFiles/Resources_and_Content/Threat/TsunamiSYNFloodAttack.pdf; classtype:attempted-dos; sid:2019404; rev:3; metadata:created_at 2014_10_15, updated_at 2014_10_15;)
alert udp $HOME_NET 1434 -> $EXTERNAL_NET any (msg:"ET DOS MC-SQLR Response Outbound Possible DDoS Participation"; content:"|05|"; depth:1; content:"ServerName|3b|"; nocase; content:"InstanceName|3b|"; distance:0; content:"IsClustered|3b|"; distance:0; content:"Version|3b|"; distance:0; threshold:type both,track by_src,count 30,seconds 60; reference:url,kurtaubuchon.blogspot.com.es/2015/01/mc-sqlr-amplification-ms-sql-server.html; classtype:attempted-dos; sid:2020305; rev:4; metadata:created_at 2015_01_23, updated_at 2015_01_23;)
alert udp $EXTERNAL_NET 1434 -> $HOME_NET any (msg:"ET DOS MC-SQLR Response Inbound Possible DDoS Target"; content:"|05|"; depth:1; content:"ServerName|3b|"; nocase; content:"InstanceName|3b|"; distance:0; content:"IsClustered|3b|"; distance:0; content:"Version|3b|"; distance:0; threshold:type both,track by_dst,count 30,seconds 60; reference:url,kurtaubuchon.blogspot.com.es/2015/01/mc-sqlr-amplification-ms-sql-server.html; classtype:attempted-dos; sid:2020306; rev:3; metadata:created_at 2015_01_23, updated_at 2015_01_23;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Bittorrent User-Agent inbound - possible DDOS"; flow:established,to_server; content:"User-Agent|3a| Bittorrent"; http_header; threshold: type both, count 1, seconds 60, track by_src; reference:url,torrentfreak.com/zombie-pirate-bay-tracker-fuels-chinese-ddos-attacks-150124/; classtype:attempted-dos; sid:2020702; rev:2; metadata:created_at 2015_03_18, updated_at 2015_03_18;)
alert udp $HOME_NET 5093 -> $EXTERNAL_NET any (msg:"ET DOS Possible Sentinal LM Application attack in progress Outbound (Response)"; dsize:>1390; content:"|7a 00 00 00 00 00 00 00 00 00 00 00|"; depth:12; threshold: type both,track by_src,count 10,seconds 60; classtype:attempted-dos; sid:2021170; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
alert udp $EXTERNAL_NET 5093 -> $HOME_NET any (msg:"ET DOS Possible Sentinal LM Amplification attack (Response) Inbound"; dsize:>1390; content:"|7a 00 00 00 00 00 00 00 00 00 00 00|"; depth:12; threshold: type both,track by_src,count 10,seconds 60; classtype:attempted-dos; sid:2021171; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
alert udp $EXTERNAL_NET any -> $HOME_NET 5093 (msg:"ET DOS Possible Sentinal LM Amplification attack (Request) Inbound"; dsize:6; content:"|7a 00 00 00 00 00|"; threshold: type both,track by_dst,count 10,seconds 60; classtype:attempted-dos; sid:2021172; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Linux/Tsunami DOS User-Agent (x00_-gawa.sa.pilipinas.2015) INBOUND"; flow:to_server,established; content:"x00_-gawa.sa.pilipinas.2015"; http_user_agent; reference:url,vms.drweb.com/virus/?i=4656268; classtype:attempted-dos; sid:2022760; rev:2; metadata:created_at 2016_04_26, updated_at 2016_04_26;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET 1:1023 (msg:"ET DOS DNS Amplification Attack Possible Inbound Windows Non-Recursive Root Hint Reserved Port"; content:"|81 00 00 01 00 00|"; depth:6; offset:2; byte_test:2,>,10,0,relative; byte_test:2,>,10,2,relative; content:"|0c|root-servers|03|net|00|"; distance:0; content:"|0c|root-servers|03|net|00|"; distance:0; threshold: type both, track by_dst, seconds 60, count 5; reference:url,twitter.com/sempersecurus/status/763749835421941760; reference:url,pastebin.com/LzubgtVb; classtype:bad-unknown; sid:2023053; rev:2; metadata:attack_target Server, deployment Datacenter, created_at 2016_08_12, performance_impact Low, updated_at 2016_08_12;)
alert udp $HOME_NET 53 -> $EXTERNAL_NET 1:1023 (msg:"ET DOS DNS Amplification Attack Possible Outbound Windows Non-Recursive Root Hint Reserved Port"; content:"|81 00 00 01 00 00|"; depth:6; offset:2; byte_test:2,>,10,0,relative; byte_test:2,>,10,2,relative; content:"|0c|root-servers|03|net|00|"; distance:0; content:"|0c|root-servers|03|net|00|"; distance:0; threshold: type both, track by_dst, seconds 60, count 5; reference:url,twitter.com/sempersecurus/status/763749835421941760; reference:url,pastebin.com/LzubgtVb; classtype:bad-unknown; sid:2023054; rev:2; metadata:attack_target Server, deployment Datacenter, created_at 2016_08_12, performance_impact Low, updated_at 2016_08_12;)
alert tcp any any -> $HOME_NET 445 (msg:"ET DOS Microsoft Windows LSASS Remote Memory Corruption (CVE-2017-0004)"; flow:established,to_server; content:"|FF|SMB|73|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; byte_test:1,&,0x08,6,relative; byte_test:1,&,0x10,5,relative; byte_test:1,&,0x04,5,relative; byte_test:1,&,0x02,5,relative; byte_test:1,&,0x01,5,relative; content:"|ff 00|"; distance:28; within:2; content:"|84|"; distance:25; within:1; content:"NTLMSSP"; fast_pattern; within:64; reference:url,github.com/lgandx/PoC/tree/master/LSASS; reference:url,support.microsoft.com/en-us/kb/3216771; reference:url,support.microsoft.com/en-us/kb/3199173; reference:cve,2017-0004; reference:url,technet.microsoft.com/library/security/MS17-004; classtype:attempted-dos; sid:2023497; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, signature_severity Major, created_at 2016_11_11, performance_impact Low, updated_at 2017_01_12;)
alert tcp any 445 -> $HOME_NET any (msg:"ET DOS Excessive Large Tree Connect Response"; flow:from_server,established; byte_test: 3,>,1000,1; content: "|fe 53 4d 42 40 00|"; offset: 4; depth: 6; content: "|03 00|"; offset: 16; depth:2; reference:url,isc.sans.edu/forums/diary/Windows+SMBv3+Denial+of+Service+Proof+of+Concept+0+Day+Exploit/22029/; classtype:attempted-dos; sid:2023831; rev:2; metadata:affected_product SMBv3, attack_target Client_and_Server, deployment Datacenter, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)
alert tcp any 445 -> $HOME_NET any (msg:"ET DOS SMB Tree_Connect Stack Overflow Attempt (CVE-2017-0016)"; flow:from_server,established; content:"|FE|SMB"; offset:4; depth:4; content:"|03 00|"; distance:8; within:2; byte_test:1,&,1,2,relative; byte_jump:2,8,little,from_beginning; byte_jump:2,4,relative,little; isdataat:1000,relative; content:!"|FE|SMB"; within:1000; reference:cve,2017-0016; classtype:attempted-dos; sid:2023832; rev:3; metadata:affected_product SMBv3, attack_target Client_and_Server, deployment Datacenter, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_07;)
#alert tcp any any -> $HOME_NET [139,445] (msg:"ET DOS Possible SMBLoris NBSS Length Mem Exhaustion Vuln Inbound"; flow:established,to_server; content:"|00 01|"; depth:2; threshold:type both,track by_dst,count 3, seconds 90; metadata: former_category DOS; reference:url,isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/; classtype:trojan-activity; sid:2024510; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Internal, signature_severity Major, created_at 2017_08_02, performance_impact Significant, updated_at 2017_08_02;)
alert tcp any any -> $HOME_NET [139,445] (msg:"ET DOS SMBLoris NBSS Length Mem Exhaustion Attempt (PoC Based)"; flow:established,to_server; content:"|00 01 ff ff|"; depth:4; threshold:type both,track by_dst,count 30, seconds 300; metadata: former_category DOS; reference:url,isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/; classtype:trojan-activity; sid:2024511; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Internal, signature_severity Major, created_at 2017_08_02, performance_impact Significant, updated_at 2017_08_03;)
alert udp $EXTERNAL_NET 389 -> $HOME_NET 389 (msg:"ET DOS CLDAP Amplification Reflection (PoC based)"; dsize:52; content:"|30 84 00 00 00 2d 02 01 01 63 84 00 00 00 24 04 00 0a 01 00|"; fast_pattern; threshold:type both, count 100, seconds 60, track by_src; metadata: former_category DOS; reference:url,www.akamai.com/us/en/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf; reference:url,packetstormsecurity.com/files/139561/LDAP-Amplication-Denial-Of-Service.html; classtype:attempted-dos; sid:2024584; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Server, deployment Perimeter, signature_severity Major, created_at 2017_08_16, performance_impact Significant, updated_at 2017_08_16;)
alert udp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"ET DOS Potential CLDAP Amplification Reflection"; content:"objectclass0"; fast_pattern; threshold:type both, count 200, seconds 60, track by_src; metadata: former_category DOS; reference:url,www.akamai.com/us/en/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf; reference:url,packetstormsecurity.com/files/139561/LDAP-Amplication-Denial-Of-Service.html; classtype:attempted-dos; sid:2024585; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Major, created_at 2017_08_16, performance_impact Significant, updated_at 2017_08_16;)
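Review bot: this hunk vendors a stale ET Open snapshot and depends on Suricata variables that the commit does not show being defined. The newest metadata here is "updated_at 2017_08_16" on sid 2024585, so committing the rules verbatim freezes the DOS ruleset at that date; either pull the ruleset at deploy time (suricata-update against the ET Open source) and keep only local overrides in the repo, or record the upstream version and snapshot date next to the file so reviewers can tell how old it is. Several rules use address and port groups beyond HOME_NET and EXTERNAL_NET, for example sid 2018978 ("alert http $EXTERNAL_NET any -> $HTTP_SERVERS any") and sid 2019346 ("alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS"); these only load if HTTP_SERVERS and HTTP_PORTS exist under vars in the matching suricata.yaml, so that config should be part of the same change or referenced in the commit message. Finally, sid 2019404 (Tsunami SYN flood) and sid 2024510 (SMBLoris, tagged "performance_impact Significant") are shipped disabled with a leading "#"; if the intent is to enable them on the sensors, that should be done deliberately, since both are threshold-tracked by source or destination and hold per-host state on busy links.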


@@ -0,0 +1,409 @@
# Emerging Threats
#
# This distribution may contain rules under two different licenses.
#
# Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
# A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
# Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License
# as follows:
#
#*************************************************************
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
#
#
#
# This Ruleset is EmergingThreats Open optimized for suricata-1.3-enhanced.
#alert tcp any any -> any any (msg:"ET SHELLCODE Bindshell2 Decoder Shellcode"; flow:established; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; reference:url,doc.emergingthreats.net/2009246; classtype:shellcode-detect; sid:2009246; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert udp any any -> any any (msg:"ET SHELLCODE Bindshell2 Decoder Shellcode (UDP)"; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; reference:url,doc.emergingthreats.net/2009285; classtype:shellcode-detect; sid:2009285; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp any any -> any any (msg:"ET SHELLCODE Rothenburg Shellcode"; flow:established; content:"|D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance:0; reference:url,doc.emergingthreats.net/2009247; classtype:shellcode-detect; sid:2009247; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Rothenburg Shellcode (UDP)"; content:"|D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance:0; reference:url,doc.emergingthreats.net/2009284; classtype:shellcode-detect; sid:2009284; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Lindau (linkbot) xor Decoder Shellcode"; flow:established; content:"|EB 15 B9|"; content:"|81 F1|"; distance:0; content:"|80 74 31 FF|"; distance:0; content:"|E2 F9 EB 05 E8 E6 FF FF FF|"; reference:url,doc.emergingthreats.net/2009248; classtype:shellcode-detect; sid:2009248; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Lindau (linkbot) xor Decoder Shellcode (UDP)"; content:"|EB 15 B9|"; content:"|81 F1|"; distance:0; content:"|80 74 31 FF|"; distance:0; content:"|E2 F9 EB 05 E8 E6 FF FF FF|"; reference:url,doc.emergingthreats.net/2009283; classtype:shellcode-detect; sid:2009283; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Adenau Shellcode"; flow:established; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009249; classtype:shellcode-detect; sid:2009249; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Adenau Shellcode (UDP)"; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009282; classtype:shellcode-detect; sid:2009282; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Mainz/Bielefeld Shellcode"; flow:established; content:"|33 c9 66 b9|"; content:"|80 34|"; distance:0; content:"|eb 05 e8 eb ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009250; classtype:shellcode-detect; sid:2009250; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Mainz/Bielefeld Shellcode (UDP)"; content:"|33 c9 66 b9|"; content:"|80 34|"; distance:0; content:"|eb 05 e8 eb ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009281; classtype:shellcode-detect; sid:2009281; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Wuerzburg Shellcode"; flow:established; content:"|eb 27|"; content:"|5d 33 c9 66 b9|"; distance:0; content:"|8d 75 05 8b fe 8a 06 3c|"; distance:0; content:"|75 05 46 8a 06|"; distance:0; content:"|88 07 47 e2 ed eb 0a e8 da ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009251; classtype:shellcode-detect; sid:2009251; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Wuerzburg Shellcode (UDP)"; content:"|eb 27|"; content:"|5d 33 c9 66 b9|"; distance:0; content:"|8d 75 05 8b fe 8a 06 3c|"; distance:0; content:"|75 05 46 8a 06|"; distance:0; content:"|88 07 47 e2 ed eb 0a e8 da ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009280; classtype:shellcode-detect; sid:2009280; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Schauenburg Shellcode"; flow:established; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009252; classtype:shellcode-detect; sid:2009252; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Schauenburg Shellcode (UDP)"; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009279; classtype:shellcode-detect; sid:2009279; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Koeln Shellcode"; flow:established; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009253; classtype:shellcode-detect; sid:2009253; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Koeln Shellcode (UDP)"; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009278; classtype:shellcode-detect; sid:2009278; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Lichtenfels Shellcode"; flow:established; content:"|01 fc ff ff 83 e4 fc 8b ec 33 c9 66 b9|"; content:"|80 30|"; distance:0; content:"|40 e2 fA|"; distance:0; reference:url,doc.emergingthreats.net/2009254; classtype:shellcode-detect; sid:2009254; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Lichtenfels Shellcode (UDP)"; content:"|01 fc ff ff 83 e4 fc 8b ec 33 c9 66 b9|"; content:"|80 30|"; distance:0; content:"|40 e2 fA|"; distance:0; reference:url,doc.emergingthreats.net/2009277; classtype:shellcode-detect; sid:2009277; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Mannheim Shellcode"; flow:established; content:"|80 73 0e|"; content:"|43 e2|"; distance:0; content:"|73 73 73|"; distance:0; content:"|81 86 8c 81|"; distance:0; reference:url,doc.emergingthreats.net/2009255; classtype:shellcode-detect; sid:2009255; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Mannheim Shellcode (UDP)"; content:"|80 73 0e|"; content:"|43 e2|"; distance:0; content:"|73 73 73|"; distance:0; content:"|81 86 8c 81|"; distance:0; reference:url,doc.emergingthreats.net/2009276; classtype:shellcode-detect; sid:2009276; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Berlin Shellcode"; flow:established; content:"|31 c9 b1 fc 80 73 0c|"; content:"|43 e2 8b 9f|"; distance:0; reference:url,doc.emergingthreats.net/2009256; classtype:shellcode-detect; sid:2009256; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Berlin Shellcode (UDP)"; content:"|31 c9 b1 fc 80 73 0c|"; content:"|43 e2 8b 9f|"; distance:0; reference:url,doc.emergingthreats.net/2009275; classtype:shellcode-detect; sid:2009275; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Leimbach Shellcode"; flow:established; content:"|5b 31 c9 b1|"; content:"|80 73|"; distance:0; content:"|43 e2|"; distance:0; reference:url,doc.emergingthreats.net/2009257; classtype:shellcode-detect; sid:2009257; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Leimbach Shellcode (UDP)"; content:"|5b 31 c9 b1|"; content:"|80 73|"; distance:0; content:"|43 e2|"; distance:0; reference:url,doc.emergingthreats.net/2009274; classtype:shellcode-detect; sid:2009274; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Aachen Shellcode"; flow:established; content:"|8b 45 04 35|"; content:"|89 45 04 66 8b 45 02 66 35|"; distance:0; content:"|66 89 45 02|"; distance:0; reference:url,doc.emergingthreats.net/2009258; classtype:shellcode-detect; sid:2009258; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Aachen Shellcode (UDP)"; content:"|8b 45 04 35|"; content:"|89 45 04 66 8b 45 02 66 35|"; distance:0; content:"|66 89 45 02|"; distance:0; reference:url,doc.emergingthreats.net/2009273; classtype:shellcode-detect; sid:2009273; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Furth Shellcode"; flow:established; content:"|31 c9 66 b9|"; content:"|80 73|"; distance:0; content:"|43 e2 1f|"; distance:0; reference:url,doc.emergingthreats.net/2009259; classtype:shellcode-detect; sid:2009259; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Furth Shellcode (UDP)"; content:"|31 c9 66 b9|"; content:"|80 73|"; distance:0; content:"|43 e2 1f|"; distance:0; reference:url,doc.emergingthreats.net/2009272; classtype:shellcode-detect; sid:2009272; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Langenfeld Shellcode"; flow:established; content:"|eb 0f 5b 33 c9 66 b9|"; content:"|80 33|"; distance:0; content:"|43 e2 fa eb|"; distance:0; reference:url,doc.emergingthreats.net/2009260; classtype:shellcode-detect; sid:2009260; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Langenfeld Shellcode (UDP)"; content:"|eb 0f 5b 33 c9 66 b9|"; content:"|80 33|"; distance:0; content:"|43 e2 fa eb|"; distance:0; reference:url,doc.emergingthreats.net/2009271; classtype:shellcode-detect; sid:2009271; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Bonn Shellcode"; flow:established; content:"|31 c9 81 e9|"; content:"|83 eb|"; distance:0; content:"|80 73|"; distance:0; content:"|43 e2 f9|"; distance:0; reference:url,doc.emergingthreats.net/2009261; classtype:shellcode-detect; sid:2009261; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Bonn Shellcode (UDP)"; content:"|31 c9 81 e9|"; content:"|83 eb|"; distance:0; content:"|80 73|"; distance:0; content:"|43 e2 f9|"; distance:0; reference:url,doc.emergingthreats.net/2009270; classtype:shellcode-detect; sid:2009270; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Siegburg Shellcode"; flow:established; content:"|31 eb 80 eb|"; content:"|58 80 30|"; distance:0; content:"|40 81 38|"; distance:0; reference:url,doc.emergingthreats.net/2009262; classtype:shellcode-detect; sid:2009262; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Siegburg Shellcode (UDP)"; content:"|31 eb 80 eb|"; content:"|58 80 30|"; distance:0; content:"|40 81 38|"; distance:0; reference:url,doc.emergingthreats.net/2009269; classtype:shellcode-detect; sid:2009269; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Plain1 Shellcode"; flow:established; content:"|89 e1 cd|"; content:"|5b 5d 52 66 bd|"; distance:0; content:"|0f cd 09 dd 55 6a|"; distance:0; content:"|51 50|"; distance:0; reference:url,doc.emergingthreats.net/2009263; classtype:shellcode-detect; sid:2009263; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Plain1 Shellcode (UDP)"; content:"|89 e1 cd|"; content:"|5b 5d 52 66 bd|"; distance:0; content:"|0f cd 09 dd 55 6a|"; distance:0; content:"|51 50|"; distance:0; reference:url,doc.emergingthreats.net/2009268; classtype:shellcode-detect; sid:2009268; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Plain2 Shellcode"; flow:established; content:"|50 50 50 50 40 50 40 50 ff 56 1c 8b d8 57 57 68 02|"; content:"|8b cc 6a|"; distance:0; content:"|51 53|"; distance:0; reference:url,doc.emergingthreats.net/2009264; classtype:shellcode-detect; sid:2009264; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Plain2 Shellcode (UDP)"; content:"|50 50 50 50 40 50 40 50 ff 56 1c 8b d8 57 57 68 02|"; content:"|8b cc 6a|"; distance:0; content:"|51 53|"; distance:0; reference:url,doc.emergingthreats.net/2009267; classtype:shellcode-detect; sid:2009267; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Bindshell1 Decoder Shellcode"; flow:established; content:"|58 99 89 E1 CD 80 96 43 52 66 68|"; content:"|66 53 89 E1 6A 66 58 50 51 56|"; distance:0; reference:url,doc.emergingthreats.net/2009265; classtype:shellcode-detect; sid:2009265; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Bindshell1 Decoder Shellcode (UDP)"; content:"|58 99 89 E1 CD 80 96 43 52 66 68|"; content:"|66 53 89 E1 6A 66 58 50 51 56|"; distance:0; reference:url,doc.emergingthreats.net/2009266; classtype:shellcode-detect; sid:2009266; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-8 encoded Shellcode Detected"; flow:from_server,established; content:"%u"; nocase; isdataat:2; content:!"|0A|"; within:2; content:!"|20|"; within:2; pcre:"/(%U([0-9a-f]{2})){6}/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2003173; classtype:trojan-activity; sid:2003173; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 encoded Shellcode Detected"; flow:from_server,established; content:"%u"; nocase; isdataat:4; content:!"|0A|"; within:4; content:!"|20|"; within:4; pcre:"/(%U([0-9a-f]{4})){6}/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2003174; classtype:trojan-activity; sid:2003174; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 PexFnstenvMov/Sub Encoder"; flow:established; content:"|D9 EE D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance: 4; within: 5; reference:url,doc.emergingthreats.net/bin/view/Main/2002903; classtype:shellcode-detect; sid:2002903; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 Alpha2 GetEIPs Encoder"; flow:established; content:"|EB 03 59 EB 05 E8 F8 FF FF FF|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002904; classtype:shellcode-detect; sid:2002904; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 Countdown Encoder"; flow:established; content:"|E8 FF FF FF FF C1 5E 30 4C 0E 07 E2 FA|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002905; classtype:shellcode-detect; sid:2002905; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 PexAlphaNum Encoder"; flow:established; content:"VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089"; content:"JJJJJ"; distance: 2; within: 5; content:"VTX630VX4A0B6HH0B30BCVX2BDBH4A2AD0ADTBDQB0ADAVX4Z8BDJOM"; distance: 2; within: 55; reference:url,doc.emergingthreats.net/bin/view/Main/2002906; classtype:shellcode-detect; sid:2002906; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE x86 PexCall Encoder"; flow:established; content:"|E8 FF FF FF FF C0 5E 81 76 0E|"; content:"|82 EE FC E2 F4|"; distance: 4; within: 5; reference:url,doc.emergingthreats.net/bin/view/Main/2002907; classtype:shellcode-detect; sid:2002907; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE x86 JmpCallAdditive Encoder"; flow:established; content:"|FC BB|"; content:"|EB 0C 5E 56 31 1E AD 01 C3 85 C0 75 F7 C3 E8 EF FF FF FF|"; distance: 4; within: 19; reference:url,doc.emergingthreats.net/bin/view/Main/2002908; classtype:shellcode-detect; sid:2002908; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell"; content:"|83 e9 ec d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010383; classtype:shellcode-detect; sid:2010383; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 2)"; content:"|82 ed 5f 4c 5d 52 43 78 03 d9 95 8f 84 49 4a 48 71 74 45 d3|"; reference:url,doc.emergingthreats.net/2010385; classtype:shellcode-detect; sid:2010385; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 3)"; content:"|9f 90 4b ef a3 76 76 74 97 36 e4 aa bc 46 2f 77 45 6a 69 63|"; reference:url,doc.emergingthreats.net/2010386; classtype:shellcode-detect; sid:2010386; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 4)"; content:"|64 65 f8 b6 7e 41 cc 6a 53 13 12 4d 57 28 6e 20 2a 2a cc a5|"; reference:url,doc.emergingthreats.net/2010387; classtype:shellcode-detect; sid:2010387; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 5)"; content:"|17 1c 1a 19 fb 77 80 ce|"; reference:url,doc.emergingthreats.net/2010388; classtype:shellcode-detect; sid:2010388; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Encoded 1)"; content:"|c9 83 e9 ec e8 ff ff ff ff c0 5e 81 76 0e|"; reference:url,doc.emergingthreats.net/2010389; classtype:shellcode-detect; sid:2010389; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Encoded 2)"; content:"|83 ee fc e2 f4|"; reference:url,doc.emergingthreats.net/2010390; classtype:shellcode-detect; sid:2010390; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 1)"; content:"|6a 61 58 99 52 68 10 02|"; reference:url,doc.emergingthreats.net/2010391; classtype:shellcode-detect; sid:2010391; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 2)"; content:"|89 e1 52 42 52 42 52 6a 10 cd 80 99 93 51 53 52 6a 68 58 cd|"; reference:url,doc.emergingthreats.net/2010392; classtype:shellcode-detect; sid:2010392; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 3)"; content:"|80 b0 6a cd 80 52 53 52 b0 1e cd 80 97 6a 02 59 6a 5a 58 51|"; reference:url,doc.emergingthreats.net/2010393; classtype:shellcode-detect; sid:2010393; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 4)"; content:"|57 51 cd 80 49 79 f5 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3|"; reference:url,doc.emergingthreats.net/2010394; classtype:shellcode-detect; sid:2010394; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 5)"; content:"|50 54 53 53 b0 3b cd 80|"; reference:url,doc.emergingthreats.net/2010395; classtype:shellcode-detect; sid:2010395; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 1)"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 4f 49 49 49 49 49 49 51 5a 56|"; reference:url,doc.emergingthreats.net/2010396; classtype:shellcode-detect; sid:2010396; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 2)"; content:"|54 58 36 33 30 56 58 34 41 30 42 36 48 48 30 42 33 30 42 43|"; reference:url,doc.emergingthreats.net/2010397; classtype:shellcode-detect; sid:2010397; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 3)"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54 42 44 51 42|"; reference:url,doc.emergingthreats.net/2010398; classtype:shellcode-detect; sid:2010398; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 4)"; content:"|30 41 44 41 56 58 34 5a 38 42 44 4a 4f 4d 4c 36 41|"; reference:url,doc.emergingthreats.net/2010399; classtype:shellcode-detect; sid:2010399; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 5)"; content:"|41 4e 44 35 44 34 44|"; reference:url,doc.emergingthreats.net/2010400; classtype:shellcode-detect; sid:2010400; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 1)"; content:"|6a 14 59 d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010401; classtype:shellcode-detect; sid:2010401; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 2)"; content:"|83 eb fc e2 f4|"; reference:url,doc.emergingthreats.net/2010402; classtype:shellcode-detect; sid:2010402; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (JmpCallAdditive Encoded)"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff ff ff|"; reference:url,doc.emergingthreats.net/2010403; classtype:shellcode-detect; sid:2010403; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 1)"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 49 49 49 49 49 49 49 49 49 49|"; reference:url,doc.emergingthreats.net/2010404; classtype:shellcode-detect; sid:2010404; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 2)"; content:"|41 42 32 42 41 32 41 41 30 41 41 58|"; reference:url,doc.emergingthreats.net/2010405; classtype:shellcode-detect; sid:2010405; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 3)"; content:"|49 72 4e 4e 69 6b 53|"; reference:url,doc.emergingthreats.net/2010406; classtype:shellcode-detect; sid:2010406; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 1)"; content:"|c9 83 e9 ef d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010407; classtype:shellcode-detect; sid:2010407; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 1)"; content:"|6a 43 59 e8 ff ff ff ff c1 5e 30 4c 0e 07 e2 fa 6b 63 5b 9d|"; reference:url,doc.emergingthreats.net/2010409; classtype:shellcode-detect; sid:2010409; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 2)"; content:"|9f f6 72 09 4b 4b 4d 8a 74 7d 78 ec a2 49 26 7c 96 7d 79 7e|"; reference:url,doc.emergingthreats.net/2010410; classtype:shellcode-detect; sid:2010410; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 3)"; content:"|7b e6 ac 64 57 d9 60 59 1d 1c 47 5d 5e 18 5a 50 54 b2 df 6d|"; reference:url,doc.emergingthreats.net/2010411; classtype:shellcode-detect; sid:2010411; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 4)"; content:"|57 44 55 4a 5b 62|"; reference:url,doc.emergingthreats.net/2010412; classtype:shellcode-detect; sid:2010412; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Encoded 1)"; content:"|c9 83 e9 ef e8 ff ff ff ff c0 5e 81 76 0e|"; reference:url,doc.emergingthreats.net/2010413; classtype:shellcode-detect; sid:2010413; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Encoded 2)"; content:"|83 ee fc e2 f4|"; reference:url,doc.emergingthreats.net/2010414; classtype:shellcode-detect; sid:2010414; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 1)"; content:"|51 cd 80 49 79 f6 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 50|"; reference:url,doc.emergingthreats.net/2010415; classtype:shellcode-detect; sid:2010415; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 2)"; content:"|6a 61 58 99 52 42 52 42 52 68|"; reference:url,doc.emergingthreats.net/2010416; classtype:shellcode-detect; sid:2010416; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 3)"; content:"|89 e1 6a 10 51 50 51 97 6a 62 58 cd 80 6a 02 59 b0 5a 51 57|"; reference:url,doc.emergingthreats.net/2010417; classtype:shellcode-detect; sid:2010417; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 1)"; content:"|44 32 4d 4c 42 48 4a 46 42 31 44 50 50 41 4e 4f 49 38 41 4e|"; reference:url,doc.emergingthreats.net/2010418; classtype:shellcode-detect; sid:2010418; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 2)"; content:"|4c 36 42 41 41 35 42 45 41 35 47 59 4c 36 44 56 4a 35 4d 4c|"; reference:url,doc.emergingthreats.net/2010419; classtype:shellcode-detect; sid:2010419; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 3)"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54 42 44 51 42|"; reference:url,doc.emergingthreats.net/2010420; classtype:shellcode-detect; sid:2010420; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 1)"; content:"|6a 11 59 d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010421; classtype:shellcode-detect; sid:2010421; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (JmpCallAdditive Encoded 1)"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff ff ff|"; reference:url,doc.emergingthreats.net/2010423; classtype:shellcode-detect; sid:2010423; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 1)"; content:"|49 49 49 49 49 49 49 51 5a 6a|"; reference:url,doc.emergingthreats.net/2010424; classtype:shellcode-detect; sid:2010424; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 2)"; content:"|58 50 30 42 31 41 42 6b 42 41|"; reference:url,doc.emergingthreats.net/2010425; classtype:shellcode-detect; sid:2010425; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 3)"; content:"|32 41 41 30 41 41 58 50 38 42 42 75|"; reference:url,doc.emergingthreats.net/2010426; classtype:shellcode-detect; sid:2010426; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (SPARC Encoded 1)"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03 e0 20 aa 9d 40 11|"; reference:url,doc.emergingthreats.net/2010427; classtype:shellcode-detect; sid:2010427; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (SPARC Encoded 2)"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff fb 9e 03 e0 04|"; reference:url,doc.emergingthreats.net/2010428; classtype:shellcode-detect; sid:2010428; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 1)"; content:"|e0 23 bf f0 c0 23 bf f4 92 23 a0 10 94 10 20 10 82 10 20 68|"; reference:url,doc.emergingthreats.net/2010429; classtype:shellcode-detect; sid:2010429; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 2)"; content:"|91 d0 20 08 d0 03 bf f8 92 10 20 01 82 10 20 6a 91 d0 20 08|"; reference:url,doc.emergingthreats.net/2010430; classtype:shellcode-detect; sid:2010430; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 3)"; content:"|d0 03 bf f8 92 1a 40 09 94 12 40 09 82 10 20 1e 91 d0 20 08|"; reference:url,doc.emergingthreats.net/2010431; classtype:shellcode-detect; sid:2010431; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 4)"; content:"|23 0b dc da 90 23 a0 10 92 23 a0 08 e0 3b bf f0 d0 23 bf f8|"; reference:url,doc.emergingthreats.net/2010432; classtype:shellcode-detect; sid:2010432; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 1)"; content:"|9c 2b a0 07 94 1a c0 0b 92 10 20 01 90 10 20 02 82 10 20 61|"; reference:url,doc.emergingthreats.net/2010433; classtype:shellcode-detect; sid:2010433; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 2)"; content:"|91 d0 20 08 d0 23 bf f8 92 10 20 03 92 a2 60 01 82 10 20 5a|"; reference:url,doc.emergingthreats.net/2010434; classtype:shellcode-detect; sid:2010434; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 3)"; content:"|91 d0 20 08 12 bf ff fd d0 03 bf f8 21 3f c0|"; reference:url,doc.emergingthreats.net/2010437; classtype:shellcode-detect; sid:2010437; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 1)"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03 e0 20 aa 9d 40 11|"; reference:url,doc.emergingthreats.net/2010435; classtype:shellcode-detect; sid:2010435; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 2)"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff fb 9e 03 e0 04|"; reference:url,doc.emergingthreats.net/2010436; classtype:shellcode-detect; sid:2010436; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE AIX NOOP"; content:"O|FF FB 82|O|FF FB 82|O|FF FB 82|O|FF FB 82|"; classtype:shellcode-detect; sid:2100640; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|"; reference:arachnids,352; classtype:shellcode-detect; sid:2100641; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|"; reference:arachnids,358; classtype:shellcode-detect; sid:2100642; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|"; reference:arachnids,359; classtype:shellcode-detect; sid:2100643; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; reference:arachnids,343; classtype:shellcode-detect; sid:2100652; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%"; reference:arachnids,356; classtype:shellcode-detect; sid:2100638; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4"; reference:arachnids,357; classtype:shellcode-detect; sid:2100639; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|"; reference:arachnids,345; classtype:shellcode-detect; sid:2100644; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|"; reference:arachnids,353; classtype:shellcode-detect; sid:2100645; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|"; reference:arachnids,355; classtype:shellcode-detect; sid:2100646; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc setuid 0"; content:"|82 10| |17 91 D0| |08|"; reference:arachnids,282; classtype:system-call-detect; sid:2100647; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x71FB7BAB NOOP unicode"; content:"q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|"; classtype:shellcode-detect; sid:2102313; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x71FB7BAB NOOP"; content:"q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|"; classtype:shellcode-detect; sid:2102312; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x90 NOOP unicode"; content:"|90 00 90 00 90 00 90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2102314; rev:4; metadata:created_at 2010_09_23, updated_at 2016_09_09;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x90 unicode NOOP"; content:"|90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2100653; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0xEB0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; fast_pattern:only; classtype:shellcode-detect; sid:2101424; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; reference:arachnids,181; classtype:shellcode-detect; sid:2100648; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; metadata: former_category SHELLCODE; classtype:shellcode-detect; sid:2101390; rev:6; metadata:created_at 2010_09_23, updated_at 2017_09_08;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|"; reference:arachnids,284; classtype:system-call-detect; sid:2100649; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|"; reference:arachnids,436; classtype:system-call-detect; sid:2100650; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 stealth NOOP"; content:"|EB 02 EB 02 EB 02|"; metadata: former_category SHELLCODE; reference:arachnids,291; classtype:shellcode-detect; sid:2100651; rev:9; metadata:created_at 2010_09_23, updated_at 2017_09_08;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101324; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101326; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SHELLCODE MSSQL shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; fast_pattern:only; classtype:shellcode-detect; sid:2100691; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape %u Shellcode/Heap Spray"; flow:established,to_client; content:"unescape"; nocase; content:"%u"; nocase; distance:0; content:"%u"; nocase; within:6; pcre:"/unescape.+\x25u[0-9,a-f]{2,4}\x25u[0-9,a-f]{2,4}/smi"; reference:url,www.w3schools.com/jsref/jsref_unescape.asp; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,malzilla.sourceforge.net/tutorial01/index.html; reference:url,doc.emergingthreats.net/2011346; classtype:shellcode-detect; sid:2011346; rev:7; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected"; flow:established; content:"|EB|"; byte_jump:1,0,relative; content:"|E8|"; within:1; content:"|FF FF FF|"; distance:1; within:3; content:!"MZ"; content:!"This program cannot be run in DOS mode"; content:!"Windows Program"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2011803; rev:5; metadata:created_at 2010_10_12, updated_at 2010_10_12;)
#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UDP x86 JMP to CALL Shellcode Detected"; content:"|EB|"; byte_jump:1,0,relative; content:"|E8|"; within:1; content:"|FF FF FF|"; distance:1; within:3; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2011804; rev:2; metadata:created_at 2010_10_12, updated_at 2010_10_12;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 58|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012087; rev:2; metadata:created_at 2010_12_23, updated_at 2010_12_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 8F|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012088; rev:3; metadata:created_at 2010_12_23, updated_at 2016_09_16;)
#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 8F|"; fast_pattern:only; metadata: former_category SHELLCODE; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012089; rev:2; metadata:created_at 2010_12_23, updated_at 2017_09_08;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 0F 1A|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012090; rev:2; metadata:created_at 2010_12_23, updated_at 2010_12_23;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 0F 1A|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012091; rev:3; metadata:created_at 2010_12_23, updated_at 2010_12_23;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 0F A9|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012092; rev:2; metadata:created_at 2010_12_23, updated_at 2010_12_23;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 0F A9|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012093; rev:3; metadata:created_at 2010_12_23, updated_at 2010_12_23;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-8 %u90 NOP SLED"; flow:established,to_client; content:"%u90%u90"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012110; rev:3; metadata:created_at 2011_12_28, updated_at 2011_12_28;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 %u9090 NOP SLED"; flow:established,to_client; content:"%u9090%u"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012111; rev:4; metadata:created_at 2011_12_28, updated_at 2011_12_28;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Encoded %90 NOP SLED"; flow:established,to_client; content:"%90%90%90%90"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012112; rev:4; metadata:created_at 2011_12_28, updated_at 2011_12_28;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Usage of Actionscript ByteArray writeByte Function to Build Shellcode"; flow:established,to_client; content:"writeByte(0x"; nocase; pcre:"/writeByte\x280x[a-z,0-9]{2}.+writeByte\x280x[a-z,0-9]{2}.+writeByte\x280x[a-z,0-9]{2}/smi"; reference:url,blog.fireeye.com/research/2009/07/actionscript_heap_spray.html; classtype:shellcode-detect; sid:2012120; rev:2; metadata:created_at 2011_12_30, updated_at 2011_12_30;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation"; flow:established,to_client; content:"unescape|28 22|"; content:!"|29|"; within:100; content:"|22| +|0a|"; within:80; content:"|22| +|0a|"; within:80; content:"|22| "; within:80; content:"|22| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012196; rev:3; metadata:created_at 2011_01_17, updated_at 2011_01_17;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation 2"; flow:established,to_client; content:"unescape|28 27|"; content:!"|29|"; within:100; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012197; rev:4; metadata:created_at 2011_01_17, updated_at 2011_01_17;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common 0a0a0a0a Heap Spray String"; flow:established,to_client; content:"0a0a0a0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012252; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %0a%0a%0a%0a Heap Spray String"; flow:established,to_client; content:"%0a%0a%0a%0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012253; rev:2; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a0a%u0a0a UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0a0a%u0a0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012254; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a%u0a%u0a%u0a UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0a%u0a%u0a%u0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012255; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common 0c0c0c0c Heap Spray String"; flow:established,to_client; content:"0c0c0c0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012256; rev:2; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String"; flow:established,to_client; content:"%0c%0c%0c%0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012257; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c0c%u0c0c UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0c0c%u0c0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012258; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c%u0c%u0c%u0c UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0c%u0c%u0c%u0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012259; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE UTF-8/16 Encoded Shellcode"; flow:established,to_client; content:"|5C|u"; nocase; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; pcre:"/\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}/i"; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012510; rev:2; metadata:created_at 2011_03_16, updated_at 2011_03_16;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Variable %u Shellcode"; flow:established,to_client; content:"= unescape|28|"; nocase; content:"%u"; nocase; within:3; content:"%u"; nocase; within:6; pcre:"/var\x20[a-z,0-9]{1,30}\x20\x3D\x20unescape\x28.\x25u[a-f,0-9]{2,4}\x25u[a-f,0-9]{2,4}/i"; reference:url,www.symantec.com/avcenter/reference/evolving.shell.code.pdf; classtype:shellcode-detect; sid:2012534; rev:2; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Variable Unicode Shellcode"; flow:established,to_client; content:"= unescape|28|"; nocase; content:"|5C|u"; nocase; within:3; content:"|5C|u"; nocase; within:6; pcre:"/var\x20[a-z,0-9]{1,30}\x20\x3D\x20unescape\x28.\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}/i"; reference:url,www.symantec.com/avcenter/reference/evolving.shell.code.pdf; classtype:shellcode-detect; sid:2012535; rev:2; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Javascript Split String Unicode Heap Spray Attempt"; flow:established,to_client; content:"|22|u|22 20|+|20 22|0|22 20|+|20 22|"; content:"|22 20|+|20 22|"; distance:1; within:5; pcre:"/\x220\x22\x20\x2B\x20\x22[a-d]\x22\x20\x2B\x20\x22/smi"; classtype:shellcode-detect; sid:2012925; rev:2; metadata:created_at 2011_06_02, updated_at 2011_06_02;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0a0a0a0a Heap Spray Attempt"; flow:established,to_client; content:"0x0a0a0a0a"; nocase; classtype:shellcode-detect; sid:2012962; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0b0b0b0b Heap Spray Attempt"; flow:established,to_client; content:"0x0b0b0b0b"; nocase; classtype:shellcode-detect; sid:2012963; rev:2; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0c0c0c0c Heap Spray Attempt"; flow:established,to_client; content:"0x0c0c0c0c"; nocase; classtype:shellcode-detect; sid:2012964; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0d0d0d0d Heap Spray Attempt"; flow:established,to_client; content:"0x0d0d0d0d"; nocase; classtype:shellcode-detect; sid:2012965; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %0d%0d%0d%0d Heap Spray Attempt"; flow:established,to_client; content:"%0d%0d%0d%0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012966; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u0d%u0d%u0d%u0d UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"%u0d%u0d%u0d%u0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012967; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u0d0d%u0d0d UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"%u0d0d%u0d0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012968; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Vertical Slash Unicode Heap Spray Attempt"; flow:established,to_client; content:"|7C|u0"; nocase; content:"|7C|u0"; distance:1; within:4; pcre:"/\x7Cu0[a-d](\x7Cu0|0)[a-d]/\x7Cu0[a-d](\x7Cu0|0)[a-d]/i"; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012969; rev:2; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Unicode Heap Spray Attempt"; flow:established,to_client; content:"|5C|u0"; nocase; content:"|5C|u0"; distance:1; within:4; pcre:"/\x5Cu0[a-d](\x5Cu0|0)[a-d]/\x5Cu0[a-d](\x5Cu0|0)[a-d]/i"; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012970; rev:2; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt"; flow:established,to_client; content:"%41%41%41%41"; fast_pattern:only; classtype:shellcode-detect; sid:2013145; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u41%u41%u41%u41 UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"%u41%u41%u41%u41"; nocase; fast_pattern:only; classtype:shellcode-detect; sid:2013146; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u4141%u4141 UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"%u4141%u4141"; nocase; fast_pattern:only; classtype:shellcode-detect; sid:2013147; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE JavaScript Redefinition of a HeapLib Object - Likely Malicious Heap Spray Attempt"; flow:established,to_client; content:"heap|2E|"; nocase; fast_pattern:only; pcre:"/var\x20[^\n\r]*\x3D[^\n\r]*heap\x2E/smi"; classtype:shellcode-detect; sid:2013148; rev:3; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; file_data; content:"|5C|x0b|5C|x0b|5C|x0b|5C|x0b"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013268; rev:4; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C|x0c|5C|x0c|5C|x0c|5C|x0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013269; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C|x0d|5C|x0d|5C|x0d|5C|x0d"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013270; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C|x90|5C|x90|5C|x90|5C|x90"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013271; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Hex Obfuscated Content"; flow:established,to_client; content:"unescape|28|"; fast_pattern; content:"|5C|x"; distance:1; within:2; content:"|5C|x"; distance:2; within:2; content:"|5C|x"; distance:2; within:2; content:"|5C|x"; distance:2; within:2; pcre:"/unescape\x28(\x22|\x27)\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}/smi"; classtype:shellcode-detect; sid:2013272; rev:3; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C|x41|5C|x41|5C|x41|5C|x41"; nocase; fast_pattern:only; metadata: former_category SHELLCODE; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013273; rev:2; metadata:created_at 2011_07_14, updated_at 2017_09_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0a0a0a0a"; flow:established,to_client; content:"|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013274; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; content:"|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013275; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013276; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013277; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C 5C|x90|5C 5C|x90|5C 5C|x90|5C 5C|x90"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013278; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C 5C|x41|5C 5C|x41|5C 5C|x41|5C 5C|x41"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013279; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unicode UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"u0"; nocase; content:"u0"; nocase; distance:1; within:2; content:"u0"; nocase; distance:1; within:2; content:"u0"; nocase; distance:1; within:2; pcre:"/u0[a-d]u0[a-d]u0[a-d]u0[a-d]/smi"; classtype:shellcode-detect; sid:2013319; rev:2; metadata:created_at 2011_07_27, updated_at 2011_07_27;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unicode UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"u0"; nocase; content:"u0"; nocase; distance:3; within:2; pcre:"/u0[a-d]0[a-d]u0[a-d]0[a-d]/smi"; classtype:shellcode-detect; sid:2013320; rev:2; metadata:created_at 2011_07_27, updated_at 2011_07_27;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-8 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c|5C|0c"; nocase; distance:0; classtype:bad-unknown; sid:2016714; rev:2; metadata:created_at 2013_04_03, updated_at 2013_04_03;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-16 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c0c"; nocase; distance:0; metadata: former_category SHELLCODE; classtype:bad-unknown; sid:2016715; rev:2; metadata:created_at 2013_04_03, updated_at 2017_09_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 u9090 NOP SLED"; file_data; flow:established,to_client; content:"|5c|u9090|5c|"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2017345; rev:4; metadata:created_at 2013_08_19, updated_at 2013_08_19;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Polymorphic Flush IPTables Shellcode"; content:"|6a 52 58 99 52 66 68 2d 46 54 5b 52 48 b9 69 70 74 61 62 6c 65 73 51 d0 e0 28 c8 48 b9 2f 2f 73 62 69 6e 2f 2f 51 54 5f 52 53 57 54 5e 0f 05|"; fast_pattern:only; metadata: former_category SHELLCODE; reference:url,a41l4.blogspot.ca/2017/03/polyflushiptables1434.html; classtype:shellcode-detect; sid:2024057; rev:1; metadata:affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Critical, created_at 2017_03_15, performance_impact Low, updated_at 2017_03_15;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Polymorphic Setuid(0) & Execve(/bin/sh) Shellcode"; content:"|31 ff 57 6a 69 58 48 bb 5e c4 d2 dc 5e 5e e6 d0 0f 05 48 d1 cb b0 3b 53 87 f7 54 99 5f 0f 05|"; fast_pattern:only; metadata: former_category SHELLCODE; reference:url,a41l4.blogspot.ca/2017/03/polysetuidexecve1434.html; classtype:shellcode-detect; sid:2024058; rev:1; metadata:affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Critical, created_at 2017_03_15, performance_impact Low, updated_at 2017_03_15;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Reverse Shell Shellcode"; content:"|6a 02 6a 2a 6a 10 6a 29 6a 01 6a 02|"; content:"|48 bf 2f 2f 62 69 6e 2f 73 68|"; fast_pattern:only; metadata: former_category SHELLCODE; reference:url,exploit-db.com/exploits/41477/; classtype:shellcode-detect; sid:2024065; rev:1; metadata:affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Critical, created_at 2017_03_16, performance_impact Low, updated_at 2017_03_16;)
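Review bot: the enabled/disabled mix in this block is undocumented and looks inconsistent, which will bite on the next upstream refresh. sid 2012252 (`content:"0a0a0a0a"; nocase;` on every HTTP to_client body) is active while its siblings sid 2012253 (`%0a%0a%0a%0a`) and sid 2012256 (`0c0c0c0c`) are commented out; the Metasploit BSD SPARC reverse-shell sids 2010434-2010437 are disabled while the GPL sparc NOOP sids 2100644-2100646 stay on; and of the two backslash-escaped 0c0c heap-spray rules only sid 2016714 is live. If these are the vendor defaults as shipped, state that (and the ET release date) in the commit message; if they were tuned for this deployment, keep the tuning in a separate enable/disable overlay file instead of editing the vendored rule file, so that re-importing Emerging Threats does not silently re-enable or drop them. Also worth noting for whoever deploys this: the file uses `alert http ...` rule headers and `file_data`, so it is a Suricata ruleset, not a Snort 2 one; a one-line comment at the top of the file saying which engine and version it was validated against would save the next reader a test load.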


@ -0,0 +1,447 @@
# Emerging Threats
#
# This distribution may contain rules under two different licenses.
#
# Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
# A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
# Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License
# as follows:
#
#*************************************************************
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
#
#
#
# This Ruleset is EmergingThreats Open optimized for suricata-1.3-enhanced.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Command and Control Communication"; flow:established,to_server; content:"POST"; http_method; content:"/getAdXml.do"; http_uri; nocase; content:"params="; nocase; reference:url,www.isc.sans.org/diary.html?storyid=10186; classtype:trojan-activity; sid:2012140; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_01_05, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 1"; flow:established,to_server; content:"/push/androidxml/"; http_uri; nocase; content:"sim="; http_uri; nocase; content:"tel="; http_uri; nocase; content:"imsi="; http_uri; content:"pid="; http_uri; nocase; reference:url,virus.netqin.com/en/android/MSO.PJApps.A; classtype:trojan-activity; sid:2012451; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 9033 (msg:"ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 2"; flow:established,to_server; content:".log"; http_uri; nocase; content:"id="; http_uri; nocase; content:"softid="; http_uri; nocase; reference:url,virus.netqin.com/en/android/MSO.PJApps.A/; classtype:trojan-activity; sid:2012452; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan DroidDream Command and Control Communication"; flow:established,to_server; content:"POST"; http_method; content:"/GMServer/GMServlet"; nocase; http_uri; content:"|0d 0a|User-Agent|3a| Dalvik"; http_header; reference:url,blog.mylookout.com/2011/03/security-alert-malware-found-in-official-android-market-droiddream/; classtype:trojan-activity; sid:2012453; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Fake10086 checkin 1"; flow:established,to_server; content:"POST"; http_method; content:"request"; http_uri; nocase; content:".php"; http_uri; nocase; content:"<imei>"; content:"<smscenter>"; content:"<installtime>"; reference:url,blog.aegislab.com/index.php?op=ViewArticle&articleId=81&blogId=1; classtype:trojan-activity; sid:2012454; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Fake10086 checkin 2"; flow:established,to_server; content:"req.php"; nocase; http_uri; content:"pid="; http_uri; nocase; content:"ver="; http_uri; nocase; content:"area="; http_uri; nocase; content:"insttime="; http_uri; nocase; content:"first="; http_uri; nocase; reference:url,blog.aegislab.com/index.php?op=ViewArticle&articleId=81&blogId=1; classtype:trojan-activity; sid:2012455; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D StartUpdata.ini Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/"; nocase; http_uri; content:"StartUpdata.ini"; nocase; http_uri; within:30; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012782; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D BackgroundUpdata.ini Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/BackgroundUpdata.ini"; http_uri; nocase; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012783; rev:3; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D active.txt Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/"; http_uri; nocase; content:"active.txt"; nocase; http_uri; within:30; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012784; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.B/E CnC Checkin Request"; flow:established,to_server; content:"/Kernel.jsp?Version="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012844; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request"; flow:established,to_server; content:"/bs?Version="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012845; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request 2"; flow:established,to_server; content:"/number/?PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012846; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.F CnC Checkin Request 3"; flow:established,to_server; content:".jsp?PhoneType="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012847; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URI"; flow:established,to_server; content:"POST"; http_method; content:"imei="; nocase; http_uri; pcre:"/imei=\d{2}-?\d{6}-?\d{6,}-?\d{1,}/Ui"; content:!"Host|3a 20|iphone-wu.apple.com"; http_header; reference:url,www.met.police.uk/mobilephone/imei.htm; classtype:trojan-activity; sid:2012848; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Flexispy.a Commercial Spying App Sending User Information to Server"; flow:established,to_server; content:"Host|3a| mobile.flexispy.com"; http_header; content:"/service"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_flexispy.a!tr.spy.html; classtype:trojan-activity; sid:2012850; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I PropertyFile.jsp CnC Server Communication"; flow:established,to_server; content:"/PropertyFile.jsp?Version="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:trojan-activity; sid:2012851; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I TipFile.jsp CnC Server Communication"; flow:established,to_server; content:"TipFile.jsp"; http_uri; content:"&LanguageCode="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"&PhoneImsi="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:trojan-activity; sid:2012852; rev:4; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I NumberFile.jsp CnC Server Communication"; flow:established,to_server; content:"NumberFile.jsp?Version="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"&PhoneImsi="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:trojan-activity; sid:2012853; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Merogo User Agent"; flow:established,to_server; content:"User-Agent|3A| LiveUpdater 1.0"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_merogo.b!tr.html; classtype:trojan-activity; sid:2012854; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Geographic Location Logs To Remote Server"; flow:established,to_server; content:"/webapi/gpslog.php"; nocase; http_uri; content:"&long="; nocase; http_uri; content:"&lat="; nocase; http_uri; content:"&speed="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012855; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Call Logs to Remote Server"; flow:established,to_server; content:"/webapi/calllog.php"; http_uri; content:"&date="; http_uri; content:"&time="; http_uri; content:"&from="; http_uri; content:"&dur="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012856; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending SMS Logs to Remote Server"; flow:established,to_server; content:"/webapi/sms.php"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012857; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server"; flow:established,to_server; content:"/HiShowServlet/servlet"; http_uri; pcre:"/\x2FHiShowServlet\x2Fservlet.+(InstalNum|UserActivation)/Ui"; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012858; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server"; flow:established,to_server; content:"/cot?ID="; http_uri; content:"&DLType="; http_uri; content:"&SD="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012859; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a User Agent LARK/1.3.0"; flow:established,to_server; content:"User-Agent|3A| LARK/"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012861; rev:4; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"/billwebsvr.dll?Buy?user="; http_uri; content:"&key="; http_uri; content:"&channel="; http_uri; content:"&corp="; http_uri; content:"&product="; http_uri; content:"&phone="; http_uri; content:"&private="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012862; rev:4; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"?id="; http_uri; content:"&time="; http_uri; content:"&imei="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012863; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"sender="; http_uri; content:"&cpId="; http_uri; content:"&cpServiceId="; http_uri; content:"&channelId="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012864; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/SuperFairy.D Bookmarked Connection to Server"; flow:established,to_server; content:"jiao.com"; http_header; fast_pattern; content:"/?id=book22"; nocase; http_uri; pcre:"/Host\x3A[^\n\r]*jiao.com/Hi"; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012904; rev:2; metadata:created_at 2011_05_31, updated_at 2011_05_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Smspacem CnC Communication Attempt"; flow:established,to_server; content:"/talktome.asmx"; nocase; http_uri; content:"cell"; http_client_body; nocase; content:"opname"; nocase; distance:0; http_client_body; reference:url,www.fortiguard.com/encyclopedia/virus/android_smspacem.a!tr.html; classtype:trojan-activity; sid:2012924; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_02, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Iphone iKee.B Checkin"; flow:established,to_server; content:"/xlm.p.php?id="; http_uri; nocase; reference:url,mtc.sri.com/iPhone/; classtype:trojan-activity; sid:2013019; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE DroidKungFu Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/search/sayhi.php"; http_uri; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013020; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Possible Post of Infected Mobile Device Location Information"; flow:established,to_server; content:"POST"; http_method; nocase; content:"longitude="; http_uri; nocase; content:"latitude="; http_uri; nocase; classtype:trojan-activity; sid:2013021; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE DroidKungFu Checkin 2"; flow:established,to_server; content:"POST"; http_method; content:"search/rpty.php"; http_uri; nocase; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013022; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query for gongfu-android.com DroidKungFu CnC Server"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0E|gongfu-android|03|com"; distance:0; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013023; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_13, updated_at 2016_07_01;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server Waplove.cn"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|waplove|02|cn"; fast_pattern; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013038; rev:3; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Tonclank JAR File Download"; flow:established,to_server; content:"/ProtocolGW/"; fast_pattern; http_uri; nocase; content:"filename="; http_uri; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2; classtype:trojan-activity; sid:2013040; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_16, updated_at 2016_07_01;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server Searchwebmobile.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0F|searchwebmobile|03|com"; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2; classtype:trojan-activity; sid:2013041; rev:2; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.Plankton/Tonclank Control Server Responding With JAR Download URL"; flow:established,to_client; content:"|0d 0a|url=http|3A|//"; nocase; content:"ProtocolGW/|3B|filename="; nocase; distance:0; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013044; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_16, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE DroidKungFu Checkin 3"; flow:established,to_server; content:"POST"; http_method; content:"/search/getty.php"; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; reference:url,blog.fortinet.com/androiddroidkungfu-attacking-from-a-mobile-device/; classtype:trojan-activity; sid:2013063; rev:2; metadata:created_at 2011_06_17, updated_at 2011_06_17;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.HongTouTou Checkin"; flow:established,to_server; content:"POST"; http_method; content:".aspx?im="; http_uri; content:"User-Agent|3A| J2ME/UCWEB"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/android_hongtoutou.a!tr.html; classtype:trojan-activity; sid:2013072; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_21, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.YzhcSms CnC Keepalive Message"; flow:established,to_server; content:"/android/android.dbug.php?action=heart"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html; classtype:trojan-activity; sid:2013078; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_21, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.YzhcSms URL for Possible File Download"; flow:established,to_server; content:"/ss/attachments/files/URLshorter.apk"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html; classtype:trojan-activity; sid:2013079; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_21, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE XML Style POST Of IMEI International Mobile Equipment Identity"; flow:established,to_server; content:"POST"; http_method; nocase; content:"<IMEI>"; http_client_body; nocase; content:"<|2F|IMEI>"; fast_pattern; nocase; http_client_body; distance:0; content:!".blackberry.com|0d 0a|"; http_header; content:!".nokia.com|0d 0a|"; http_header; content:!".sonyericsson.com|0d 0a|"; http_header; reference:url,www.met.police.uk/mobilephone/imei.htm; classtype:trojan-activity; sid:2013138; rev:8; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE XML Style POST Of IMSI International Mobile Subscriber Identity"; flow:established,to_server; content:"POST"; http_method; nocase; content:"<IMSI>"; http_client_body; nocase; content:"<|2F|IMSI"; nocase; distance:0; http_client_body; reference:url,www.learntelecom.com/telephony/gsm/international-mobile-subscriber-identity-imsi; classtype:trojan-activity; sid:2013139; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Message"; flow:established,to_server; content:".jsp?Version="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"PhoneImsi="; http_uri; content:"&PhoneNumber="; http_uri; content:"&Succeed="; http_uri; content:"&Fail="; http_uri; content:"&Source="; http_uri; content:"&Time="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013140; rev:3; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes Plugucsrv.sisx File Download"; flow:established,to_server; content:"plugucsrv.sisx"; http_uri; fast_pattern:only; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013141; rev:3; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes Jump.jsp CnC Checkin Message"; flow:established,to_server; content:"/Jump.jsp?Version="; http_uri; fast_pattern:only; content:"&PhoneType="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013142; rev:3; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes KernelPara.jsp CnC Checkin Message"; flow:established,to_server; content:"/KernelPara.jsp?Version="; http_uri; fast_pattern:only; content:"&PhoneType="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013143; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.CruseWin Retriving XML File from Hard Coded CnC"; flow:established,to_server; content:"/flash/test.xml"; http_uri; fast_pattern:only; flowbits:set,ET.And.CruseWin; flowbits:noalert; reference:url,www.fortiguard.com/encyclopedia/virus/android_crusewin.a!tr.html; classtype:trojan-activity; sid:2013193; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_05, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.CruseWin XML Configuration File Sent From CnC Server"; flowbits:isset,ET.And.CruseWin; flow:established,from_server; content:"<connect>http|3A|//"; nocase; content:"<send number="; nocase; distance:0; content:"<insms>http|3A|//"; nocase; distance:0; content:"<delete number="; nocase; distance:0; content:"<clean app="; nocase; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/android_crusewin.a!tr.html; classtype:trojan-activity; sid:2013194; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_05, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Mobile Device Posting Phone Number"; flow:established,to_server; content:"POST"; nocase; http_method; content:"&Phone"; fast_pattern; nocase; http_uri; content:"Number="; nocase; http_uri; pcre:"/\x26Phone(Number\x3D|\x5FNumber\x3D|\x2DNumber\x3D)/Ui"; metadata: former_category MOBILE_MALWARE; classtype:trojan-activity; sid:2013208; rev:3; metadata:created_at 2011_07_06, updated_at 2017_07_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Walkinwat Sending Data to CnC Server"; flow:established,to_server; content:"/wat.php"; nocase; http_uri; content:"incorporateapps.com"; nocase; http_header; pcre:"/Host\x3A[^\r\n]*incorporateapps\x2Ecom/Hi"; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-033008-4831-99&tabid=2; reference:url,blog.avast.com/2011/03/21/android-is-calling-walk-and-text-and-be-malicious/; classtype:trojan-activity; sid:2013209; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_06, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Bgserv POST of Data to CnC Server"; flow:established,to_server; content:"POST"; http_method; uricontent:"/Coop/request"; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-031005-2918-99&tabid=2; classtype:trojan-activity; sid:2013210; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_06, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/GoldDream Infected Device Registration"; flow:established,to_server; content:"/RegistUid.asp"; fast_pattern:only; http_uri; nocase; content:"?pid="; nocase; http_uri; content:"&cid="; nocase; http_uri; content:"&imei="; nocase; http_uri; content:"&sim="; nocase; http_uri; content:"&imsi="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013238; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_08, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/GoldDream Task Information Retrieval"; flow:established,to_server; content:"/alotWorkTask.aspx?no="; http_uri; content:"&uid="; http_uri; content:"&ti="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013240; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_08, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/GoldDream Uploading Watch Files"; flow:established,to_server; content:"/upload/UploadFiles.aspx?askId="; http_uri; fast_pattern:only; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013241; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_08, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/CommDN Downloading Second Stage Malware Binary"; flow:established,to_server; content:"DGOManagerServer/file/TianXiangServer2.sisx"; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_commdn.a!tr.html; classtype:trojan-activity; sid:2013261; rev:2; metadata:created_at 2011_07_13, updated_at 2011_07_13;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/SymGam CnC Checkin"; flow:established,to_server; content:"/ddown/getvalid.aspx"; nocase; http_uri; fast_pattern:only; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_symgam.a!tr.html; classtype:trojan-activity; sid:2013265; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE SymbOS/SymGam Receiving SMS Message Template from CnC Server"; flow:established,to_client; content:"<smslist>"; content:"<sms id="; distance:0; content:"upnumber="; distance:0; content:"<|2F|smslist>"; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_symgam.a!tr.html; classtype:trojan-activity; sid:2013266; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/HippoSms Method Request to CnC"; flow:established,to_server; content:"/clientRequest.htm?method="; http_uri; nocase; content:"&os="; http_uri; content:"&brand="; nocase; http_uri; content:"&sdkVersion="; nocase; http_uri; pcre:"/method\x3D(update|startcharge)/Ui"; reference:url,www.fortiguard.com/encyclopedia/virus/android_hipposms.a!tr.html; classtype:trojan-activity; sid:2013299; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_23, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.AdSms Retrieving XML File from CnC Server"; flow:established,to_server; content:"/Submit.aspx?ver="; http_uri; content:"&sys="; http_uri; content:"&imei="; http_uri; content:"&ua="; http_uri; content:"&pro="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_adsms.a!tr.html; classtype:trojan-activity; sid:2013316; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_26, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.AdSms XML File From CnC Server"; flow:established,from_server; content:"<cmdsystem>"; content:"<mobile>"; content:"<|2F|mobile>"; within:50; content:"<killprocess>"; distance:0; content:"<killinstall>"; distance:0; content:"<killuninst>"; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/android_adsms.a!tr.html; classtype:trojan-activity; sid:2013317; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_26, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Zitmo Forwarding SMS Message to CnC Server"; flow:established,to_server; content:"POST"; http_method; content:"/security.jsp"; nocase; http_uri; content:"|0d 0a 0d 0a|f0="; content:"&b0="; distance:0; content:"&pid="; distance:0; reference:url,blog.fortinet.com/zitmo-hits-android/; classtype:trojan-activity; sid:2013327; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_27, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Netisend.A Posting Information to CnC"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/netsend/nmsm_json.jsp"; fast_pattern:only; http_uri; content:"Apache-HttpClient/"; depth:18; http_user_agent; reference:url,www.fortiguard.com/latest/mobile/2959807; classtype:trojan-activity; sid:2013694; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_09_23, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SndApp.B Sending Device Information"; flow:established,to_server; content:"/android_notifier/notifier.php?app="; http_uri; content:"&deviceId="; http_uri; content:"&mobile="; http_uri; content:"&country="; http_uri; content:"&carrier="; http_uri; reference:url,www.fortiguard.com/latest/mobile/3302891; classtype:trojan-activity; sid:2013965; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_11_23, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Ozotshielder.A Checkin"; flow:established,to_server; content:"/AndroidService.aspx?imsi="; http_uri; content:"&mobile="; http_uri; content:"&pid="; http_uri; content:"&ownerid="; http_uri; content:"&testchlid="; http_uri; content:"&androidver="; http_uri; reference:url,www.fortiguard.com/latest/mobile/3302951; classtype:trojan-activity; sid:2013966; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_11_23, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/KungFu Package Delete Command"; flow:established,to_server; content:"/search/isavailable"; http_uri; content:".php?imei="; http_uri; content:"&ch="; http_uri; content:"&ver="; http_uri; content:"User-Agent|3A 20|adlib/"; http_header; reference:url,blog.trendmicro.com/connections-between-droiddreamlight-and-droidkungfu/; classtype:trojan-activity; sid:2013968; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_11_23, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeTimer.A Reporting to CnC"; flow:to_server,established; content:"/send.php?a_id="; http_uri; content:"&telno="; fast_pattern:only; http_uri; content:"&m_addr="; http_uri; content:"Android"; http_user_agent; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_FAKETIMER.A; reference:url,anubis.iseclab.org/?action=result&task_id=1ba82b938005acea4ddefc8eff1f4db06; reference:md5,cf9ba4996531d40402efe268c7efda91; reference:md5,537f190d3d469ad1f178024940affcb5; classtype:trojan-activity; sid:2014161; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_01_27, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SndApps.SM Sending Information to CnC"; flow:established,to_server; content:"/android_notifier/notifier.php?h="; http_uri; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_SNDAPPS.SM; classtype:trojan-activity; sid:2014162; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_01_27, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Plankton.P Commands Request to CnC Server"; flow:established,to_server; content:"/ProtocolGW/protocol/commands"; http_uri; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_PLANKTON.P; classtype:trojan-activity; sid:2014215; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_02_07, updated_at 2016_07_01;)
alert tcp $HOME_NET 8888 -> any any (msg:"ET MOBILE_MALWARE iOS Keylogger iKeyMonitor access"; flow:from_server,established; content:"/><title>Keystrokes - iKeyMonitor</title><style "; reference:url,moreinfo.thebigboss.org/moreinfo/depiction.php?file=ikeymonitorDp; classtype:policy-violation; sid:2014406; rev:2; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Ksapp.A Checkin"; flow:to_server,established; content:"/kspp/do?imei="; fast_pattern:only; http_uri; content:"&wid="; http_uri; content:"&type="; http_uri; content:"&step="; http_uri; reference:md5,e6d9776113b29680aec73ac2d1445946; reference:md5,13e6ce4aac7e60b10bfde091c09b9d88; reference:url,anubis.iseclab.org/?action=result&task_id=16b7814b794cd728435e122ca2c2fcdd3; reference:url,www.fortiguard.com/latest/mobile/4158213; reference:url,symantec.com/connect/blogs/mdk-largest-mobile-botnet-china; classtype:trojan-activity; sid:2016318; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_12_12, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Updtkiller Sending Device Information"; flow:established,to_server; content:"/phone_getinfokou_android.php"; http_uri; reference:url,www.symantec.com/ja/jp/security_response/writeup.jsp?docid=2012-082308-1823-99&tabid=2; classtype:trojan-activity; sid:2016094; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_12_27, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/CoolPaperLeak Sending Information To CnC"; flow:established,to_server; content:"POST"; http_method; content:"/geturl.aspx?email="; http_uri; content:"&lat="; http_uri; content:"&lon="; http_uri; content:"&mobile="; http_uri; content:"&group="; http_uri; reference:url,www.symantec.com/connect/blogs/androidcoolpaperleak-million-download-baby; classtype:trojan-activity; sid:2016209; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_01_15, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android TrojanFakeLookout.A"; flow:established,to_server; urilen:13; content:"/controls.php"; http_uri; content:"Dalvik/"; http_user_agent; reference:url,blog.trustgo.com/fakelookout/; reference:md5,65baecf1fe1ec7b074a5255dc5014beb; classtype:trojan-activity; sid:2016343; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_02_05, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Fakelash.A!tr.spy Checkin"; flow:to_server,established; content:"/data.php?action="; nocase; http_uri; content:"&online="; distance:0; http_uri; content:"&m="; distance:0; http_uri; content:"&ver="; distance:0; http_uri; content:"User-Agent|3a| Dalvik/"; http_header; reference:md5,7dec1c9174d0f688667f6c34c0fa66c2; reference:url,blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/; classtype:trojan-activity; sid:2016344; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_02_05, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE DroidKungFu Variant"; flow:established,to_server; content:"GET"; http_method; content:"/search/"; http_uri; content:".php?i="; http_uri; distance:0; content:"1.0|0d 0a|User-Agent|3a| unknown|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2016345; rev:5; metadata:created_at 2013_02_05, updated_at 2013_02_05;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Smsilence.A Successful Install Report"; flow:established,to_server; content:"/Android_SMS/installing.php"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/sms-trojan-targets-south-korean-android-devices; classtype:trojan-activity; sid:2016512; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_03_01, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Smsilence.A Sending SMS Messages CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/Android_SMS/receiving.php"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/sms-trojan-targets-south-korean-android-devices; classtype:trojan-activity; sid:2016513; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_03_01, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE signed-unsigned integer mismatch code-verification bypass"; flow:from_server,established; content:"200"; http_stat_code; content:"OK"; http_stat_msg; file_data; content:"PK"; depth:2; content:"|FD FF|"; distance:26; within:2; content:".dex"; nocase; within:128; reference:url,sophos.com/2013/07/17/anatomy-of-another-android-hole-chinese-researchers-claim-new-code-verification-bypass/; classtype:trojan-activity; sid:2017163; rev:2; metadata:created_at 2013_07_17, updated_at 2013_07_17;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeAhnAV.A CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/srev.asp"; http_uri; content:"action="; http_client_body; depth:7; content:"&b_name="; http_client_body; distance:0; content:"&b_conter="; http_client_body; distance:0; reference:url,blogs.mcafee.com/mcafee-labs/android-fake-av-hosted-in-google-code-targets-south-koreans; classtype:trojan-activity; sid:2017466; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_09_16, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Opfake.A GetTask CnC Beacon"; flow:established,to_server; content:"/getTask.php?"; fast_pattern:only; nocase; http_uri; content:"imei="; http_uri; content:"balance="; http_uri; content:!"Referer|3a 20|"; http_header; metadata: former_category MOBILE_MALWARE; reference:url,quequero.org/2013/09/android-opfake-malware-analysis/; classtype:trojan-activity; sid:2017587; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_10_13, updated_at 2017_03_29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Opfake.A Country CnC Beacon"; flow:established,to_server; content:".php?"; http_uri; content:"co"; http_uri; content:"untry="; http_uri; content:"phone="; http_uri; content:"&op="; http_uri; content:"imei="; fast_pattern:only; http_uri; content:"Apache-HttpClient/"; depth:18; http_user_agent; content:!"Referer|3a 20|"; http_header; reference:url,quequero.org/2013/09/android-opfake-malware-analysis/; classtype:trojan-activity; sid:2017588; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_10_13, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.KorBanker Fake Banking App Install CnC Beacon"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/send_sim_no.php|20|HTTP/1."; fast_pattern; content:!"Referer|3a 20|"; http_header; content:"_no="; http_client_body; depth:16; metadata: former_category MOBILE_MALWARE; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/11/dissecting-android-korbanker.html; reference:md5,a68bbfe91fab666daaf2c070db00022f; classtype:trojan-activity; sid:2017787; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_11_27, updated_at 2017_04_27;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.KorBanker Successful Fake Banking App Install CnC Server Acknowledgement"; flow:established,to_client; file_data; content:"|7b 22|success|22 3A|1,|22|message|22 3A 22|Product successfully updated.|22|}"; within:55; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/11/dissecting-android-korbanker.html; reference:md5,a68bbfe91fab666daaf2c070db00022f; classtype:trojan-activity; sid:2017788; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_11_27, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy getLastVersion CnC Beacon"; flow:established,to_server; content:"POST "; urilen:15; content:"/getLastVersion"; depth:15; http_uri; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/Hm"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2017999; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy RegisterRequest CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:9; content:"/register"; depth:9; http_uri; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/Hm"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018000; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy LoginRequest CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:7; content:"/login"; depth:7; http_uri; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/Hm"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018001; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy ReportRequest CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:7; content:"/report"; depth:7; http_uri; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/Hm"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018002; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy GetTaskRequest CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:8; content:"/getTask"; depth:8; http_uri; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/Hm"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018003; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy ReportMessageRequest CnC Beacon"; flow:established,to_server; urilen:14; content:"POST"; http_method; content:"/reportMessage"; depth:14; http_uri; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/H"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018004; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/DwnlAPK-A Configuration File Request"; flow:established,to_server; content:"/iconfig.txt"; fast_pattern; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible)|0D 0A|"; http_header; reference:url,nakedsecurity.sophos.com/2014/01/31/android-banking-malware-with-a-twist-in-the-delivery/; classtype:trojan-activity; sid:2018071; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_02_05, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeKakao checkin 1"; flow:to_server,established; content:"POST"; http_method; content:"androidbugreport.php"; http_uri; content:!"User-Agent|3a| "; nocase; http_header; content:"id="; depth:3; http_client_body; content:"&token="; depth:7; http_client_body; content:"&target="; depth:8; http_client_body; content:"&rd="; depth:4; http_client_body; content:"&fo="; depth:4; http_client_body; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018138; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_02_14, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeKakao checkin 2"; flow:to_server,established; content:"POST"; http_method; content:"filter.php"; http_uri; content:!"User-Agent|3a| "; nocase; http_header; content:"id="; depth:3; http_client_body; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018139; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_02_14, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeKakao checkin 3"; flow:to_server,established; content:"POST"; http_method; content:"history.php"; http_uri; content:!"User-Agent|3a| "; nocase; http_header; content:"id="; depth:3; http_client_body; content:"&ds="; depth:4; http_client_body; content:"&sg="; depth:4; http_client_body; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018140; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_02_14, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SMSSend Fake flappy bird APK"; flow:to_server,established; content:"GET"; http_method; content:"/bookmark/getServiceCode?price="; http_uri; fast_pattern:only; content:"Dalvik"; depth:6; http_user_agent; content:!"Referer|3a 20|"; http_header; reference:url,securehoney.net/blog/how-to-dissect-android-flappy-bird-malware.html; reference:md5,6c357ac34d061c97e6237ce9bd1fe003; classtype:trojan-activity; sid:2018306; rev:3; metadata:created_at 2014_03_24, updated_at 2014_03_24;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/get.php|20|HTTP/1."; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:"info"; http_client_body; pcre:"/(?:^|&|\x22|\{\x22)id(?:=|\x22\x3a\x22)(?:[a-f0-9]{32}|[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})(?:&|\x22|$)/P"; metadata: former_category MOBILE_MALWARE; reference:md5,a85990f79268a18329f4040a2ec85591; reference:md5,f48cd0c0e5362142c0c15316fa2635dd; classtype:trojan-activity; sid:2023553; rev:7; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_04_17, malware_family Android_Hqwar, updated_at 2017_07_19;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AndroidOS/Lotoor.Q"; flow:established, to_server; content: "device_id="; http_uri; pcre:"/^\d{10,20}&imsi=\d{10,15}&device_name=/URi"; content:"&app_id="; http_uri; pcre:"/^[a-f0-9]{30,35}&app_package_name=/URi"; content: "screen_density="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:md5,92608e6ff795862f83d891ad8337b387; classtype:trojan-activity; sid:2018520; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_06_04, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Adware.Wapsx.A"; flow:established, to_server; content:"/fengmian/"; fast_pattern:only; content:"meinv6.4.0 qiu shou gou, zhi mai 503 wan ren min bi"; http_user_agent; depth:51; content:!"Referer|3a|"; http_header; reference:md5,37e36531e6dbc3ad0954fd9bb4588fad; classtype:trojan-activity; sid:2018533; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_06_05, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Andr/com.sdwiurse"; flow:established,to_server; content:"POST"; http_method; content:"/youxi_up.php"; fast_pattern:only; http_uri; content:"--*****|0d 0a|Content-Disposition|3a| form-data|3b| name=|22|npki|22|"; depth:52; http_client_body; reference:url,fireeye.com/blog/technical/2014/06/what-are-you-doing-dsencrypt-malware.html; reference:md5,04d24eb45d3278400b5fee5c1b06226c; classtype:trojan-activity; sid:2018584; rev:3; metadata:created_at 2014_06_19, updated_at 2014_06_19;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Comll.Banker RAT CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/n/"; http_uri; content:!"Referer|3a 20|"; http_header; content:"content=eyJ"; http_client_body; depth:11; fast_pattern; content:!"Accept|3a|"; http_header; pcre:"/\/n\/\d{15}$/U"; metadata: former_category MOBILE_MALWARE; reference:md5,a78e904a05d4a9e6a15b6f56b261eab9; classtype:trojan-activity; sid:2018630; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_03, updated_at 2017_03_09;)
alert http $HOME_NET any -> $EXTERNAL_NET 9999 (msg:"ET MOBILE_MALWARE Android Spyware Dowgin Checkin"; flow:established,to_server; urilen:13; content:"POST"; http_method; content:"/webviewAdReq"; nocase; depth:13; http_uri; reference:md5,45bf9f6e19649d3e1642854ecd82623c; classtype:trojan-activity; sid:2018663; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_10, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android ScarePakage checkin"; flow:established,to_server; content:"POST"; http_method; content:"/flash/api.php?id="; http_uri; fast_pattern:only; pcre:"/^\/flash\/api\.php\?id=\d/U"; content:"method="; depth:7; http_client_body; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:url,blog.lookout.com/blog/2014/07/16/scarepakage/; reference:url,contagiominidump.blogspot.com/2014/07/android-scarepackage-ransomware.html; reference:md5,645a60e6f4393e4b7e2ae16758dd3a11; classtype:trojan-activity; sid:2018769; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_24, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android ScarePakage checkin 2"; flow:established,to_server; content:"POST"; http_method; urilen:14; content:"/api33/api.php"; http_uri; fast_pattern:only; content:"method="; depth:7; http_client_body; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:url,blog.lookout.com/blog/2014/07/16/scarepakage/; reference:url,contagiominidump.blogspot.com/2014/07/android-scarepackage-ransomware.html; reference:md5,645a60e6f4393e4b7e2ae16758dd3a11; classtype:trojan-activity; sid:2018774; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_24, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AndroidOS.Simplocker Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:5; content:"/1/?1"; http_uri; fast_pattern:only; content:"{|22|n|22 3a 22|"; depth:6; http_client_body; content:"|22 2c 22|d|22 3a 22|"; distance:0; http_client_body; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,welivesecurity.com/2014/07/22/androidsimplocker/; reference:md5,b98cac8f1ce9284f9882ba007878caf1; classtype:trojan-activity; sid:2018781; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_25, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Worm.AndroidOS.Selfmite.a Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:12; content:"/message.php"; http_uri; fast_pattern:only; content:"|20|Android|20|"; http_user_agent; content:!"Referer|3a|"; http_header; reference:md5,54b715f6608d4457a9d22cfdd8bddbe6; reference:url,adaptivemobile.com/blog/selfmite-worm; reference:url,computerworld.com/s/article/9249430/Self_propagating_SMS_worm_Selfmite_targets_Android_devices; classtype:trojan-activity; sid:2018792; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_28, updated_at 2016_07_01;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MOBILE_MALWARE Android/Trogle.A Possible Exfiltration of SMS via SMTP"; flow:established,to_server; content:"MAIL FROM|3a|<a137736513@qq.com>"; nocase; reference:md5,ef819779fc4bee6117c124fb752abf57; classtype:trojan-activity; sid:2018887; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_08_04, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Spy.Kasandra.A Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/path/DeviceManager.php"; nocase; depth:23; http_uri; content:"func="; depth:5; http_client_body; content:"&deviceid="; distance:0; http_client_body; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,6df6553b115d9ed837161a9e67146ecf; classtype:trojan-activity; sid:2018888; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_08_04, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Locker.B Checkin 1"; flow:established,to_server; content:"POST"; http_method; content:".php"; content:"method=counter&app_key="; depth:23; http_client_body; content:!"Referer|3a|"; http_header; pcre:"/\.php$/U"; reference:md5,28726f772f6b4b63fb40696a28afafc9; reference:url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html; classtype:trojan-activity; sid:2018945; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_08_18, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Locker.B Checkin 2"; flow:established,to_server; content:"POST"; http_method; content:".php"; content:"method=devicestatus"; http_client_body; fast_pattern:only; content:"&app_key="; offset:19; http_client_body; content:"&imei="; distance:0; http_client_body; content:!"Referer|3a|"; http_header; pcre:"/\.php$/U"; reference:md5,28726f772f6b4b63fb40696a28afafc9; reference:url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html; classtype:trojan-activity; sid:2018946; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_08_18, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Youmi.Adware Install Report CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:15; content:"/report/install"; http_uri; fast_pattern:only; content:"data="; http_client_body; depth:5; content:"os="; http_client_body; distance:0; content:"mac="; http_client_body; distance:0; content:"sign="; http_client_body; distance:0; reference:md5,6096ace9002792e625a0cdb6aec3f379; classtype:trojan-activity; sid:2019125; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_09_05, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/AppBuyer Checkin 1"; flow:established,to_server; content:"/updatesrv.aspx?f=1"; http_uri; fast_pattern:only; reference:md5,1c32f9f05234cac7dd7a83e3925a3105; reference:url,researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/; classtype:trojan-activity; sid:2019174; rev:2; metadata:created_at 2014_09_15, updated_at 2014_09_15;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/AppBuyer Checkin 2"; flow:established,to_server; content:"/updatesrv.aspx?f=2&uuid="; http_uri; fast_pattern:only; reference:md5,1c32f9f05234cac7dd7a83e3925a3105; reference:url,researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/; classtype:trojan-activity; sid:2019175; rev:2; metadata:created_at 2014_09_15, updated_at 2014_09_15;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Code4hk.A Checkin"; flow:established,to_server; content:"ClientInfo"; content:"isWifi"; distance:0; content:"cpuInfo"; distance:0; content:"firstOnlineIp"; distance:0; content:"firstOnlineTime"; distance:0; content:"imei"; distance:0; content:"ipAddr"; distance:0; content:"phoneBrand"; distance:0; content:"phoneNumber"; distance:0; content:"simOperator"; distance:0; fast_pattern; reference:url,malware.lu/articles/2014/09/29/analysis-of-code4hk.html; classtype:trojan-activity; sid:2019318; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_09_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser Checkin"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/TargetConnect.aspx"; http_uri; content:"&tIMEI="; http_uri; content:"&tIMSI="; http_uri; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019331; rev:2; metadata:created_at 2014_10_01, updated_at 2014_10_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser sending GPS info"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/TargetUploadGps.aspx"; http_uri; content:"tmac="; http_uri; content:"&JZ="; http_uri; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019332; rev:2; metadata:created_at 2014_10_01, updated_at 2014_10_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser sending files"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/TargetUploadFile.aspx"; http_uri; content:"tmac="; http_uri; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019333; rev:2; metadata:created_at 2014_10_01, updated_at 2014_10_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser checking library version"; flow:to_server,established; content:"GET"; http_method; nocase; urilen:18; content:"/CheckLibrary.aspx"; http_uri; content:!"Referer|3a|"; http_header; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019334; rev:2; metadata:created_at 2014_10_01, updated_at 2014_10_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Koler.C Checkin"; flow:to_server,established; content:".php?v="; http_uri; content:"&brok="; fast_pattern:only; http_uri; content:"&u="; http_uri; content:"&id="; http_uri; content:!"Referer|3a 20|"; http_header; pcre:"/&id=\d{15}$/U"; reference:md5,6ae7b0d04e2fd64a50703910d0eff9cc; classtype:trojan-activity; sid:2019510; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_10_27, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Stealthgenie Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/SGCommand.aspx?sgcommand="; fast_pattern:6,20; http_uri; content:"&uid="; http_uri; distance:0; content:"&sid="; http_uri; distance:0; content:"&value="; http_uri; distance:0; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"|20|Android|20|"; http_user_agent; reference:md5,06947ce839a904d6abcb272ff46e7de1; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-111416-1306-99&tabid=2; reference:url,engadget.com/2014/09/30/crackdown-on-spying-apps-leads-to-stealthgenie-ceos-arrest/; classtype:trojan-activity; sid:2019805; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_11_25, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE CoolReaper CnC Beacon 1"; flow:established,to_server; content:"/dmp/api/"; http_uri; fast_pattern:only; content:"UAC/"; depth:4; http_user_agent; content:"|28|Android|20|"; distance:0; http_user_agent; content:"dmp."; http_header; pcre:"/\/dmp\/api\/[a-z]+$/U"; pcre:"/^Host\x3a[^\r\n]+?dmp\.[^\r\n]+?\r?$/Hmi"; reference:url,researchcenter.paloaltonetworks.com/2014/12/coolreaper-revealed-backdoor-coolpad-android-devices/; classtype:trojan-activity; sid:2019958; rev:4; metadata:created_at 2014_12_17, updated_at 2014_12_17;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE CoolReaper CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:"UAC/"; depth:4; http_user_agent; content:"|28|Android|20|"; distance:0; http_user_agent; content:"name=|22|softwareVersion|22|"; nocase; http_client_body; content:"name=|22|isEnc|22|"; nocase; distance:0; http_client_body; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2014/12/coolreaper-revealed-backdoor-coolpad-android-devices/; classtype:trojan-activity; sid:2019959; rev:3; metadata:created_at 2014_12_17, updated_at 2014_12_17;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE CoolReaper User-Agent"; flow:established,to_server; content:"UAC/"; depth:4; http_user_agent; fast_pattern; content:"|28|Android|20|"; distance:0; http_user_agent; reference:url,researchcenter.paloaltonetworks.com/2014/12/coolreaper-revealed-backdoor-coolpad-android-devices/; classtype:trojan-activity; sid:2019960; rev:3; metadata:created_at 2014_12_17, updated_at 2014_12_17;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Syria-Twitter Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/contacts"; http_uri; content:"Apache-HttpClient/"; depth:18; http_user_agent; content:"contact|25|26="; depth:11; fast_pattern; http_client_body; pcre:"/\/contacts$/U"; reference:md5,b91315805ef1df07bdbfa07d3a467424; reference:url,www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf; classtype:trojan-activity; sid:2020343; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_02_02, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SMSThief.F Banker CnC Beacon"; flow:established,to_server; content:"/input_data_get_contact.asp?user="; http_uri; content:"&pwd="; http_uri; content:"&addr="; http_uri; reference:url,research.zscaler.com/2015/02/android-banking-trojan-and-sms-stealer.html; reference:md5,ff081c1400a948f2bcc4952fed2c818b; classtype:trojan-activity; sid:2020353; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_02_03, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Operation Pawn Storm IOS_XAGENT Checkin"; flow:to_server,established; content:"XAgent/1."; depth:9; http_user_agent; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/^(?:(?:sear|wat)ch|results|close|find|open)\/\?[a-zA-Z]{2,8}=/U"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/; classtype:trojan-activity; sid:2020363; rev:3; metadata:created_at 2015_02_04, updated_at 2015_02_04;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE IOS_XAGENT UA"; flow:to_server,established; content:"XAgent/1."; http_user_agent; depth:9; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/; classtype:trojan-activity; sid:2020364; rev:3; metadata:created_at 2015_02_04, updated_at 2015_02_04;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.SMSSend.Y"; flow:established,to_server; content:"/api/log.html|3f|"; http_uri; fast_pattern; content:"c="; http_uri; content:"&o="; http_uri; content:"&n="; http_uri; content:"Apache-HttpClient"; depth:18; http_user_agent; reference:md5,ef79985c90675e7abfb6b9a6bc5a6c65; classtype:trojan-activity; sid:2020729; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_03_23, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.SLocker.DZ Checkin"; flow:to_server,established; content:"/pha?android_version="; fast_pattern:only; http_uri; content:"&id="; http_uri; content:"&phone_number="; http_uri; content:"&client_version="; http_uri; content:"&imei="; http_uri; content:"&name="; http_uri; reference:url,securityblog.s21sec.com/2015/05/new-ransomware-in-mobile-environment.html; classtype:trojan-activity; sid:2021174; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_06_01, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba.m Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:!"User-Agent|3a 20|"; http_header; content:"content=eyJmaW5nZXJwcmludCI"; fast_pattern; depth:27; http_client_body; reference:md5,0aa69ad64e20bb6cbf72f346ce43ff23; reference:url,www.fireeye.com/blog/threat-research/2014/07/the-service-you-cant-refuse-a-secluded-hijackrat.html; classtype:trojan-activity; sid:2021185; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_06_04, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android BatteryBotPro Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"User-Agent|3a| Mozilla/5.0 (Windows NT 5.2|29 20|"; http_header; content:"appid="; depth:6; http_client_body; content:"&model="; http_client_body; content:"&imei="; fast_pattern:only; http_client_body; content:"&connect="; http_client_body; content:"&dpi="; http_client_body; content:"&width="; http_client_body; content:"&cpu="; http_client_body; content:"&phoneno="; http_client_body; reference:md5,6f39ac1c8c34ab9ba51bf26eba4cc6fb; reference:url,research.zscaler.com/2015/07/fake-batterybotpro-clickfraud-adfruad.html; classtype:trojan-activity; sid:2021386; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_07_06, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android BatteryBotPro Checkin 2"; flow:to_server,established; content:"POST"; http_method; nocase; content:"uuid="; http_client_body; content:"language="; http_client_body; content:"appkey"; http_client_body; content:"model="; http_client_body; content:"operatorsname="; fast_pattern:only; http_client_body; content:"networkname="; http_client_body; content:"networktype="; http_client_body; reference:md5,6f39ac1c8c34ab9ba51bf26eba4cc6fb; reference:url,research.zscaler.com/2015/07/fake-batterybotpro-clickfraud-adfruad.html; classtype:trojan-activity; sid:2021387; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_07_06, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Gunpoder Checkin"; flow:to_server,established; content:"/landing?c="; fast_pattern:only; http_uri; content:"&g="; http_uri; content:"&a="; http_uri; content:"&s1="; http_uri; content:"&s2="; http_uri; content:"&s3="; http_uri; content:"&s4="; http_uri; content:"&s5="; http_uri; content:"&s6="; http_uri; content:"&s7="; http_uri; content:"&s8="; http_uri; content:"&s9="; http_uri; content:"&s10="; http_uri; content:"&s11="; http_uri; content:"|20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; reference:url,researchcenter.paloaltonetworks.com/2015/07/new-android-malware-family-evades-antivirus-detection-by-using-popular-ad-libraries/; reference:md5,b0b2cd71b4d15bb5f07b8315d7b27822; classtype:trojan-activity; sid:2021392; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_07_07, updated_at 2016_07_01;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE DNS Android/Spy.Feabme.A Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|tinduongpho|03|com|00|"; fast_pattern; distance:0; nocase; reference:md5,3ae3cb09c8f54210cb4faf7aa76741ee; reference:url,blog.trustlook.com/2015/07/08/most-successful-malware-on-google-play/; classtype:trojan-activity; sid:2021412; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_07_14, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.SLocker.DZ Checkin 2"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/gac/"; fast_pattern:only; http_uri; content:"|20|Android|20|"; http_user_agent; content:"|0d 0a|Connection|3a| Keep-Alive|0d 0a|Accept-Encoding|3a| gzip|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^\/gac\/[a-f0-9]{15}$/U"; reference:url,blog.fortinet.com/post/locker-an-android-ransomware-full-of-surprises; classtype:trojan-activity; sid:2021617; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_08_12, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan.iPhoneOS.KeyRaider Checkin"; flow:to_server,established; content:"/data.php?table="; fast_pattern:only; http_uri; content:"&game="; http_uri; content:!"Referer|3a 20|"; http_header; pcre:"/&game=[a-f0-9]{40}$/U"; reference:url,researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/; classtype:trojan-activity; sid:2021737; rev:2; metadata:created_at 2015_08_31, updated_at 2015_08_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan.iPhoneOS.KeyRaider Checkin 2"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/cert.php"; http_uri; content:!"Referer|3a 20|"; http_header; content:"id="; depth:3; http_client_body; content:"&cert="; http_client_body; content:"&priv="; fast_pattern:only; http_client_body; content:"&flag="; http_client_body; reference:url,researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/; classtype:trojan-activity; sid:2021738; rev:2; metadata:created_at 2015_08_31, updated_at 2015_08_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE YiSpecter Activity M1"; flow:established,to_server; content:"GET"; http_method; content:".plist"; http_uri; content:"bb800.com|0d 0a|"; http_header; fast_pattern:only; pcre:"/\.plist$/U"; pcre:"/^Host\x3a\x20[a-z0-9.]+\.bb800\.com/Hm"; reference:url,researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/; classtype:trojan-activity; sid:2021900; rev:3; metadata:created_at 2015_10_05, updated_at 2015_10_05;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE YiSpecter Activity M2"; flow:established,to_server; content:"GET"; http_method; content:"/itms-services|3a|"; http_uri; content:"bb800.com|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x20[a-z0-9.]+\.bb800\.com/Hm"; reference:url,researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/; classtype:trojan-activity; sid:2021901; rev:3; metadata:created_at 2015_10_05, updated_at 2015_10_05;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Kemoge DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|aps|06|kemoge|03|net|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021927; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_10_07, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Kemoge Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:25; content:"/getInstalledPackages.jsp"; http_uri; fast_pattern:only; content:"sdCardFree="; http_client_body; depth:11; content:"&imei="; http_client_body; distance:0; content:"&hasSd="; http_client_body; distance:0; content:!"Referer|3a|"; http_header; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021928; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_10_07, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Kemoge Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:"/v1.jsp?e="; http_uri; fast_pattern; depth:10; content:"&s="; http_uri; distance:0; content:"&g="; http_uri; distance:0; content:"&versionCode="; http_uri; distance:0; content:"&osVersion="; http_uri; distance:0; content:"&countryCode="; http_uri; distance:0; content:!"Referer|3a|"; http_header; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021929; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_10_07, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Cloudsota HTTP Host"; flow:to_server,established; content:"Host|3a| download.cloudsota.com"; http_header; reference:url,www.cmcm.com/blog/en/security/2015-11-09/842.html; classtype:trojan-activity; sid:2022081; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_11_12, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Acecard.c Checkin"; flow:to_server,established; urilen:1; content:"POST"; http_method; nocase; content:!"Referer|3a 20|"; http_header; content:"{|22|type|22 3a|"; depth:8; http_client_body; content:",|22|text|22 3a|"; http_client_body; content:",|22|code|22 3a|"; fast_pattern:only; http_client_body; content:",|22|from|22 3a|"; http_client_body; content:"|22|}"; http_client_body; reference:md5,c9d3237885072b796e5849f7b9ec1a64; reference:url,b0n1.blogspot.com.br/2015/11/android-malware-drops-banker-from-png.html?m=1; reference:url,fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022137; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_11_24, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.EP HTTP Host"; flow:to_server,established; content:"Host|3a 20|jackdojacksgot.ru"; http_header; nocase; reference:url,b0n1.blogspot.com.br/2015/11/android-malware-drops-banker-from-png.html?m=1; classtype:trojan-activity; sid:2022144; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_11_24, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw/SlemBunk/SLocker Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:!"Referer|3a 20|"; http_header; content:",|22|model|22 3a|"; http_client_body; content:",|22|apps|22 3a 5b 22|"; http_client_body; content:",|22|imei|22 3a|"; fast_pattern:only; http_client_body; pcre:"/^\{\x22(?:os|type)\x22\x3a/P"; reference:md5,c9d3237885072b796e5849f7b9ec1a64; reference:md5,a83ce290469654002bcc64062c39387c; reference:url,www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022288; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_12_21, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SlemBunk.Banker Phished Credentials Upload"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"/"; http_uri; depth:1; content:"User-Agent|3A| Apache-HttpClient/UNAVAILABLE"; http_header; content:"{|22|data|22 3A|"; http_client_body; depth:8; content:"|22|password old|22 3A|"; fast_pattern; http_client_body; distance:0; content:"|22|login|22 3A|"; http_client_body; content:"|22|type|22 3A|"; http_client_body; distance:0; content:"|22|login old|22 3A|"; http_client_body; distance:0; content:"|22|password|22 3A|"; http_client_body; distance:0; content:"|22|name|22 3A|"; http_client_body; distance:0; content:"|22|code|22 3A|"; http_client_body; distance:0; content:!"Referer|3a|"; http_header; reference:url,www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022289; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_12_21, updated_at 2016_07_01;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Fakeinst.KD .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pc35hiptpcwqezgs"; nocase; distance:0; fast_pattern; reference:url,www.csis.dk/da/csis/blog/4818/; reference:md5,111b71c120167b5b571ee5501ffef65e; classtype:trojan-activity; sid:2022517; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2016_02_12, updated_at 2016_07_01;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Backdoor.AndroidOS.Torec.a .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yuwurw46taaep6ip"; nocase; distance:0; fast_pattern; reference:md5,58fed8b5b549be7ecbfbc6c63b84a728; classtype:trojan-activity; sid:2022562; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2016_02_23, updated_at 2016_07_01;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Backdoor.AndroidOS.Torec.a .onion Proxy Domain 2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|voooxrrw2wxnoyew"; nocase; distance:0; fast_pattern; reference:md5,8d260ab2bb36aeaf5b033b80b6bc1e6a; classtype:trojan-activity; sid:2022563; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2016_02_23, updated_at 2016_07_01;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE DNS Trojan-Banker.AndroidOS.Marcher.i Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tmdxiawceahpbhmb|03|com"; nocase; distance:0; fast_pattern; reference:md5,3c52de547353d94e95cde7d4c219ccac; classtype:trojan-activity; sid:2022975; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_07_18, performance_impact Low, updated_at 2016_07_18;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS DualToy Checkin"; flow:to_server,established; content:"/i_info_proxy.php?cmd="; fast_pattern:only; http_uri; content:"&data="; http_uri; content:"|3b 20|iPhone|20|"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/&data=(?:([A-Za-z0-9]|%2[FB]){4})*(?:([A-Za-z0-9]|%2[FB]){2}==|([A-Za-z0-9]|%2[FB]){3}=|([A-Za-z0-9]|%2[FB]){4})$/I"; metadata: former_category MOBILE_MALWARE; reference:url,researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/; classtype:trojan-activity; sid:2023240; rev:2; metadata:affected_product iOS, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_15, performance_impact Low, updated_at 2017_03_08;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE AndroRAT Bitter DNS Lookup (info2t .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|info2t|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.forcepoint.com/security-labs/bitter-targeted-attack-against-pakistan; classtype:trojan-activity; sid:2023398; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_10_24, malware_family AndroRAT, performance_impact Low, updated_at 2016_10_24;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Adware.Adwo.A"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?m="; http_uri; content:"&a="; http_uri; content:"&os="; http_uri; content:!"&ComPut="; http_uri; content:!"User-Agent|3a 20|"; http_header; reference:md5,bbb0aa6c9f84963dacec55345fe4c47e; classtype:trojan-activity; sid:2023475; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_01, performance_impact Low, updated_at 2016_11_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher Sending Credit Card Info"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/cards_json.php"; http_uri; content:!"Referer|3a 20|"; http_header; content:"bot_id="; depth:7; fast_pattern; http_client_body; content:"&info="; http_client_body; content:"cardNum"; http_client_body; pcre:"/^bot_id=[a-f0-9]{32}&/P"; pcre:"/\.php$/U"; reference:md5,78c2444fe15a8e58c629076781d9442a; reference:url,blog.fortinet.com/2016/11/01/android-banking-malware-masquerades-as-flash-player-targeting-large-banks-and-popular-social-media-apps; classtype:trojan-activity; sid:2023483; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_03, performance_impact Low, updated_at 2016_11_03;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible iOS WebView Auto Dialer 1"; flow:established,from_server; file_data; content:"URL=tel|3a|"; nocase; fast_pattern; pcre:"/^\+?[0-9-]{10,}[\x22\x27]/Rsi"; content:"sms|3a|"; nocase; content:"setTimeout"; nocase; content:"window"; nocase; pcre:"/^\s*?\.\s*?location\s*?\.\s*?href/Rsi"; content:"for"; nocase; pcre:"/^\s*?\(\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b\s*?(?P=var)\s*?\<\s*?(?:0x)?\d{4,}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b\s*?(?P<var2>[^\x3d\x3b\)\s]+)\s*?=\s*?(?P=var2)\s*?\+\s*?[\x22\x27]\d+[\x22\x27]/Rsi"; reference:url,www.mulliner.org/blog/blosxom.cgi/security/ios_WebView_auto_dialer.html; classtype:trojan-activity; sid:2023500; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, created_at 2016_11_11, updated_at 2016_11_11;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible iOS WebView Auto Dialer 2"; flow:established,from_server; file_data; content:"URL=tel|3a|"; nocase; fast_pattern; pcre:"/^\+?[0-9-]{10,}[\x22\x27]/Rsi"; content:"itms-apps|3a|"; nocase; content:"setTimeout"; nocase; content:"window"; nocase; pcre:"/^\s*?\.\s*?location\s*?\.\s*?href/Rsi"; content:"for"; nocase; pcre:"/^\s*?\(\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b\s*?(?P=var)\s*?\<\s*?(?:0x)?\d{4,}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b\s*?(?P<var2>[^\x3d\x3b\)\s]+)\s*?=\s*?(?P=var2)\s*?\+\s*?[\x22\x27]\d+[\x22\x27]/Rsi"; reference:url,www.mulliner.org/blog/blosxom.cgi/security/ios_WebView_auto_dialer.html; classtype:trojan-activity; sid:2023501; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, created_at 2016_11_11, updated_at 2016_11_11;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/RequestActionsToExecute"; fast_pattern; http_uri; content:"|20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"{|22|CommandLine|22 3a|"; depth:15; http_client_body; content:",|22|CurrentDirectory|22 3a|"; http_client_body; pcre:"/\/RequestActionsToExecute$/U"; reference:md5,3c1055f19971d580ef9ced172d8eba3b; reference:url,rednaga.io/2016/11/14/hackingteam_back_for_your_androids/; classtype:trojan-activity; sid:2023507; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_15, updated_at 2016_11_15;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU Checkin 2"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/NotifyLog"; fast_pattern:only; http_uri; content:"|20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"{|22|ClientId|22 3a|"; depth:12; http_client_body; content:",|22|Date|22 3a|"; http_client_body; pcre:"/\/NotifyLog$/U"; reference:md5,3c1055f19971d580ef9ced172d8eba3b; reference:url,rednaga.io/2016/11/14/hackingteam_back_for_your_androids/; classtype:trojan-activity; sid:2023508; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_15, updated_at 2016_11_15;)
alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU SSL CnC Cert"; flow:established,from_server; content:"|02|IT"; content:"|03|AAA"; distance:0; content:"|02|BB"; distance:0; content:"|03|EEE"; distance:0; content:"|0d|IT Department"; distance:0; content:"|0a|SASDS_Srv0"; fast_pattern; distance:0; reference:md5,cbd1c2db9ffc6b67cea46d271594c2ae; classtype:trojan-activity; sid:2023509; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_15, updated_at 2016_11_15;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Unknown Redirector Nov 17 2016"; flow:from_server,established; file_data; content:"<script>"; content:".indexOf(|22|_mauthtoken|22|)=="; distance:0; content:"|22|ooglebot|22|"; content:"|7c|fennec|7c|"; content:"|22|_mauthtoken=1|3b| path=/|3b|expires=|22|"; fast_pattern; reference:url,labs.sucuri.net/?note=2016-11-17; classtype:trojan-activity; sid:2023531; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_18, updated_at 2016_11_18;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Unknown Landing URI Nov 17 2016"; flow:to_server,established; content:"/kt/JpNx9n"; http_uri; pcre:"/\/kt\/JpNx9n$/U"; reference:url,labs.sucuri.net/?note=2016-11-17; classtype:trojan-activity; sid:2023532; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_18, updated_at 2016_11_18;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin"; flow:to_server,established; content:"lm="; http_uri; content:"/watch/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023680; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 2"; flow:to_server,established; content:"lm="; http_uri; content:"/search/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023681; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 3"; flow:to_server,established; content:"lm="; http_uri; content:"/find/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023682; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 4"; flow:to_server,established; content:"lm="; http_uri; content:"/results/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023683; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 5"; flow:to_server,established; content:"lm="; http_uri; content:"/open/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023684; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 6"; flow:to_server,established; content:"lm="; http_uri; content:"/close/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023685; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)
alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert"; flow:established,from_server; content:"|00 dd 45 ec 3f 08 74 58 6a|"; content:"|0a|Department"; distance:0; content:"|55 04 03|"; distance:0; content:"|0f|www.example.com"; distance:1; within:16; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023708; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, created_at 2017_01_09, updated_at 2017_01_09;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|rockybalboa|02|at|00|"; nocase; distance:0; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023709; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, created_at 2017_01_09, updated_at 2017_01_09;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|storegoogle|02|at|00|"; nocase; distance:0; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023710; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, created_at 2017_01_09, updated_at 2017_01_09;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b CnC Beacon"; flow:to_server,established; content:"POST"; http_method; nocase; content:".php"; http_uri; content:"|3b 20|Android|20|"; http_user_agent; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Content-Language|3a 20|en-US|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|"; depth:98; http_header; content:!"Referer|3a 20|"; http_header; content:"&method="; fast_pattern:only; http_client_body; pcre:"/^d(?:id|ei)=[A-F0-9]{10,100}&method=IS[A-Z]{1,10}$/P"; pcre:"/\.php$/U"; reference:md5,d6ef9b0cdb49b56c53da3433e30f3fd6; reference:md5,4ddf3ff57db24513a16eacb99ad07675; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023933; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, performance_impact Low, updated_at 2017_02_16;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b Apps List Exfil"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/functions.php"; fast_pattern:only; http_uri; content:"|3b 20|Android|20|"; http_user_agent; content:"apslst="; depth:7; http_client_body; reference:md5,4ddf3ff57db24513a16eacb99ad07675; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023934; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, performance_impact Low, updated_at 2017_02_16;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|androidbak|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023935; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, updated_at 2017_02_16;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|droidback|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023936; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, updated_at 2017_02_16;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|endpointup|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023937; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, updated_at 2017_02_16;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|siteanalysto|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023938; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, updated_at 2017_02_16;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|goodydaddy|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023939; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, updated_at 2017_02_16;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.C2P.Qd!c Ransomware CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/stat/locker|20|HTTP/1."; fast_pattern:only; content:"Apache-HttpClient/"; depth:18; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"type="; http_client_body; depth:5; content:"&version="; http_client_body; content:"&lid="; http_client_body; content:"&c="; http_client_body; content:"&i="; http_client_body; metadata: former_category MOBILE_MALWARE; reference:url,www.zscaler.com/blogs/research/new-android-ransomware-bypasses-all-antivirus-programs; classtype:trojan-activity; sid:2024123; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2017_03_31, updated_at 2017_03_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Pegasus CnC Beacon"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/support.aspx|20|HTTP/1."; content:"SessionId1|3a 20|"; http_header; content:"SessionId2|3a 20|"; fast_pattern:only; http_header; content:"|3b 20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"|0d 0a|Content-Disposition|3a 20|form-data|3b 20|name=|22|header|22 3b 20|filename=|22|header|22 0d 0a|"; http_client_body; metadata: former_category MOBILE_MALWARE; reference:url,info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf; classtype:trojan-activity; sid:2024171; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2017_04_04, updated_at 2017_04_04;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Pegasus CnC Beacon M2"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/adinfo?gi="; fast_pattern:only; http_uri; content:"&bf="; http_uri; pcre:"/^Host\x3a[^\n\r]\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}[\r\n]+$/Hm"; metadata: former_category MOBILE_MALWARE; reference:url,info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf; classtype:trojan-activity; sid:2024172; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2017_04_04, updated_at 2017_04_04;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AdWare.AndroidOS.Ewind.cd Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/sdk_api.php?id="; fast_pattern:only; http_uri; content:"&type="; http_uri; content:"Apache-HttpClient/"; depth:18; http_user_agent; content:!"Referer|3a 20|"; http_header; pcre:"/\.php\?id=[a-f0-9]{8}(?:-[a-f0-9]{4}){4}[a-f0-9]{8}&type=/U"; metadata: former_category MOBILE_MALWARE; reference:md5,bc76d516a66e4002461128f62896c6dd; classtype:trojan-activity; sid:2024201; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_04_11, malware_family Android_Ewind, updated_at 2017_04_11;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE AdWare.AndroidOS.Ewind.cd Response"; flow:from_server,established; file_data; content:"[{|22|id|22 3a 22|0|22|,|22|command|22 3a 22|OK|22|}"; depth:26; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:md5,bc76d516a66e4002461128f62896c6dd; classtype:trojan-activity; sid:2024202; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_04_11, malware_family Android_Ewind, updated_at 2017_04_11;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Dropper.Abd Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/ad-"; http_uri; content:"|3b 20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"RgQ7"; depth:4; fast_pattern; http_client_body; pcre:"/\/ad-(?:strat|devi)\/$/U"; metadata: former_category MOBILE_MALWARE; reference:md5,66a1dda748d073f5e659b700339c3343; reference:url,www.zscaler.com/blogs/research/malicious-android-ads-leading-drive-downloads; classtype:trojan-activity; sid:2024411; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android_07012016, signature_severity Major, created_at 2017_06_19, updated_at 2017_06_19;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a CnC Beacon"; flow:to_server,established; content:"/inj/injek-1.php?id="; fast_pattern:only; http_uri; content:!"Referer|3a 20|"; http_header; pcre:"/\?id=(?:[a-f0-9]{32}|[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})$/U"; metadata: former_category MOBILE_MALWARE; reference:md5,e9542a8bd9f0ab57e40bb8519ac443a2; classtype:trojan-activity; sid:2024426; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_06_26, malware_family Android_Marcher, updated_at 2017_06_26;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE ANDROIDOS_LEAKERLOCKER.HRX DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|updatmaster|03|top|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,reference:url,blog.trendmicro.com/trendlabs-security-intelligence/leakerlocker-mobile-ransomware-threatens-expose-user-information/; classtype:trojan-activity; sid:2024509; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_08_02, updated_at 2017_08_02;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE WireX Botnet DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|axclick|05|store|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:md5,6af299a2ac9b59f7d551b6e235e0d200; reference:url,blog.cloudflare.com/the-wirex-botnet/; classtype:trojan-activity; sid:2024615; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_08_28, malware_family Android_WireX, updated_at 2017_08_28;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|b1k51|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024735; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|b1j3aas|04|life|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024736; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|wechaatt|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024737; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 4"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|10as05|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024738; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 5"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|ch0ck4|04|life|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024739; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 6"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|fatur1s|04|life|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024740; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 7"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|b5k31|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024741; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 8"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|erd0|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024742; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 9"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|b1v2a5|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024743; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 10"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|b1502b|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024744; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 11"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|elsssee|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024745; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|kvp41|04|life|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024746; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 13"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|servertestapi|03|ltd|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024747; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 14"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|taxii|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024748; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 15"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|p0w3r|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024749; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 16"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|4r3a|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024750; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
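Review bot: sid 2024509 (the `ANDROIDOS_LEAKERLOCKER.HRX DNS Lookup` rule) carries a doubled reference prefix, `reference:url,reference:url,blog.trendmicro.com/...`, so the reference scheme is `url` and the id becomes the literal text `reference:url,blog.trendmicro.com/...` (or a truncated fragment of it, depending on how strictly the engine's reference parser matches) instead of the blog URL; drop the repeated `reference:url,` so the keyword reads `reference:url,blog.trendmicro.com/trendlabs-security-intelligence/leakerlocker-mobile-ransomware-threatens-expose-user-information/;`. Since these are vendored Emerging Threats rules, it would also help to record the upstream ruleset date in the commit and to run `suricata -T -c suricata.yaml -S <this file>` before merging, so a parse error like this one is caught against the upstream copy rather than patched by hand later. Note as well that all the `DNS Lookup` rules here (sids 2023709, 2023710, 2023935 through 2023939, 2024509, 2024615, 2024735 through 2024750) match the raw UDP payload on port 53 (`content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;`, a standard query with QDCOUNT 1), so they do not cover DNS over TCP or resolvers on other ports.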


@ -0,0 +1,18 @@
alert tcp any any -> any any (msg:"ET SCAN NMAP -sS window 2048"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000537; classtype:attempted-recon; sid:2000537; rev:8;)
alert ip any any -> any any (msg:"ET SCAN NMAP -sO"; dsize:0; ip_proto:21; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000536; classtype:attempted-recon; sid:2000536; rev:7;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -sS window 1024"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000537; classtype:attempted-recon; sid:2009582; rev:2;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -sS window 3072"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:3072; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000537; classtype:attempted-recon; sid:2009583; rev:2;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -sS window 4096"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:4096; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000537; classtype:attempted-recon; sid:2009584; rev:1;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -sA (1)"; fragbits:!D; dsize:0; flags:A,12; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000538; classtype:attempted-recon; sid:2000538; rev:8;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -sA (2)"; fragbits:!D; dsize:0; flags:A,12; window:3072; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000540; classtype:attempted-recon; sid:2000540; rev:8;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -f -sF"; fragbits:!M; dsize:0; flags:F,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000543; classtype:attempted-recon; sid:2000543; rev:7;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -f -sN"; fragbits:!M; dsize:0; flags:0,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000544; classtype:attempted-recon; sid:2000544; rev:7;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -f -sS"; fragbits:!M; dsize:0; flags:S,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000545; classtype:attempted-recon; sid:2000545; rev:7;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -f -sX"; fragbits:!M; dsize:0; flags:FPU,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000546; classtype:attempted-recon; sid:2000546; rev:7;)
alert http any any -> any $HTTP_PORTS (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap NSE)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| Nmap NSE"; reference:url,doc.emergingthreats.net/2009359; classtype:web-application-attack; sid:2009359; rev:3;)
alert http any any -> any any (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| Mozilla/5.0 (compatible|3b| Nmap Scripting Engine"; nocase; reference:url,doc.emergingthreats.net/2009358; classtype:web-application-attack; sid:2009358; rev:4;)
alert icmp any any -> any any (msg:"GPL SCAN PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:2100469; rev:4;)
alert tcp any any -> any any (msg:"GPL SCAN nmap TCP"; ack:0; flags:A,12; flow:stateless; reference:arachnids,28; classtype:attempted-recon; sid:2100628; rev:8;)
alert tcp any any -> any any (msg:"GPL SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:2101228; rev:8;)
alert tcp any any -> any any (msg:"GPL SCAN nmap fingerprint attempt"; flags:SFPU; flow:stateless; reference:arachnids,05; classtype:attempted-recon; sid:2100629; rev:7;)
alert http any any -> $HTTP_SERVERS any (msg:"ET SCAN NMAP SQL Spider Scan"; flow:established,to_server; content:"GET"; http_method; content:" OR sqlspider"; http_uri; reference:url,nmap.org/nsedoc/scripts/sql-injection.html; classtype:web-application-attack; sid:2013778; rev:2;)
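Review bot: sid 2100628 (`GPL SCAN nmap TCP`, `ack:0; flags:A,12; flow:stateless`) matches every stateless ACK segment whose acknowledgement number is 0 and, unlike the four `ET SCAN NMAP -f` rules at the top of this region, carries no `threshold`, so an ACK-ping sweep yields one alert per probe; give it the same `threshold: type both, track by_dst, count 1, seconds 60` the `-f` rules use, or ship it disabled. Second point: these rules reference `$HTTP_PORTS` (2009359) and `$HTTP_SERVERS` (2013778), and the companion rule file added below uses `$HOME_NET`, `$EXTERNAL_NET` and `$SHELLCODE_PORTS`; Suricata fails to load any rule whose address or port variable is not defined under `vars:` in suricata.yaml (and aborts outright with `--init-errors-fatal`), so the commit should include or document the yaml that defines them. Minor: the two NSE User-Agent rules are inconsistent with each other, 2009359 scoping to `$HTTP_PORTS` without `nocase` while 2009358 uses `any any` with `nocase`; pick one convention for both.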


@ -0,0 +1,772 @@
# Emerging Threats
#
# This distribution may contain rules under two different licenses.
#
# Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
# A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
# Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License
# as follows:
#
#*************************************************************
# Copyright (c) 2003-2014, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
#
#
#
# This Ruleset is EmergingThreats Open optimized for suricata-1.3.
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Bindshell2 Decoder Shellcode"; flow:established; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; reference:url,doc.emergingthreats.net/2009246; classtype:shellcode-detect; sid:2009246; rev:3;)
#by Jaime Blasco
#
alert udp any any -> any any (msg:"ET SHELLCODE Bindshell2 Decoder Shellcode (UDP)"; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; reference:url,doc.emergingthreats.net/2009285; classtype:shellcode-detect; sid:2009285; rev:2;)
#by Jaime Blasco
#
alert tcp any any -> any any (msg:"ET SHELLCODE Rothenburg Shellcode"; flow:established; content:"|D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance:0; reference:url,doc.emergingthreats.net/2009247; classtype:shellcode-detect; sid:2009247; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Rothenburg Shellcode (UDP)"; content:"|D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance:0; reference:url,doc.emergingthreats.net/2009284; classtype:shellcode-detect; sid:2009284; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Lindau (linkbot) xor Decoder Shellcode"; flow:established; content:"|EB 15 B9|"; content:"|81 F1|"; distance:0; content:"|80 74 31 FF|"; distance:0; content:"|E2 F9 EB 05 E8 E6 FF FF FF|"; reference:url,doc.emergingthreats.net/2009248; classtype:shellcode-detect; sid:2009248; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Lindau (linkbot) xor Decoder Shellcode (UDP)"; content:"|EB 15 B9|"; content:"|81 F1|"; distance:0; content:"|80 74 31 FF|"; distance:0; content:"|E2 F9 EB 05 E8 E6 FF FF FF|"; reference:url,doc.emergingthreats.net/2009283; classtype:shellcode-detect; sid:2009283; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Adenau Shellcode"; flow:established; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009249; classtype:shellcode-detect; sid:2009249; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Adenau Shellcode (UDP)"; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009282; classtype:shellcode-detect; sid:2009282; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Mainz/Bielefeld Shellcode"; flow:established; content:"|33 c9 66 b9|"; content:"|80 34|"; distance:0; content:"|eb 05 e8 eb ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009250; classtype:shellcode-detect; sid:2009250; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Mainz/Bielefeld Shellcode (UDP)"; content:"|33 c9 66 b9|"; content:"|80 34|"; distance:0; content:"|eb 05 e8 eb ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009281; classtype:shellcode-detect; sid:2009281; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Wuerzburg Shellcode"; flow:established; content:"|eb 27|"; content:"|5d 33 c9 66 b9|"; distance:0; content:"|8d 75 05 8b fe 8a 06 3c|"; distance:0; content:"|75 05 46 8a 06|"; distance:0; content:"|88 07 47 e2 ed eb 0a e8 da ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009251; classtype:shellcode-detect; sid:2009251; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Wuerzburg Shellcode (UDP)"; content:"|eb 27|"; content:"|5d 33 c9 66 b9|"; distance:0; content:"|8d 75 05 8b fe 8a 06 3c|"; distance:0; content:"|75 05 46 8a 06|"; distance:0; content:"|88 07 47 e2 ed eb 0a e8 da ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009280; classtype:shellcode-detect; sid:2009280; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Schauenburg Shellcode"; flow:established; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009252; classtype:shellcode-detect; sid:2009252; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Schauenburg Shellcode (UDP)"; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009279; classtype:shellcode-detect; sid:2009279; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Koeln Shellcode"; flow:established; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009253; classtype:shellcode-detect; sid:2009253; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Koeln Shellcode (UDP)"; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009278; classtype:shellcode-detect; sid:2009278; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Lichtenfels Shellcode"; flow:established; content:"|01 fc ff ff 83 e4 fc 8b ec 33 c9 66 b9|"; content:"|80 30|"; distance:0; content:"|40 e2 fA|"; distance:0; reference:url,doc.emergingthreats.net/2009254; classtype:shellcode-detect; sid:2009254; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Lichtenfels Shellcode (UDP)"; content:"|01 fc ff ff 83 e4 fc 8b ec 33 c9 66 b9|"; content:"|80 30|"; distance:0; content:"|40 e2 fA|"; distance:0; reference:url,doc.emergingthreats.net/2009277; classtype:shellcode-detect; sid:2009277; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Mannheim Shellcode"; flow:established; content:"|80 73 0e|"; content:"|43 e2|"; distance:0; content:"|73 73 73|"; distance:0; content:"|81 86 8c 81|"; distance:0; reference:url,doc.emergingthreats.net/2009255; classtype:shellcode-detect; sid:2009255; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Mannheim Shellcode (UDP)"; content:"|80 73 0e|"; content:"|43 e2|"; distance:0; content:"|73 73 73|"; distance:0; content:"|81 86 8c 81|"; distance:0; reference:url,doc.emergingthreats.net/2009276; classtype:shellcode-detect; sid:2009276; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Berlin Shellcode"; flow:established; content:"|31 c9 b1 fc 80 73 0c|"; content:"|43 e2 8b 9f|"; distance:0; reference:url,doc.emergingthreats.net/2009256; classtype:shellcode-detect; sid:2009256; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Berlin Shellcode (UDP)"; content:"|31 c9 b1 fc 80 73 0c|"; content:"|43 e2 8b 9f|"; distance:0; reference:url,doc.emergingthreats.net/2009275; classtype:shellcode-detect; sid:2009275; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Leimbach Shellcode"; flow:established; content:"|5b 31 c9 b1|"; content:"|80 73|"; distance:0; content:"|43 e2|"; distance:0; reference:url,doc.emergingthreats.net/2009257; classtype:shellcode-detect; sid:2009257; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Leimbach Shellcode (UDP)"; content:"|5b 31 c9 b1|"; content:"|80 73|"; distance:0; content:"|43 e2|"; distance:0; reference:url,doc.emergingthreats.net/2009274; classtype:shellcode-detect; sid:2009274; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Aachen Shellcode"; flow:established; content:"|8b 45 04 35|"; content:"|89 45 04 66 8b 45 02 66 35|"; distance:0; content:"|66 89 45 02|"; distance:0; reference:url,doc.emergingthreats.net/2009258; classtype:shellcode-detect; sid:2009258; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Aachen Shellcode (UDP)"; content:"|8b 45 04 35|"; content:"|89 45 04 66 8b 45 02 66 35|"; distance:0; content:"|66 89 45 02|"; distance:0; reference:url,doc.emergingthreats.net/2009273; classtype:shellcode-detect; sid:2009273; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Furth Shellcode"; flow:established; content:"|31 c9 66 b9|"; content:"|80 73|"; distance:0; content:"|43 e2 1f|"; distance:0; reference:url,doc.emergingthreats.net/2009259; classtype:shellcode-detect; sid:2009259; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Furth Shellcode (UDP)"; content:"|31 c9 66 b9|"; content:"|80 73|"; distance:0; content:"|43 e2 1f|"; distance:0; reference:url,doc.emergingthreats.net/2009272; classtype:shellcode-detect; sid:2009272; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Langenfeld Shellcode"; flow:established; content:"|eb 0f 5b 33 c9 66 b9|"; content:"|80 33|"; distance:0; content:"|43 e2 fa eb|"; distance:0; reference:url,doc.emergingthreats.net/2009260; classtype:shellcode-detect; sid:2009260; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Langenfeld Shellcode (UDP)"; content:"|eb 0f 5b 33 c9 66 b9|"; content:"|80 33|"; distance:0; content:"|43 e2 fa eb|"; distance:0; reference:url,doc.emergingthreats.net/2009271; classtype:shellcode-detect; sid:2009271; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Bonn Shellcode"; flow:established; content:"|31 c9 81 e9|"; content:"|83 eb|"; distance:0; content:"|80 73|"; distance:0; content:"|43 e2 f9|"; distance:0; reference:url,doc.emergingthreats.net/2009261; classtype:shellcode-detect; sid:2009261; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Bonn Shellcode (UDP)"; content:"|31 c9 81 e9|"; content:"|83 eb|"; distance:0; content:"|80 73|"; distance:0; content:"|43 e2 f9|"; distance:0; reference:url,doc.emergingthreats.net/2009270; classtype:shellcode-detect; sid:2009270; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Siegburg Shellcode"; flow:established; content:"|31 eb 80 eb|"; content:"|58 80 30|"; distance:0; content:"|40 81 38|"; distance:0; reference:url,doc.emergingthreats.net/2009262; classtype:shellcode-detect; sid:2009262; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Siegburg Shellcode (UDP)"; content:"|31 eb 80 eb|"; content:"|58 80 30|"; distance:0; content:"|40 81 38|"; distance:0; reference:url,doc.emergingthreats.net/2009269; classtype:shellcode-detect; sid:2009269; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Plain1 Shellcode"; flow:established; content:"|89 e1 cd|"; content:"|5b 5d 52 66 bd|"; distance:0; content:"|0f cd 09 dd 55 6a|"; distance:0; content:"|51 50|"; distance:0; reference:url,doc.emergingthreats.net/2009263; classtype:shellcode-detect; sid:2009263; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Plain1 Shellcode (UDP)"; content:"|89 e1 cd|"; content:"|5b 5d 52 66 bd|"; distance:0; content:"|0f cd 09 dd 55 6a|"; distance:0; content:"|51 50|"; distance:0; reference:url,doc.emergingthreats.net/2009268; classtype:shellcode-detect; sid:2009268; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Plain2 Shellcode"; flow:established; content:"|50 50 50 50 40 50 40 50 ff 56 1c 8b d8 57 57 68 02|"; content:"|8b cc 6a|"; distance:0; content:"|51 53|"; distance:0; reference:url,doc.emergingthreats.net/2009264; classtype:shellcode-detect; sid:2009264; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Plain2 Shellcode (UDP)"; content:"|50 50 50 50 40 50 40 50 ff 56 1c 8b d8 57 57 68 02|"; content:"|8b cc 6a|"; distance:0; content:"|51 53|"; distance:0; reference:url,doc.emergingthreats.net/2009267; classtype:shellcode-detect; sid:2009267; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Bindshell1 Decoder Shellcode"; flow:established; content:"|58 99 89 E1 CD 80 96 43 52 66 68|"; content:"|66 53 89 E1 6A 66 58 50 51 56|"; distance:0; reference:url,doc.emergingthreats.net/2009265; classtype:shellcode-detect; sid:2009265; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Bindshell1 Decoder Shellcode (UDP)"; content:"|58 99 89 E1 CD 80 96 43 52 66 68|"; content:"|66 53 89 E1 6A 66 58 50 51 56|"; distance:0; reference:url,doc.emergingthreats.net/2009266; classtype:shellcode-detect; sid:2009266; rev:2;)
#by Anonymous Researchers(tm)
#Intended to catch common shellcode encoding in exploit scripts coming to clients in web sessions
#high load. use these if you need them!
#
##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-8 encoded Shellcode Detected"; flow:from_server,established; content:"%u"; nocase; isdataat:2; content:!"|0A|"; within:2; content:!"|20|"; within:2; pcre:"/(%U([0-9a-f]{2})){6}/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2003173; classtype:trojan-activity; sid:2003173; rev:7;)
#by Anonymous Researchers(tm)
#Intended to catch common shellcode encoding in exploit scripts coming to clients in web sessions
#high load. use these if you need them!
#
##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 encoded Shellcode Detected"; flow:from_server,established; content:"%u"; nocase; isdataat:4; content:!"|0A|"; within:4; content:!"|20|"; within:4; pcre:"/(%U([0-9a-f]{4})){6}/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2003174; classtype:trojan-activity; sid:2003174; rev:8;)
#by Alejandro Gramajo
##############################################################################
#x86 Pex Variable Length Fnstenv/mov/sub Double Word Xor Encoder
#D9 EE fldz
#D9 74 24 F4 fnstenv [esp - 12]
#5B pop ebx
#81 73 13 xorkey xor_xor: xor DWORD [ebx + 22], xorkey
#83 EB FC sub ebx,-4
#E2 F4 loop xor_xor
#Real traffic dump
#Content1
#98 49 F8 27 91 2F 27 48 4F 4E 6A 12 59 <D9 EE D9 .I.'./'HONj.Y...
#74 24 F4 5B 81 73 13> 2E D6 9A FE <83 EB FC E2 F4> t$.[.s..........
#Xorkey Content2
#
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 PexFnstenvMov/Sub Encoder"; flow:established; content:"|D9 EE D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance: 4; within: 5; reference:url,doc.emergingthreats.net/bin/view/Main/2002903; classtype:shellcode-detect; sid:2002903; rev:5;)
##############################################################################
#x86 Skylined\'s Alpha2 Alphanumeric Encoder
#
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 Alpha2 GetEIPs Encoder"; flow:established; content:"|EB 03 59 EB 05 E8 F8 FF FF FF|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002904; classtype:shellcode-detect; sid:2002904; rev:5;)
##############################################################################
#x86 Call $+4 countdown xor encoder
#E8 FF FF FF call $+4
#FF C1 inc ecx
#5E pop esi
#30 4C 0E 07 xor_xor: xor [esi + ecx + 0x07], cl
#E2 FA loop xor_xor
#
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 Countdown Encoder"; flow:established; content:"|E8 FF FF FF FF C1 5E 30 4C 0E 07 E2 FA|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002905; classtype:shellcode-detect; sid:2002905; rev:5;)
##############################################################################
#x86 Pex Alphanumeric Encoder
#VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089 win32getpc
#?? JJJJJ ?? baseaddr
#VTX630VX4A0B6HH0B30BCVX2BDBH4A2AD0ADTBDQB0ADAVX4Z8BDJOM decoder
#
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 PexAlphaNum Encoder"; flow:established; content:"VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089"; content:"JJJJJ"; distance: 2; within: 5; content:"VTX630VX4A0B6HH0B30BCVX2BDBH4A2AD0ADTBDQB0ADAVX4Z8BDJOM"; distance: 2; within: 55; reference:url,doc.emergingthreats.net/bin/view/Main/2002906; classtype:shellcode-detect; sid:2002906; rev:5;)
##############################################################################
#x86 Pex Call $+4 Double Word Xor Encoder
#E8 FF FF FF call $+4
#FF C0 inc eax
#5E pop esi
#81 76 0E xorkey xor_xor: xor [esi + 0x0e], xorkey
#83 EE FC sub esi, -4
#E2 F4 loop xor_xor
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE x86 PexCall Encoder"; flow:established; content:"|E8 FF FF FF FF C0 5E 81 76 0E|"; content:"|82 EE FC E2 F4|"; distance: 4; within: 5; reference:url,doc.emergingthreats.net/bin/view/Main/2002907; classtype:shellcode-detect; sid:2002907; rev:5;)
##############################################################################
#x86 IA32 Jmp/Call XOR Additive Feedback Decoder
#FC cld
#BB key mov ebx, key
#EB 0C jmp short 0x14
#5E pop esi
#56 push esi
#31 1E xor [esi], ebx
#AD lodsd
#01 C3 add ebx, eax
#85 C0 test eax, eax
#75 F7 jnz 0xa
#C3 ret
#E8 EF FF FF FF call 0x8
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE x86 JmpCallAdditive Encoder"; flow:established; content:"|FC BB|"; content:"|EB 0C 5E 56 31 1E AD 01 C3 85 C0 75 F7 C3 E8 EF FF FF FF|"; distance: 4; within: 19; reference:url,doc.emergingthreats.net/bin/view/Main/2002908; classtype:shellcode-detect; sid:2002908; rev:5;)
#Metasploit BSD shellcode detect rules by h0f - Jennylab
#Alberto Garcia de Dios
#albertogdedios@andaluciajunta.es
#http://www.jennylab.org
#####
#METASPLOIT SHELLCODE RULES
#####
#BSD METASPLOIT RULES
#### BSD BIND SHELL #######
#BSD Bind Shell - ENCODE: PexFnstenvSub
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell"; content:"|83 e9 ec d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010383; classtype:shellcode-detect; sid:2010383; rev:2;)
#BSD Bind Shell - ENCODE: CountDown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 2)"; content:"|82 ed 5f 4c 5d 52 43 78 03 d9 95 8f 84 49 4a 48 71 74 45 d3|"; reference:url,doc.emergingthreats.net/2010385; classtype:shellcode-detect; sid:2010385; rev:4;)
#BSD Bind Shell - ENCODE: CountDown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 3)"; content:"|9f 90 4b ef a3 76 76 74 97 36 e4 aa bc 46 2f 77 45 6a 69 63|"; reference:url,doc.emergingthreats.net/2010386; classtype:shellcode-detect; sid:2010386; rev:3;)
#BSD Bind Shell - ENCODE: CountDown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 4)"; content:"|64 65 f8 b6 7e 41 cc 6a 53 13 12 4d 57 28 6e 20 2a 2a cc a5|"; reference:url,doc.emergingthreats.net/2010387; classtype:shellcode-detect; sid:2010387; rev:3;)
#BSD Bind Shell - ENCODE: CountDown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 5)"; content:"|17 1c 1a 19 fb 77 80 ce|"; reference:url,doc.emergingthreats.net/2010388; classtype:shellcode-detect; sid:2010388; rev:3;)
#BSD Bind Shell - ENCODE: Pex
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Encoded 1)"; content:"|c9 83 e9 ec e8 ff ff ff ff c0 5e 81 76 0e|"; reference:url,doc.emergingthreats.net/2010389; classtype:shellcode-detect; sid:2010389; rev:3;)
#BSD Bind Shell - ENCODE: Pex
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Encoded 2)"; content:"|83 ee fc e2 f4|"; reference:url,doc.emergingthreats.net/2010390; classtype:shellcode-detect; sid:2010390; rev:3;)
#BSD Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 1)"; content:"|6a 61 58 99 52 68 10 02|"; reference:url,doc.emergingthreats.net/2010391; classtype:shellcode-detect; sid:2010391; rev:3;)
#BSD Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 2)"; content:"|89 e1 52 42 52 42 52 6a 10 cd 80 99 93 51 53 52 6a 68 58 cd|"; reference:url,doc.emergingthreats.net/2010392; classtype:shellcode-detect; sid:2010392; rev:2;)
#BSD Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 3)"; content:"|80 b0 6a cd 80 52 53 52 b0 1e cd 80 97 6a 02 59 6a 5a 58 51|"; reference:url,doc.emergingthreats.net/2010393; classtype:shellcode-detect; sid:2010393; rev:3;)
#BSD Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 4)"; content:"|57 51 cd 80 49 79 f5 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3|"; reference:url,doc.emergingthreats.net/2010394; classtype:shellcode-detect; sid:2010394; rev:3;)
#BSD Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 5)"; content:"|50 54 53 53 b0 3b cd 80|"; reference:url,doc.emergingthreats.net/2010395; classtype:shellcode-detect; sid:2010395; rev:3;)
#BSD Bind Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 1)"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 4f 49 49 49 49 49 49 51 5a 56|"; reference:url,doc.emergingthreats.net/2010396; classtype:shellcode-detect; sid:2010396; rev:3;)
#BSD Bind Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 2)"; content:"|54 58 36 33 30 56 58 34 41 30 42 36 48 48 30 42 33 30 42 43|"; reference:url,doc.emergingthreats.net/2010397; classtype:shellcode-detect; sid:2010397; rev:3;)
#BSD Bind Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 3)"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54 42 44 51 42|"; reference:url,doc.emergingthreats.net/2010398; classtype:shellcode-detect; sid:2010398; rev:3;)
#BSD Bind Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 4)"; content:"|30 41 44 41 56 58 34 5a 38 42 44 4a 4f 4d 4c 36 41|"; reference:url,doc.emergingthreats.net/2010399; classtype:shellcode-detect; sid:2010399; rev:3;)
#BSD Bind Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 5)"; content:"|41 4e 44 35 44 34 44|"; reference:url,doc.emergingthreats.net/2010400; classtype:shellcode-detect; sid:2010400; rev:3;)
#BSD Bind Shell - ENCODE: PexFstEnvMov
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 1)"; content:"|6a 14 59 d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010401; classtype:shellcode-detect; sid:2010401; rev:3;)
#BSD Bind Shell - ENCODE: PexFstEnvMov
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 2)"; content:"|83 eb fc e2 f4|"; reference:url,doc.emergingthreats.net/2010402; classtype:shellcode-detect; sid:2010402; rev:3;)
#BSD Bind Shell - ENCODE: JmpCallAditive
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (JmpCallAdditive Encoded)"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff ff ff|"; reference:url,doc.emergingthreats.net/2010403; classtype:shellcode-detect; sid:2010403; rev:3;)
#BSD Bind Shell - ENCODE: Alpha2
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 1)"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 49 49 49 49 49 49 49 49 49 49|"; reference:url,doc.emergingthreats.net/2010404; classtype:shellcode-detect; sid:2010404; rev:3;)
#BSD Bind Shell - ENCODE: Alpha2
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 2)"; content:"|41 42 32 42 41 32 41 41 30 41 41 58|"; reference:url,doc.emergingthreats.net/2010405; classtype:shellcode-detect; sid:2010405; rev:3;)
#BSD Bind Shell - ENCODE: Alpha2
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 3)"; content:"|49 72 4e 4e 69 6b 53|"; reference:url,doc.emergingthreats.net/2010406; classtype:shellcode-detect; sid:2010406; rev:3;)
#BSD Reverse Shell - ENCODE: PexFnstenvSub
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 1)"; content:"|c9 83 e9 ef d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010407; classtype:shellcode-detect; sid:2010407; rev:3;)
#### EOF BSD BIND SHELL ######
### BSD REVERSE SHELL #######
#BSD Reverse Shell - ENCODE: PexFnstenvSub
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 2)"; content:"|83 eb fc e2 f4|"; reference:url,doc.emergingthreats.net/2010408; classtype:shellcode-detect; sid:2010408; rev:3;)
#BSD Reverse Shell - ENCODE: Countdown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 1)"; content:"|6a 43 59 e8 ff ff ff ff c1 5e 30 4c 0e 07 e2 fa 6b 63 5b 9d|"; reference:url,doc.emergingthreats.net/2010409; classtype:shellcode-detect; sid:2010409; rev:3;)
#BSD Reverse Shell - ENCODE: Countdown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 2)"; content:"|9f f6 72 09 4b 4b 4d 8a 74 7d 78 ec a2 49 26 7c 96 7d 79 7e|"; reference:url,doc.emergingthreats.net/2010410; classtype:shellcode-detect; sid:2010410; rev:3;)
#BSD Reverse Shell - ENCODE: Countdown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 3)"; content:"|7b e6 ac 64 57 d9 60 59 1d 1c 47 5d 5e 18 5a 50 54 b2 df 6d|"; reference:url,doc.emergingthreats.net/2010411; classtype:shellcode-detect; sid:2010411; rev:3;)
#BSD Reverse Shell - ENCODE: Countdown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 4)"; content:"|57 44 55 4a 5b 62|"; reference:url,doc.emergingthreats.net/2010412; classtype:shellcode-detect; sid:2010412; rev:3;)
#BSD Reverse Shell - ENCODE: Pex
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Encoded 1)"; content:"|c9 83 e9 ef e8 ff ff ff ff c0 5e 81 76 0e|"; reference:url,doc.emergingthreats.net/2010413; classtype:shellcode-detect; sid:2010413; rev:3;)
#BSD Reverse Shell - ENCODE: Pex
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Encoded 2)"; content:"|83 ee fc e2 f4|"; reference:url,doc.emergingthreats.net/2010414; classtype:shellcode-detect; sid:2010414; rev:3;)
#BSD Reverse Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 1)"; content:"|51 cd 80 49 79 f6 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 50|"; reference:url,doc.emergingthreats.net/2010415; classtype:shellcode-detect; sid:2010415; rev:3;)
#BSD Reverse Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 2)"; content:"|6a 61 58 99 52 42 52 42 52 68|"; reference:url,doc.emergingthreats.net/2010416; classtype:shellcode-detect; sid:2010416; rev:3;)
#BSD Reverse Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 3)"; content:"|89 e1 6a 10 51 50 51 97 6a 62 58 cd 80 6a 02 59 b0 5a 51 57|"; reference:url,doc.emergingthreats.net/2010417; classtype:shellcode-detect; sid:2010417; rev:3;)
#BSD Reverse Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 1)"; content:"|44 32 4d 4c 42 48 4a 46 42 31 44 50 50 41 4e 4f 49 38 41 4e|"; reference:url,doc.emergingthreats.net/2010418; classtype:shellcode-detect; sid:2010418; rev:3;)
#BSD Reverse Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 2)"; content:"|4c 36 42 41 41 35 42 45 41 35 47 59 4c 36 44 56 4a 35 4d 4c|"; reference:url,doc.emergingthreats.net/2010419; classtype:shellcode-detect; sid:2010419; rev:3;)
#BSD Reverse Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 3)"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54 42 44 51 42|"; reference:url,doc.emergingthreats.net/2010420; classtype:shellcode-detect; sid:2010420; rev:3;)
#BSD Reverse Shell - ENCODE: PexFnstenvMov
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 1)"; content:"|6a 11 59 d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010421; classtype:shellcode-detect; sid:2010421; rev:3;)
#BSD Reverse Shell - ENCODE: PexFnstenvMov
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 2)"; content:"|83 eb fc e2 f4|"; reference:url,doc.emergingthreats.net/2010422; classtype:shellcode-detect; sid:2010422; rev:3;)
#BSD Reverse Shell - ENCODE: JmpCallAditive
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (JmpCallAdditive Encoded 1)"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff ff ff|"; reference:url,doc.emergingthreats.net/2010423; classtype:shellcode-detect; sid:2010423; rev:2;)
#BSD Reverse Shell - ENCODE: Alpha2
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 1)"; content:"|49 49 49 49 49 49 49 51 5a 6a|"; reference:url,doc.emergingthreats.net/2010424; classtype:shellcode-detect; sid:2010424; rev:2;)
#BSD Reverse Shell - ENCODE: Alpha2
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 2)"; content:"|58 50 30 42 31 41 42 6b 42 41|"; reference:url,doc.emergingthreats.net/2010425; classtype:shellcode-detect; sid:2010425; rev:2;)
#BSD Reverse Shell - ENCODE: Alpha2
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 3)"; content:"|32 41 41 30 41 41 58 50 38 42 42 75|"; reference:url,doc.emergingthreats.net/2010426; classtype:shellcode-detect; sid:2010426; rev:2;)
##### EOF BSD Reverse Shell#####
##### BSD SPARC Bind Shell #########
#BSD SPARC Bind Shell - ENCODE: SPARC
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (SPARC Encoded 1)"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03 e0 20 aa 9d 40 11|"; reference:url,doc.emergingthreats.net/2010427; classtype:shellcode-detect; sid:2010427; rev:2;)
##### EOF BSD Reverse Shell#####
##### BSD SPARC Bind Shell #########
#BSD SPARC Bind Shell - ENCODE: SPARC
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (SPARC Encoded 2)"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff fb 9e 03 e0 04|"; reference:url,doc.emergingthreats.net/2010428; classtype:shellcode-detect; sid:2010428; rev:2;)
#BSD SPARC Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 1)"; content:"|e0 23 bf f0 c0 23 bf f4 92 23 a0 10 94 10 20 10 82 10 20 68|"; reference:url,doc.emergingthreats.net/2010429; classtype:shellcode-detect; sid:2010429; rev:2;)
#BSD SPARC Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 2)"; content:"|91 d0 20 08 d0 03 bf f8 92 10 20 01 82 10 20 6a 91 d0 20 08|"; reference:url,doc.emergingthreats.net/2010430; classtype:shellcode-detect; sid:2010430; rev:2;)
#BSD SPARC Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 3)"; content:"|d0 03 bf f8 92 1a 40 09 94 12 40 09 82 10 20 1e 91 d0 20 08|"; reference:url,doc.emergingthreats.net/2010431; classtype:shellcode-detect; sid:2010431; rev:2;)
#BSD SPARC Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 4)"; content:"|23 0b dc da 90 23 a0 10 92 23 a0 08 e0 3b bf f0 d0 23 bf f8|"; reference:url,doc.emergingthreats.net/2010432; classtype:shellcode-detect; sid:2010432; rev:2;)
#### EOF BSD SPARC Bind Shell #########4
### BSD SPARC Reverse Shell ########
#BSD SPARC Reverse Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 1)"; content:"|9c 2b a0 07 94 1a c0 0b 92 10 20 01 90 10 20 02 82 10 20 61|"; reference:url,doc.emergingthreats.net/2010433; classtype:shellcode-detect; sid:2010433; rev:2;)
#### EOF BSD SPARC Bind Shell #########4
### BSD SPARC Reverse Shell ########
#BSD SPARC Reverse Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 2)"; content:"|91 d0 20 08 d0 23 bf f8 92 10 20 03 92 a2 60 01 82 10 20 5a|"; reference:url,doc.emergingthreats.net/2010434; classtype:shellcode-detect; sid:2010434; rev:2;)
#### EOF BSD SPARC Bind Shell #########4
### BSD SPARC Reverse Shell ########
#BSD SPARC Reverse Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 3)"; content:"|91 d0 20 08 12 bf ff fd d0 03 bf f8 21 3f c0|"; reference:url,doc.emergingthreats.net/2010437; classtype:shellcode-detect; sid:2010437; rev:2;)
#BSD SPARC Reverse Shell - ENCODE: SPARC
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 1)"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03 e0 20 aa 9d 40 11|"; reference:url,doc.emergingthreats.net/2010435; classtype:shellcode-detect; sid:2010435; rev:2;)
#BSD SPARC Reverse Shell - ENCODE: SPARC
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 2)"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff fb 9e 03 e0 04|"; reference:url,doc.emergingthreats.net/2010436; classtype:shellcode-detect; sid:2010436; rev:2;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE AIX NOOP"; content:"O|FF FB 82|O|FF FB 82|O|FF FB 82|O|FF FB 82|"; classtype:shellcode-detect; sid:2100640; rev:7;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|"; reference:arachnids,352; classtype:shellcode-detect; sid:2100641; rev:7;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|"; reference:arachnids,358; classtype:shellcode-detect; sid:2100642; rev:7;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|"; reference:arachnids,359; classtype:shellcode-detect; sid:2100643; rev:8;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; reference:arachnids,343; classtype:shellcode-detect; sid:2100652; rev:10;)
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%"; reference:arachnids,356; classtype:shellcode-detect; sid:2100638; rev:6;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4"; reference:arachnids,357; classtype:shellcode-detect; sid:2100639; rev:6;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|"; reference:arachnids,345; classtype:shellcode-detect; sid:2100644; rev:6;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|"; reference:arachnids,353; classtype:shellcode-detect; sid:2100645; rev:6;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|"; reference:arachnids,355; classtype:shellcode-detect; sid:2100646; rev:6;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc setuid 0"; content:"|82 10| |17 91 D0| |08|"; reference:arachnids,282; classtype:system-call-detect; sid:2100647; rev:7;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x71FB7BAB NOOP unicode"; content:"q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|"; classtype:shellcode-detect; sid:2102313; rev:3;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x71FB7BAB NOOP"; content:"q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|"; classtype:shellcode-detect; sid:2102312; rev:3;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x90 NOOP unicode"; content:"|90 00 90 00 90 00 90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2102314; rev:3;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x90 unicode NOOP"; content:"|90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:653; rev:9;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0xEB0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; fast_pattern:only; classtype:shellcode-detect; sid:2101424; rev:8;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:7;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:2101390; rev:6;)
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|"; reference:arachnids,284; classtype:system-call-detect; sid:2100649; rev:9;)
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|"; reference:arachnids,436; classtype:system-call-detect; sid:2100650; rev:9;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 stealth NOOP"; content:"|EB 02 EB 02 EB 02|"; reference:arachnids,291; classtype:shellcode-detect; sid:2100651; rev:9;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101324; rev:7;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101326; rev:7;)
#
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SHELLCODE MSSQL shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; fast_pattern:only; classtype:shellcode-detect; sid:2100691; rev:7;)
#
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape %u Shellcode/Heap Spray"; flow:established,to_client; content:"unescape"; nocase; content:"%u"; nocase; distance:0; content:"%u"; nocase; within:6; pcre:"/unescape.+\x25u[0-9,a-f]{2,4}\x25u[0-9,a-f]{2,4}/smi"; reference:url,www.w3schools.com/jsref/jsref_unescape.asp; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,malzilla.sourceforge.net/tutorial01/index.html; reference:url,doc.emergingthreats.net/2011346; classtype:shellcode-detect; sid:2011346; rev:7;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected"; flow:established; content:"|EB|"; byte_jump:1,0,relative; content:"|E8|"; within:1; content:"|FF FF FF|"; distance:1; within:3; content:!"MZ"; content:!"This program cannot be run in DOS mode"; content:!"Windows Program"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2011803; rev:5;)
#
#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UDP x86 JMP to CALL Shellcode Detected"; content:"|EB|"; byte_jump:1,0,relative; content:"|E8|"; within:1; content:"|FF FF FF|"; distance:1; within:3; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2011804; rev:2;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 58|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012086; rev:2;)
#
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 58|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012087; rev:2;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 8F|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012088; rev:2;)
#
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; content:"|E8 00 00 00 00 8F|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012089; rev:2;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 0F 1A|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012090; rev:2;)
#
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 0F 1A|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012091; rev:3;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 0F A9|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012092; rev:2;)
#
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 0F A9|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012093; rev:3;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-8 %u90 NOP SLED"; flow:established,to_client; content:"%u90%u90"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012110; rev:3;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 %u9090 NOP SLED"; flow:established,to_client; content:"%u9090%u"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012111; rev:4;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Encoded %90 NOP SLED"; flow:established,to_client; content:"%90%90%90%90"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012112; rev:4;)
#
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Usage of Actionscript ByteArray writeByte Function to Build Shellcode"; flow:established,to_client; content:"writeByte(0x"; nocase; pcre:"/writeByte\x280x[a-z,0-9]{2}.+writeByte\x280x[a-z,0-9]{2}.+writeByte\x280x[a-z,0-9]{2}/smi"; reference:url,blog.fireeye.com/research/2009/07/actionscript_heap_spray.html; classtype:shellcode-detect; sid:2012120; rev:2;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation"; flow:established,to_client; content:"unescape|28 22|"; content:!"|29|"; within:100; content:"|22| +|0a|"; within:80; content:"|22| +|0a|"; within:80; content:"|22| "; within:80; content:"|22| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012196; rev:3;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation 2"; flow:established,to_client; content:"unescape|28 27|"; content:!"|29|"; within:100; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012197; rev:4;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common 0a0a0a0a Heap Spray String"; flow:established,to_client; content:"0a0a0a0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012252; rev:3;)
#
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %0a%0a%0a%0a Heap Spray String"; flow:established,to_client; content:"%0a%0a%0a%0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012253; rev:2;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a0a%u0a0a UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0a0a%u0a0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012254; rev:3;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a%u0a%u0a%u0a UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0a%u0a%u0a%u0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012255; rev:3;)
#
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common 0c0c0c0c Heap Spray String"; flow:established,to_client; content:"0c0c0c0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012256; rev:2;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String"; flow:established,to_client; content:"%0c%0c%0c%0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012257; rev:3;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c0c%u0c0c UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0c0c%u0c0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012258; rev:3;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c%u0c%u0c%u0c UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0c%u0c%u0c%u0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012259; rev:3;)
#
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE UTF-8/16 Encoded Shellcode"; flow:established,to_client; content:"|5C|u"; nocase; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; pcre:"/\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}/i"; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012510; rev:2;)
#
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Variable %u Shellcode"; flow:established,to_client; content:"= unescape|28|"; nocase; content:"%u"; nocase; within:3; content:"%u"; nocase; within:6; pcre:"/var\x20[a-z,0-9]{1,30}\x20\x3D\x20unescape\x28.\x25u[a-f,0-9]{2,4}\x25u[a-f,0-9]{2,4}/i"; reference:url,www.symantec.com/avcenter/reference/evolving.shell.code.pdf; classtype:shellcode-detect; sid:2012534; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Variable Unicode Shellcode"; flow:established,to_client; content:"= unescape|28|"; nocase; content:"|5C|u"; nocase; within:3; content:"|5C|u"; nocase; within:6; pcre:"/var\x20[a-z,0-9]{1,30}\x20\x3D\x20unescape\x28.\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}/i"; reference:url,www.symantec.com/avcenter/reference/evolving.shell.code.pdf; classtype:shellcode-detect; sid:2012535; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Javascript Split String Unicode Heap Spray Attempt"; flow:established,to_client; content:"|22|u|22 20|+|20 22|0|22 20|+|20 22|"; content:"|22 20|+|20 22|"; distance:1; within:5; pcre:"/\x220\x22\x20\x2B\x20\x22[a-d]\x22\x20\x2B\x20\x22/smi"; classtype:shellcode-detect; sid:2012925; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0a0a0a0a Heap Spray Attempt"; flow:established,to_client; content:"0x0a0a0a0a"; nocase; classtype:shellcode-detect; sid:2012962; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0b0b0b0b Heap Spray Attempt"; flow:established,to_client; content:"0x0b0b0b0b"; nocase; classtype:shellcode-detect; sid:2012963; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0c0c0c0c Heap Spray Attempt"; flow:established,to_client; content:"0x0c0c0c0c"; nocase; classtype:shellcode-detect; sid:2012964; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0d0d0d0d Heap Spray Attempt"; flow:established,to_client; content:"0x0d0d0d0d"; nocase; classtype:shellcode-detect; sid:2012965; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %0d%0d%0d%0d Heap Spray Attempt"; flow:established,to_client; content:"%0d%0d%0d%0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012966; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u0d%u0d%u0d%u0d UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"%u0d%u0d%u0d%u0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012967; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u0d0d%u0d0d UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"%u0d0d%u0d0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012968; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Vertical Slash Unicode Heap Spray Attempt"; flow:established,to_client; content:"|7C|u0"; nocase; content:"|7C|u0"; distance:1; within:4; pcre:"/\x7Cu0[a-d](\x7Cu0|0)[a-d]/\x7Cu0[a-d](\x7Cu0|0)[a-d]/i"; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012969; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Unicode Heap Spray Attempt"; flow:established,to_client; content:"|5C|u0"; nocase; content:"|5C|u0"; distance:1; within:4; pcre:"/\x5Cu0[a-d](\x5Cu0|0)[a-d]/\x5Cu0[a-d](\x5Cu0|0)[a-d]/i"; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012970; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt"; flow:established,to_client; content:"%41%41%41%41"; fast_pattern:only; classtype:shellcode-detect; sid:2013145; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u41%u41%u41%u41 UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"%u41%u41%u41%u41"; nocase; fast_pattern:only; classtype:shellcode-detect; sid:2013146; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u4141%u4141 UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"%u4141%u4141"; nocase; fast_pattern:only; classtype:shellcode-detect; sid:2013147; rev:2;)
#
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE JavaScript Redefinition of a HeapLib Object - Likely Malicious Heap Spray Attempt"; flow:established,to_client; content:"heap|2E|"; nocase; fast_pattern:only; pcre:"/var\x20[^\n\r]*\x3D[^\n\r]*heap\x2E/smi"; classtype:shellcode-detect; sid:2013148; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt"; flow:established,to_client; file_data; content:"Heap|2E|"; nocase; content:"Heap|2E|"; nocase; distance:0; content:"Heap|2E|"; nocase; distance:0; classtype:shellcode-detect; sid:2013222; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0a0a0a0a"; flow:established,to_client; file_data; content:"|5C|x0a|5C|x0a|5C|x0a|5C|x0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013267; rev:4;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; file_data; content:"|5C|x0b|5C|x0b|5C|x0b|5C|x0b"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013268; rev:4;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C|x0c|5C|x0c|5C|x0c|5C|x0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013269; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C|x0d|5C|x0d|5C|x0d|5C|x0d"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013270; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C|x90|5C|x90|5C|x90|5C|x90"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013271; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Hex Obfuscated Content"; flow:established,to_client; content:"unescape|28|"; fast_pattern; content:"|5C|x"; distance:1; within:2; content:"|5C|x"; distance:2; within:2; content:"|5C|x"; distance:2; within:2; content:"|5C|x"; distance:2; within:2; pcre:"/unescape\x28(\x22|\x27)\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}/smi"; classtype:shellcode-detect; sid:2013272; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C|x41|5C|x41|5C|x41|5C|x41"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013273; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0a0a0a0a"; flow:established,to_client; content:"|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013274; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; content:"|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013275; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013276; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013277; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C 5C|x90|5C 5C|x90|5C 5C|x90|5C 5C|x90"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013278; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C 5C|x41|5C 5C|x41|5C 5C|x41|5C 5C|x41"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013279; rev:2;)
#
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unicode UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"u0"; nocase; content:"u0"; nocase; distance:1; within:2; content:"u0"; nocase; distance:1; within:2; content:"u0"; nocase; distance:1; within:2; pcre:"/u0[a-d]u0[a-d]u0[a-d]u0[a-d]/smi"; classtype:shellcode-detect; sid:2013319; rev:2;)
#
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unicode UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"u0"; nocase; content:"u0"; nocase; distance:3; within:2; pcre:"/u0[a-d]0[a-d]u0[a-d]0[a-d]/smi"; classtype:shellcode-detect; sid:2013320; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-8 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c|5C|0c"; nocase; distance:0; classtype:bad-unknown; sid:2016714; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-16 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c0c"; nocase; distance:0; classtype:bad-unknown; sid:2016715; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 u9090 NOP SLED"; file_data; flow:established,to_client; content:"|5c|u9090|5c|"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2017345; rev:4;)
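Review bot: the rule at sid:2012089 is a `udp` rule but its msg reads "Possible Call with No Offset TCP Shellcode"; every other rule in that pair of families says "UDP" for the udp variant, so this one should too, otherwise its alerts are indistinguishable from sid:2012088 in any SIEM that keys on msg. The section banners are also duplicated out of order: "##### EOF BSD Reverse Shell#####" / "##### BSD SPARC Bind Shell #########" appear twice (once after the Alpha2 rules and again in the middle of the SPARC Bind rules), "#### EOF BSD SPARC Bind Shell #########4" / "### BSD SPARC Reverse Shell ########" appear three times with a stray trailing "4", and the "JmpCallAditive" comment is misspelled; these are comments and harmless to the parser, but they make the file hard to diff against upstream. Finally, enabled rules such as sid:2012252 (content:"0a0a0a0a"; nocase; with no file_data or fast_pattern) and sid:2101390 (a run of 24 "C" characters) match ordinary hex dumps and base64 text, so expect false positives on plain HTTP traffic; consider keeping them disabled like their %0a%0a%0a%0a (sid:2012253) and 0c0c0c0c (sid:2012256) siblings, or adding file_data, until they have been tuned for this network.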


@ -0,0 +1,90 @@
#!/bin/bash
#
# Init file for suricata
#
#
# chkconfig: 345 52 48
# description: Network Intrusion Detection System
#
# processname: Suricata
# pidfile: /var/run/suricata.pid
source /etc/rc.d/init.d/functions
### Read configuration
[ -r "$SYSCONFIG" ] && source "$SYSCONFIG"
RETVAL=0
prog="suricata"
desc="Suricata IDS"
start() {
# Make sure the interfaces are up, or suricata won't start.
for interface in <% @interface.each do |int| -%><%= int %> <% end -%>
do
/sbin/ifconfig $interface up
done
echo -n $"Starting $desc ($prog): "
daemon "suricata -D -c /etc/suricata/suricata.yaml <% @interface.each do |int| -%> -i <%= int %> <% end -%> >> /var/log/suricata/suricata.log"
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
return $RETVAL
}
stop() {
echo -n $"Shutting down $desc ($prog): "
killproc $prog
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog
return $RETVAL
}
restart() {
stop
start
}
reload() {
echo "Checking config before restarting"
suricata -T -c /etc/suricata/suricata.yaml >/dev/null 2>&1
RETVAL=$?
if [ $RETVAL -eq 0 ]
then
kill -USR2 $(cat /var/run/suricata.pid)
else
echo "Config broken, not reloading"
fi
return $RETVAL
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
restart
;;
reload)
reload
;;
condrestart)
[ -e /var/lock/subsys/$prog ] && restart
RETVAL=$?
;;
status)
status $prog
RETVAL=$?
;;
*)
echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
RETVAL=1
esac
exit $RETVAL
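Review bot: `$SYSCONFIG` is never assigned before `[ -r "$SYSCONFIG" ] && source "$SYSCONFIG"`, so the "Read configuration" step is a no-op unless that variable happens to be in the caller's environment; set it explicitly (for example `SYSCONFIG=/etc/sysconfig/suricata`) just above that line. In `start()`, `suricata -D` forks and returns immediately, so `RETVAL=$?` and the `/var/lock/subsys/$prog` touch report success even when the daemon then dies on a bad config or interface; run the same `suricata -T -c /etc/suricata/suricata.yaml` pre-check that `reload()` uses before calling `daemon`. In `reload()`, the `-T` output is thrown away with `>/dev/null 2>&1`, so an operator only sees "Config broken, not reloading" and has to rerun the test by hand; let stderr through or append it to the log. Minor: the message "Checking config before restarting" is misleading, since `kill -USR2` triggers Suricata's live rule reload, not a restart.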

View file

@ -0,0 +1,12 @@
[Unit]
Description=Open Source Next Generation Intrusion Detection and Prevention Engine
After=syslog.target network.target
[Service]
Type=simple
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml <% @interface.each do |int| -%> -i <%= int %> <% end -%>
ExecReload=/bin/kill -HUP $MAINPID
ExecStop=/bin/kill $MAINPID
[Install]
WantedBy=multi-user.target
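Review bot: `ExecReload=/bin/kill -HUP $MAINPID` does not reload rules: Suricata treats SIGHUP as a request to reopen its log files (log rotation), while SIGUSR2 is the live rule reload that the sysvinit script's `reload()` in this same commit sends. Use `-USR2` here (or `suricatasc -c reload-rules`, which needs the unix socket the shipped suricata.yaml leaves at `enabled: no`) so both service managers behave the same. Also consider `After=network-online.target` plus `Wants=network-online.target` rather than `network.target`, since the unit binds capture interfaces at start and, unlike the init script, does nothing to bring them up; `syslog.target` has no effect on current systemd and can be dropped.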

View file

@ -0,0 +1,317 @@
%YAML 1.1
---
default-log-dir: /var/log/suricata/
unix-command:
enabled: no
run-as:
user: suricata
group: suricata
outputs:
- fast:
enabled: yes
filename: fast.log
append: yes
- unified2-alert:
enabled: no
filename: unified2.alert
- http-log:
enabled: no
filename: http.log
append: yes
- tls-log:
enabled: no # Log TLS connections.
filename: tls.log # File to store TLS logs.
certs-log-dir: certs # directory to store the certificates files
- pcap-info:
enabled: no
- pcap-log:
enabled: no
filename: log.pcap
limit: 1000mb
max-files: 2000
mode: normal # normal or sguil.
use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
- alert-debug:
enabled: no
filename: alert-debug.log
append: yes
- alert-prelude:
enabled: no
profile: suricata
log-packet-content: no
log-packet-header: yes
- stats:
enabled: no
filename: stats.log
interval: 8
- syslog:
enabled: no
facility: local5
- drop:
enabled: no
filename: drop.log
append: yes
- file-store:
enabled: no # set to yes to enable
log-dir: files # directory to store the files
force-magic: no # force logging magic on all stored files
force-md5: no # force logging of md5 checksums
- file-log:
enabled: no
filename: files-json.log
append: yes
force-magic: no # force logging magic on all logged files
force-md5: no # force logging of md5 checksums
magic-file: /usr/share/file/magic
nfq:
af-packet:
threshold-file: /etc/suricata/threshold.config
detect-engine:
- profile: medium
- custom-values:
toclient-src-groups: 2
toclient-dst-groups: 2
toclient-sp-groups: 2
toclient-dp-groups: 3
toserver-src-groups: 2
toserver-dst-groups: 4
toserver-sp-groups: 2
toserver-dp-groups: 25
- sgh-mpm-context: auto
- inspection-recursion-limit: 3000
threading:
set-cpu-affinity: no
cpu-affinity:
- management-cpu-set:
cpu: [ 0 ] # include only these cpus in affinity settings
- receive-cpu-set:
cpu: [ 0 ] # include only these cpus in affinity settings
- decode-cpu-set:
cpu: [ 0, 1 ]
mode: "balanced"
- stream-cpu-set:
cpu: [ "0-1" ]
- detect-cpu-set:
cpu: [ "all" ]
mode: "exclusive" # run detect threads in these cpus
prio:
low: [ 0 ]
medium: [ "1-2" ]
high: [ 3 ]
default: "medium"
- verdict-cpu-set:
cpu: [ 0 ]
prio:
default: "high"
- reject-cpu-set:
cpu: [ 0 ]
prio:
default: "low"
- output-cpu-set:
cpu: [ "all" ]
prio:
default: "medium"
detect-thread-ratio: 1.5
cuda:
- mpm:
packet-buffer-limit: 2400
packet-size-limit: 1500
packet-buffers: 10
batching-timeout: 1
page-locked: enabled
device-id: 0
cuda-streams: 2
mpm-algo: ac
pattern-matcher:
- b2gc:
search-algo: B2gSearchBNDMq
hash-size: low
bf-size: medium
- b2gm:
search-algo: B2gSearchBNDMq
hash-size: low
bf-size: medium
- b2g:
search-algo: B2gSearchBNDMq
hash-size: low
bf-size: medium
- b3g:
search-algo: B3gSearchBNDMq
hash-size: low
bf-size: medium
- wumanber:
hash-size: low
bf-size: medium
defrag:
memcap: 32mb
hash-size: 65536
trackers: 65535 # number of defragmented flows to follow
max-frags: 65535 # number of fragments to keep (higher than trackers)
prealloc: yes
timeout: 60
flow:
memcap: 32mb
hash-size: 65536
prealloc: 10000
emergency-recovery: 30
flow-timeouts:
default:
new: 30
established: 300
closed: 0
emergency-new: 10
emergency-established: 100
emergency-closed: 0
tcp:
new: 60
established: 3600
closed: 120
emergency-new: 10
emergency-established: 300
emergency-closed: 20
udp:
new: 30
established: 300
emergency-new: 10
emergency-established: 100
icmp:
new: 30
established: 300
emergency-new: 10
emergency-established: 100
stream:
memcap: 32mb
checksum-validation: yes # reject wrong csums
inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
reassembly:
memcap: 64mb
depth: 1mb # reassemble 1mb into a stream
toserver-chunk-size: 2560
toclient-chunk-size: 2560
host:
hash-size: 4096
prealloc: 1000
memcap: 16777216
logging:
default-log-level: info
default-output-filter:
outputs:
- console:
enabled: yes
- file:
enabled: no
filename: /var/log/suricata.log
- syslog:
enabled: no
facility: local5
pfring:
- interface: <%= @pcapinterface %>
threads: 1
cluster-id: 99
cluster-type: cluster_flow
- interface: default
pcap:
- interface: <%= @pcapinterface %>
- interface: default
ipfw:
default-rule-path: /etc/suricata/rules/
rule-files:
- local.rules
- tor.rules
- emerging-shellcode.rules
- dshield.rules
- compromised.rules
- dshield.rules
- mobilemalware.rules
- nmap.rules
- shellcode.rules
- osxmalware.rules
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config
vars:
address-groups:
port-groups:
HTTP_PORTS: "80"
SHELLCODE_PORTS: "!80"
ORACLE_PORTS: 1521
SSH_PORTS: 22
DNP3_PORTS: 20000
action-order:
- pass
- drop
- reject
- alert
host-os-policy:
windows: [0.0.0.0/0]
bsd: []
bsd-right: []
old-linux: []
linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
old-solaris: []
solaris: ["::1"]
hpux10: []
hpux11: []
irix: []
macos: []
vista: []
windows2k3: []
asn1-max-frames: 256
engine-analysis:
rules-fast-pattern: yes
rules: yes
pcre:
match-limit: 3500
match-limit-recursion: 1500
libhtp:
default-config:
personality: IDS
request-body-limit: 3072
response-body-limit: 3072
request-body-minimal-inspect-size: 32kb
request-body-inspect-window: 4kb
response-body-minimal-inspect-size: 32kb
response-body-inspect-window: 4kb
double-decode-path: no
double-decode-query: no
server-config:
- apache:
address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
personality: Apache_2_2
request-body-limit: 4096
response-body-limit: 4096
double-decode-path: no
double-decode-query: no
- iis7:
address:
- 192.168.0.0/24
- 192.168.10.0/24
personality: IIS_7_0
request-body-limit: 4096
response-body-limit: 4096
double-decode-path: no
double-decode-query: no
profiling:
rules:
enabled: yes
filename: rule_perf.log
append: yes
sort: avgticks
limit: 100
packets:
enabled: yes
filename: packet_stats.log
append: yes
csv:
enabled: no
filename: packet_stats.csv
locks:
enabled: no
filename: lock_stats.log
append: yes
coredump:
max-dump: unlimited
napatech:
hba: -1
use-all-streams: yes
streams: [1, 2, 3]
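Review bot: `vars: address-groups:` is empty, yet every rule file this commit ships (the `$HOME_NET` / `$EXTERNAL_NET` references in the shellcode and Tor rules) depends on those variables; Suricata reports an undefined-variable error for each such signature at load time and skips it, so the sensor would start with most of its rule set silently missing. Define at least `HOME_NET` and `EXTERNAL_NET` here, templated from the node's networks the same way `<%= @pcapinterface %>` already is for pfring. Also `dshield.rules` appears twice in `rule-files`, which makes Suricata complain about duplicate sids on every start; drop one entry. And with `HTTP_PORTS: "80"` and `SHELLCODE_PORTS: "!80"` only port 80 is treated as HTTP; if proxies or alternate web ports are in use on the monitored networks, extend both lists together.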

View file

@ -0,0 +1,775 @@
#
# Emerging Threats Tor rules.
#
# These will tell you if someone using Tor for source anonymization is communicating with your network.
#
# Tor in itself isn't inherently hostile. In many environments that may be a very suspicious way
# to communicate.
#
# More information available at doc.emergingthreats.net/bin/view/Main/TorRules
#
# Please submit any feedback or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
# VERSION 3093
# Updated 2017-09-22 00:30:01
alert ip [103.234.220.197,103.236.201.110,103.236.201.57,103.27.124.82,103.29.70.23,103.35.74.75,103.35.74.77,103.3.61.114,103.56.207.84,103.8.79.229] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 1"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520000; rev:3093;)
alert ip [104.192.0.50,104.200.20.46,104.218.63.73,104.218.63.74,104.218.63.75,104.218.63.76,104.223.123.100,104.223.123.101,104.223.123.98,104.223.123.99] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 2"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520002; rev:3093;)
alert ip [104.236.141.156,104.237.203.98,104.244.74.78,106.187.37.101,107.181.174.84,107.189.49.130,109.126.9.228,109.169.33.163,109.201.133.100,109.69.67.17] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 3"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520004; rev:3093;)
alert ip [1.161.250.166,118.163.74.160,120.29.217.46,124.109.1.207,125.212.241.182,126.72.58.19,128.199.47.160,128.52.128.105,128.70.19.225,130.204.161.3] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 4"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520006; rev:3093;)
alert ip [131.111.179.83,133.218.187.161,137.74.167.96,137.74.169.241,137.74.73.179,13.79.231.167,138.197.207.243,138.197.216.132,138.197.4.77,138.197.85.80] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 5"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520008; rev:3093;)
alert ip [138.68.40.100,139.162.105.26,139.162.10.72,139.162.16.13,139.162.226.245,139.162.28.23,139.162.28.31,139.59.62.94,141.138.141.208,141.170.2.53] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 6"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520010; rev:3093;)
alert ip [141.255.189.161,14.202.230.49,142.4.211.161,142.44.156.140,142.44.166.241,143.106.60.70,144.217.161.119,144.217.167.240,144.217.240.34,144.217.60.211] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 7"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520012; rev:3093;)
alert ip [144.217.60.239,144.217.94.195,144.217.94.96,145.239.29.201,145.239.74.47,145.239.82.79,146.0.79.144,146.185.177.103,147.135.156.122,148.251.43.239] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 8"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520014; rev:3093;)
alert ip [149.202.185.34,149.202.238.204,149.56.106.210,149.56.201.79,149.56.223.240,151.80.238.152,151.80.38.67,154.127.60.92,154.16.149.35,154.16.149.74] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 9"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520016; rev:3093;)
alert ip [155.133.82.112,155.4.250.85,156.67.106.251,156.67.106.30,156.67.106.32,158.255.6.242,158.69.215.7,158.69.83.25,162.213.0.243,162.220.246.230] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 10"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520018; rev:3093;)
alert ip [162.221.201.57,162.243.166.137,162.247.72.199,162.247.72.200,162.247.72.201,162.247.72.202,162.247.72.213,162.247.72.216,162.247.72.217,162.247.72.7] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 11"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520020; rev:3093;)
alert ip [162.247.73.204,162.247.73.206,163.172.101.137,163.172.136.101,163.172.137.222,163.172.138.11,163.172.139.161,163.172.140.123,163.172.151.250,163.172.151.47] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 12"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520022; rev:3093;)
alert ip [163.172.160.182,163.172.162.106,163.172.163.85,163.172.170.212,163.172.171.163,163.172.179.129,163.172.212.115,163.172.217.50,163.172.223.200,163.172.223.87] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 13"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520024; rev:3093;)
alert ip [163.172.67.180,164.132.106.162,164.132.51.91,164.77.133.220,165.255.108.14,166.70.207.2,167.114.251.167,167.114.34.150,167.114.89.195,167.160.84.183] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 14"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520026; rev:3093;)
alert ip [169.239.183.210,170.250.140.52,171.25.193.20,171.25.193.235,171.25.193.25,171.25.193.77,171.25.193.78,172.104.146.56,172.104.148.28,172.104.180.171] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 15"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520028; rev:3093;)
alert ip [172.104.187.79,172.104.41.83,172.98.193.43,173.14.173.227,173.208.153.75,173.254.216.66,173.254.216.67,173.254.216.68,173.254.216.69,173.255.226.142] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 16"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520030; rev:3093;)
alert ip [173.255.229.8,173.255.231.125,173.255.253.173,176.10.104.240,176.10.104.243,176.10.107.180,176.10.99.200,176.10.99.201,176.10.99.202,176.10.99.203] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 17"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520032; rev:3093;)
alert ip [176.10.99.204,176.10.99.205,176.10.99.206,176.10.99.207,176.10.99.208,176.10.99.209,176.121.10.44,176.121.10.52,176.126.252.11,176.214.189.247] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 18"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520034; rev:3093;)
alert ip [176.31.180.157,176.31.45.3,176.36.117.185,176.38.163.77,176.58.100.98,178.156.202.125,178.17.170.13,178.17.170.135,178.17.170.156,178.17.170.164] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 19"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520036; rev:3093;)
alert ip [178.17.170.194,178.17.170.195,178.17.170.196,178.17.171.111,178.17.171.40,178.17.171.43,178.17.171.49,178.17.174.10,178.17.174.14,178.17.174.198] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 20"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520038; rev:3093;)
alert ip [178.17.174.32,178.175.131.194,178.18.83.215,178.202.169.177,178.20.55.16,178.20.55.18,178.209.42.84,178.238.237.44,178.32.181.96,178.32.181.97] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 21"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520040; rev:3093;)
alert ip [178.32.181.98,178.32.181.99,178.32.53.94,178.62.85.101,178.63.110.151,179.43.146.230,18.248.1.85,18.248.2.85,184.105.220.24,185.100.84.108] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 22"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520042; rev:3093;)
alert ip [185.100.84.82,185.100.85.101,185.100.85.112,185.100.85.147,185.100.85.190,185.100.85.192,185.100.85.61,185.100.86.128,185.100.86.141,185.100.86.154] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 23"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520044; rev:3093;)
alert ip [185.100.86.167,185.100.86.86,185.100.87.82,185.103.99.60,185.104.120.2,185.104.120.4,185.104.120.7,185.10.68.119,185.10.68.139,185.10.68.191] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 24"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520046; rev:3093;)
alert ip [185.107.81.233,185.107.81.234,185.11.167.4,185.11.167.55,185.11.167.56,185.11.167.57,185.11.167.58,185.11.167.59,185.11.167.60,185.112.157.135] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 25"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520048; rev:3093;)
alert ip [185.112.254.195,185.117.118.234,185.157.232.64,185.159.128.193,185.159.131.99,185.16.200.176,185.163.1.11,185.165.168.229,185.165.168.42,185.165.168.77] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 26"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520050; rev:3093;)
alert ip [185.170.42.18,185.175.208.179,185.175.208.180,185.189.14.230,185.189.14.61,185.34.33.2,185.38.14.171,185.38.14.215,185.61.138.207,185.61.149.193] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 27"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520052; rev:3093;)
alert ip [185.62.57.91,185.65.205.10,185.66.200.10,185.70.11.132,185.72.244.24,185.82.216.233,185.82.216.241,185.86.149.175,185.87.185.45,187.104.48.3] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 28"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520054; rev:3093;)
alert ip [187.20.55.95,188.165.62.9,188.209.52.238,188.226.212.13,18.85.22.204,189.84.21.44,190.10.8.50,191.96.249.110,192.160.102.164,192.160.102.165] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 29"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520056; rev:3093;)
alert ip [192.160.102.166,192.160.102.168,192.160.102.169,192.160.102.170,192.195.80.10,192.34.80.176,192.36.27.4,192.42.116.16,192.81.131.49,193.107.85.56] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 30"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520058; rev:3093;)
alert ip [193.107.85.57,193.107.85.62,193.110.157.151,193.15.16.4,193.164.131.95,193.171.202.146,193.201.225.45,193.233.60.154,193.70.39.41,193.70.89.19] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 31"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520060; rev:3093;)
alert ip [193.70.89.20,194.218.3.79,194.54.162.212,195.123.212.118,195.123.212.34,195.219.163.68,195.219.166.53,195.22.126.177,195.22.126.178,195.228.45.176] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 32"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520062; rev:3093;)
alert ip [195.254.135.76,196.41.123.180,197.231.221.211,198.167.223.38,198.167.223.50,198.211.103.26,198.211.122.191,198.50.159.204,198.50.200.129,198.50.200.131] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 33"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520064; rev:3093;)
alert ip [198.50.200.134,198.50.200.135,198.50.200.147,198.58.100.240,198.58.107.53,198.73.50.71,198.96.155.3,199.127.226.150,199.249.223.40,199.249.223.60] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 34"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520066; rev:3093;)
alert ip [199.249.223.61,199.249.223.62,199.249.223.63,199.249.223.64,199.249.223.65,199.249.223.66,199.249.223.67,199.249.223.68,199.249.223.69,199.249.223.71] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 35"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520068; rev:3093;)
alert ip [199.249.223.72,199.249.223.73,199.249.223.74,199.249.223.75,199.249.223.76,199.249.223.77,199.249.223.78,199.249.223.79,199.249.223.81,199.249.224.40] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 36"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520070; rev:3093;)
alert ip [199.249.224.41,199.249.224.42,199.249.224.43,199.249.224.44,199.249.224.45,199.249.224.46,199.249.224.47,199.249.224.48,199.249.224.49,199.68.196.124] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 37"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520072; rev:3093;)
alert ip [199.87.154.255,204.11.50.131,204.194.29.4,204.8.156.142,204.85.191.30,204.85.191.31,205.166.94.153,205.168.84.133,206.248.184.127,206.55.74.0] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 38"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520074; rev:3093;)
alert ip [207.244.70.35,208.67.1.79,208.67.1.82,208.67.1.83,209.123.234.23,210.3.102.152,211.21.48.217,212.16.104.33,212.19.17.213,212.21.66.6] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 39"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520076; rev:3093;)
alert ip [212.47.227.114,212.47.229.60,212.47.239.73,212.47.243.140,212.47.246.21,212.81.199.159,212.83.140.95,212.83.40.239,212.92.219.15,213.108.105.71] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 40"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520078; rev:3093;)
alert ip [213.108.105.92,213.136.74.184,213.61.149.125,213.61.149.126,213.95.21.54,216.218.134.12,216.218.222.11,216.218.222.12,216.218.222.13,216.239.90.19] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 41"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520080; rev:3093;)
alert ip [217.115.10.131,217.170.197.83,217.182.207.27,217.182.74.253,217.182.76.240,217.182.78.177,222.110.3.1,223.26.48.248,23.129.64.11,23.129.64.12] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 42"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520082; rev:3093;)
alert ip [23.129.64.13,23.129.64.14,23.129.64.15,23.129.64.16,23.129.64.17,23.129.64.18,23.129.64.19,23.129.64.20,23.92.27.23,23.92.28.23] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 43"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520084; rev:3093;)
alert ip [23.95.70.22,24.207.212.154,2.44.188.87,31.185.104.19,31.185.104.20,31.185.104.21,31.185.27.203,35.184.106.64,36.226.247.96,36.227.172.7] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 44"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520086; rev:3093;)
alert ip [37.139.8.104,37.187.105.104,37.187.53.94,37.187.7.74,37.218.240.21,37.218.240.50,37.218.240.68,37.218.240.80,37.220.35.202,37.220.36.240] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 45"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520088; rev:3093;)
alert ip [37.48.120.196,37.48.120.9,37.59.112.7,37.59.119.196,37.97.228.159,41.206.188.206,41.231.53.101,41.78.128.113,45.33.23.23,45.33.48.204] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 46"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520090; rev:3093;)
alert ip [45.62.236.66,45.62.251.245,45.76.115.159,45.79.137.11,45.79.198.115,45.79.73.22,46.101.127.145,46.101.139.248,46.101.150.49,46.101.164.37] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 47"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520092; rev:3093;)
alert ip [46.165.223.217,46.165.230.5,46.165.254.166,46.17.97.112,46.182.106.190,46.182.18.214,46.182.18.29,46.182.18.40,46.182.18.46,46.182.19.15] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 48"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520094; rev:3093;)
alert ip [46.182.19.219,46.183.218.199,46.183.221.231,46.194.55.111,46.226.108.26,46.233.0.70,46.235.227.70,46.246.49.91,46.29.248.238,46.45.137.71] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 49"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520096; rev:3093;)
alert ip [46.4.55.177,46.4.81.178,50.247.195.124,50.76.159.218,51.15.134.120,51.15.141.220,51.15.212.104,51.15.34.210,51.15.40.233,51.15.43.205] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 50"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520098; rev:3093;)
alert ip [51.15.43.232,51.15.44.197,51.15.45.97,51.15.46.49,51.15.50.133,51.15.53.118,51.15.53.83,51.15.54.136,51.15.56.11,51.15.57.177] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 51"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520100; rev:3093;)
alert ip [51.15.57.79,51.15.60.255,51.15.60.62,51.15.62.146,51.15.63.229,51.15.63.98,51.15.64.212,51.15.70.13,51.15.70.177,51.15.70.226] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 52"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520102; rev:3093;)
alert ip [51.15.70.228,51.15.76.81,51.15.79.107,51.15.87.157,51.255.202.66,5.188.11.165,5.189.146.133,5.189.188.111,5.196.0.149,5.196.1.129] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 53"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520104; rev:3093;)
alert ip [5.196.121.161,5.196.66.162,5.199.130.188,52.15.62.13,5.254.112.154,5.254.79.66,5.39.217.14,54.36.81.57,5.56.214.118,5.79.68.161] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 54"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520106; rev:3093;)
alert ip [59.127.163.155,5.9.158.75,59.177.81.30,5.9.195.140,60.248.162.179,62.102.148.67,62.109.29.199,62.133.130.105,62.141.39.47,62.149.13.57] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 55"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520108; rev:3093;)
alert ip [62.176.4.10,62.198.32.223,62.210.105.116,62.210.105.86,62.210.115.87,62.210.129.246,62.210.149.35,62.210.37.82,62.212.73.141,62.219.3.47] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 56"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520110; rev:3093;)
alert ip [62.219.3.48,64.113.32.29,64.124.32.84,64.137.162.142,64.137.205.124,64.137.210.30,64.137.210.54,64.137.210.86,64.27.17.140,65.129.144.43] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 57"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520112; rev:3093;)
alert ip [65.181.123.254,65.19.167.130,65.19.167.131,65.19.167.132,66.155.4.213,66.180.193.219,66.70.217.179,67.205.146.164,67.215.255.140,69.164.207.234] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 58"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520114; rev:3093;)
alert ip [71.46.220.68,72.12.207.14,72.14.179.10,72.14.182.209,72.174.26.72,72.52.75.27,72.93.243.211,74.50.54.69,75.54.229.204,77.109.139.87] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 59"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520116; rev:3093;)
alert ip [77.246.163.141,77.247.181.165,77.250.227.12,77.81.107.138,78.107.237.16,78.129.137.28,78.131.53.162,78.13.201.140,78.142.175.70,78.31.164.41] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 60"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520118; rev:3093;)
alert ip [78.41.115.145,78.45.15.253,78.63.161.0,78.70.167.74,79.137.67.116,79.137.79.167,79.137.80.94,79.169.39.161,80.241.60.207,80.67.172.162] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 61"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520120; rev:3093;)
alert ip [80.79.23.7,80.82.67.186,80.85.84.23,81.171.19.32,82.146.58.35,82.165.100.196,82.211.0.201,82.221.101.67,82.221.112.122,82.221.128.217] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 62"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520122; rev:3093;)
alert ip [82.221.139.25,82.223.27.82,82.247.198.227,83.151.233.181,83.92.47.99,84.0.95.9,84.105.18.164,84.190.180.142,84.19.180.135,84.19.181.25] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 63"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520124; rev:3093;)
alert ip [84.200.50.18,84.200.82.163,84.209.48.106,84.217.13.138,84.3.0.53,84.48.199.78,84.53.192.243,84.53.225.118,85.119.83.78,85.143.95.50] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 64"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520126; rev:3093;)
alert ip [85.195.107.250,85.248.227.163,85.248.227.164,85.248.227.165,85.90.244.23,85.93.218.204,86.107.110.217,87.118.115.176,87.118.116.12,87.118.116.90] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 65"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520128; rev:3093;)
alert ip [87.118.122.254,87.118.122.30,87.118.122.50,87.118.83.3,87.118.92.43,87.120.254.189,87.120.254.81,87.120.254.92,87.140.25.245,87.81.148.61] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 66"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520130; rev:3093;)
alert ip [87.98.178.61,88.190.118.95,88.198.125.96,88.198.56.140,88.77.186.64,88.83.40.246,89.144.12.15,89.187.150.12,89.187.150.13,89.187.150.14] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 67"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520132; rev:3093;)
alert ip [89.187.150.15,89.212.99.66,89.234.157.254,89.236.34.117,89.248.166.157,89.31.57.58,89.31.96.168,89.32.127.178,89.34.237.121,89.38.208.57] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 68"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520134; rev:3093;)
alert ip [89.45.226.28,91.121.52.156,91.134.232.48,91.146.121.3,91.219.236.232,91.219.237.244,91.221.57.129,91.223.82.156,91.233.106.121,91.233.106.172] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 69"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520136; rev:3093;)
alert ip [91.250.241.241,92.169.87.4,92.222.38.67,92.222.6.12,92.222.74.226,92.27.153.74,92.63.173.28,93.115.95.201,93.115.95.202,93.115.95.204] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 70"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520138; rev:3093;)
alert ip [93.115.95.205,93.115.95.206,93.115.95.207,93.115.95.216,93.174.90.30,93.174.93.133,93.174.93.71,93.186.13.12,93.220.94.148,93.64.207.55] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 71"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520140; rev:3093;)
alert ip [94.102.50.42,94.130.28.151,94.142.242.84,94.198.100.17,94.23.239.44,94.242.205.2,94.242.246.23,94.242.246.24,94.242.57.161,94.242.57.2] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 72"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520142; rev:3093;)
# Non-Exit Nodes
alert ip [103.10.197.50,103.234.220.197,103.236.201.110,103.236.201.57,103.27.124.82,103.29.70.23,103.35.74.75,103.35.74.77,103.3.61.114,103.56.207.84] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 1"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522000; rev:3093;)
alert ip [103.8.79.229,104.192.0.50,104.200.20.46,104.218.63.73,104.218.63.74,104.218.63.75,104.218.63.76,104.223.123.100,104.223.123.101,104.223.123.98] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 2"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522002; rev:3093;)
alert ip [104.223.123.99,104.236.141.156,104.237.203.98,104.244.74.78,106.187.37.101,107.181.174.84,107.189.49.130,109.126.9.228,109.169.33.163,109.201.133.100] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 3"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522004; rev:3093;)
alert ip [109.69.67.17,1.161.250.166,118.163.74.160,120.29.217.46,124.109.1.207,125.212.241.182,126.72.58.19,128.199.47.160,128.52.128.105,128.70.19.225] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 4"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522006; rev:3093;)
alert ip [130.204.161.3,131.111.179.83,133.218.187.161,137.74.167.96,137.74.169.241,137.74.73.179,13.79.231.167,138.197.207.243,138.197.216.132,138.197.4.77] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 5"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522008; rev:3093;)
alert ip [138.197.85.80,138.68.40.100,139.162.105.26,139.162.10.72,139.162.16.13,139.162.226.245,139.162.28.23,139.162.28.31,139.59.62.94,141.138.141.208] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 6"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522010; rev:3093;)
alert ip [141.170.2.53,141.255.189.161,14.202.230.49,142.4.211.161,142.44.156.140,142.44.166.241,143.106.60.70,144.217.161.119,144.217.167.240,144.217.240.34] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 7"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522012; rev:3093;)
alert ip [144.217.60.211,144.217.60.239,144.217.94.195,144.217.94.96,145.239.29.201,145.239.74.47,145.239.82.79,146.0.79.144,146.185.177.103,147.135.156.122] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 8"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522014; rev:3093;)
alert ip [148.251.43.239,149.202.185.34,149.202.238.204,149.56.106.210,149.56.201.79,149.56.223.240,151.80.238.152,151.80.38.67,154.127.60.92,154.16.149.35] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 9"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522016; rev:3093;)
alert ip [154.16.149.74,155.133.82.112,155.4.250.85,156.67.106.251,156.67.106.30,156.67.106.32,158.255.6.242,158.69.215.7,158.69.83.25,162.213.0.243] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 10"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522018; rev:3093;)
alert ip [162.220.246.230,162.221.201.57,162.243.166.137,162.247.72.199,162.247.72.200,162.247.72.201,162.247.72.202,162.247.72.213,162.247.72.216,162.247.72.217] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 11"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522020; rev:3093;)
alert ip [162.247.72.7,162.247.73.204,162.247.73.206,163.172.101.137,163.172.136.101,163.172.137.222,163.172.138.11,163.172.139.161,163.172.140.123,163.172.151.250] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 12"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522022; rev:3093;)
alert ip [163.172.151.47,163.172.160.182,163.172.162.106,163.172.163.85,163.172.170.212,163.172.171.163,163.172.179.129,163.172.212.115,163.172.217.50,163.172.223.200] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 13"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522024; rev:3093;)
alert ip [163.172.223.87,163.172.67.180,164.132.106.162,164.132.51.91,164.77.133.220,165.255.108.14,166.70.207.2,167.114.251.167,167.114.34.150,167.114.89.195] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 14"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522026; rev:3093;)
alert ip [167.160.84.183,169.239.183.210,170.250.140.52,171.25.193.20,171.25.193.235,171.25.193.25,171.25.193.77,171.25.193.78,172.104.146.56,172.104.148.28] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 15"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522028; rev:3093;)
alert ip [172.104.180.171,172.104.187.79,172.104.41.83,172.98.193.43,173.14.173.227,173.208.153.75,173.254.216.66,173.254.216.67,173.254.216.68,173.254.216.69] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 16"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522030; rev:3093;)
alert ip [173.255.226.142,173.255.229.8,173.255.231.125,173.255.253.173,176.10.104.240,176.10.104.243,176.10.107.180,176.10.99.200,176.10.99.201,176.10.99.202] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 17"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522032; rev:3093;)
alert ip [176.10.99.203,176.10.99.204,176.10.99.205,176.10.99.206,176.10.99.207,176.10.99.208,176.10.99.209,176.121.10.44,176.121.10.52,176.126.252.11] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 18"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522034; rev:3093;)
alert ip [176.214.189.247,176.31.180.157,176.31.45.3,176.36.117.185,176.38.163.77,176.58.100.98,178.156.202.125,178.17.170.13,178.17.170.135,178.17.170.156] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 19"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522036; rev:3093;)
alert ip [178.17.170.164,178.17.170.194,178.17.170.195,178.17.170.196,178.17.171.111,178.17.171.40,178.17.171.43,178.17.171.49,178.17.174.10,178.17.174.14] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 20"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522038; rev:3093;)
alert ip [178.17.174.198,178.17.174.32,178.175.131.194,178.18.83.215,178.202.169.177,178.20.55.16,178.20.55.18,178.209.42.84,178.238.237.44,178.32.181.96] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 21"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522040; rev:3093;)
alert ip [178.32.181.97,178.32.181.98,178.32.181.99,178.32.53.94,178.62.85.101,178.63.110.151,179.43.146.230,18.248.1.85,18.248.2.85,184.105.220.24] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 22"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522042; rev:3093;)
alert ip [185.100.84.108,185.100.84.82,185.100.85.101,185.100.85.112,185.100.85.147,185.100.85.190,185.100.85.192,185.100.85.61,185.100.86.128,185.100.86.141] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 23"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522044; rev:3093;)
alert ip [185.100.86.154,185.100.86.167,185.100.86.86,185.100.87.82,185.103.99.60,185.104.120.2,185.104.120.4,185.104.120.7,185.10.68.119,185.10.68.139] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 24"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522046; rev:3093;)
alert ip [185.10.68.191,185.107.81.233,185.107.81.234,185.11.167.4,185.11.167.55,185.11.167.56,185.11.167.57,185.11.167.58,185.11.167.59,185.11.167.60] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 25"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522048; rev:3093;)
alert ip [185.112.157.135,185.112.254.195,185.117.118.234,185.157.232.64,185.159.128.193,185.159.131.99,185.16.200.176,185.163.1.11,185.165.168.229,185.165.168.42] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 26"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522050; rev:3093;)
alert ip [185.165.168.77,185.170.42.18,185.175.208.179,185.175.208.180,185.189.14.230,185.189.14.61,185.34.33.2,185.38.14.171,185.38.14.215,185.61.138.207] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 27"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522052; rev:3093;)
alert ip [185.61.149.193,185.62.57.91,185.65.205.10,185.66.200.10,185.70.11.132,185.72.244.24,185.82.216.233,185.82.216.241,185.86.149.175,185.87.185.45] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 28"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522054; rev:3093;)
alert ip [187.104.48.3,187.20.55.95,188.165.62.9,188.209.52.238,188.226.212.13,18.85.22.204,189.84.21.44,190.10.8.50,191.96.249.110,192.160.102.164] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 29"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522056; rev:3093;)
alert ip [192.160.102.165,192.160.102.166,192.160.102.168,192.160.102.169,192.160.102.170,192.195.80.10,192.34.80.176,192.36.27.4,192.42.116.16,192.81.131.49] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 30"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522058; rev:3093;)
alert ip [193.107.85.56,193.107.85.57,193.107.85.62,193.110.157.151,193.15.16.4,193.164.131.95,193.171.202.146,193.201.225.45,193.233.60.154,193.70.39.41] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 31"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522060; rev:3093;)
alert ip [193.70.89.19,193.70.89.20,194.218.3.79,194.54.162.212,195.123.212.118,195.123.212.34,195.219.163.68,195.219.166.53,195.22.126.177,195.22.126.178] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 32"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522062; rev:3093;)
alert ip [195.228.45.176,195.254.135.76,196.41.123.180,197.231.221.211,198.167.223.38,198.167.223.50,198.211.103.26,198.211.122.191,198.50.159.204,198.50.200.129] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 33"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522064; rev:3093;)
alert ip [198.50.200.131,198.50.200.134,198.50.200.135,198.50.200.147,198.58.100.240,198.58.107.53,198.73.50.71,198.96.155.3,199.127.226.150,199.249.223.40] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 34"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522066; rev:3093;)
alert ip [199.249.223.60,199.249.223.61,199.249.223.62,199.249.223.63,199.249.223.64,199.249.223.65,199.249.223.66,199.249.223.67,199.249.223.68,199.249.223.69] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 35"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522068; rev:3093;)
alert ip [199.249.223.71,199.249.223.72,199.249.223.73,199.249.223.74,199.249.223.75,199.249.223.76,199.249.223.77,199.249.223.78,199.249.223.79,199.249.223.81] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 36"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522070; rev:3093;)
alert ip [199.249.224.40,199.249.224.41,199.249.224.42,199.249.224.43,199.249.224.44,199.249.224.45,199.249.224.46,199.249.224.47,199.249.224.48,199.249.224.49] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 37"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522072; rev:3093;)
alert ip [199.68.196.124,199.87.154.255,204.11.50.131,204.194.29.4,204.8.156.142,204.85.191.30,204.85.191.31,205.166.94.153,205.168.84.133,206.248.184.127] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 38"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522074; rev:3093;)
alert ip [206.55.74.0,207.244.70.35,208.67.1.79,208.67.1.82,208.67.1.83,209.123.234.23,210.3.102.152,211.21.48.217,212.16.104.33,212.19.17.213] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 39"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522076; rev:3093;)
alert ip [212.21.66.6,212.47.227.114,212.47.229.60,212.47.239.73,212.47.243.140,212.47.246.21,212.81.199.159,212.83.140.95,212.83.40.239,212.92.219.15] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 40"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522078; rev:3093;)
alert ip [213.108.105.71,213.108.105.92,213.136.74.184,213.61.149.125,213.61.149.126,213.95.21.54,216.218.134.12,216.218.222.11,216.218.222.12,216.218.222.13] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 41"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522080; rev:3093;)
alert ip [216.239.90.19,217.115.10.131,217.170.197.83,217.182.207.27,217.182.74.253,217.182.76.240,217.182.78.177,222.110.3.1,223.26.48.248,23.129.64.11] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 42"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522082; rev:3093;)
alert ip [23.129.64.12,23.129.64.13,23.129.64.14,23.129.64.15,23.129.64.16,23.129.64.17,23.129.64.18,23.129.64.19,23.129.64.20,23.92.27.23] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 43"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522084; rev:3093;)
alert ip [23.92.28.23,23.95.70.22,24.207.212.154,2.44.188.87,31.185.104.19,31.185.104.20,31.185.104.21,31.185.27.203,35.184.106.64,36.226.247.96] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 44"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522086; rev:3093;)
alert ip [36.227.172.7,37.139.8.104,37.187.105.104,37.187.53.94,37.187.7.74,37.218.240.21,37.218.240.50,37.218.240.68,37.218.240.80,37.220.35.202] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 45"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522088; rev:3093;)
alert ip [37.220.36.240,37.48.120.196,37.48.120.9,37.59.112.7,37.59.119.196,37.97.228.159,41.206.188.206,41.231.53.101,41.78.128.113,45.33.23.23] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 46"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522090; rev:3093;)
alert ip [45.33.48.204,45.62.236.66,45.62.251.245,45.76.115.159,45.79.137.11,45.79.198.115,45.79.73.22,46.101.127.145,46.101.139.248,46.101.150.49] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 47"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522092; rev:3093;)
alert ip [46.101.164.37,46.165.223.217,46.165.230.5,46.165.254.166,46.17.97.112,46.182.106.190,46.182.18.214,46.182.18.29,46.182.18.40,46.182.18.46] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 48"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522094; rev:3093;)
alert ip [46.182.19.15,46.182.19.219,46.183.218.199,46.183.221.231,46.194.55.111,46.226.108.26,46.233.0.70,46.235.227.70,46.246.49.91,46.29.248.238] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 49"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522096; rev:3093;)
alert ip [46.45.137.71,46.4.55.177,46.4.81.178,50.247.195.124,50.76.159.218,51.15.134.120,51.15.141.220,51.15.212.104,51.15.34.210,51.15.40.233] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 50"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522098; rev:3093;)
alert ip [51.15.43.205,51.15.43.232,51.15.44.197,51.15.45.97,51.15.46.49,51.15.50.133,51.15.53.118,51.15.53.83,51.15.54.136,51.15.56.11] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 51"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522100; rev:3093;)
alert ip [51.15.57.177,51.15.57.79,51.15.60.255,51.15.60.62,51.15.62.146,51.15.63.229,51.15.63.98,51.15.64.212,51.15.70.13,51.15.70.177] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 52"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522102; rev:3093;)
alert ip [51.15.70.226,51.15.70.228,51.15.76.81,51.15.79.107,51.15.87.157,51.255.202.66,5.188.11.165,5.189.146.133,5.189.188.111,5.196.0.149] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 53"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522104; rev:3093;)
alert ip [5.196.1.129,5.196.121.161,5.196.66.162,5.199.130.188,52.15.62.13,5.254.112.154,5.254.79.66,5.39.217.14,54.36.81.57,5.56.214.118] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 54"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522106; rev:3093;)
alert ip [5.79.68.161,59.127.163.155,5.9.158.75,59.177.81.30,5.9.195.140,60.248.162.179,62.102.148.67,62.109.29.199,62.133.130.105,62.141.39.47] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 55"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522108; rev:3093;)
alert ip [62.149.13.57,62.176.4.10,62.198.32.223,62.210.105.116,62.210.105.86,62.210.115.87,62.210.129.246,62.210.149.35,62.210.37.82,62.212.73.141] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 56"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522110; rev:3093;)
alert ip [62.219.3.47,62.219.3.48,64.113.32.29,64.124.32.84,64.137.162.142,64.137.205.124,64.137.210.30,64.137.210.54,64.137.210.86,64.27.17.140] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 57"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522112; rev:3093;)
alert ip [65.129.144.43,65.181.123.254,65.19.167.130,65.19.167.131,65.19.167.132,66.155.4.213,66.180.193.219,66.70.217.179,67.205.146.164,67.215.255.140] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 58"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522114; rev:3093;)
alert ip [69.164.207.234,71.46.220.68,72.12.207.14,72.14.179.10,72.14.182.209,72.174.26.72,72.52.75.27,72.93.243.211,74.50.54.69,75.54.229.204] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 59"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522116; rev:3093;)
alert ip [77.109.139.87,77.246.163.141,77.247.181.165,77.250.227.12,77.81.107.138,78.107.237.16,78.129.137.28,78.131.53.162,78.13.201.140,78.142.175.70] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 60"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522118; rev:3093;)
alert ip [78.31.164.41,78.41.115.145,78.45.15.253,78.63.161.0,78.70.167.74,79.137.67.116,79.137.79.167,79.137.80.94,79.169.39.161,80.241.60.207] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 61"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522120; rev:3093;)
alert ip [80.67.172.162,80.79.23.7,80.82.67.186,80.85.84.23,81.171.19.32,82.146.58.35,82.165.100.196,82.211.0.201,82.221.101.67,82.221.112.122] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 62"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522122; rev:3093;)
alert ip [82.221.128.217,82.221.139.25,82.223.27.82,82.247.198.227,83.151.233.181,83.92.47.99,84.0.95.9,84.105.18.164,84.190.180.142,84.19.180.135] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 63"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522124; rev:3093;)
alert ip [84.19.181.25,84.200.50.18,84.200.82.163,84.209.48.106,84.217.13.138,84.3.0.53,84.48.199.78,84.53.192.243,84.53.225.118,85.119.83.78] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 64"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522126; rev:3093;)
alert ip [85.143.95.50,85.195.107.250,85.248.227.163,85.248.227.164,85.248.227.165,85.90.244.23,85.93.218.204,86.107.110.217,87.118.115.176,87.118.116.12] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 65"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522128; rev:3093;)
alert ip [87.118.116.90,87.118.122.254,87.118.122.30,87.118.122.50,87.118.83.3,87.118.92.43,87.120.254.189,87.120.254.81,87.120.254.92,87.140.25.245] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 66"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522130; rev:3093;)
alert ip [87.81.148.61,87.98.178.61,88.190.118.95,88.198.125.96,88.198.56.140,88.77.186.64,88.83.40.246,89.144.12.15,89.187.150.12,89.187.150.13] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 67"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522132; rev:3093;)
alert ip [89.187.150.14,89.187.150.15,89.212.99.66,89.234.157.254,89.236.34.117,89.248.166.157,89.31.57.58,89.31.96.168,89.32.127.178,89.34.237.121] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 68"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522134; rev:3093;)
alert ip [89.38.208.57,89.45.226.28,91.121.52.156,91.134.232.48,91.146.121.3,91.219.236.232,91.219.237.244,91.221.57.129,91.223.82.156,91.233.106.121] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 69"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522136; rev:3093;)
alert ip [91.233.106.172,91.250.241.241,92.169.87.4,92.222.38.67,92.222.6.12,92.222.74.226,92.27.153.74,92.63.173.28,93.115.95.201,93.115.95.202] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 70"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522138; rev:3093;)
alert ip [93.115.95.204,93.115.95.205,93.115.95.206,93.115.95.207,93.115.95.216,93.174.90.30,93.174.93.133,93.174.93.71,93.186.13.12,93.220.94.148] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 71"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522140; rev:3093;)
alert ip [93.64.207.55,94.102.50.42,94.130.28.151,94.142.242.84,94.198.100.17,94.23.239.44,94.242.205.2,94.242.246.23,94.242.246.24,94.242.57.161] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 72"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522142; rev:3093;)
alert ip [94.242.57.2,95.128.43.164,95.130.10.69,95.130.11.170,95.142.161.63,95.211.118.194,95.211.230.94,96.255.14.191,96.64.149.101,97.74.237.196] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 73"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522144; rev:3093;)
alert ip [100.11.34.118,100.11.83.28,100.15.39.173,100.16.230.154,100.36.175.42,100.36.19.97,100.38.8.218,101.0.93.66,101.100.141.55,101.100.144.174] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 74"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522146; rev:3093;)
alert ip [101.173.122.229,101.189.42.122,101.55.125.10,103.13.101.81,103.241.61.34,103.250.186.95,103.250.73.12,103.250.73.199,103.250.73.218,103.250.73.228] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 75"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522148; rev:3093;)
alert ip [103.250.73.232,103.250.73.251,103.250.73.5,103.35.56.22,103.73.189.114,103.73.65.32,103.73.67.198,103.85.158.48,104.128.225.205,104.128.226.73] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 76"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522150; rev:3093;)
alert ip [104.129.16.86,104.129.5.252,104.130.169.121,104.131.108.7,104.131.110.204,104.131.11.214,104.131.123.16,104.131.129.30,104.131.137.159,104.131.140.69] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 77"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522152; rev:3093;)
alert ip [104.131.148.86,104.131.149.84,104.131.181.174,104.131.187.45,104.131.19.119,104.131.204.147,104.131.205.192,104.131.206.23,104.131.245.55,104.131.28.54] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 78"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522154; rev:3093;)
alert ip [104.131.4.237,104.131.66.194,104.131.86.132,104.131.99.72,104.156.224.83,104.156.226.153,104.156.239.41,104.156.60.163,104.156.60.166,104.162.18.199] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 79"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522156; rev:3093;)
alert ip [104.168.167.34,104.168.62.174,104.168.87.167,104.191.31.69,104.192.5.248,104.200.131.232,104.200.16.227,104.200.20.142,104.200.67.249,104.206.168.60] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 80"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522158; rev:3093;)
alert ip [104.206.237.23,104.206.237.24,104.207.157.177,104.223.122.115,104.223.122.213,104.223.122.239,104.223.12.233,104.223.122.69,104.223.48.254,104.223.78.132] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 81"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522160; rev:3093;)
alert ip [104.232.119.93,104.233.123.73,104.233.80.8,104.236.101.108,104.236.10.21,104.236.103.167,104.236.131.15,104.236.151.160,104.236.164.161,104.236.175.203] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 82"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522162; rev:3093;)
alert ip [104.236.180.124,104.236.183.57,104.236.199.217,104.236.21.215,104.236.215.223,104.236.224.225,104.236.231.197,104.236.233.99,104.236.234.178,104.236.247.218] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 83"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522164; rev:3093;)
alert ip [104.236.33.174,104.236.44.133,104.236.46.10,104.236.52.16,104.236.87.90,104.236.90.134,104.238.136.10,104.238.150.212,104.238.158.127,104.238.159.191] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 84"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522166; rev:3093;)
alert ip [104.238.167.111,104.238.184.251,104.238.188.98,104.244.72.200,104.244.77.143,104.250.141.242,104.250.151.108,104.32.110.210,104.32.21.49,104.37.192.156] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 85"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522168; rev:3093;)
alert ip [104.37.61.159,104.40.58.52,105.184.110.89,106.186.18.40,106.248.228.2,106.68.157.189,107.136.214.218,107.145.157.164,107.150.18.14,107.150.7.83] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 86"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522170; rev:3093;)
alert ip [107.158.255.21,107.158.255.22,107.161.172.151,107.161.18.113,107.167.87.242,107.167.93.58,107.170.101.39,107.170.10.34,107.170.107.198,107.170.108.222] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 87"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522172; rev:3093;)
alert ip [107.170.113.28,107.170.119.31,107.170.143.117,107.170.150.7,107.170.153.80,107.170.158.212,107.170.188.155,107.170.193.14,107.170.232.75,107.170.241.112] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 88"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522174; rev:3093;)
alert ip [107.170.246.123,107.172.23.11,107.179.136.40,107.181.155.131,107.181.166.11,107.181.174.22,107.181.187.199,107.191.103.42,107.191.110.179,107.191.118.171] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 89"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522176; rev:3093;)
alert ip [107.191.126.184,107.191.40.51,107.191.45.209,107.191.46.204,107.191.47.87,107.212.34.52,108.14.251.33,108.161.133.189,108.167.45.153,108.168.65.115] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 90"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522178; rev:3093;)
alert ip [108.240.182.140,108.248.87.242,108.252.225.193,108.26.165.130,108.32.49.20,108.34.154.82,108.34.173.204,108.4.49.181,108.51.145.34,108.5.123.19] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 91"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522180; rev:3093;)
alert ip [108.52.47.127,108.53.208.157,108.54.199.58,108.58.144.234,108.61.165.0,108.61.165.169,108.61.166.134,108.61.182.74,108.61.208.98,108.61.29.202] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 92"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522182; rev:3093;)
alert ip [108.61.96.230,108.61.99.149,108.61.99.7,109.104.38.33,109.104.53.242,109.105.109.162,109.107.35.154,109.120.140.127,109.12.117.113,109.128.217.62] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 93"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522184; rev:3093;)
alert ip [109.129.103.61,109.147.247.134,109.147.85.253,109.148.135.48,109.150.115.227,109.156.178.140,109.159.89.26,109.164.236.231,109.188.73.216,109.189.157.63] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 94"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522186; rev:3093;)
alert ip [109.189.78.223,109.190.24.34,109.190.66.149,109.192.151.243,109.192.221.2,109.193.71.229,109.195.103.84,109.195.115.202,109.195.147.248,109.197.193.160] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 95"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522188; rev:3093;)
alert ip [109.197.63.45,109.201.148.8,109.218.182.235,109.228.51.164,109.230.215.24,109.230.215.42,109.230.231.165,109.230.236.89,109.234.36.196,109.235.67.219] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 96"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522190; rev:3093;)
alert ip [109.236.88.9,109.236.90.209,109.238.2.79,109.24.157.46,109.251.138.26,109.255.0.107,109.255.189.135,109.255.4.199,109.49.168.149,109.63.234.176] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 97"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522192; rev:3093;)
alert ip [109.68.174.60,109.68.191.132,109.68.191.133,109.68.191.159,109.70.118.164,109.73.50.56,109.74.194.124,109.74.195.190,109.74.197.251,109.74.200.101] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 98"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522194; rev:3093;)
alert ip [109.74.206.21,109.86.231.201,109.87.25.148,109.88.211.62,109.90.105.212,109.90.194.92,109.90.2.49,109.91.18.210,109.9.189.81,109.92.182.91] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 99"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522196; rev:3093;)
alert ip [109.95.51.107,110.174.43.136,110.175.89.172,110.4.47.139,111.217.70.205,111.220.142.172,111.69.187.64,111.90.140.240,111.90.140.7,111.90.141.49] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 100"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522198; rev:3093;)
alert ip [111.90.145.244,111.90.147.202,111.90.147.45,111.90.159.23,113.146.25.87,113.151.17.45,113.20.31.45,113.255.93.146,113.41.194.250,114.198.116.112] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 101"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522200; rev:3093;)
alert ip [115.124.112.235,115.146.127.224,115.162.69.72,115.70.57.112,116.127.71.162,116.255.86.18,116.72.19.109,116.93.119.79,116.98.47.44,118.127.108.136] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 102"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522202; rev:3093;)
alert ip [118.211.103.137,118.211.196.241,119.235.249.136,119.59.127.104,121.216.200.82,121.217.128.119,121.217.216.75,121.223.16.207,121.99.219.228,122.130.149.200] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 103"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522204; rev:3093;)
alert ip [122.173.149.16,122.252.153.13,122.58.16.118,122.61.174.190,123.2.59.76,124.168.121.129,124.171.62.248,124.244.71.219,1.244.227.61,125.143.58.243] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 104"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522206; rev:3093;)
alert ip [125.212.217.197,125.212.218.81,125.212.220.60,125.236.237.47,125.239.0.127,125.30.61.42,126.70.7.146,128.112.228.11,128.119.245.76,128.12.177.59] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 105"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522208; rev:3093;)
alert ip [128.131.169.91,128.153.146.125,128.199.131.168,128.199.132.7,128.199.133.154,128.199.136.79,128.199.138.74,128.199.139.224,128.199.163.108,128.199.179.100] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 106"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522210; rev:3093;)
alert ip [128.199.189.192,128.199.192.230,128.199.194.112,128.199.194.214,128.199.221.35,128.199.224.88,128.199.228.42,128.199.228.61,128.199.240.193,128.199.252.197] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 107"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522212; rev:3093;)
alert ip [128.199.35.162,128.199.35.5,128.199.52.7,128.199.55.207,128.199.81.48,128.199.85.165,128.199.97.254,128.208.2.233,128.31.0.34,128.39.8.29] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 108"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522214; rev:3093;)
alert ip [128.52.170.130,128.69.8.101,128.75.22.182,129.100.38.88,129.10.115.230,129.10.115.237,129.10.115.238,129.10.115.239,129.10.115.241,129.10.115.244] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 109"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522216; rev:3093;)
alert ip [129.10.115.245,129.10.115.246,129.10.115.247,129.10.115.248,129.13.131.140,129.21.131.156,129.242.219.85,130.149.14.31,130.180.111.94,130.180.23.230] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 110"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522218; rev:3093;)
alert ip [130.180.30.254,130.180.63.150,130.180.72.178,130.185.104.50,130.185.250.214,130.185.250.3,130.185.250.76,130.193.15.186,130.225.254.103,130.230.113.228] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 111"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522220; rev:3093;)
alert ip [130.230.113.229,130.230.113.230,130.230.113.231,130.230.113.232,130.230.113.233,130.230.113.234,130.230.113.235,130.230.113.236,130.230.113.237,130.243.26.64] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 112"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522222; rev:3093;)
alert ip [130.255.10.191,130.255.190.187,130.255.78.232,130.63.173.126,131.130.142.98,131.155.71.124,131.188.40.188,131.188.40.189,131.191.83.25,131.220.141.128] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 113"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522224; rev:3093;)
alert ip [13.124.107.51,131.255.4.48,131.255.4.79,131.255.5.233,131.255.5.239,131.255.5.250,131.255.5.251,131.255.5.66,131.255.7.57,132.216.54.2] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 114"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522226; rev:3093;)
alert ip [133.130.103.34,1.33.218.249,1.33.65.204,134.102.200.101,134.119.179.55,134.119.222.3,134.119.26.193,134.119.3.164,134.119.3.2,134.119.32.208] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 115"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522228; rev:3093;)
alert ip [134.130.181.212,134.130.181.43,134.130.181.49,134.19.177.109,134.91.78.143,135.23.121.228,135.23.221.151,135.23.96.205,136.168.201.153,136.243.102.134] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 116"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522230; rev:3093;)
alert ip [136.243.114.62,136.243.1.156,136.243.14.241,136.243.147.28,136.243.149.82,136.243.170.164,136.243.174.97,136.243.176.148,136.243.177.133,136.243.187.165] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 117"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522232; rev:3093;)
alert ip [136.243.214.137,136.243.243.6,136.243.70.199,136.243.90.139,136.29.17.133,136.32.238.141,136.32.72.40,136.32.88.247,136.33.135.41,136.57.59.67] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 118"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522234; rev:3093;)
alert ip [136.58.71.216,136.62.24.118,136.62.41.207,136.62.65.222,136.63.228.142,13.68.112.72,137.135.8.233,137.205.124.35,137.226.111.123,137.59.52.186] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 119"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522236; rev:3093;)
alert ip [137.74.112.46,137.74.116.214,137.74.117.52,137.74.164.213,137.74.198.250,137.74.224.132,137.74.25.175,137.74.40.76,137.74.40.77,138.117.148.45] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 120"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522238; rev:3093;)
alert ip [138.197.0.28,138.197.110.32,138.197.133.255,138.197.133.81,138.197.14.226,138.197.151.119,138.197.152.158,138.197.153.96,138.197.155.116,138.197.162.18] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 121"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522240; rev:3093;)
alert ip [138.197.168.41,138.197.172.27,138.197.196.50,138.197.202.35,138.197.205.50,138.197.210.209,138.197.214.11,138.197.36.234,138.197.46.213,138.197.67.206] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 122"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522242; rev:3093;)
alert ip [138.197.96.48,138.201.106.213,138.201.117.167,138.201.132.17,138.201.132.34,138.201.135.108,138.201.143.186,138.201.149.20,138.201.149.21,138.201.169.12] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 123"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522244; rev:3093;)
alert ip [138.201.211.234,138.201.211.235,138.201.213.18,138.201.245.87,138.201.247.18,138.201.247.2,138.201.249.231,138.201.250.33,138.201.255.245,138.201.3.75] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 124"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522246; rev:3093;)
alert ip [138.201.49.41,138.201.75.6,138.201.83.171,138.201.91.210,138.201.92.183,138.201.94.249,138.204.171.103,13.85.20.159,138.68.102.40,138.68.134.249] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 125"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522248; rev:3093;)
alert ip [138.68.150.168,138.68.15.191,138.68.159.142,138.68.167.23,138.68.174.81,138.68.243.240,138.68.245.159,138.68.2.89,138.68.46.132,138.68.69.69] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 126"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522250; rev:3093;)
alert ip [138.68.76.180,138.68.80.108,138.68.80.91,138.68.81.52,138.68.95.222,138.68.96.71,139.133.232.231,139.140.181.151,139.162.103.248,139.162.112.111] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 127"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522252; rev:3093;)
alert ip [139.162.130.249,139.162.142.120,139.162.142.27,139.162.146.177,139.162.150.16,139.162.151.86,139.162.181.19,139.162.185.120,139.162.191.243,139.162.19.233] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 128"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522254; rev:3093;)
alert ip [139.162.232.28,139.162.241.69,139.162.245.120,139.162.248.13,139.162.249.63,139.162.44.128,139.162.56.252,139.162.61.44,139.162.7.40,139.162.81.156] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 129"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522256; rev:3093;)
alert ip [139.162.9.145,139.162.96.82,13.93.114.153,139.59.0.94,139.59.113.97,139.59.117.110,139.59.117.212,139.59.131.98,139.59.134.207,139.59.145.185] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 130"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522258; rev:3093;)
alert ip [139.59.148.215,139.59.155.174,139.59.16.5,139.59.172.93,139.59.210.198,139.59.2.130,139.59.2.186,139.59.226.185,139.59.229.179,139.59.235.172] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 131"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522260; rev:3093;)
alert ip [139.59.240.91,139.59.29.107,139.59.29.46,139.59.31.227,139.59.31.76,139.59.36.149,139.59.36.152,139.59.36.57,139.59.37.101,139.59.44.121] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 132"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522262; rev:3093;)
alert ip [139.59.45.242,139.59.6.172,139.59.64.32,139.59.64.49,139.59.70.114,139.59.7.124,139.59.79.120,140.0.126.72,140.113.128.242,140.113.69.47] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 133"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522264; rev:3093;)
alert ip [140.121.136.124,140.121.80.170,140.138.144.170,141.0.146.4,141.105.67.58,141.105.70.132,141.136.222.176,141.14.220.177,141.145.121.11,141.20.103.25] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 134"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522266; rev:3093;)
alert ip [141.20.33.67,141.20.33.68,141.255.161.173,141.255.165.102,141.255.166.142,141.255.166.150,141.255.166.189,141.51.125.16,141.54.159.184,141.70.125.232] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 135"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522268; rev:3093;)
alert ip [14.203.77.193,142.4.211.189,142.4.214.187,142.4.32.196,142.44.156.134,142.44.174.243,142.54.186.178,143.106.60.86,143.176.52.51,144.136.5.19] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 136"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522270; rev:3093;)
alert ip [144.178.137.152,144.206.238.32,144.2.123.139,144.217.15.100,144.217.15.164,144.217.15.179,144.217.245.140,144.217.245.145,144.217.246.91,144.217.254.208] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 137"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522272; rev:3093;)
alert ip [144.217.255.69,144.217.56.135,144.217.56.140,144.217.56.141,144.217.56.158,144.217.65.215,144.217.7.136,144.217.80.139,144.217.87.78,144.217.95.12] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 138"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522274; rev:3093;)
alert ip [144.76.101.199,144.76.105.117,144.76.105.169,144.76.109.138,144.76.11.100,144.76.112.85,144.76.117.169,144.76.128.206,144.76.14.145,144.76.163.93] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 139"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522276; rev:3093;)
alert ip [144.76.172.187,144.76.253.229,144.76.26.175,144.76.30.167,144.76.31.202,144.76.37.242,144.76.41.171,144.76.44.168,144.76.45.74,144.76.48.4] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 140"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522278; rev:3093;)
alert ip [144.76.50.37,144.76.61.40,144.76.6.199,144.76.64.66,144.76.69.232,144.76.71.91,144.76.75.130,144.76.75.184,144.76.80.68,144.76.85.183] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 141"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522280; rev:3093;)
alert ip [144.76.91.135,144.76.91.46,144.76.96.7,145.132.191.48,145.132.42.234,145.133.41.132,145.220.0.15,145.239.225.197,145.239.65.59,145.239.76.11] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 142"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522282; rev:3093;)
alert ip [145.239.82.204,145.239.82.223,145.239.85.191,145.239.87.224,145.255.243.50,146.0.32.122,146.0.32.132,146.0.32.62,146.0.43.121,146.0.43.126] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 143"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522284; rev:3093;)
alert ip [146.0.77.50,146.115.162.91,146.185.141.163,146.185.150.219,146.185.155.218,146.185.157.61,146.185.160.30,146.185.170.35,146.185.171.181,146.185.176.36] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 144"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522286; rev:3093;)
alert ip [146.185.189.197,146.185.253.101,146.185.69.58,146.199.226.192,146.255.170.243,146.255.170.244,146.255.170.245,146.255.57.228,146.52.122.170,146.52.130.106] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 145"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522288; rev:3093;)
alert ip [146.52.167.241,146.52.207.49,146.52.208.228,146.52.253.105,146.52.72.148,146.60.209.102,147.135.209.40,147.135.210.101,147.147.186.50,147.175.187.143] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 146"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522290; rev:3093;)
alert ip [147.175.187.180,148.251.11.21,148.251.113.230,148.251.11.39,148.251.14.214,148.251.151.240,148.251.168.226,148.251.176.25,148.251.190.229,148.251.206.134] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 147"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522292; rev:3093;)
alert ip [148.251.214.53,148.251.221.163,148.251.227.14,148.251.238.253,148.251.254.229,148.251.40.40,148.251.42.164,148.251.55.246,148.59.220.246,149.154.152.121] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 148"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522294; rev:3093;)
alert ip [149.154.157.80,149.154.159.172,149.154.159.87,149.154.71.246,149.172.149.170,149.172.201.153,149.202.101.30,149.202.181.214,149.202.190.14,149.202.192.203] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 149"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522296; rev:3093;)
alert ip [149.202.2.106,149.202.220.80,149.202.238.198,149.202.238.220,149.202.4.241,149.202.57.214,149.202.58.41,149.210.164.228,149.210.221.48,149.210.226.155] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 150"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522298; rev:3093;)
alert ip [149.255.35.242,149.255.37.90,149.56.12.78,149.56.13.125,149.56.140.193,149.56.141.138,149.56.14.37,149.56.185.56,149.56.204.207,149.56.223.242] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 151"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522300; rev:3093;)
alert ip [149.56.223.244,149.56.233.142,149.56.25.84,149.56.26.237,149.56.45.200,149.86.117.215,149.91.82.97,150.101.243.99,150.146.2.245,150.95.137.40] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 152"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522302; rev:3093;)
alert ip [150.95.173.81,151.1.182.217,151.177.29.27,151.20.242.69,151.20.248.101,151.225.130.246,151.230.29.84,151.236.11.114,151.236.12.126,151.236.218.67] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 153"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522304; rev:3093;)
alert ip [151.236.6.110,151.237.229.131,151.27.116.117,151.32.117.175,151.45.72.30,151.53.20.161,151.80.115.180,151.80.128.12,151.80.141.122,151.80.144.153] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 154"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522306; rev:3093;)
alert ip [151.80.144.253,151.80.145.159,151.80.147.153,151.80.16.34,151.80.40.72,151.80.56.141,151.80.56.62,151.80.59.144,153.120.42.137,153.126.128.94] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 155"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522308; rev:3093;)
alert ip [153.126.158.65,153.126.196.95,153.127.199.124,153.149.98.251,153.202.228.115,153.92.126.234,153.92.127.239,154.35.175.225,154.5.54.64,155.133.38.226] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 156"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522310; rev:3093;)
alert ip [155.254.49.178,155.4.103.214,155.4.229.135,155.98.5.5,155.98.5.6,157.7.143.145,158.140.206.75,158.255.208.148,158.255.212.178,158.255.215.41] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 157"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522312; rev:3093;)
alert ip [158.255.4.241,158.255.7.61,158.58.170.183,158.58.170.195,158.58.173.24,158.58.173.78,158.69.102.208,158.69.172.226,158.69.204.36,158.69.205.215] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 158"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522314; rev:3093;)
alert ip [158.69.205.247,158.69.205.92,158.69.207.216,158.69.216.18,158.69.217.34,158.69.247.184,158.69.247.80,158.69.36.152,158.69.48.77,158.69.63.16] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 159"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522316; rev:3093;)
alert ip [158.69.63.178,158.69.92.127,159.148.186.130,159.148.186.144,159.148.186.162,159.148.186.172,159.148.186.196,159.148.186.208,159.148.186.236,159.148.186.240] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 160"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522318; rev:3093;)
alert ip [159.148.186.8,159.148.186.91,159.203.10.141,159.203.10.16,159.203.103.138,159.203.15.100,159.203.17.103,159.203.173.38,159.203.1.86,159.203.193.72] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 161"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522320; rev:3093;)
alert ip [159.203.224.25,159.203.22.51,159.203.234.244,159.203.27.5,159.203.29.240,159.203.32.149,159.203.3.224,159.203.38.250,159.203.41.119,159.203.42.107] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 162"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522322; rev:3093;)
alert ip [159.203.42.254,159.203.45.104,159.203.45.171,159.203.59.106,159.203.7.221,159.203.85.88,159.203.90.174,159.224.64.79,160.16.228.57,161.53.160.104] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 163"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522324; rev:3093;)
alert ip [161.97.251.142,162.213.3.221,162.213.38.245,162.216.16.23,162.218.239.125,162.220.165.185,162.220.217.50,162.220.218.109,162.221.202.230,162.226.56.70] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 164"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522326; rev:3093;)
alert ip [162.243.134.188,162.243.139.73,162.243.195.118,162.243.200.157,162.243.21.103,162.243.255.143,162.243.8.161,162.244.25.214,162.245.23.144,162.247.73.195] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 165"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522328; rev:3093;)
alert ip [162.247.75.118,162.252.243.20,163.172.110.48,163.172.115.22,163.172.128.13,163.172.129.29,163.172.130.220,163.172.131.164,163.172.131.183,163.172.131.192] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 166"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522330; rev:3093;)
alert ip [163.172.13.165,163.172.131.88,163.172.132.167,163.172.132.178,163.172.133.54,163.172.135.172,163.172.137.4,163.172.137.92,163.172.138.22,163.172.139.104] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 167"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522332; rev:3093;)
alert ip [163.172.139.111,163.172.139.145,163.172.139.170,163.172.141.10,163.172.141.195,163.172.141.33,163.172.142.172,163.172.14.221,163.172.142.92,163.172.143.140] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 168"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522334; rev:3093;)
alert ip [163.172.143.186,163.172.144.236,163.172.146.169,163.172.146.232,163.172.147.53,163.172.148.176,163.172.149.122,163.172.149.155,163.172.151.234,163.172.152.231] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 169"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522336; rev:3093;)
alert ip [163.172.152.237,163.172.153.12,163.172.153.78,163.172.154.162,163.172.154.245,163.172.156.137,163.172.156.181,163.172.157.124,163.172.157.213,163.172.159.135] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 170"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522338; rev:3093;)
alert ip [163.172.160.227,163.172.163.104,163.172.163.169,163.172.163.238,163.172.165.6,163.172.167.77,163.172.168.131,163.172.169.253,163.172.170.52,163.172.173.182] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 171"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522340; rev:3093;)
alert ip [163.172.173.184,163.172.173.34,163.172.175.174,163.172.175.232,163.172.176.167,163.172.176.45,163.172.177.114,163.172.178.182,163.172.179.131,163.172.180.59] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 172"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522342; rev:3093;)
alert ip [163.172.181.239,163.172.183.116,163.172.190.110,163.172.191.234,163.172.194.53,163.172.201.62,163.172.209.161,163.172.210.170,163.172.21.117,163.172.212.102] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 173"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522344; rev:3093;)
alert ip [163.172.213.201,163.172.215.236,163.172.215.60,163.172.215.78,163.172.216.195,163.172.223.132,163.172.223.215,163.172.228.191,163.172.25.118,163.172.27.62] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 174"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522346; rev:3093;)
alert ip [163.172.35.211,163.172.36.205,163.172.42.239,163.172.45.220,163.172.53.84,163.172.56.248,163.172.60.190,163.172.61.28,163.172.69.166,163.172.82.124] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 175"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522348; rev:3093;)
alert ip [163.172.82.3,163.172.84.95,163.172.86.92,163.172.89.227,163.172.90.128,163.172.94.119,164.132.209.131,164.132.212.100,164.132.225.248,164.132.226.30] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 176"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522350; rev:3093;)
alert ip [164.132.230.34,164.132.249.244,164.132.38.170,164.132.41.85,164.132.49.205,164.132.77.175,164.215.116.194,164.40.245.204,165.120.218.118,165.227.122.119] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 177"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522352; rev:3093;)
alert ip [165.227.130.126,165.227.130.167,165.227.135.224,165.227.136.69,165.227.154.118,165.227.20.47,165.227.8.231,165.227.8.5,165.227.90.183,165.227.94.10] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 178"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522354; rev:3093;)
alert ip [166.70.15.14,166.70.94.106,167.114.103.19,167.114.113.134,167.114.121.128,167.114.148.149,167.114.160.128,167.114.219.61,167.114.3.166,167.114.35.102] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 179"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522356; rev:3093;)
alert ip [167.114.35.107,167.114.35.28,167.114.67.158,167.114.67.4,167.114.71.189,167.114.7.166,167.114.76.195,167.160.161.167,167.160.185.136,167.160.84.127] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 180"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522358; rev:3093;)
alert ip [167.160.84.141,167.88.120.159,167.88.41.8,168.150.251.15,168.205.150.148,168.235.146.20,168.235.154.96,168.235.67.30,168.235.69.79,169.239.128.130] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 181"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522360; rev:3093;)
alert ip [171.233.89.98,171.25.193.9,172.10.235.73,172.104.110.120,172.104.131.38,172.104.148.154,172.104.43.169,172.104.62.11,172.104.67.176,172.104.78.197] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 182"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522362; rev:3093;)
alert ip [172.104.85.43,172.104.88.43,172.221.207.95,172.241.140.26,172.245.126.70,172.245.126.96,172.245.219.133,172.245.24.228,172.245.99.10,172.86.144.15] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 183"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522364; rev:3093;)
alert ip [172.86.148.10,172.92.128.70,172.93.48.155,172.93.51.60,172.93.51.83,172.93.55.183,172.97.103.47,173.160.180.189,173.170.41.8,173.18.41.24] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 184"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522366; rev:3093;)
alert ip [173.199.115.232,173.199.118.247,173.199.124.17,173.206.132.9,173.208.225.60,173.208.225.61,173.212.197.112,173.212.206.230,173.212.228.203,173.212.231.17] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 185"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522368; rev:3093;)
alert ip [173.212.242.110,173.212.244.108,173.228.91.29,173.22.92.184,173.230.128.232,173.230.153.109,173.230.154.90,173.239.79.203,173.239.79.210,173.247.26.92] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 186"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522370; rev:3093;)
alert ip [173.254.236.135,173.255.205.113,173.255.209.181,173.255.217.222,173.255.218.106,173.255.221.96,173.255.228.134,173.255.228.85,173.255.241.235,173.255.245.116] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 187"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522372; rev:3093;)
alert ip [173.255.246.162,173.255.250.126,173.255.250.231,173.31.224.94,173.3.242.35,173.48.183.150,173.48.246.133,173.48.58.162,173.52.78.215,173.59.249.182] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 188"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522374; rev:3093;)
alert ip [173.66.70.16,173.67.9.186,173.68.10.124,173.71.141.91,173.76.173.114,173.79.55.87,173.8.211.74,173.82.151.94,174.0.0.21,174.104.26.125] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 189"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522376; rev:3093;)
alert ip [174.109.111.95,174.111.240.217,174.127.228.138,174.138.81.62,174.141.200.41,174.27.71.92,174.28.49.129,174.34.225.215,174.50.172.90,174.51.114.139] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 190"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522378; rev:3093;)
alert ip [174.55.212.152,174.59.110.190,174.63.80.6,174.68.74.231,174.7.16.21,174.97.19.230,175.138.42.194,175.179.249.253,175.203.71.68,176.10.131.70] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 191"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522380; rev:3093;)
alert ip [176.10.137.12,176.10.140.175,176.10.217.142,176.10.253.40,176.103.49.29,176.103.56.31,176.103.57.208,176.103.57.235,176.107.177.15,176.107.185.22] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 192"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522382; rev:3093;)
alert ip [176.112.242.6,176.114.131.136,176.114.248.47,176.115.38.130,176.118.30.217,176.119.98.186,176.121.81.51,176.123.10.167,176.123.10.3,176.123.10.41] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 193"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522384; rev:3093;)
alert ip [176.123.10.42,176.123.10.67,176.123.10.89,176.123.10.99,176.123.2.254,176.123.26.23,176.123.29.56,176.123.7.197,176.126.242.49,176.14.216.156] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 194"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522386; rev:3093;)
alert ip [176.15.182.231,176.158.155.120,176.158.236.102,176.159.130.165,176.193.226.229,176.194.189.124,176.195.245.42,176.196.98.66,176.197.158.30,176.198.132.82] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 195"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522388; rev:3093;)
alert ip [176.198.68.117,176.20.196.56,176.20.234.102,176.212.75.157,176.28.9.120,176.31.101.92,176.31.102.212,176.31.103.150,176.31.110.48,176.31.116.140] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 196"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522390; rev:3093;)
alert ip [176.31.117.6,176.31.120.215,176.31.121.194,176.31.125.116,176.31.163.89,176.31.184.255,176.31.191.26,176.31.200.122,176.31.225.204,176.31.23.96] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 197"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522392; rev:3093;)
alert ip [195.133.48.81,195.13.50.211,195.148.124.199,195.154.162.172,195.154.163.119,195.154.164.243,195.154.164.34,195.154.165.64,195.154.171.24,195.154.177.231] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 281"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522560; rev:3093;)
alert ip [195.154.181.146,195.154.200.129,195.154.209.91,195.154.221.65,195.154.226.249,195.154.235.34,195.154.237.147,195.154.240.145,195.154.241.125,195.154.242.122] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 282"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522562; rev:3093;)
alert ip [195.154.250.239,195.154.251.25,195.154.252.88,195.154.253.226,195.154.255.174,195.16.89.145,195.169.125.226,195.170.63.164,195.176.247.88,195.180.11.196] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 283"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522564; rev:3093;)
alert ip [195.181.208.180,195.181.211.88,195.181.223.225,195.181.246.187,195.191.158.17,195.191.233.221,195.200.236.197,195.216.94.52,195.22.127.160,195.225.211.26] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 284"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522566; rev:3093;)
alert ip [195.228.75.149,195.230.168.83,195.234.152.86,195.238.190.101,195.251.252.226,195.28.182.237,195.30.107.220,195.42.115.162,195.62.52.120,195.62.53.196] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 285"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522568; rev:3093;)
alert ip [195.71.68.84,195.88.208.149,195.91.211.69,195.91.244.98,198.100.144.33,198.100.147.184,198.100.148.112,198.100.148.146,198.101.8.214,198.105.223.146] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 286"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522570; rev:3093;)
alert ip [198.12.118.14,198.147.22.82,198.148.81.167,198.154.106.54,198.167.223.44,198.199.118.134,198.199.64.217,198.199.90.205,198.204.240.82,198.211.104.110] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 287"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522572; rev:3093;)
alert ip [198.211.120.25,198.211.124.214,198.211.125.242,198.23.161.150,198.233.204.165,198.244.104.174,198.245.50.175,198.245.50.57,198.252.121.79,198.255.94.114] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 288"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522574; rev:3093;)
alert ip [198.27.109.36,198.27.191.62,198.27.64.215,198.27.66.209,198.27.69.201,198.27.80.201,198.27.86.221,198.46.153.51,198.48.130.25,198.50.128.229] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 289"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522576; rev:3093;)
alert ip [198.50.128.234,198.50.135.213,198.50.146.252,198.50.147.70,198.50.191.95,198.50.236.124,198.51.75.52,198.58.102.234,198.58.110.223,198.71.81.66] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 290"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522578; rev:3093;)
alert ip [198.72.229.35,198.74.56.191,198.74.57.57,198.74.60.26,198.74.61.51,198.96.155.9,198.98.50.212,198.98.62.56,199.115.205.248,199.15.250.210] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 291"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522580; rev:3093;)
alert ip [199.175.49.147,199.181.238.127,199.184.246.250,199.188.194.53,199.189.62.251,199.19.213.176,199.195.249.221,199.19.85.252,199.200.15.10,199.231.85.122] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 292"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522582; rev:3093;)
alert ip [199.241.29.223,199.254.238.53,199.255.223.88,200.122.181.15,200.73.251.82,200.8.206.216,201.17.58.90,201.214.174.246,202.129.80.154,202.53.47.70] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 293"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522584; rev:3093;)
alert ip [203.141.154.202,203.186.69.98,203.206.25.146,203.220.189.110,203.7.77.255,204.13.164.110,204.152.220.247,204.152.220.248,204.186.244.66,204.27.63.234] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 294"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522586; rev:3093;)
alert ip [204.44.75.210,204.83.204.143,204.9.50.25,205.178.25.71,205.185.124.82,205.204.69.19,206.174.113.156,206.192.252.17,206.221.184.158,206.223.203.129] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 295"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522588; rev:3093;)
alert ip [206.248.134.68,206.40.118.229,206.55.74.1,206.63.229.144,207.154.208.184,207.154.208.75,207.154.217.3,207.154.226.140,207.154.239.150,207.154.248.123] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 296"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522590; rev:3093;)
alert ip [207.181.237.93,207.236.124.177,207.244.75.198,207.6.121.227,208.113.133.247,208.113.165.162,208.113.166.5,208.118.235.48,208.38.243.107,208.64.220.46] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 297"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522592; rev:3093;)
alert ip [208.79.209.124,208.80.154.39,208.83.223.34,208.94.242.26,208.95.3.28,209.102.247.122,209.126.71.233,209.141.34.240,209.141.35.232,209.141.36.42] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 298"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522594; rev:3093;)
alert ip [209.141.40.22,209.141.49.38,209.141.50.138,209.141.52.13,209.141.60.229,209.171.163.168,209.181.61.219,209.197.145.194,209.208.79.5,209.240.109.238] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 299"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522596; rev:3093;)
alert ip [209.44.114.178,209.58.160.138,209.58.178.49,209.58.180.90,209.6.79.180,209.90.224.5,209.95.48.163,210.1.204.177,210.152.241.60,210.185.115.156] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 300"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522598; rev:3093;)
alert ip [210.223.103.24,210.3.102.154,210.3.102.165,2.104.52.160,210.54.35.24,2.110.219.47,2.110.60.68,212.10.111.106,212.10.111.112,212.10.153.81] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 301"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522600; rev:3093;)
alert ip [212.107.138.107,212.110.189.186,212.111.40.177,212.111.41.143,212.114.228.30,212.117.180.107,212.117.180.33,212.117.180.45,212.119.243.30,212.129.0.231] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 302"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522602; rev:3093;)
alert ip [212.129.19.196,212.129.34.13,212.129.42.9,212.129.4.84,212.129.49.59,212.129.62.232,212.159.100.232,212.159.112.196,212.159.177.198,212.159.79.228] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 303"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522604; rev:3093;)
alert ip [212.16.170.158,212.17.102.77,212.181.206.122,212.186.197.229,212.186.71.38,212.186.79.250,212.187.200.170,212.198.84.177,212.201.68.152,212.224.76.148] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 304"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522606; rev:3093;)
alert ip [212.224.78.234,212.224.95.161,212.224.95.231,212.227.8.137,212.232.29.101,212.237.35.67,212.237.56.227,212.238.160.33,212.238.208.48,212.24.104.216] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 305"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522608; rev:3093;)
alert ip [212.24.105.154,212.24.106.116,212.24.110.13,212.24.111.7,212.251.211.254,212.3.112.226,212.47.227.58,212.47.227.71,212.47.227.75,212.47.229.138] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 306"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522610; rev:3093;)
alert ip [212.47.229.2,212.47.230.49,212.47.230.5,212.47.231.241,212.47.232.236,212.47.232.3,212.47.233.134,212.47.233.235,212.47.233.45,212.47.233.86] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 307"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522612; rev:3093;)
alert ip [212.47.234.192,212.47.234.212,212.47.235.80,212.47.236.95,212.47.237.191,212.47.237.32,212.47.238.193,212.47.238.65,212.47.239.101,212.47.239.151] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 308"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522614; rev:3093;)
alert ip [212.47.239.163,212.47.239.187,212.47.239.83,212.47.240.10,212.47.240.189,212.47.241.21,212.47.243.166,212.47.244.114,212.47.244.38,212.47.244.98] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 309"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522616; rev:3093;)
alert ip [212.47.245.76,212.47.246.18,212.47.246.211,212.47.246.229,212.47.248.10,212.47.248.113,212.47.250.57,212.47.252.91,212.50.120.191,212.51.134.123] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 310"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522618; rev:3093;)
alert ip [212.51.139.25,212.51.143.146,212.51.143.20,212.51.147.191,212.51.150.184,212.51.151.250,212.51.156.224,212.51.156.78,212.51.159.148,212.60.126.51] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 311"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522620; rev:3093;)
alert ip [212.60.130.72,212.69.166.122,212.71.253.226,212.7.217.52,212.74.233.18,212.74.233.21,212.74.254.243,212.83.143.46,212.83.154.33,212.83.158.20] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 312"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522622; rev:3093;)
alert ip [212.83.158.5,212.83.165.54,212.83.174.26,212.83.176.58,212.86.53.174,212.89.225.242,212.96.63.171,213.108.108.235,213.109.56.200,213.112.199.150] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 313"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522624; rev:3093;)
alert ip [213.113.116.117,213.113.214.106,213.113.52.10,213.114.144.249,213.114.154.207,213.114.155.106,213.114.226.17,213.114.231.7,213.124.169.159,213.124.179.25] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 314"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522626; rev:3093;)
alert ip [213.131.6.186,213.133.99.156,213.135.198.106,213.136.71.21,213.136.77.251,213.136.80.109,213.136.81.89,213.136.82.192,213.136.94.10,213.137.18.42] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 315"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522628; rev:3093;)
alert ip [213.138.100.68,213.138.102.209,213.138.109.144,213.138.113.232,213.140.92.199,213.141.138.174,213.141.150.19,213.144.146.77,213.144.157.75,213.152.161.30] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 316"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522630; rev:3093;)
alert ip [213.152.161.40,213.153.84.215,213.157.15.235,213.162.132.85,213.163.70.234,213.167.242.183,213.169.148.151,213.17.124.178,213.183.48.84,213.183.56.140] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 317"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522632; rev:3093;)
alert ip [213.184.126.2,213.184.126.242,213.184.127.226,213.188.245.139,213.195.109.234,213.197.22.124,213.202.233.36,213.202.247.35,213.21.26.171,213.21.26.180] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 318"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522634; rev:3093;)
alert ip [213.226.180.166,213.233.226.123,213.239.197.25,213.239.205.239,213.239.211.41,213.239.212.20,213.239.216.222,213.239.217.18,213.239.217.68,213.239.249.71] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 319"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522636; rev:3093;)
alert ip [213.243.172.46,213.246.56.79,213.246.56.95,213.251.226.175,213.254.32.26,213.32.119.219,213.32.21.55,213.32.241.238,213.32.55.195,213.32.66.192] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 320"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522638; rev:3093;)
alert ip [213.32.68.101,213.32.90.15,213.45.170.44,213.47.176.238,213.64.65.106,213.66.28.170,2.137.20.68,213.73.99.182,213.89.134.172,2.139.216.169] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 321"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522640; rev:3093;)
alert ip [213.93.31.148,213.95.86.180,213.99.222.33,216.12.171.170,216.127.173.78,216.127.187.29,216.158.226.216,216.185.144.100,216.19.178.143,216.195.133.27] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 322"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522642; rev:3093;)
alert ip [216.218.222.10,216.218.222.14,216.24.174.245,216.24.242.34,216.244.85.211,216.252.162.19,216.51.232.227,216.55.181.21,217.103.193.83,217.106.239.149] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 323"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522644; rev:3093;)
alert ip [217.107.193.10,217.112.131.24,217.112.131.98,217.113.158.52,217.115.127.58,217.11.57.226,217.117.227.226,217.12.199.108,217.12.199.190,217.12.199.208] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 324"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522646; rev:3093;)
alert ip [217.12.202.111,217.12.202.116,217.12.202.40,217.12.202.53,217.12.202.58,217.12.203.46,217.12.204.120,217.12.204.149,217.12.204.174,217.12.208.117] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 325"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522648; rev:3093;)
alert ip [217.12.210.207,217.12.210.95,217.122.175.19,217.12.223.214,217.12.223.215,217.12.223.216,217.12.223.217,217.12.223.218,217.147.214.107,217.150.227.143] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 326"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522650; rev:3093;)
alert ip [217.155.10.18,217.155.40.118,217.160.13.173,217.160.141.52,217.160.15.247,217.160.178.10,217.172.172.8,217.172.190.251,217.182.102.242,217.182.231.53] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 327"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522652; rev:3093;)
alert ip [217.182.73.4,217.182.75.181,217.182.75.36,217.182.85.154,217.182.86.44,217.182.90.137,217.182.94.173,217.197.240.244,217.197.83.162,217.197.86.173] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 328"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522654; rev:3093;)
alert ip [217.197.91.145,217.20.112.213,217.20.130.72,217.209.179.202,217.210.64.254,217.22.141.89,217.224.41.172,217.228.210.7,217.23.15.200,217.235.159.84] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 329"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522656; rev:3093;)
alert ip [217.235.69.101,217.235.76.75,217.23.7.103,217.238.228.212,217.238.239.185,217.249.80.63,217.251.89.171,217.63.200.51,217.64.127.174,217.69.144.94] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 330"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522658; rev:3093;)
alert ip [217.79.178.60,217.79.179.177,217.79.182.95,217.79.190.25,217.81.247.55,217.84.98.50,217.85.173.59,217.85.180.233,217.8.61.67,217.86.254.137] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 331"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522660; rev:3093;)
alert ip [217.86.26.49,217.87.104.63,217.92.54.146,217.95.26.97,2.190.11.52,219.111.151.219,219.117.206.46,219.117.241.101,220.135.161.179,220.233.123.172] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 332"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522662; rev:3093;)
alert ip [220.240.152.221,220.240.80.150,220.253.12.10,221.121.153.184,221.39.78.201,222.10.49.182,222.12.87.83,222.152.75.99,2.225.231.92,2.230.164.254] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 333"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522664; rev:3093;)
alert ip [223.16.90.167,223.197.177.165,223.197.177.49,2.234.130.233,2.235.216.169,2.236.9.67,2.242.70.119,23.105.70.174,2.31.69.65,23.226.231.158] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 334"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522666; rev:3093;)
alert ip [23.227.199.226,23.235.4.101,23.236.50.86,23.239.10.144,23.239.113.101,23.239.145.125,23.239.22.19,23.239.2.7,23.239.27.28,23.239.30.69] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 335"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522668; rev:3093;)
alert ip [23.240.32.151,23.244.69.180,23.253.57.42,23.254.128.38,23.254.165.250,23.254.166.222,23.254.167.231,23.81.66.90,23.91.124.124,23.92.138.206] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 336"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522670; rev:3093;)
alert ip [23.92.19.113,23.92.21.74,23.92.222.214,23.92.83.233,23.95.113.5,23.97.172.229,24.108.240.199,24.117.231.229,24.130.221.118,24.130.248.235] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 337"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522672; rev:3093;)
alert ip [24.14.136.134,24.147.89.4,24.148.59.185,24.151.1.51,24.154.185.97,24.157.146.7,24.163.106.7,24.17.211.5,24.209.62.187,24.21.143.35] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 338"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522674; rev:3093;)
alert ip [24.2.216.29,24.22.246.162,24.22.64.232,24.248.203.49,24.30.59.18,24.3.140.142,24.35.77.155,24.40.143.53,24.54.152.124,24.61.42.21] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 339"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522676; rev:3093;)
alert ip [24.6.174.94,24.71.168.153,24.77.115.137,24.80.227.241,24.85.72.185,24.8.76.174,24.96.173.104,24.98.72.86,2.7.154.187,27.50.87.11] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 340"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522678; rev:3093;)
alert ip [27.64.121.247,2.92.133.8,2.93.9.1,31.129.166.78,31.130.48.109,31.132.156.136,31.135.243.138,31.14.138.27,31.15.66.218,31.16.110.107] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 341"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522680; rev:3093;)
alert ip [31.16.53.18,31.170.105.77,31.170.82.41,31.171.155.102,31.171.155.103,31.171.155.108,31.171.155.29,31.171.244.193,31.17.179.130,31.178.139.138] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 342"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522682; rev:3093;)
alert ip [31.179.132.42,31.179.24.189,31.18.14.162,31.18.152.33,31.184.198.152,31.184.198.183,31.192.174.73,31.192.204.204,31.201.243.214,31.204.128.24] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 343"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522684; rev:3093;)
alert ip [5.39.64.7,5.39.77.208,5.39.80.135,5.39.80.28,5.39.81.102,5.39.82.192,5.39.83.217,5.39.83.27,5.39.86.206,5.39.89.124] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 429"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522856; rev:3093;)
alert ip [5.39.91.86,5.39.92.199,5.39.94.169,5.39.95.142,54.153.249.26,54.179.98.204,54.187.239.16,54.201.201.93,54.202.82.18,54.218.172.0] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 430"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522858; rev:3093;)
alert ip [54.233.155.67,54.241.9.145,54.244.208.214,54.245.9.252,54.36.38.63,5.44.101.190,5.45.100.22,5.45.107.56,5.45.108.48,5.45.109.62] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 431"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522860; rev:3093;)
alert ip [5.45.111.145,5.45.97.127,54.71.227.111,54.86.232.140,54.88.165.229,54.92.68.99,54.94.154.154,54.94.85.201,5.51.106.108,5.51.204.241] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 432"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522862; rev:3093;)
alert ip [5.57.243.84,5.61.239.34,5.61.34.63,5.79.74.220,5.79.75.37,5.79.86.15,58.176.161.172,5.8.54.12,5.8.54.27,58.93.43.22] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 433"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522864; rev:3093;)
alert ip [58.96.66.25,5.9.102.198,5.9.110.236,5.9.112.137,5.9.121.207,5.9.121.79,5.9.121.87,5.9.122.110,5.9.129.218,5.9.140.173] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 434"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522866; rev:3093;)
alert ip [5.9.142.76,5.9.147.226,5.9.149.100,5.9.149.55,5.9.149.70,5.9.150.40,5.9.153.114,5.9.156.17,5.9.171.38,5.9.181.162] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 435"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522868; rev:3093;)
alert ip [5.9.188.182,5.9.191.52,5.9.212.204,5.9.239.228,5.9.253.234,5.9.25.79,5.9.39.113,5.9.40.121,5.9.43.3,5.9.50.84] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 436"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522870; rev:3093;)
alert ip [5.9.56.12,5.9.58.137,5.9.61.207,5.9.62.17,5.9.7.130,5.9.79.142,5.9.79.154,5.9.81.41,5.9.83.204,5.9.88.74] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 437"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522872; rev:3093;)
alert ip [5.9.98.43,60.112.213.201,60.225.57.95,60.234.102.113,60.48.251.22,61.68.248.113,61.68.41.40,61.68.46.18,62.102.148.172,62.103.152.170] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 438"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522874; rev:3093;)
alert ip [62.103.152.219,62.103.152.227,62.103.152.228,62.108.196.73,62.109.20.48,62.109.4.115,62.113.216.173,62.113.216.177,62.113.227.124,62.113.241.182] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 439"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522876; rev:3093;)
alert ip [62.113.241.207,62.113.254.114,62.12.115.107,62.138.10.60,62.138.10.61,62.138.10.62,62.138.7.171,62.138.7.231,62.141.36.150,62.141.48.175] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 440"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522878; rev:3093;)
alert ip [62.141.51.90,62.141.52.185,62.141.54.86,62.143.28.23,62.149.2.188,62.152.43.203,62.157.77.139,62.167.72.32,62.168.3.212,62.173.154.153] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 441"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522880; rev:3093;)
alert ip [62.176.239.229,62.180.109.11,62.194.12.77,62.194.76.2,62.197.207.182,62.199.169.123,62.210.105.47,62.210.107.86,62.210.109.48,62.210.123.24] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 442"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522882; rev:3093;)
alert ip [62.210.125.130,62.210.132.56,62.210.137.230,62.210.138.3,62.210.170.143,62.210.180.21,62.210.190.5,62.210.203.90,62.210.206.159,62.210.206.25] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 443"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522884; rev:3093;)
alert ip [62.210.206.53,62.210.213.17,62.210.217.207,62.210.244.146,62.210.24.46,62.210.247.178,62.210.254.132,62.210.36.16,62.210.36.46,62.210.69.161] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 444"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522886; rev:3093;)
alert ip [62.210.69.236,62.210.74.110,62.210.75.84,62.210.76.88,62.210.82.244,62.210.84.34,62.210.90.164,62.210.90.75,62.210.92.11,62.210.93.142] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 445"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522888; rev:3093;)
alert ip [62.212.72.243,62.213.214.207,62.214.6.61,62.216.5.120,62.216.54.29,62.217.124.253,62.219.182.42,62.219.46.133,62.220.148.87,62.220.148.97] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 446"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522890; rev:3093;)
alert ip [62.224.109.251,62.224.67.233,62.235.105.147,62.242.177.175,62.245.57.78,62.249.170.186,62.251.50.232,62.251.89.74,62.37.150.20,62.4.15.84] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 447"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522892; rev:3093;)
alert ip [62.6.132.155,62.64.191.92,62.65.107.36,62.68.14.206,62.72.82.222,62.75.147.82,62.75.203.76,62.75.255.37,62.78.245.129,64.137.144.195] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 448"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522894; rev:3093;)
alert ip [64.137.162.93,64.137.163.132,64.137.166.21,64.137.181.8,64.137.191.74,64.137.193.88,64.137.193.91,64.137.193.92,64.137.195.214,64.137.203.62] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 449"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522896; rev:3093;)
alert ip [64.137.212.51,64.137.220.124,64.137.227.206,64.137.230.59,64.137.240.201,64.137.242.125,64.137.243.27,64.137.243.67,64.137.247.191,64.137.249.201] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 450"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522898; rev:3093;)
alert ip [64.178.138.94,64.228.188.98,64.237.51.46,64.33.179.214,64.91.6.244,64.94.238.142,65.102.134.108,65.183.146.221,65.183.218.89,65.19.167.133] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 451"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522900; rev:3093;)
alert ip [65.19.167.134,65.19.178.177,65.19.178.241,65.24.56.15,65.50.203.5,65.94.17.75,66.111.2.20,66.111.2.34,66.111.62.85,66.148.116.90] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 452"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522902; rev:3093;)
alert ip [66.170.11.203,66.172.12.174,66.175.217.78,66.175.221.24,66.175.223.145,66.186.230.154,66.191.220.212,66.215.142.69,66.228.39.82,66.228.39.83] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 453"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522904; rev:3093;)
alert ip [66.228.51.186,66.234.218.247,66.235.24.122,66.240.174.9,66.242.92.203,66.246.75.167,66.24.84.54,66.55.215.216,66.55.64.181,66.55.67.28] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 454"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522906; rev:3093;)
alert ip [66.70.211.20,66.90.101.117,67.10.7.28,67.160.203.232,67.162.129.215,67.162.205.205,67.165.240.50,67.170.176.90,67.180.116.128,67.186.115.91] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 455"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522908; rev:3093;)
alert ip [67.188.115.214,67.205.128.47,67.205.130.27,67.205.137.40,67.207.83.202,67.22.162.61,67.227.198.183,67.227.240.79,67.241.73.26,67.249.138.113] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 456"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522910; rev:3093;)
alert ip [67.254.247.220,67.2.57.141,67.43.0.209,68.102.158.81,68.104.222.58,68.105.130.111,68.112.152.187,68.118.104.181,68.129.4.212,68.148.246.91] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 457"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522912; rev:3093;)
alert ip [68.151.164.43,68.168.108.152,68.172.40.110,68.174.152.193,68.196.189.216,68.201.5.172,68.203.1.218,68.203.91.245,68.206.20.134,68.2.206.4] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 458"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522914; rev:3093;)
alert ip [68.224.246.169,68.224.252.210,68.230.137.166,68.231.202.157,68.42.193.252,68.61.169.59,68.69.166.68,68.8.163.148,68.82.19.43,68.83.2.168] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 459"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522916; rev:3093;)
alert ip [69.115.102.229,69.115.145.16,69.11.9.116,69.136.179.201,69.138.251.81,69.143.186.130,69.156.146.183,69.16.137.20,69.162.107.5,69.163.35.222] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 460"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522918; rev:3093;)
alert ip [69.164.195.92,69.164.198.32,69.164.210.140,69.164.210.142,69.164.211.18,69.164.212.180,69.164.214.250,69.164.216.230,69.164.216.82,69.164.221.153] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 461"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522920; rev:3093;)
alert ip [69.164.221.65,69.164.221.78,69.172.169.175,69.174.176.16,69.181.73.164,69.193.72.100,69.202.208.57,69.251.207.212,69.28.82.48,69.30.215.42] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 462"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522922; rev:3093;)
alert ip [69.30.218.186,69.61.35.184,69.62.162.178,69.64.46.27,69.84.70.38,69.85.115.246,69.85.92.224,69.90.132.10,69.90.132.11,69.90.132.248] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 463"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522924; rev:3093;)
alert ip [69.90.151.229,69.93.127.57,69.93.99.14,70.115.155.92,70.119.125.160,70.124.157.109,70.160.231.36,70.164.197.204,70.173.177.224,70.187.153.51] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 464"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522926; rev:3093;)
alert ip [70.38.31.121,70.59.88.17,70.63.170.86,70.67.185.41,70.78.109.149,70.79.195.48,70.92.77.22,70.95.78.84,71.10.114.10,71.125.33.223] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 465"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522928; rev:3093;)
alert ip [71.14.188.3,71.161.106.188,71.165.151.35,71.172.62.72,71.19.144.184,71.19.149.21,71.19.154.138,71.19.155.187,71.19.157.127,71.19.157.213] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 466"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522930; rev:3093;)
alert ip [71.191.89.250,71.202.232.139,71.202.61.123,71.204.171.134,71.204.188.148,71.238.214.21,71.245.80.14,71.248.178.98,71.39.169.105,71.54.138.21] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 467"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522932; rev:3093;)
alert ip [71.57.153.248,71.82.236.51,71.8.59.240,71.86.238.225,72.11.61.169,72.11.62.32,72.12.96.84,72.14.177.164,72.14.183.14,72.14.190.137] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 468"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522934; rev:3093;)
alert ip [72.174.129.181,72.174.70.108,72.179.146.98,72.197.6.110,72.234.155.136,72.238.131.236,72.38.1.135,72.42.158.117,72.46.49.24,72.5.72.227] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 469"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522936; rev:3093;)
alert ip [72.66.111.33,72.69.168.215,72.83.36.237,73.110.152.214,73.146.11.203,73.153.100.155,73.158.169.40,73.160.247.47,73.168.232.114,73.170.141.73] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 470"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522938; rev:3093;)
alert ip [73.170.159.10,73.176.222.34,73.193.242.57,73.197.11.4,73.201.115.116,73.201.16.196,73.202.4.42,73.225.68.25,73.233.243.74,73.24.36.58] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 471"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522940; rev:3093;)
alert ip [73.245.139.113,73.246.41.113,73.25.143.5,73.252.227.171,73.254.86.153,73.40.36.170,73.43.58.31,73.45.37.75,73.58.226.233,73.89.148.177] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 472"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522942; rev:3093;)
alert ip [73.89.87.77,74.103.247.168,74.115.25.12,74.116.186.120,74.121.182.206,74.139.147.78,74.140.170.197,74.207.231.186,74.207.236.197,74.207.237.44] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 473"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522944; rev:3093;)
alert ip [74.207.242.7,74.208.220.222,74.208.234.191,74.208.247.181,74.208.78.130,74.221.46.242,74.222.20.106,74.57.235.186,74.71.234.81,74.86.24.19] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 474"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522946; rev:3093;)
alert ip [74.88.96.7,74.91.21.2,75.119.251.14,75.127.15.73,75.127.96.101,75.134.154.177,75.135.123.77,75.144.22.203,75.155.22.50,75.161.120.237] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 475"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522948; rev:3093;)
alert ip [75.166.226.179,75.169.5.197,75.176.45.87,75.182.207.22,75.182.90.20,75.87.191.70,76.10.157.58,76.102.13.241,76.105.231.45,76.118.18.70] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 476"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522950; rev:3093;)
alert ip [76.119.135.44,76.12.219.104,76.126.253.76,76.127.209.65,76.14.112.233,76.167.215.227,76.182.208.232,76.19.132.163,76.217.12.234,76.244.38.127] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 477"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522952; rev:3093;)
alert ip [76.244.39.154,76.251.164.153,76.255.206.36,76.26.203.243,76.73.234.173,76.85.96.65,76.98.28.62,77.102.174.224,77.102.66.183,77.120.122.102] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 478"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522954; rev:3093;)
alert ip [77.120.122.131,77.120.94.233,77.129.60.166,77.139.132.109,77.140.150.239,77.140.201.83,77.140.93.127,77.148.42.134,77.161.34.157,77.166.206.198] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 479"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522956; rev:3093;)
alert ip [77.170.230.163,77.174.168.42,77.177.30.182,77.178.71.4,77.179.213.231,77.180.116.249,77.180.119.47,77.180.40.15,77.181.119.74,77.185.251.42] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 480"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522958; rev:3093;)
alert ip [77.187.165.8,77.198.99.139,77.20.129.236,77.203.13.57,77.21.150.101,77.21.35.84,77.2.186.111,77.23.37.2,77.23.56.30,77.238.69.216] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 481"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522960; rev:3093;)
alert ip [77.243.191.50,77.244.37.157,77.246.163.142,77.246.193.59,77.248.157.83,77.250.55.228,77.251.239.123,77.27.140.228,77.37.142.179,77.37.160.18] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 482"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522962; rev:3093;)
alert ip [77.37.162.132,77.37.218.145,77.43.219.246,77.47.119.55,77.47.40.159,77.47.47.126,77.48.73.246,77.56.224.131,77.57.114.44,77.57.126.36] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 483"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522964; rev:3093;)
alert ip [77.64.230.73,77.66.12.185,77.68.11.42,77.68.42.132,77.70.5.60,77.70.63.220,77.72.150.150,77.73.64.51,77.73.67.139,77.74.96.43] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 484"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522966; rev:3093;)
alert ip [77.75.166.43,77.78.163.128,77.7.96.234,77.81.104.124,77.87.49.6,77.87.50.6,77.94.116.249,78.107.239.213,78.108.77.86,78.109.23.1] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 485"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522968; rev:3093;)
alert ip [78.118.163.95,78.120.51.57,78.124.107.98,78.130.128.106,78.130.195.135,78.13.71.147,78.142.140.242,78.142.145.141,78.142.19.11,78.142.19.215] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 486"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522970; rev:3093;)
alert ip [78.142.19.226,78.156.110.135,78.156.114.237,78.156.117.236,78.192.124.148,78.192.89.9,78.193.140.4,78.193.218.97,78.193.40.205,78.193.40.254] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 487"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522972; rev:3093;)
alert ip [78.194.220.54,78.194.2.61,78.194.37.29,78.200.39.175,78.213.146.86,78.215.220.29,78.219.4.95,78.24.75.53,78.247.96.188,78.27.109.107] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 488"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522974; rev:3093;)
alert ip [78.34.249.163,78.34.65.120,78.35.204.169,78.35.56.203,78.36.44.54,78.43.30.83,78.43.32.13,78.43.34.2,78.46.112.219,78.46.127.239] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 489"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522976; rev:3093;)
alert ip [78.46.139.153,78.46.139.182,78.46.141.74,78.46.145.58,78.46.151.11,78.46.162.123,78.46.185.124,78.46.189.152,78.46.193.41,78.46.203.18] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 490"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522978; rev:3093;)
alert ip [78.46.209.112,78.46.220.130,78.46.221.48,78.46.223.134,78.46.233.214,78.46.239.183,78.46.247.36,78.46.249.71,78.46.253.198,78.46.37.25] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 491"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522980; rev:3093;)
alert ip [78.46.37.26,78.46.38.250,78.46.44.222,78.46.45.242,78.46.51.124,78.46.53.11,78.46.60.30,78.46.64.245,78.46.82.123,78.46.90.23] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 492"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522982; rev:3093;)
alert ip [78.46.95.20,78.46.99.169,78.47.117.28,78.47.134.195,78.47.134.196,78.47.142.211,78.47.158.122,78.47.162.163,78.47.167.67,78.47.174.155] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 493"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522984; rev:3093;)
alert ip [78.47.176.74,78.47.18.110,78.47.221.71,78.47.224.202,78.47.224.219,78.47.229.107,78.47.239.80,78.47.35.35,78.47.61.129,78.47.61.222] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 494"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522986; rev:3093;)
alert ip [78.47.70.123,78.47.9.21,78.47.98.200,78.49.109.5,78.49.115.119,78.49.9.91,78.50.161.130,78.51.79.138,78.52.105.103,78.53.55.15] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 495"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522988; rev:3093;)
alert ip [78.55.15.45,78.55.194.217,78.55.80.168,78.56.124.16,78.56.40.22,78.84.251.67,78.90.15.229,78.90.227.228,78.94.141.202,78.94.186.133] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 496"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522990; rev:3093;)
alert ip [78.94.74.236,78.94.92.170,79.111.0.58,79.111.23.100,79.120.10.98,79.120.41.147,79.120.85.102,79.124.58.78,79.124.60.246,79.124.7.11] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 497"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522992; rev:3093;)
alert ip [79.132.85.150,79.133.210.11,79.136.153.114,79.136.39.109,79.136.43.29,79.136.70.125,79.136.70.93,79.137.106.154,79.137.112.4,79.137.112.5] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 498"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522994; rev:3093;)
alert ip [79.137.116.43,79.137.33.131,79.137.33.24,79.137.35.149,79.137.39.39,79.137.70.81,79.140.41.117,79.140.41.118,79.140.41.13,79.143.178.135] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 499"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522996; rev:3093;)
alert ip [79.143.183.44,79.143.186.17,79.143.191.22,79.161.248.2,79.172.18.18,79.172.193.32,79.172.204.36,79.172.28.205,79.194.172.217,79.194.87.56] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 500"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522998; rev:3093;)
alert ip [79.194.94.47,79.195.91.6,79.196.254.35,79.205.62.110,79.208.139.197,79.210.105.152,79.211.250.142,79.215.237.119,79.217.46.88,79.217.94.117] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 501"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523000; rev:3093;)
alert ip [79.218.71.143,79.219.217.191,79.225.88.54,79.226.48.28,79.227.188.114,79.231.218.192,79.232.209.58,79.232.88.62,79.233.223.52,79.234.191.179] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 502"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523002; rev:3093;)
alert ip [79.237.12.160,79.240.236.253,79.243.104.218,79.247.169.250,79.250.140.151,79.251.253.10,79.252.118.111,79.252.207.114,79.253.74.57,79.30.186.6] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 503"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523004; rev:3093;)
alert ip [79.98.104.68,79.98.105.18,79.98.108.57,79.98.220.119,80.100.206.150,80.100.250.244,80.100.44.12,80.108.195.250,80.109.112.130,80.109.127.173] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 504"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523006; rev:3093;)
alert ip [80.119.137.65,80.127.107.154,80.127.107.179,80.127.117.180,80.127.118.93,80.127.137.14,80.127.137.19,80.127.151.162,80.127.152.4,80.128.158.85] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 505"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523008; rev:3093;)
alert ip [80.12.94.184,80.130.35.112,80.131.139.4,80.131.250.156,80.132.187.84,80.135.188.23,80.137.64.222,80.140.45.226,80.143.170.167,80.144.48.145] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 506"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523010; rev:3093;)
alert ip [80.147.33.157,80.169.241.76,80.186.207.144,80.195.23.109,80.203.137.23,80.209.253.48,80.218.186.191,80.218.245.212,80.218.37.232,80.219.119.133] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 507"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523012; rev:3093;)
alert ip [80.219.136.45,80.220.89.55,80.223.174.207,80.229.140.239,80.229.152.228,80.232.242.31,80.233.134.147,80.233.134.149,80.237.231.134,80.238.105.146] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 508"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523014; rev:3093;)
alert ip [80.240.216.253,80.241.213.87,80.241.220.57,80.241.222.169,80.243.104.182,80.244.241.254,80.244.243.158,80.248.208.131,80.252.24.116,80.255.0.180] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 509"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523016; rev:3093;)
alert ip [80.255.6.11,80.255.6.92,80.56.77.242,80.60.245.234,80.64.65.25,80.66.135.123,80.68.92.249,80.71.133.119,80.73.242.142,80.7.54.187] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 510"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523018; rev:3093;)
alert ip [80.81.12.29,80.81.17.31,80.81.243.27,80.85.84.222,80.85.84.72,80.90.250.69,80.99.48.193,81.0.226.3,81.102.219.11,81.103.36.9] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 511"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523020; rev:3093;)
alert ip [81.105.101.129,81.108.197.189,81.132.255.225,81.141.6.226,81.143.236.158,81.165.85.244,81.166.86.51,81.169.130.214,81.169.136.206,81.169.138.51] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 512"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523022; rev:3093;)
alert ip [81.169.141.222,81.169.152.100,81.169.166.74,81.169.175.164,81.169.211.90,81.169.222.158,81.169.243.74,81.169.246.204,81.169.248.93,81.170.148.194] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 513"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523024; rev:3093;)
alert ip [81.170.217.242,81.171.19.175,81.17.16.43,81.17.17.130,81.17.17.131,81.17.30.33,81.17.30.44,81.17.30.48,81.174.151.215,81.174.156.228] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 514"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523026; rev:3093;)
alert ip [81.174.231.18,81.177.22.73,81.182.31.72,81.189.17.180,81.19.3.71,81.193.75.91,81.197.116.202,81.200.59.162,81.218.109.195,81.218.138.3] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 515"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523028; rev:3093;)
alert ip [81.218.91.154,81.2.197.33,81.2.209.10,81.221.144.163,81.22.255.146,81.2.237.218,81.225.209.79,81.2.254.143,81.227.128.7,81.228.192.157] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 516"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523030; rev:3093;)
alert ip [81.228.199.75,81.230.166.145,81.233.10.199,81.236.177.247,81.241.121.149,81.245.124.251,81.249.244.44,81.25.54.131,81.30.158.213,81.30.158.81] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 517"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523032; rev:3093;)
alert ip [81.35.215.194,81.4.109.47,81.4.121.48,81.43.149.140,81.56.192.231,81.56.96.154,81.57.208.135,81.67.45.173,81.7.10.193,81.7.10.203] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 518"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523034; rev:3093;)
alert ip [81.7.10.29,81.7.10.93,81.7.11.142,81.7.11.154,81.7.11.186,81.7.11.22,81.7.11.253,81.7.11.33,81.7.11.38,81.7.11.70] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 519"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523036; rev:3093;)
alert ip [81.7.11.96,81.7.13.248,81.7.13.84,81.7.14.253,81.7.14.31,81.7.16.139,81.7.16.177,81.7.16.18,81.7.16.182,81.7.16.59] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 520"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523038; rev:3093;)
alert ip [81.7.18.84,81.7.19.110,81.7.3.67,81.82.204.148,81.89.63.150,81.95.13.55,81.95.52.68,81.97.143.247,82.102.142.210,82.103.140.87] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 521"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523040; rev:3093;)
alert ip [82.116.120.3,82.118.17.122,82.118.17.137,82.118.17.235,82.118.242.124,82.118.242.126,82.118.242.128,82.118.242.147,82.118.242.173,82.119.233.36] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 522"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523042; rev:3093;)
alert ip [82.130.11.148,82.131.107.121,82.131.107.240,82.135.88.37,82.141.39.114,82.146.47.17,82.161.182.20,82.161.210.87,82.161.212.209,82.161.214.117] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 523"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523044; rev:3093;)
alert ip [82.161.50.30,82.165.142.79,82.165.148.163,82.169.80.71,82.181.116.199,82.181.238.144,82.192.250.215,82.192.80.194,82.194.170.30,82.196.11.10] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 524"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523046; rev:3093;)
alert ip [82.196.14.142,82.196.3.85,82.196.6.199,82.196.7.26,82.196.96.127,82.199.155.89,82.202.193.92,82.202.193.94,82.209.179.225,82.209.68.18] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 525"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523048; rev:3093;)
alert ip [82.211.0.180,82.211.0.185,82.211.31.247,82.211.34.97,82.211.60.207,82.211.61.199,82.21.211.29,82.212.221.34,82.213.211.186,82.217.214.215] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 526"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523050; rev:3093;)
alert ip [82.217.245.7,82.219.9.89,82.221.100.29,82.221.104.108,82.221.105.198,82.221.111.151,82.221.111.187,82.221.128.20,82.221.131.59,82.221.131.9] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 527"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523052; rev:3093;)
alert ip [82.221.139.190,82.223.21.74,82.223.36.196,82.226.140.119,82.227.48.17,82.228.252.20,82.229.138.31,82.229.182.19,82.229.26.235,82.243.133.180] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 528"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523054; rev:3093;)
alert ip [82.247.103.117,82.247.250.162,82.251.17.70,82.251.33.136,82.27.118.130,82.27.255.3,82.28.190.60,82.38.188.37,82.39.122.197,82.41.10.135] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 529"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523056; rev:3093;)
alert ip [82.44.203.124,82.44.211.228,82.50.191.96,82.5.42.105,82.64.7.146,82.64.9.116,82.66.140.131,8.26.94.18,82.69.76.35,82.71.246.79] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 530"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523058; rev:3093;)
alert ip [82.71.25.129,82.71.7.191,82.80.33.99,82.80.54.64,82.94.132.34,82.94.204.170,82.94.226.146,82.94.251.227,82.95.100.241,82.95.107.51] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 531"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523060; rev:3093;)
alert ip [82.95.66.203,83.128.173.61,83.134.110.38,83.134.30.70,83.135.106.5,83.135.108.192,83.135.65.74,83.135.66.172,83.143.245.86,83.144.105.58] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 532"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523062; rev:3093;)
alert ip [83.145.241.231,83.146.231.159,83.149.125.193,83.149.126.139,83.149.20.38,83.149.70.130,83.150.29.178,83.150.59.185,83.150.82.122,83.157.96.230] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 533"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523064; rev:3093;)
alert ip [83.160.139.183,83.161.249.125,83.162.178.67,83.162.188.100,83.162.199.60,83.162.202.182,83.162.47.26,83.163.201.168,83.163.77.195,83.171.176.227] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 534"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523066; rev:3093;)
alert ip [83.173.198.226,83.175.100.130,83.194.3.100,83.202.164.197,83.212.100.100,83.212.101.60,83.212.102.114,83.212.102.18,83.212.104.124,83.212.105.144] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 535"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523068; rev:3093;)
alert ip [83.212.168.186,83.212.96.120,83.212.96.170,83.212.96.206,83.220.174.128,83.222.144.185,83.226.202.54,83.227.113.24,83.227.84.31,83.227.85.29] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 536"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523070; rev:3093;)
alert ip [83.228.93.76,83.233.213.202,83.233.76.111,83.234.1.41,83.240.14.219,83.248.84.123,83.249.111.190,83.250.10.13,83.251.198.255,83.252.97.5] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 537"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523072; rev:3093;)
alert ip [83.253.136.88,83.254.19.5,83.254.93.78,83.33.79.205,83.37.107.244,83.37.125.244,83.40.159.127,83.55.10.34,83.60.126.121,8.37.14.220] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 538"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523074; rev:3093;)
alert ip [83.76.91.146,83.85.252.55,83.86.120.4,83.87.163.195,83.97.85.145,84.10.12.74,84.106.234.152,84.107.116.107,84.112.147.73,84.112.41.36] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 539"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523076; rev:3093;)
alert ip [84.114.3.54,84.114.57.193,84.115.197.133,84.115.25.42,84.118.164.156,84.128.105.189,84.130.124.138,84.132.221.14,84.133.3.94,84.133.79.167] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 540"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523078; rev:3093;)
alert ip [84.142.199.143,84.147.44.33,84.154.219.13,84.156.27.127,84.157.130.216,84.157.50.116,84.158.221.123,84.159.89.43,84.160.71.137,84.16.241.89] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 541"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523080; rev:3093;)
alert ip [84.164.218.243,84.168.200.152,84.170.120.107,84.17.21.50,84.173.201.133,84.176.97.168,84.179.218.191,84.180.110.191,84.180.215.81,84.182.191.130] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 542"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523082; rev:3093;)
alert ip [84.182.57.238,84.187.131.93,84.190.34.220,84.191.36.51,84.19.178.155,84.19.178.79,84.19.179.106,84.19.179.229,84.195.229.182,84.198.103.245] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 543"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523084; rev:3093;)
alert ip [84.200.106.6,84.200.206.99,84.200.77.243,84.200.8.207,84.200.8.33,84.208.170.253,84.209.131.13,84.211.49.30,84.216.252.200,84.219.130.131] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 544"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523086; rev:3093;)
alert ip [84.226.125.7,84.2.34.74,84.236.38.14,84.240.60.234,84.241.65.20,84.244.31.52,84.245.15.253,84.245.25.64,84.245.27.209,84.245.30.154] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 545"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523088; rev:3093;)
alert ip [84.248.100.7,84.248.120.6,84.248.223.126,84.249.11.195,84.250.184.214,84.250.227.192,84.250.229.213,84.250.39.220,8.42.76.105,84.27.95.53] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 546"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523090; rev:3093;)
alert ip [84.31.70.198,84.38.134.12,84.38.68.90,84.40.112.70,84.44.179.22,84.44.199.57,84.45.76.10,84.45.76.11,84.45.76.12,84.45.76.13] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 547"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523092; rev:3093;)
alert ip [84.46.45.105,84.46.47.170,84.47.78.125,84.50.177.101,84.52.225.99,84.53.247.169,84.55.82.94,84.57.132.42,84.63.193.31,84.63.245.135] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 548"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523094; rev:3093;)
alert ip [84.73.20.157,84.73.220.65,84.74.101.248,84.74.253.127,84.74.80.210,84.75.179.223,84.75.94.209,84.80.80.69,84.81.140.11,84.92.97.97] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 549"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523096; rev:3093;)
alert ip [84.9.49.106,85.10.113.36,85.10.196.12,85.10.198.236,85.10.201.47,85.10.203.71,85.10.240.250,85.113.226.98,85.113.39.154,85.114.133.96] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 550"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523098; rev:3093;)
alert ip [85.119.82.151,85.119.83.141,85.1.32.115,85.140.184.38,85.14.244.114,85.14.245.175,85.14.249.247,85.144.52.175,85.152.229.51,85.159.211.55] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 551"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523100; rev:3093;)
alert ip [85.159.237.210,85.164.238.48,85.169.111.217,85.17.112.163,85.17.112.32,85.171.173.161,85.17.164.165,85.17.164.172,85.17.194.180,85.17.214.177] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 552"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523102; rev:3093;)
alert ip [85.176.222.176,85.179.90.198,85.180.41.212,85.180.89.64,85.181.54.110,85.183.102.49,85.184.160.128,85.195.207.92,85.195.215.194,85.195.235.156] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 553"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523104; rev:3093;)
alert ip [85.195.237.134,85.195.237.40,85.195.252.93,85.195.255.205,85.195.82.76,85.197.31.100,85.204.121.218,85.21.144.224,85.21.144.33,85.212.37.127] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 554"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523106; rev:3093;)
alert ip [85.212.60.178,85.212.60.3,85.212.8.191,85.214.101.233,85.214.115.214,85.214.124.168,85.214.128.199,85.214.136.179,85.214.144.127,85.214.144.159] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 555"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523108; rev:3093;)
alert ip [85.214.20.43,85.214.206.219,85.214.212.153,85.214.222.152,85.214.236.207,85.214.44.172,85.214.54.254,85.214.56.180,85.214.58.236,85.214.62.48] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 556"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523110; rev:3093;)
alert ip [85.214.62.94,85.214.69.75,85.214.74.47,85.216.128.76,85.218.19.154,85.218.82.169,85.220.190.246,85.220.42.195,85.222.0.229,85.227.129.23] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 557"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523112; rev:3093;)
alert ip [85.229.228.174,85.229.37.150,85.229.84.141,85.230.184.93,85.230.21.88,85.23.194.151,85.23.194.153,85.235.225.239,85.235.250.88,85.237.43.228] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 558"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523114; rev:3093;)
alert ip [85.24.183.236,85.24.188.22,85.244.122.69,85.246.242.197,85.25.111.77,85.25.13.222,85.25.132.5,85.25.133.34,85.25.150.216,85.25.159.253] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 559"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523116; rev:3093;)
alert ip [85.25.159.65,85.25.210.223,85.25.213.211,85.25.248.108,85.25.44.141,85.255.1.158,85.31.186.253,85.5.164.201,85.52.147.46,85.90.247.41] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 560"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523118; rev:3093;)
alert ip [85.93.16.47,85.93.17.143,85.93.217.20,86.103.181.196,86.103.207.103,86.104.15.15,86.105.212.130,86.105.212.204,86.106.137.6,86.107.110.143] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 561"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523120; rev:3093;)
alert ip [86.107.110.254,86.107.110.34,86.107.110.51,86.107.110.82,86.110.117.166,86.115.45.141,86.123.52.188,86.124.38.162,86.142.149.240,86.143.8.47] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 562"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523122; rev:3093;)
alert ip [86.150.235.216,86.164.122.208,86.171.122.38,86.17.252.138,86.174.156.27,86.179.31.216,86.181.198.165,86.19.102.206,86.194.79.171,86.201.56.209] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 563"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523124; rev:3093;)
alert ip [86.215.161.214,86.23.4.224,86.237.8.54,86.239.246.46,86.248.190.6,86.25.228.206,86.253.207.211,86.29.208.115,86.31.40.147,86.3.172.141] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 564"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523126; rev:3093;)
alert ip [86.56.172.235,86.59.119.83,86.59.119.88,86.59.21.163,86.59.21.38,86.7.140.31,86.73.143.244,86.83.122.203,86.86.173.62,86.87.106.215] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 565"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523128; rev:3093;)
alert ip [86.88.32.199,87.100.131.62,87.102.15.216,87.102.172.100,87.106.140.24,87.106.14.159,87.106.145.238,87.106.208.236,87.106.249.118,87.106.59.12] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 566"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523130; rev:3093;)
alert ip [87.118.110.113,87.118.111.27,87.118.112.136,87.118.112.63,87.118.114.134,87.118.116.227,87.118.122.120,87.118.122.201,87.118.126.206,87.118.126.218] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 567"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523132; rev:3093;)
alert ip [87.118.89.28,87.118.94.2,87.120.254.161,87.120.254.204,87.121.98.208,87.121.98.43,87.122.110.161,87.122.110.190,87.122.96.132,87.123.149.181] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 568"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523134; rev:3093;)
alert ip [87.123.35.186,87.128.103.242,87.128.111.190,87.139.33.217,87.140.70.14,87.140.80.53,87.146.194.183,87.148.147.123,87.149.117.13,87.150.13.228] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 569"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523136; rev:3093;)
alert ip [87.151.25.84,87.15.243.146,87.153.102.225,87.157.177.171,87.157.183.223,87.159.56.141,87.163.50.7,87.169.255.104,87.170.157.10,87.172.1.40] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 570"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523138; rev:3093;)
alert ip [87.17.221.66,87.173.60.125,87.174.237.66,87.176.52.57,87.176.54.116,87.177.140.98,87.177.171.142,87.180.36.240,87.181.87.166,87.182.204.132] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 571"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523140; rev:3093;)
alert ip [87.183.239.19,87.184.200.45,87.185.40.120,87.186.43.179,87.187.212.74,87.187.216.139,87.187.218.184,87.187.36.44,87.193.179.238,87.193.208.14] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 572"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523142; rev:3093;)
alert ip [87.205.153.191,87.206.52.43,87.219.93.174,87.230.25.149,87.231.28.173,87.236.194.23,87.236.215.156,87.236.215.83,87.236.27.155,87.254.66.74] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 573"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523144; rev:3093;)
alert ip [87.52.3.33,87.72.197.113,87.72.239.187,87.72.73.231,87.73.84.77,87.78.98.152,87.79.181.31,87.79.79.94,87.79.95.151,87.88.49.122] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 574"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523146; rev:3093;)
alert ip [87.92.163.24,87.98.180.9,87.98.185.5,87.98.243.150,87.98.245.84,88.109.16.208,88.113.152.171,88.130.97.249,88.130.99.84,88.152.235.180] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 575"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523148; rev:3093;)
alert ip [88.156.10.253,88.156.182.196,88.159.152.177,88.159.164.249,88.159.254.102,88.159.76.202,88.163.244.124,88.165.244.169,88.17.157.204,88.176.12.100] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 576"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523150; rev:3093;)
alert ip [88.180.173.63,88.187.120.90,88.187.233.27,88.188.17.198,88.191.138.57,88.191.212.33,88.193.129.197,88.193.138.181,88.193.200.225,88.198.107.179] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 577"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523152; rev:3093;)
alert ip [88.198.109.149,88.198.110.194,88.198.119.197,88.198.13.116,88.198.148.255,88.198.164.219,88.198.192.156,88.198.19.4,88.198.194.89,88.198.207.222] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 578"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523154; rev:3093;)
alert ip [88.198.44.145,88.198.6.3,88.198.70.137,88.204.112.242,88.208.121.78,88.208.220.123,88.21.232.113,88.217.143.53,88.64.76.6,88.66.247.98] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 579"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523156; rev:3093;)
alert ip [88.66.85.27,88.67.47.98,88.7.230.172,88.73.134.236,88.74.215.91,88.80.214.189,88.86.102.163,88.91.112.31,88.98.252.234,88.99.104.94] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 580"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523158; rev:3093;)
alert ip [88.99.141.248,88.99.14.92,88.99.162.199,88.99.169.186,88.99.170.243,88.99.172.64,88.99.174.144,88.99.186.21,88.99.189.0,88.99.199.87] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 581"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523160; rev:3093;)
alert ip [88.99.21.163,88.99.21.171,88.99.216.194,88.99.217.110,88.99.2.24,88.99.27.131,88.99.31.186,88.99.35.178,88.99.36.32,88.99.70.107] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 582"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523162; rev:3093;)
alert ip [88.99.90.203,88.99.96.224,89.0.158.33,89.0.53.125,89.100.9.6,89.102.142.167,89.107.155.162,89.111.20.68,89.12.177.229,89.1.28.168] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 583"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523164; rev:3093;)
alert ip [89.13.225.51,89.13.237.53,89.133.129.147,89.13.44.164,89.13.67.50,89.14.152.171,89.150.174.50,89.16.176.158,89.162.0.126,89.163.141.115] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 584"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523166; rev:3093;)
alert ip [89.163.141.116,89.163.146.41,89.163.210.163,89.163.210.164,89.163.211.42,89.163.216.165,89.163.219.118,89.163.219.27,89.163.224.187,89.163.224.250] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 585"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523168; rev:3093;)
alert ip [89.163.224.70,89.163.225.115,89.163.225.145,89.163.225.6,89.163.225.7,89.163.242.53,89.163.245.116,89.163.245.181,89.163.245.184,89.163.245.199] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 586"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523170; rev:3093;)
alert ip [89.163.246.127,89.163.246.250,89.163.247.115,89.163.249.200,89.163.249.201,89.166.124.13,89.173.212.31,89.175.27.163,89.176.17.234,89.179.119.165] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 587"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523172; rev:3093;)
alert ip [89.18.172.112,89.18.173.41,89.183.209.51,89.187.143.81,89.188.109.210,89.191.217.1,89.207.129.150,89.217.38.172,89.217.96.72,89.22.100.64] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 588"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523174; rev:3093;)
alert ip [89.221.210.122,89.221.210.151,89.223.27.241,89.22.97.193,89.2.29.89,89.23.229.110,89.234.182.176,89.234.186.18,89.236.144.248,89.238.178.122] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 589"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523176; rev:3093;)
alert ip [89.238.178.123,89.238.178.238,89.238.66.240,89.244.173.134,89.244.205.159,89.245.104.57,89.247.11.173,89.247.199.126,89.247.202.92,89.247.47.22] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 590"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523178; rev:3093;)
alert ip [89.247.61.188,89.247.6.83,89.248.170.227,89.249.65.6,89.33.246.114,89.33.6.24,89.34.237.13,89.34.237.21,89.34.237.230,89.35.134.154] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 591"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523180; rev:3093;)
alert ip [89.35.178.104,89.35.29.19,89.35.29.26,89.35.39.108,89.3.76.94,89.39.67.33,89.40.116.223,89.40.119.43,89.40.125.73,89.40.126.152] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 592"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523182; rev:3093;)
alert ip [89.45.67.137,89.46.100.162,89.46.100.71,89.46.222.254,89.46.70.98,89.67.100.248,89.71.161.30,89.73.57.178,89.82.171.44,89.89.43.96] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 593"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523184; rev:3093;)
alert ip [90.146.141.214,90.155.76.242,90.184.239.156,90.215.206.6,90.224.9.202,90.225.80.159,90.228.240.43,90.230.158.145,90.254.70.1,90.34.208.210] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 594"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523186; rev:3093;)
alert ip [90.3.4.65,90.45.213.132,90.65.63.146,90.79.101.154,90.79.169.1,90.87.129.49,90.90.170.255,90.92.136.122,91.100.103.196,91.105.203.92] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 595"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523188; rev:3093;)
alert ip [91.106.170.116,91.106.172.58,91.106.193.118,91.109.29.241,91.121.109.209,91.121.116.34,91.121.1.20,91.121.147.65,91.121.154.109,91.121.155.33] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 596"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523190; rev:3093;)
alert ip [91.121.158.17,91.121.160.215,91.121.160.6,91.121.166.152,91.121.16.67,91.121.177.171,91.121.183.178,91.121.192.154,91.121.195.169,91.121.205.56] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 597"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523192; rev:3093;)
alert ip [91.121.218.189,91.121.224.10,91.121.230.208,91.121.230.212,91.121.230.214,91.121.230.216,91.121.230.218,91.121.23.100,91.121.28.66,91.121.67.146] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 598"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523194; rev:3093;)
alert ip [91.121.73.223,91.121.76.175,91.121.78.119,91.121.79.188,91.121.82.25,91.121.83.108,91.121.84.137,91.121.85.130,91.121.89.201,91.121.98.58] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 599"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523196; rev:3093;)
alert ip [91.122.100.13,91.122.31.175,91.122.46.175,91.122.47.234,91.122.52.237,91.123.24.138,91.124.27.210,91.126.45.228,91.130.33.90,91.134.131.128] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 600"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523198; rev:3093;)
alert ip [91.134.133.88,91.134.135.12,91.134.137.99,91.134.140.21,91.134.180.240,91.134.217.18,91.134.237.118,91.136.164.146,91.138.71.236,91.143.80.220] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 601"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523200; rev:3093;)
alert ip [91.143.91.142,91.143.93.29,91.145.118.93,91.146.122.45,91.155.183.84,91.155.228.254,91.16.120.166,91.16.12.249,91.16.71.63,91.176.189.201] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 602"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523202; rev:3093;)
alert ip [91.176.51.65,91.17.82.134,91.18.230.84,91.186.57.78,91.18.81.173,91.188.125.128,91.190.234.66,91.19.232.150,91.194.90.103,91.198.212.250] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 603"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523204; rev:3093;)
alert ip [91.200.13.76,91.200.162.25,91.200.162.9,91.203.138.58,91.203.146.126,91.203.147.165,91.203.5.146,91.203.5.165,91.205.173.82,91.205.89.126] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 604"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523206; rev:3093;)
alert ip [91.210.104.91,91.210.106.134,91.211.107.172,91.211.247.112,91.211.247.71,91.213.233.107,91.213.233.138,91.213.233.194,91.213.233.60,91.213.8.101] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 605"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523208; rev:3093;)
alert ip [91.213.8.89,91.214.169.69,91.218.112.34,91.2.18.68,91.219.236.250,91.219.237.117,91.219.237.154,91.219.237.19,91.219.238.112,91.219.238.221] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 606"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523210; rev:3093;)
alert ip [91.219.238.224,91.219.239.121,91.219.239.92,91.219.28.211,91.219.28.85,91.219.28.99,91.219.29.157,91.219.29.188,91.219.29.238,91.220.145.100] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 607"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523212; rev:3093;)
alert ip [91.220.220.5,91.221.119.33,91.221.66.21,91.221.66.220,91.224.149.33,91.224.156.117,91.22.57.79,91.226.212.67,91.228.52.186,91.228.53.86] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 608"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523214; rev:3093;)
alert ip [91.229.20.27,91.229.76.124,91.231.86.101,91.231.86.204,91.233.106.237,91.233.116.119,91.233.116.51,91.233.133.244,91.236.116.36,91.236.116.7] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 609"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523216; rev:3093;)
alert ip [91.236.116.8,91.236.116.87,91.236.116.88,91.236.239.135,91.236.239.140,91.236.251.42,91.236.251.72,91.237.244.62,91.237.247.62,91.237.52.170] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 610"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523218; rev:3093;)
alert ip [91.237.88.108,91.239.232.81,91.240.229.195,91.247.251.26,91.248.53.93,91.250.100.7,91.250.84.156,91.34.243.67,91.37.97.140,91.39.101.21] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 611"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523220; rev:3093;)
alert ip [91.40.39.184,91.45.230.139,91.46.61.152,91.49.132.129,91.49.140.172,91.49.45.62,91.49.51.27,91.50.170.219,91.50.246.218,91.51.107.69] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 612"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523222; rev:3093;)
alert ip [91.51.134.4,91.54.179.239,91.54.201.162,91.62.254.228,91.63.50.152,91.64.27.10,91.64.51.214,91.65.105.24,91.65.134.181,91.65.191.101] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 613"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523224; rev:3093;)
alert ip [91.65.61.217,91.66.76.145,91.69.192.38,91.7.58.246,91.77.252.217,91.79.27.85,91.8.214.141,91.90.166.69,91.9.202.182,91.92.115.202] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 614"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523226; rev:3093;)
alert ip [91.9.216.25,91.96.2.188,91.97.3.133,92.104.238.109,92.111.4.177,92.151.189.187,92.167.38.82,92.169.22.209,92.169.48.59,92.177.28.114] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 615"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523228; rev:3093;)
alert ip [92.191.127.225,92.191.202.80,92.194.213.142,92.200.11.177,92.201.106.193,92.201.58.171,92.204.82.227,92.206.26.29,92.211.43.219,92.220.233.230] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 616"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523230; rev:3093;)
alert ip [92.220.40.210,92.222.115.28,92.222.162.54,92.222.180.10,92.222.181.104,92.222.181.123,92.222.207.227,92.222.22.113,92.222.22.37,92.222.22.91] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 617"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523232; rev:3093;)
alert ip [92.222.24.63,92.222.26.216,92.222.39.183,92.222.39.196,92.222.4.102,92.222.69.173,92.222.74.203,92.222.9.53,92.223.105.32,92.223.72.168] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 618"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523234; rev:3093;)
alert ip [92.226.164.131,92.243.0.179,92.243.30.208,92.243.69.105,92.247.51.169,92.249.143.119,92.255.176.138,92.255.207.89,92.27.7.209,92.39.246.45] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 619"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523236; rev:3093;)
alert ip [92.43.29.220,92.5.217.154,92.52.32.77,92.55.0.224,92.62.46.190,92.63.174.36,92.63.174.71,92.75.240.25,92.77.131.143,92.90.196.61] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 620"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523238; rev:3093;)
alert ip [93.100.231.62,93.100.237.212,93.104.208.119,93.104.209.158,93.104.209.61,93.104.213.65,93.104.83.158,93.115.241.194,93.115.241.2,93.115.241.50] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 621"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523240; rev:3093;)
alert ip [93.115.29.86,93.115.82.180,93.115.84.143,93.115.91.66,93.115.95.38,93.115.96.15,93.115.97.242,93.123.90.13,93.137.196.134,93.144.157.11] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 622"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523242; rev:3093;)
alert ip [93.144.207.182,93.152.159.223,93.157.51.22,93.158.216.142,93.170.77.90,93.180.136.43,93.180.154.94,93.180.156.84,93.180.157.154,93.181.102.130] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 623"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523244; rev:3093;)
alert ip [93.184.24.182,93.186.200.68,93.188.161.109,93.188.161.36,93.190.141.115,93.195.42.20,93.198.166.25,93.198.177.109,93.198.177.91,93.200.157.179] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 624"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523246; rev:3093;)
alert ip [93.202.182.34,93.202.247.222,93.203.122.229,93.204.19.216,93.205.162.51,93.205.164.158,93.205.168.70,93.206.105.74,93.211.208.22,93.212.72.106] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 625"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523248; rev:3093;)
alert ip [93.215.24.154,93.215.33.5,93.218.105.12,93.218.57.71,93.21.95.172,93.219.95.188,93.220.11.110,93.220.2.212,93.220.76.73,93.225.115.240] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 626"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523250; rev:3093;)
alert ip [93.225.189.24,93.226.250.177,93.227.133.182,93.227.45.40,93.228.169.102,93.228.170.48,93.230.171.235,93.230.27.178,93.231.225.100,93.231.227.11] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 627"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523252; rev:3093;)
alert ip [93.233.108.105,93.237.129.27,93.237.143.17,93.237.145.128,93.238.176.157,93.239.20.192,93.244.1.171,93.244.226.172,93.29.252.27,93.55.225.152] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 628"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523254; rev:3093;)
alert ip [93.58.11.24,93.72.198.81,93.72.89.51,93.73.103.6,93.76.246.35,93.80.95.169,93.89.101.27,93.91.157.42,93.92.203.113,93.92.205.248] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 629"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523256; rev:3093;)
alert ip [93.95.100.138,93.95.100.166,93.95.100.202,93.95.227.245,93.95.228.49,94.100.21.162,94.100.23.18,94.100.23.26,94.100.31.194,94.100.6.23] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 630"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523258; rev:3093;)
alert ip [94.100.6.27,94.112.217.77,94.126.170.165,94.130.10.251,94.130.21.85,94.130.31.206,94.130.32.101,94.130.34.199,94.130.52.205,94.130.58.99] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 631"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523260; rev:3093;)
alert ip [94.130.68.230,94.130.69.171,94.130.79.44,94.132.132.205,94.134.172.71,94.140.120.130,94.140.120.44,94.142.241.138,94.142.245.206,94.14.38.250] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 632"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523262; rev:3093;)
alert ip [94.155.122.185,94.155.49.47,94.156.128.10,94.156.175.120,94.156.175.157,94.156.175.174,94.16.137.7,94.16.173.106,94.176.139.186,94.177.228.80] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 633"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523264; rev:3093;)
alert ip [94.177.246.37,94.180.103.5,94.180.91.6,94.181.44.45,94.181.45.237,94.185.90.86,94.19.12.244,94.19.14.183,94.198.100.18,94.198.100.19] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 634"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523266; rev:3093;)
alert ip [94.198.68.92,94.198.98.21,94.198.98.35,94.198.98.61,94.198.98.71,94.21.108.113,94.212.20.248,94.214.190.171,94.214.240.71,94.222.19.206] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 635"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523268; rev:3093;)
alert ip [94.223.83.204,94.225.100.84,94.226.151.128,94.228.86.11,94.22.93.92,94.230.202.199,94.23.1.164,94.23.13.107,94.23.144.49,94.23.150.210] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 636"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523270; rev:3093;)
alert ip [94.23.153.241,94.23.154.36,94.23.168.235,94.23.173.93,94.23.174.26,94.23.17.58,94.23.18.169,94.23.20.28,94.23.203.74,94.23.204.175] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 637"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523272; rev:3093;)
alert ip [94.23.207.40,94.23.212.220,94.23.213.46,94.23.247.125,94.23.247.42,94.23.248.158,94.23.252.71,94.23.27.228,94.23.29.204,94.23.7.161] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 638"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523274; rev:3093;)
alert ip [94.23.78.159,94.23.78.34,94.23.89.90,94.23.9.194,94.241.32.11,94.242.209.121,94.242.209.244,94.242.222.129,94.242.222.176,94.242.222.217] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 639"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523276; rev:3093;)
alert ip [94.242.222.62,94.242.222.66,94.242.228.174,94.242.250.118,94.242.254.91,94.242.255.112,94.242.57.112,94.242.57.164,94.242.58.151,94.242.58.2] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 640"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523278; rev:3093;)
alert ip [94.242.58.233,94.242.59.147,94.242.59.47,94.247.43.246,94.248.21.145,94.252.108.192,94.254.19.150,94.254.35.25,94.254.40.64,94.31.53.203] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 641"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523280; rev:3093;)
alert ip [94.60.255.42,94.74.81.113,94.79.137.182,94.79.173.226,95.105.221.15,95.109.122.144,95.111.56.101,95.113.220.3,95.113.254.113,95.129.164.103] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 642"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523282; rev:3093;)
alert ip [95.130.11.15,95.130.11.186,95.130.11.5,95.130.12.119,95.130.12.12,95.130.9.76,95.133.43.144,95.141.32.76,95.141.35.15,95.141.44.61] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 643"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523284; rev:3093;)
alert ip [95.141.44.66,95.141.46.172,95.141.83.146,95.142.160.233,95.143.172.140,95.143.172.188,95.143.172.212,95.143.172.214,95.143.192.12,95.143.192.35] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 644"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523286; rev:3093;)
alert ip [95.143.193.145,95.143.193.19,95.143.193.20,95.146.129.169,95.151.73.17,95.153.31.8,95.153.32.10,95.156.95.8,95.161.4.34,95.165.133.22] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 645"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523288; rev:3093;)
alert ip [95.165.143.112,95.165.166.133,95.169.188.103,95.183.48.40,95.183.50.138,95.183.51.126,95.183.51.160,95.183.52.172,95.183.55.53,95.183.55.64] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 646"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523290; rev:3093;)
alert ip [95.188.94.18,95.211.101.141,95.211.138.51,95.211.138.7,95.211.153.12,95.211.156.164,95.211.160.148,95.211.169.34,95.211.186.80,95.211.205.138] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 647"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523292; rev:3093;)
alert ip [95.211.209.73,95.211.210.72,95.211.211.240,95.211.224.12,95.211.225.167,95.211.7.158,95.211.94.113,95.213.11.175,95.213.149.166,95.213.182.28] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 648"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523294; rev:3093;)
alert ip [95.213.207.165,95.215.44.102,95.215.44.105,95.215.44.167,95.215.44.88,95.215.45.138,95.215.45.142,95.215.45.188,95.215.45.236,95.215.46.123] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 649"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523296; rev:3093;)
alert ip [95.215.46.69,95.215.47.206,95.215.61.4,95.223.83.22,95.23.149.72,95.27.167.103,95.27.196.229,95.28.56.2,95.31.19.171,95.31.24.146] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 650"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523298; rev:3093;)
alert ip [95.31.38.209,95.33.74.90,95.37.235.44,95.42.126.167,95.57.120.117,95.58.170.163,95.71.126.230,95.71.255.254,95.72.8.104,95.79.229.226] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 651"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523300; rev:3093;)
alert ip [95.79.96.7,95.80.44.100,95.80.45.74,95.84.164.34,95.84.209.126,95.85.1.113,95.85.19.162,95.85.20.73,95.85.32.10,95.85.34.137] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 652"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523302; rev:3093;)
alert ip [95.85.37.111,95.85.38.152,95.85.8.226,95.86.193.186,95.88.112.11,95.90.178.205,95.91.100.114,95.91.1.149,95.91.38.156,96.126.105.219] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 653"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523304; rev:3093;)
alert ip [96.126.125.187,96.126.96.9,96.126.96.90,96.18.182.94,96.230.56.58,96.234.163.101,96.239.122.20,96.240.10.123,96.242.253.84,96.248.12.242] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 654"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523306; rev:3093;)
alert ip [96.253.78.108,96.255.206.102,96.35.69.1,96.65.123.249,96.65.68.193,96.68.219.29,96.68.60.77,96.81.131.84,96.92.118.50,96.92.142.205] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 655"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523308; rev:3093;)
alert ip [96.9.242.48,97.107.132.24,97.107.138.68,97.107.139.108,97.107.139.28,97.107.142.234,97.113.14.165,97.86.44.160,97.90.130.111,97.95.35.13] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 656"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523310; rev:3093;)
alert ip [97.99.128.23,98.115.57.155,98.116.98.49,98.193.192.116,98.200.162.245,98.201.49.226,98.206.202.53,98.214.167.61,98.216.134.151,98.217.121.98] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 657"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523312; rev:3093;)
alert ip [98.217.8.51,98.220.250.164,98.233.45.225,98.235.185.167,99.164.139.172,99.225.25.117,99.230.190.118,99.247.229.177,99.248.248.37,99.51.71.220] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 658"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523314; rev:3093;)
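Review bot: every rule in this range is a static snapshot of Tor relay addresses (all at rev:3093), and the msg text itself says these are "(Not Exit)" nodes, so the list goes stale as relays churn while alerting with classtype:misc-attack on inbound traffic from hosts that, per the rule's own label, are not where Tor client traffic exits. Suggest not committing the generated list as a fixed file; fetch it from the reference URL given in each rule (doc.emergingthreats.net/bin/view/Main/TorRules) at build or deploy time, or at minimum document next to the file how and when it is refreshed. Also worth noting that each rule does `flowbits:set,ET.TorIP` but nothing in this file tests that bit, so the flowbit is only useful if another loaded ruleset checks it.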

View file

@ -0,0 +1,86 @@
#
# $Id: emerging-compromised.rules
# Rules to block known hostile or compromised hosts. These lists are updated daily or better from many sources
#
#Sources include:
#
# Daniel Gerzo's BruteForceBlocker
# http://danger.rulez.sk/projects/bruteforceblocker/
#
# The OpenBL
# http://www.openbl.org/ (formerly sshbl.org)
#
# And the Emerging Threats Sandnet and SidReporter Projects
#
# More information available at www.emergingthreats.net
#
# Please submit any feedback or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
# VERSION 4467
# Generated 2017-09-22 00:30:02 EDT
alert ip [101.132.70.58,101.226.164.254,101.230.200.173,101.231.117.54,101.236.51.134,101.251.201.246,101.64.237.31,101.79.44.115,103.17.51.78,103.207.36.217,103.207.36.220,103.207.36.225,103.207.36.226,103.207.36.246,103.207.36.251,103.207.36.84,103.207.37.200,103.207.38.144,103.207.38.178,103.207.38.202,103.207.38.86,103.207.39.125,103.207.39.203,103.210.239.167,103.212.222.16,103.212.223.150,103.212.223.42,103.217.152.20,103.228.152.141,103.237.56.230] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 1"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500000; rev:4467;)
alert ip [103.27.239.143,103.28.38.74,103.45.5.85,103.53.77.118,103.69.219.46,103.71.255.27,103.73.86.76,103.79.142.18,103.89.88.138,103.89.88.147,103.89.88.168,103.89.88.64,103.89.88.86,103.89.88.95,103.89.88.98,103.89.90.28,103.90.226.162,103.9.156.251,104.130.138.184,104.131.40.115,104.131.41.77,104.131.73.27,104.154.89.43,104.168.235.233,104.192.3.34,104.192.3.46,104.193.10.228,104.198.193.205,104.203.45.174,104.211.183.174] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 2"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500002; rev:4467;)
alert ip [104.218.140.228,104.223.123.98,104.238.95.233,104.244.77.64,104.244.78.156,104.37.214.97,104.42.197.23,105.209.67.118,105.225.167.218,106.112.59.106,106.172.82.195,106.247.22.57,106.254.62.123,106.38.252.50,106.39.70.232,106.39.93.84,106.51.1.164,106.51.44.4,106.57.168.64,106.75.134.62,106.75.143.3,106.75.48.185,106.75.71.224,107.132.53.129,107.167.184.140,107.175.145.42,108.14.52.60,108.162.151.203,108.172.246.196,108.172.71.183] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 3"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500004; rev:4467;)
alert ip [108.173.38.92,108.180.129.213,108.208.120.134,108.48.123.223,108.58.41.139,108.61.166.208,109.110.63.131,109.171.3.184,109.195.1.224,109.204.44.230,109.205.136.10,109.206.50.173,109.230.0.69,109.30.27.127,109.98.100.108,110.200.221.235,110.20.113.244,110.228.34.174,110.45.165.12,110.45.244.113,110.8.188.38,111.119.197.73,111.122.211.147,111.125.89.10,111.127.116.215,111.194.196.27,111.204.175.228,111.205.121.92,111.206.115.107,111.231.194.103] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 4"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500006; rev:4467;)
alert ip [111.26.139.65,111.26.182.3,111.39.46.47,111.89.5.185,112.101.172.18,112.148.101.13,112.161.232.55,112.4.81.93,112.5.140.230,112.64.33.92,112.81.182.17,112.82.237.169,113.105.152.226,113.116.60.141,113.122.140.67,113.124.141.122,113.124.141.48,113.141.70.163,113.178.66.10,113.179.135.18,113.195.226.160,113.200.203.102,113.201.169.192,113.247.233.90,113.252.218.53,113.252.222.216,113.57.160.51,113.77.11.29,114.112.65.226,114.113.101.107] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 5"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500008; rev:4467;)
alert ip [114.207.102.52,114.34.101.101,115.159.152.47,115.195.208.191,115.209.180.49,115.213.144.133,115.231.8.12,115.231.94.238,115.236.47.25,115.236.47.27,115.249.75.29,115.25.138.222,115.68.3.153,116.101.123.47,116.101.17.10,116.107.220.24,116.107.221.141,116.107.223.107,116.15.8.12,116.196.108.252,116.196.84.88,116.231.57.98,116.246.11.101,1.164.9.109,116.62.155.36,117.107.159.144,117.146.60.13,117.18.105.172,117.2.123.42,117.48.194.129] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 6"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500010; rev:4467;)
alert ip [117.79.147.217,118.140.111.22,118.144.138.200,118.144.138.203,118.151.209.235,118.165.126.206,118.179.220.203,118.180.18.102,118.186.21.234,118.186.36.50,118.221.123.174,118.221.201.81,118.244.238.14,118.244.238.18,118.244.238.19,118.244.238.4,118.26.170.129,118.32.27.85,118.34.18.148,118.89.239.137,119.14.160.126,119.146.201.177,119.192.239.231,119.195.208.150,119.197.4.164,119.236.181.148,119.254.153.43,119.44.217.220,119.52.229.151,120.132.113.76] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 7"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500012; rev:4467;)
alert ip [120.132.113.82,120.132.113.84,120.132.113.85,120.132.14.35,120.132.30.150,1.202.166.74,120.234.5.228,120.237.101.134,120.52.118.33,120.52.56.152,120.77.204.253,120.83.5.28,120.89.29.132,1.209.148.74,120.92.74.178,120.92.85.3,121.12.120.171,121.129.186.183,121.159.89.132,121.160.21.13,121.177.23.189,121.194.2.248,121.201.18.228,121.35.209.94,121.46.31.50,121.56.147.48,121.78.87.138,121.8.107.234,121.96.57.204,122.114.213.144] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 8"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500014; rev:4467;)
alert ip [122.117.90.221,122.146.46.145,122.207.17.20,122.224.144.131,122.228.196.166,122.228.249.84,122.243.182.219,122.46.210.188,122.72.22.132,123.122.123.172,123.132.243.89,123.134.87.51,123.150.101.229,123.150.108.238,123.16.84.49,123.169.170.158,123.169.192.151,123.169.192.77,123.169.200.247,123.171.114.246,123.184.35.48,123.196.120.135,123.207.236.127,123.207.242.81,123.247.9.244,123.249.20.27,123.249.20.31,1.234.4.14,123.96.186.129,123.96.49.127] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 9"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500016; rev:4467;)
alert ip [124.117.241.152,1.241.184.143,124.135.31.202,124.205.195.3,124.207.190.60,124.251.36.75,124.42.66.91,124.61.247.61,124.67.81.2,124.90.206.204,125.100.114.3,125.121.111.64,125.123.155.119,125.130.103.130,125.208.29.140,125.212.253.176,125.34.210.238,125.75.207.25,126.25.84.195,128.199.112.13,128.199.62.192,1.28.86.194,129.121.178.56,129.125.75.199,131.255.6.32,132.148.133.186,133.232.74.108,134.19.181.20,13.54.136.89,13.59.109.162] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 10"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500018; rev:4467;)
alert ip [136.144.156.254,137.186.227.52,137.44.3.243,13.75.158.218,13.76.245.100,137.74.6.238,13.81.217.61,138.197.101.38,138.197.103.4,13.84.188.226,138.68.239.21,138.68.5.130,139.159.220.163,139.219.103.115,139.219.190.2,139.219.70.7,139.255.93.122,139.5.71.112,139.59.123.240,139.59.123.37,139.59.18.218,139.99.104.118,140.114.75.64,140.207.213.31,140.207.2.182,140.255.69.150,140.255.99.4,141.105.69.248,14.163.184.137,14.166.71.61] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 11"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500020; rev:4467;)
alert ip [14.169.1.86,14.177.68.22,14.198.124.91,14.204.87.108,14.228.254.184,14.235.138.51,14.29.118.197,14.34.27.163,144.0.242.178,144.217.128.26,144.217.146.49,144.48.168.8,145.249.106.104,14.58.109.187,14.58.118.69,146.148.108.195,14.63.165.247,147.135.136.81,147.135.226.50,147.178.194.71,149.56.128.14,149.56.180.126,149.56.223.104,151.84.133.210,152.149.59.147,152.204.2.160,153.127.194.180,153.166.65.77,154.0.165.125,154.0.169.254] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 12"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500022; rev:4467;)
alert ip [155.133.82.12,156.67.106.30,157.7.137.248,159.203.102.134,159.203.104.139,159.203.66.209,159.203.68.222,159.203.90.141,159.203.93.23,159.224.62.130,159.226.162.195,160.202.161.28,160.202.161.30,160.3.126.165,162.223.162.11,162.223.162.62,162.243.170.180,162.253.41.66,162.253.42.106,163.172.118.208,163.172.119.32,163.172.125.238,163.172.135.37,163.172.167.129,163.172.170.212,163.172.174.231,163.172.200.128,163.172.223.87,163.172.48.201,163.172.67.180] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 13"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500024; rev:4467;)
alert ip [164.132.51.91,164.177.113.231,165.227.109.171,165.227.124.196,165.227.124.86,165.227.144.103,166.111.131.71,166.62.40.246,167.114.61.195,167.250.73.80,168.1.128.133,168.235.102.145,168.235.89.230,168.70.82.160,169.50.107.11,169.50.86.185,169.50.86.187,169.50.86.188,169.50.86.190,169.50.86.191,170.250.90.139,171.234.231.115,171.245.13.106,171.25.165.26,173.0.52.106,173.16.233.5,173.166.99.116,173.198.206.107,173.212.222.115,173.214.175.146] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 14"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500026; rev:4467;)
alert ip [173.254.233.195,173.63.215.158,174.100.60.23,174.138.80.41,175.125.93.32,175.126.232.29,175.139.173.1,175.156.152.231,175.207.20.177,175.99.86.177,176.105.180.147,176.126.252.11,176.162.154.1,176.9.156.75,177.11.50.67,177.155.104.44,177.182.109.43,177.201.127.209,177.240.165.184,177.55.160.207,177.55.98.244,177.67.82.109,177.99.236.237,178.124.171.187,178.159.36.6,178.159.37.11,178.170.172.85,178.17.173.74,178.238.239.123,178.239.62.109] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 15"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500028; rev:4467;)
alert ip [178.62.34.57,178.62.95.5,178.73.195.109,178.93.174.229,179.159.163.243,179.198.1.41,179.41.195.194,180.101.143.2,180.150.224.2,180.150.224.4,180.153.151.93,180.153.19.139,180.166.22.98,180.168.166.121,180.168.76.230,180.169.129.228,180.175.55.213,180.76.140.154,180.76.150.192,180.76.165.244,181.168.78.160,181.214.205.130,181.214.87.4,181.26.141.193,182.126.102.242,182.163.126.241,182.18.153.206,182.245.29.89,182.253.226.82,182.253.66.2] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 16"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500030; rev:4467;)
alert ip [182.36.201.180,182.38.118.131,182.45.108.45,182.45.43.33,182.45.45.24,18.248.2.85,183.136.188.116,183.152.50.38,183.152.95.93,183.214.148.89,183.239.228.51,183.87.56.75,183.91.0.68,184.149.38.74,185.100.84.108,185.107.94.40,185.140.120.153,185.156.173.106,185.165.29.111,185.165.29.116,185.165.29.122,185.165.29.128,185.165.29.23,185.165.29.50,185.165.29.69,185.165.29.77,185.165.29.78,185.168.242.215,185.200.35.233,185.200.35.3] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 17"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500032; rev:4467;)
alert ip [185.2.82.45,185.48.207.32,185.55.218.100,185.55.218.34,185.55.218.95,185.56.81.2,185.67.3.144,185.74.36.30,185.8.50.36,186.227.226.158,186.227.234.116,186.4.156.124,187.177.120.75,187.18.54.167,187.18.58.193,187.189.153.69,187.22.231.227,187.84.3.188,188.0.67.184,188.120.254.159,188.121.2.243,188.121.26.102,188.152.201.116,188.165.230.6,188.166.175.211,188.166.34.129,188.187.121.39,188.190.59.137,188.243.168.56,189.114.229.185] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 18"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500034; rev:4467;)
alert ip [189.169.197.102,189.224.143.228,189.28.12.34,189.39.120.230,189.55.139.237,190.107.225.54,190.107.81.2,190.110.88.164,190.110.89.82,190.110.90.118,190.110.91.217,190.110.94.208,190.110.94.97,190.116.182.154,190.174.203.127,190.196.156.134,190.197.53.146,190.205.38.222,190.210.244.236,190.215.115.50,190.45.3.201,190.48.135.240,190.85.6.90,190.97.205.89,190.98.207.226,191.101.235.232,191.96.112.105,191.96.112.106,191.96.112.107,191.96.112.111] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 19"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500036; rev:4467;)
alert ip [191.96.112.112,191.96.249.114,191.96.249.145,191.96.249.156,191.96.249.38,191.96.249.82,192.129.162.2,192.241.225.16,192.248.87.22,193.104.205.177,193.111.63.192,193.201.224.208,193.201.224.212,193.201.224.214,193.201.224.216,193.201.224.218,193.201.224.232,193.34.144.30,193.40.7.6,193.93.217.142,194.105.205.42,194.213.34.106,194.2.209.2,194.33.76.162,195.154.255.158,195.154.34.127,195.154.37.186,195.154.55.131,195.171.242.187,195.22.126.177] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 20"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500038; rev:4467;)
alert ip [195.225.224.38,195.62.53.126,196.52.32.17,197.231.221.211,198.12.152.136,198.167.136.101,198.199.112.44,198.199.113.122,198.211.121.75,198.24.186.34,198.255.146.211,198.98.50.113,198.98.51.117,198.98.57.188,198.98.57.32,198.98.59.151,198.98.60.112,198.98.60.239,198.98.60.72,198.98.61.180,198.98.61.33,199.168.100.164,199.195.248.31,199.195.249.132,199.195.250.64,199.27.250.119,199.76.14.51,200.17.252.12,200.56.109.119,200.68.66.165] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 21"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500040; rev:4467;)
alert ip [201.144.84.82,201.178.158.127,201.178.184.127,201.193.197.106,201.232.89.209,201.249.207.212,201.48.226.19,202.107.104.119,202.108.199.14,202.129.207.109,202.131.237.149,202.201.64.102,202.29.153.142,202.55.93.98,202.73.50.214,202.80.184.2,202.85.222.225,203.126.140.172,203.128.73.185,203.174.85.138,203.195.160.105,203.215.172.170,203.254.127.19,203.80.94.137,203.86.69.132,204.152.209.14,204.188.251.130,205.185.113.181,207.138.132.44,207.195.19.153] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 22"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500042; rev:4467;)
alert ip [207.81.165.45,208.66.77.245,208.98.22.130,209.10.82.200,209.15.218.187,209.188.19.226,209.213.170.114,209.239.114.231,209.239.123.90,209.243.10.198,209.92.176.105,209.92.176.114,210.140.10.72,210.212.210.86,210.245.32.72,210.84.44.200,210.94.133.8,211.110.139.215,211.168.232.5,211.195.14.39,211.215.174.144,211.216.123.97,211.226.176.47,211.249.35.203,211.249.35.205,211.57.201.184,211.64.35.129,212.109.221.169,212.129.13.232,212.129.59.195] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 23"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500044; rev:4467;)
alert ip [212.143.128.139,212.159.139.204,212.237.37.123,212.237.40.247,212.237.40.48,212.237.41.114,212.237.42.218,212.237.42.252,212.237.42.61,212.237.43.138,212.237.43.44,212.237.44.26,212.237.45.105,212.237.45.188,212.237.45.212,212.237.45.84,212.237.46.210,212.47.243.174,212.47.250.7,212.51.189.201,212.83.136.196,212.83.141.81,212.83.147.105,212.85.202.67,213.113.215.115,213.136.81.74,213.136.94.221,213.149.105.28,213.32.69.137,213.74.201.146] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 24"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500046; rev:4467;)
alert ip [213.74.55.250,213.78.109.14,216.168.110.244,216.223.112.22,216.245.209.78,216.98.212.11,217.111.170.195,217.170.205.103,217.23.138.22,217.23.15.165,217.46.196.74,217.57.147.180,217.61.18.106,217.65.2.116,218.103.98.209,218.106.244.93,218.108.206.56,218.148.4.24,218.15.163.100,218.156.193.236,218.2.15.138,218.28.55.134,218.29.188.109,218.32.45.19,218.52.219.225,218.5.76.147,218.63.248.173,218.79.14.243,218.9.118.187,219.116.11.89] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 25"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500048; rev:4467;)
alert ip [219.159.249.219,219.221.10.99,219.239.227.252,219.239.227.253,220.130.148.106,220.149.235.114,220.72.146.117,220.85.152.96,221.135.104.112,221.145.110.21,221.148.106.180,221.163.191.92,221.192.4.18,222.107.38.1,222.161.37.110,222.220.93.11,222.237.36.38,222.38.230.2,222.73.12.22,2.228.167.211,222.84.159.196,222.91.125.174,222.99.52.246,223.112.4.242,223.112.77.186,223.112.87.85,223.166.92.4,223.30.251.140,223.68.134.29,2.24.131.203] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 26"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500050; rev:4467;)
alert ip [23.129.64.12,23.30.57.83,24.119.126.64,24.46.10.22,24.80.229.169,24.87.106.109,2.50.47.6,27.118.21.218,27.16.159.23,27.19.1.251,27.210.14.232,27.219.169.241,27.255.65.189,27.255.79.21,27.255.79.7,27.54.162.253,27.64.38.194,27.73.14.63,27.73.87.164,31.172.247.106,31.172.80.188,31.173.128.149,31.207.47.53,31.37.37.187,35.162.178.210,35.190.149.252,35.193.213.56,35.193.231.245,35.199.187.166,36.67.37.95] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 27"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500052; rev:4467;)
alert ip [36.7.87.34,37.221.242.40,37.49.224.119,37.49.225.93,37.57.17.101,39.108.169.46,40.113.22.5,40.121.158.5,40.121.221.115,40.69.164.199,40.71.206.237,40.71.222.21,40.71.82.183,40.83.253.82,40.83.255.188,40.86.186.117,41.190.93.225,41.210.160.3,41.76.226.88,41.77.222.57,41.78.78.66,42.112.26.24,42.115.138.8,42.159.204.117,42.159.249.108,42.159.250.5,42.55.73.197,42.62.73.85,42.93.81.115,42.94.140.79] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 28"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500054; rev:4467;)
alert ip [45.116.80.242,45.249.247.80,45.251.43.189,45.32.236.123,45.32.39.134,45.32.47.58,45.32.60.87,45.55.186.166,45.55.216.145,45.55.4.137,45.56.30.99,45.63.104.148,45.63.35.50,45.76.104.223,45.76.186.62,45.76.198.131,45.76.216.217,45.76.218.238,45.76.220.58,45.76.221.116,45.76.223.152,45.76.53.82,45.79.200.100,46.101.9.80,46.148.20.25,46.164.186.33,46.165.223.217,46.166.185.14,46.17.44.94,46.183.217.165] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 29"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500056; rev:4467;)
alert ip [46.18.3.47,46.188.19.235,46.39.222.2,46.41.134.10,46.4.71.142,46.6.48.15,47.154.229.1,47.22.51.154,47.90.201.99,47.90.202.171,47.90.204.225,47.92.158.26,47.93.223.84,49.116.146.210,49.176.210.112,49.177.224.46,49.207.182.120,49.236.203.74,49.248.152.178,49.51.37.225,50.115.166.21,50.115.166.22,50.116.55.19,50.117.38.106,50.117.86.160,50.118.255.159,50.19.160.96,50.226.124.68,50.247.173.145,50.248.163.25] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 30"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500058; rev:4467;)
alert ip [50.62.56.171,5.101.40.37,5.101.40.38,5.101.40.62,5.102.224.212,51.15.141.220,51.15.39.26,51.15.64.212,51.254.101.200,51.254.34.30,51.255.202.66,5.135.21.155,5.135.212.153,5.188.10.156,5.188.10.175,5.188.10.176,5.188.10.178,5.188.10.179,5.188.10.180,5.188.10.182,5.189.153.129,52.124.71.138,52.144.39.97,52.165.220.242,52.166.112.31,52.168.179.155,52.168.180.139,52.187.131.166,5.226.174.124,5.249.146.145] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 31"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500060; rev:4467;)
alert ip [52.64.87.237,52.88.81.95,5.39.217.25,54.245.26.231,5.79.105.11,5.8.18.184,5.8.18.190,58.187.120.180,58.218.213.65,58.221.249.102,58.227.192.158,58.241.120.6,58.242.74.231,58.246.118.252,58.249.54.22,58.30.96.130,58.30.96.133,58.30.96.143,58.46.245.50,58.62.144.229,59.12.201.230,59.13.69.5,59.15.95.50,59.16.74.234,59.175.153.94,59.19.177.128,59.27.218.55,59.49.46.60,59.56.69.126,60.12.229.225] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 32"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500062; rev:4467;)
alert ip [60.124.22.115,60.13.74.216,60.176.158.242,60.206.137.145,60.208.139.180,60.222.116.99,61.147.68.166,61.161.143.179,61.164.46.188,61.176.218.19,61.197.164.161,61.216.155.200,61.216.38.102,61.219.149.59,61.240.159.244,61.8.249.89,62.152.32.179,62.164.145.253,62.210.130.150,62.210.15.114,62.210.169.48,62.210.97.105,62.219.209.70,62.64.154.18,62.76.177.98,62.76.185.15,62.76.187.122,62.76.191.87,62.76.42.249,62.76.42.62] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 33"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500064; rev:4467;)
alert ip [62.76.42.99,62.76.44.35,63.135.10.242,64.113.32.29,64.137.192.185,64.50.176.226,64.59.144.120,64.66.226.188,64.71.135.233,65.130.73.219,66.201.100.124,66.35.51.195,66.35.51.198,66.58.155.50,66.58.199.149,66.76.143.225,66.96.203.242,67.205.138.240,67.205.185.191,69.131.92.126,71.230.124.219,72.34.55.130,72.35.252.25,73.207.67.124,73.223.158.230,73.231.34.71,73.235.81.87,73.32.240.93,74.208.155.102,74.208.45.40] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 34"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500066; rev:4467;)
alert ip [74.52.53.204,76.164.197.48,76.191.17.120,76.74.219.170,76.8.60.134,77.105.1.80,77.123.76.69,77.242.132.150,77.72.82.171,77.72.82.199,77.72.83.249,77.72.85.100,77.81.226.157,78.113.206.194,78.129.10.146,78.138.91.6,78.146.59.79,78.188.21.107,78.195.178.119,78.203.141.125,78.203.248.197,78.211.73.147,78.224.40.128,78.245.236.138,78.43.104.193,78.47.64.211,79.106.161.36,79.137.39.158,79.143.191.24,79.148.105.88] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 35"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500068; rev:4467;)
alert ip [79.46.205.166,80.11.28.58,80.14.151.90,80.211.226.174,80.211.231.211,80.211.232.174,80.216.42.120,80.243.184.26,80.26.255.232,80.77.43.49,80.82.64.203,80.98.98.181,81.137.199.29,81.143.231.26,81.167.233.182,81.169.143.207,81.171.24.61,81.171.58.49,81.171.85.84,81.17.30.208,81.17.31.250,81.57.126.72,81.95.140.244,82.102.216.128,82.127.48.23,82.185.231.221,82.193.124.36,82.202.245.51,82.211.49.197,82.213.2.18] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 36"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500070; rev:4467;)
alert ip [82.228.240.199,82.246.170.196,82.6.131.182,82.98.139.229,83.209.114.167,83.220.169.203,83.246.164.83,84.105.201.12,84.107.154.75,84.200.7.180,84.237.16.110,84.55.161.158,85.195.226.180,85.195.48.166,85.230.149.52,85.247.95.85,85.90.210.87,86.109.170.96,86.164.122.219,86.57.164.109,86.57.168.86,86.88.141.158,87.106.71.197,87.126.129.215,87.85.170.35,88.127.227.155,88.147.17.251,88.212.206.44,88.99.38.116,89.108.109.46] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 37"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500072; rev:4467;)
alert ip [89.108.87.179,89.212.50.176,89.216.97.113,89.225.201.101,89.239.24.62,89.250.84.2,89.251.98.4,89.38.98.6,89.38.98.66,89.87.178.129,90.137.13.61,90.176.140.1,90.84.45.108,91.121.117.6,91.121.14.122,91.134.133.251,91.134.214.132,91.197.232.103,91.197.232.109,92.113.108.27,92.177.78.25,92.220.16.32,92.222.77.85,92.87.236.139,92.87.236.17,92.87.236.189,93.103.212.84,93.170.190.94,93.171.247.91,93.174.89.85] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 38"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500074; rev:4467;)
alert ip [93.174.93.10,93.174.93.71,93.174.94.253,93.190.140.112,93.212.109.60,93.42.185.41,94.102.51.26,94.177.207.42,94.177.217.169,94.177.218.163,94.177.244.134,94.200.147.213,94.231.4.132,94.231.82.19,94.23.210.41,94.23.59.133,94.74.81.29,95.110.224.97,95.169.50.213,95.179.32.4,95.213.202.178,95.215.62.242,95.240.135.79,95.85.25.122,96.22.196.161,96.231.43.95,96.239.59.131,96.33.76.87,98.110.245.232,98.160.239.31] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 39"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500076; rev:4467;)
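Review bot: the COMPROMISED groups in this hunk (sids 2500066 through 2500076, all at rev:4467) are a point-in-time snapshot of a feed that changes daily, so vendoring them as static files means the repo will ship stale indicators that both miss currently hostile hosts and keep alerting on addresses that have since been cleaned up. Record the snapshot revision in the README and pull these list-based rules through a rule manager at deploy time rather than committing them. Also worth a comment: every rule here is `alert ip [...] any -> $HOME_NET any` with `threshold: type limit, track by_src, seconds 60, count 1`, i.e. one alert per source per minute, while the companion DROP and Dshield rules in this commit use a 3600-second window; if the shorter window is intentional, say so, otherwise align them so alert volume is predictable.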

View file

@ -0,0 +1,73 @@
#
# $Id: emerging-drop.rules $
# Emerging Threats Spamhaus DROP List rules.
#
# Rules to block Spamhaus DROP listed networks (www.spamhaus.org)
#
# More information available at www.emergingthreats.net
#
# Please submit any feedback or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
# VERSION 2619
# Generated 2017-09-17 00:05:01 EDT
alert ip [5.134.128.0/19,5.157.0.0/18,14.4.0.0/14,23.226.48.0/20,23.246.128.0/18,23.251.224.0/19,24.51.0.0/19,24.233.0.0/19,27.126.160.0/20,31.11.43.0/24,31.184.238.0/24,31.222.200.0/21,36.0.8.0/21,36.37.48.0/20,36.93.0.0/16,36.116.0.0/16,36.119.0.0/16,36.255.212.0/22,37.18.42.0/24,37.139.49.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 1"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400000; rev:2619;)
alert ip [42.1.56.0/22,42.1.128.0/17,42.52.0.0/14,42.83.80.0/22,42.96.0.0/18,42.123.36.0/22,42.128.0.0/12,42.160.0.0/12,42.194.8.0/22,42.194.12.0/22,42.194.128.0/17,42.208.0.0/12,43.229.52.0/22,43.236.0.0/16,43.250.116.0/22,43.252.80.0/22,43.252.152.0/22,43.252.180.0/22,45.4.128.0/22,45.4.136.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 2"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400001; rev:2619;)
alert ip [46.29.248.0/22,46.29.248.0/21,46.151.48.0/21,46.232.192.0/21,46.243.140.0/24,46.243.142.0/24,46.243.173.0/24,49.8.0.0/14,49.238.64.0/18,59.254.0.0/15,60.233.0.0/16,61.11.224.0/19,61.13.128.0/17,61.14.224.0/22,61.45.251.0/24,66.98.112.0/20,66.231.64.0/20,67.213.112.0/20,67.213.136.0/21,67.219.208.0/20] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 3"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400002; rev:2619;)
alert ip [79.110.17.0/24,79.110.18.0/24,79.110.19.0/24,79.110.25.0/24,79.173.104.0/21,83.175.0.0/18,84.238.160.0/22,85.93.5.0/24,85.121.39.0/24,86.55.40.0/23,86.55.42.0/23,91.194.254.0/23,91.200.12.0/22,91.200.248.0/22,91.207.4.0/22,91.209.12.0/24,91.212.104.0/24,91.212.124.0/24,91.213.126.0/24,91.217.10.0/23] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 4"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400003; rev:2619;)
alert ip [91.230.252.0/23,91.234.36.0/24,91.235.2.0/24,91.236.74.0/23,91.238.82.0/24,91.240.165.0/24,93.179.89.0/24,93.179.90.0/24,93.179.91.0/24,95.216.0.0/15,101.192.0.0/14,101.202.0.0/16,101.203.128.0/19,101.248.0.0/15,101.252.0.0/15,103.2.44.0/22,103.16.76.0/24,103.23.8.0/22,103.36.64.0/22,103.57.248.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 5"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400004; rev:2619;)
alert ip [103.197.8.0/22,103.205.84.0/22,103.207.160.0/22,103.210.12.0/22,103.215.80.0/22,103.227.4.0/22,103.228.8.0/22,103.229.36.0/22,103.229.40.0/22,103.230.144.0/22,103.231.84.0/22,103.232.136.0/22,103.232.172.0/22,103.236.32.0/22,103.239.56.0/22,104.36.184.0/22,104.153.96.0/21,104.153.112.0/21,104.153.244.0/22,104.160.224.0/19] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 6"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400005; rev:2619;)
alert ip [104.245.248.0/21,104.255.56.0/21,108.166.224.0/19,110.172.64.0/18,114.118.0.0/17,115.166.136.0/22,116.78.0.0/15,116.119.0.0/17,116.128.0.0/10,116.144.0.0/15,116.146.0.0/15,116.197.156.0/22,116.206.16.0/22,117.58.0.0/17,117.120.64.0/18,119.42.52.0/22,119.58.0.0/16,119.232.0.0/16,120.48.0.0/15,121.46.124.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 7"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400006; rev:2619;)
alert ip [124.70.0.0/15,124.157.0.0/18,124.242.0.0/16,125.31.192.0/18,125.58.0.0/18,125.169.0.0/16,128.13.0.0/16,128.85.0.0/16,128.94.0.0/16,128.168.0.0/16,128.188.0.0/16,130.148.0.0/16,130.196.0.0/16,130.222.0.0/16,131.72.208.0/22,131.108.16.0/22,131.108.232.0/22,131.200.0.0/16,134.18.0.0/16,134.22.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 8"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400007; rev:2619;)
alert ip [134.209.0.0/16,136.230.0.0/16,137.19.0.0/16,137.33.0.0/16,137.55.0.0/16,137.76.0.0/16,137.105.0.0/16,137.171.0.0/16,137.218.0.0/16,138.31.0.0/16,138.36.92.0/22,138.36.136.0/22,138.36.148.0/22,138.43.0.0/16,138.52.0.0/16,138.59.4.0/22,138.59.204.0/22,138.94.120.0/22,138.94.144.0/22,138.94.216.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 9"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400008; rev:2619;)
alert ip [138.216.0.0/16,138.228.0.0/16,138.249.0.0/16,139.45.0.0/16,139.136.0.0/16,139.188.0.0/16,140.143.128.0/17,140.167.0.0/16,141.94.0.0/15,141.101.132.0/24,141.101.201.0/24,141.136.22.0/24,141.136.27.0/24,141.178.0.0/16,141.253.0.0/16,142.4.160.0/19,142.102.0.0/16,143.0.236.0/22,143.49.0.0/16,143.64.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 10"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400009; rev:2619;)
alert ip [147.7.0.0/16,147.16.0.0/14,147.119.0.0/16,148.111.0.0/16,148.148.0.0/16,148.154.0.0/16,148.178.0.0/16,148.185.0.0/16,148.248.0.0/16,149.109.0.0/16,149.114.0.0/16,149.118.0.0/16,149.143.64.0/18,150.10.0.0/16,150.22.128.0/17,150.25.0.0/16,150.40.0.0/16,150.107.106.0/23,150.107.220.0/22,150.121.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 11"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400010; rev:2619;)
alert ip [150.242.36.0/22,150.242.100.0/22,150.242.120.0/22,150.242.144.0/22,151.123.0.0/16,151.192.0.0/16,151.212.0.0/16,151.237.176.0/20,151.237.184.0/22,152.109.0.0/16,152.136.0.0/16,152.147.0.0/16,153.14.0.0/16,153.52.0.0/14,153.93.0.0/16,155.11.0.0/16,155.40.0.0/16,155.66.0.0/16,155.73.0.0/16,155.108.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 12"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400011; rev:2619;)
alert ip [157.195.0.0/16,157.231.0.0/16,157.232.0.0/16,158.54.0.0/16,158.90.0.0/17,158.249.0.0/16,159.65.0.0/16,159.80.0.0/16,159.85.0.0/16,159.111.0.0/16,159.151.0.0/16,159.174.0.0/16,159.219.0.0/16,159.223.0.0/16,159.229.0.0/16,160.14.0.0/16,160.21.0.0/16,160.117.0.0/16,160.180.0.0/16,160.181.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 13"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400012; rev:2619;)
alert ip [161.0.68.0/22,161.66.0.0/16,161.70.0.0/16,161.71.0.0/16,161.189.0.0/16,161.232.0.0/16,162.208.124.0/22,162.212.188.0/22,162.213.128.0/22,162.213.232.0/22,162.219.32.0/21,162.222.148.0/22,162.245.124.0/22,162.254.72.0/21,163.47.19.0/24,163.50.0.0/16,163.53.247.0/24,163.59.0.0/16,163.250.0.0/16,163.254.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 14"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400013; rev:2619;)
alert ip [165.192.0.0/16,165.205.0.0/16,165.209.0.0/16,166.117.0.0/16,167.74.0.0/18,167.87.0.0/16,167.97.0.0/16,167.103.0.0/16,167.158.0.0/16,167.162.0.0/16,167.175.0.0/16,167.224.0.0/19,168.64.0.0/16,168.90.108.0/22,168.129.0.0/16,168.181.52.0/22,170.67.0.0/16,170.113.0.0/16,170.114.0.0/16,170.120.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 15"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400014; rev:2619;)
alert ip [172.96.16.0/22,172.103.40.0/21,172.103.64.0/18,173.228.160.0/19,173.246.160.0/19,175.103.64.0/18,176.61.136.0/22,176.61.136.0/21,176.65.128.0/19,176.97.116.0/22,177.36.16.0/20,177.74.160.0/20,177.91.0.0/22,177.234.136.0/21,178.16.80.0/20,178.216.48.0/21,179.42.64.0/19,180.178.192.0/18,180.236.0.0/14,181.118.32.0/19] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 16"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400015; rev:2619;)
alert ip [185.35.136.0/22,185.46.84.0/22,185.50.250.0/24,185.50.251.0/24,185.64.20.0/22,185.68.156.0/22,185.72.68.0/22,185.93.185.0/24,185.93.187.0/24,185.103.72.0/22,185.106.94.0/24,185.127.24.0/22,185.129.148.0/23,185.132.4.0/22,185.133.20.0/22,185.134.20.0/22,185.135.184.0/22,185.137.219.0/24,185.141.188.0/22,185.146.20.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 17"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400016; rev:2619;)
alert ip [185.149.112.0/22,185.150.84.0/22,185.151.48.0/22,185.151.60.0/22,185.152.36.0/22,185.152.248.0/22,185.154.20.0/22,185.155.52.0/22,185.156.88.0/21,185.156.92.0/22,185.159.36.0/22,185.159.37.0/24,185.159.68.0/22,185.166.216.0/22,185.167.116.0/22,185.171.120.0/22,185.173.44.0/22,185.175.140.0/22,185.180.124.0/22,185.184.192.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 18"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400017; rev:2619;)
alert ip [185.198.212.0/22,185.202.88.0/22,185.204.236.0/22,185.205.68.0/22,185.208.128.0/22,186.1.128.0/19,186.65.112.0/20,186.96.96.0/19,188.72.96.0/24,188.72.126.0/24,188.72.127.0/24,188.172.160.0/19,188.239.128.0/18,188.247.135.0/24,188.247.230.0/24,189.213.128.0/17,190.2.208.0/21,190.9.48.0/21,190.99.80.0/21,190.123.208.0/20] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 19"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400018; rev:2619;)
alert ip [192.40.29.0/24,192.43.153.0/24,192.43.154.0/23,192.43.156.0/22,192.43.160.0/24,192.43.175.0/24,192.43.176.0/21,192.43.184.0/24,192.46.192.0/18,192.54.110.0/24,192.67.16.0/24,192.67.160.0/22,192.86.85.0/24,192.88.74.0/24,192.100.142.0/24,192.101.44.0/24,192.101.181.0/24,192.101.200.0/21,192.101.240.0/21,192.101.248.0/23] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 20"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400019; rev:2619;)
alert ip [192.158.51.0/24,192.160.44.0/24,192.190.49.0/24,192.190.97.0/24,192.195.150.0/24,192.197.87.0/24,192.203.252.0/24,192.206.114.0/24,192.206.183.0/24,192.219.120.0/21,192.219.128.0/18,192.219.192.0/20,192.219.208.0/21,192.225.96.0/20,192.226.16.0/20,192.229.32.0/19,192.231.66.0/24,192.234.189.0/24,192.245.101.0/24,193.9.158.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 21"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400020; rev:2619;)
alert ip [193.177.64.0/18,193.243.0.0/17,194.1.152.0/24,194.29.185.0/24,195.182.57.0/24,195.190.13.0/24,195.191.56.0/23,195.191.102.0/23,195.225.176.0/22,196.1.109.0/24,196.42.128.0/17,196.61.240.0/20,196.63.0.0/16,196.164.0.0/15,196.193.0.0/16,196.196.0.0/16,196.197.0.0/16,196.198.0.0/16,196.199.0.0/16,196.240.0.0/15] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 22"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400021; rev:2619;)
alert ip [198.13.0.0/20,198.14.128.0/19,198.14.160.0/19,198.20.16.0/20,198.44.192.0/20,198.45.32.0/20,198.45.64.0/19,198.56.64.0/18,198.57.64.0/20,198.62.70.0/24,198.62.76.0/24,198.96.224.0/20,198.99.117.0/24,198.102.222.0/24,198.148.212.0/24,198.151.16.0/20,198.151.64.0/18,198.151.152.0/22,198.160.205.0/24,198.169.201.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 23"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400022; rev:2619;)
alert ip [198.179.22.0/24,198.181.64.0/19,198.181.96.0/20,198.183.32.0/19,198.184.193.0/24,198.184.208.0/24,198.186.25.0/24,198.186.208.0/24,198.187.64.0/18,198.187.192.0/24,198.190.173.0/24,198.199.212.0/24,198.202.237.0/24,198.204.0.0/21,198.206.140.0/24,198.212.132.0/24,199.5.152.0/23,199.5.229.0/24,199.10.64.0/24,199.26.137.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 24"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400023; rev:2619;)
alert ip [199.58.248.0/21,199.60.102.0/24,199.71.56.0/21,199.71.192.0/20,199.84.55.0/24,199.84.56.0/22,199.84.60.0/24,199.84.64.0/19,199.87.208.0/21,199.88.32.0/20,199.88.48.0/22,199.89.16.0/20,199.89.198.0/24,199.120.163.0/24,199.165.32.0/19,199.166.200.0/22,199.184.82.0/24,199.185.192.0/20,199.196.192.0/19,199.198.160.0/20] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 25"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400024; rev:2619;)
alert ip [199.223.0.0/20,199.230.64.0/19,199.230.96.0/21,199.233.85.0/24,199.233.96.0/24,199.241.64.0/19,199.244.56.0/21,199.245.138.0/24,199.246.137.0/24,199.246.213.0/24,199.246.215.0/24,199.248.64.0/18,199.249.64.0/19,199.253.32.0/20,199.253.48.0/21,199.253.224.0/20,199.254.32.0/20,200.0.60.0/23,200.3.128.0/20,200.22.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 26"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400025; rev:2619;)
alert ip [202.20.32.0/19,202.21.64.0/19,202.27.96.0/23,202.27.98.0/24,202.27.99.0/24,202.27.100.0/22,202.27.120.0/22,202.27.161.0/24,202.27.162.0/23,202.27.164.0/22,202.27.168.0/24,202.39.112.0/20,202.40.32.0/19,202.40.64.0/18,202.68.0.0/18,202.86.0.0/22,202.148.32.0/20,202.148.176.0/20,202.183.0.0/19,202.189.80.0/20] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 27"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400026; rev:2619;)
alert ip [203.34.252.0/23,203.86.252.0/22,203.148.80.0/22,203.149.92.0/22,203.169.0.0/22,203.189.112.0/22,203.191.64.0/18,204.19.38.0/23,204.44.32.0/20,204.44.192.0/20,204.44.224.0/20,204.48.16.0/20,204.52.255.0/24,204.57.16.0/20,204.75.147.0/24,204.75.228.0/24,204.80.198.0/24,204.86.16.0/20,204.87.199.0/24,204.89.224.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 28"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400027; rev:2619;)
alert ip [204.128.180.0/24,204.130.16.0/20,204.130.167.0/24,204.147.64.0/21,204.187.155.0/24,204.187.156.0/22,204.187.160.0/19,204.187.192.0/19,204.187.224.0/20,204.187.240.0/21,204.187.248.0/22,204.187.252.0/23,204.187.254.0/24,204.194.64.0/21,204.194.184.0/21,204.225.16.0/20,204.225.159.0/24,204.225.210.0/24,204.232.0.0/18,204.238.137.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 29"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400028; rev:2619;)
alert ip [205.144.176.0/20,205.148.128.0/18,205.148.192.0/18,205.151.128.0/19,205.159.45.0/24,205.159.174.0/24,205.159.180.0/24,205.166.77.0/24,205.166.84.0/24,205.166.130.0/24,205.166.168.0/24,205.166.211.0/24,205.172.176.0/22,205.172.244.0/22,205.175.160.0/19,205.189.71.0/24,205.189.72.0/23,205.203.0.0/19,205.203.224.0/19,205.207.134.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 30"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400029; rev:2619;)
alert ip [205.214.128.0/19,205.233.224.0/20,205.236.185.0/24,205.236.189.0/24,205.237.88.0/21,206.41.160.0/19,206.51.29.0/24,206.81.0.0/19,206.130.4.0/23,206.130.188.0/24,206.143.128.0/17,206.189.0.0/16,206.195.224.0/19,206.197.28.0/24,206.197.29.0/24,206.197.77.0/24,206.197.165.0/24,206.203.64.0/18,206.209.80.0/20,206.224.160.0/19] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 31"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400030; rev:2619;)
alert ip [207.32.208.0/20,207.45.224.0/20,207.110.64.0/18,207.110.96.0/19,207.110.128.0/18,207.177.128.0/18,207.178.64.0/19,207.183.192.0/19,207.226.192.0/20,207.234.0.0/17,208.93.4.0/22,208.117.88.0/22,208.117.92.0/24,209.51.32.0/20,209.54.160.0/19,209.66.128.0/19,209.95.192.0/19,209.97.128.0/18,209.99.128.0/18,209.145.0.0/19] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 32"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400031; rev:2619;)
alert ip [209.182.64.0/19,209.229.0.0/16,209.242.192.0/19,212.92.127.0/24,216.47.96.0/20,216.152.240.0/20,216.183.208.0/20,220.154.0.0/16,221.132.192.0/18,223.0.0.0/15,223.169.0.0/16,223.173.0.0/16,223.201.0.0/16,223.254.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 33"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400032; rev:2619;)
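Review bot: group 3 (sid:2400002) and group 16 (sid:2400015) each carry an overlapping pair of prefixes in the same rule, `46.29.248.0/22,46.29.248.0/21` and `176.61.136.0/22,176.61.136.0/21`; the /22 is wholly contained in the /21, so the entry is redundant. Harmless for matching, but it shows the generated list was not deduplicated, and a small sanity check for overlapping CIDRs would be worth adding to this repo before rule files are committed. On the header: 'Rules to block Spamhaus DROP listed networks' describes an IPS action, yet every rule uses `alert`, not `drop`, so in IPS mode these only log; state in the README whether blocking is expected or the rules are meant to be converted. The BSD clause reads 'Neither the name of the nor the names of its contributors', with the copyright holder's name missing; this is copied verbatim from the upstream header (the same gap appears in the Dshield and DNS headers), so report it upstream rather than editing the vendored file. The `VERSION 2619` / `Generated 2017-09-17` stamp is useful; keep it and add an equivalent stamp to the files that lack one. Finally, `flowbits:set,ET.Evil` and `flowbits:set,ET.DROPIP` are set here but nothing in this file consumes them; they only pay off when the ET rules that test those bits are loaded in the same ruleset.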

View file

@ -0,0 +1,35 @@
#
# $Id: emerging-dshield.rules $
# Emerging Threats Dshield rules.
#
# Rules to block Dshield identified Top Attackers (www.dshield.org)
#
# More information available at www.emergingthreats.net
#
# Please submit any feedback or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
# Copyright (c) 2003-2014, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
alert ip [61.174.51.0/24,94.102.49.0/24,185.5.174.0/24,116.10.191.0/24,218.77.79.0/24,74.82.47.0/24,184.105.247.0/24,93.180.5.0/24,93.174.93.0/24,80.82.70.0/24,184.105.139.0/24,198.20.69.0/24,124.232.142.0/24,71.6.167.0/24,66.240.192.0/24,71.6.165.0/24,198.20.99.0/24,190.139.61.0/24,66.240.236.0/24,162.253.66.0/24] any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source group 1"; reference:url,feed.dshield.org/block.txt; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DshieldIP; sid:2402000; rev:3403;)
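Review bot: this file has no VERSION or Generated stamp (the DROP file carries one), so the only dating clues are the 2003-2014 copyright and `rev:3403` on sid:2402000; the Dshield block list is regenerated daily, so a snapshot of 'Top Attackers' this old is mostly of historical value and will raise alerts on addresses that are no longer attacking anyone. Add the retrieval date to the header or the README, and treat this rule like the DROP list: fetch it at deploy time instead of vendoring. As with the DROP rules, the header says 'Rules to block' while the action is `alert`, and `flowbits:set,ET.DshieldIP` is set here without being consumed in this file.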

View file

@ -0,0 +1,198 @@
# Emerging Threats
#
# This distribution may contain rules under two different licenses.
#
# Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
# A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
# Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License
# as follows:
#
#*************************************************************
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
#
#
#
# This Ruleset is EmergingThreats Open optimized for suricata-1.3-enhanced.
#alert udp any 53 -> $DNS_SERVERS any (msg:"ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt"; byte_test:2,>,0,6; byte_test:2,>,0,10; threshold: type both, track by_src, count 100, seconds 10; reference:url,doc.emergingthreats.net/bin/view/Main/2008446; classtype:bad-unknown; sid:2008446; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any 53 -> $HOME_NET any (msg:"ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; threshold: type both, track by_src, count 50, seconds 10; reference:url,doc.emergingthreats.net/bin/view/Main/2008470; classtype:bad-unknown; sid:2008470; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any 53 -> $HOME_NET any (msg:"ET DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible NS RR Cache Poisoning Attempt"; content: "|85 00 00 01 00 01 00 01|"; offset: 2; depth:8; threshold: type both, track by_src,count 50, seconds 2; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008447; classtype:bad-unknown; sid:2008447; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any 53 -> $HOME_NET any (msg:"ET DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible A RR Cache Poisoning Attempt"; content: "|81 80 00 01 00 01 00 01|"; offset: 2; depth:8; threshold: type both, track by_src, count 50, seconds 2; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008475; classtype:bad-unknown; sid:2008475; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Format error"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x81/"; reference:url,doc.emergingthreats.net/2001116; classtype:not-suspicious; sid:2001116; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Name Error"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x83/"; reference:url,doc.emergingthreats.net/2001117; classtype:not-suspicious; sid:2001117; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Not Implemented"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x84/"; reference:url,doc.emergingthreats.net/2001118; classtype:not-suspicious; sid:2001118; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Refused"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x85/"; reference:url,doc.emergingthreats.net/2001119; classtype:not-suspicious; sid:2001119; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS EXPLOIT named 8.2->8.2.1"; flow:to_server,established; content:"../../../"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:2100258; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:2100259; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh"; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:2100261; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS TCP inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:2103153; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:2101435; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:2100257; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:15; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:2100255; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"GPL DNS SPOOF query response PTR with TTL of 1 min. and no authority"; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; classtype:bad-unknown; sid:2100253; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"GPL DNS SPOOF query response with TTL of 1 min. and no authority"; content:"|81 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 01 00 01 00 00 00|<|00 04|"; classtype:bad-unknown; sid:2100254; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS UDP inverse query overflow"; byte_test:1,<,16,2; byte_test:1,&,8,2; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:2103154; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named authors attempt"; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:nessus,10728; classtype:attempted-recon; sid:2100256; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named iquery attempt"; content:"|09 80 00 00 00 01 00 00 00 00|"; depth:16; offset:2; reference:bugtraq,134; reference:cve,1999-0009; reference:url,www.rfc-editor.org/rfc/rfc1035.txt; classtype:attempted-recon; sid:2100252; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named version attempt"; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:nessus,10028; classtype:attempted-recon; sid:2101616; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:2101948; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .com.ru Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|com|02|ru|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011407; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .com.cn Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|com|02|cn|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011408; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .co.cc Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|cc|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011409; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .cz.cc Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cz|02|cc|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011410; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .co.kr Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|kr|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011411; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"ET DNS DNS Lookup for localhost.DOMAIN.TLD"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|localhost"; fast_pattern; nocase; classtype:bad-unknown; sid:2011802; rev:3; metadata:created_at 2010_10_12, updated_at 2010_10_12;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS Hiloti DNS CnC Channel Successful Install Message"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|empty"; nocase; distance:0; content:"|0C|explorer_exe"; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; classtype:bad-unknown; sid:2011911; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS DNS Query for a Suspicious Malware Related Numerical .in Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|in|00|"; fast_pattern; nocase; distance:0; pcre:"/\x00[0-9]{4,7}\x02in\x00/i"; reference:url,sign.kaffenews.com/?p=104; reference:url,www.isc.sans.org/diary.html?storyid=10165; classtype:bad-unknown; sid:2012115; rev:6; metadata:created_at 2011_12_30, updated_at 2011_12_30;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query to a .tk domain - Likely Hostile"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|tk|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2012811; rev:2; metadata:created_at 2011_05_15, updated_at 2011_05_15;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query to a Suspicious *.vv.cc domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|vv|02|cc|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2012826; rev:1; metadata:created_at 2011_05_19, updated_at 2011_05_19;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.ae.am domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ae|02|am"; fast_pattern; classtype:bad-unknown; sid:2012900; rev:3; metadata:created_at 2011_05_31, updated_at 2011_05_31;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for a Suspicious *.noc.su domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|noc|02|su"; fast_pattern:only; classtype:bad-unknown; sid:2012901; rev:2; metadata:created_at 2011_05_31, updated_at 2011_05_31;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.be.ma domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|be|02|ma"; fast_pattern; distance:0; classtype:bad-unknown; sid:2012902; rev:3; metadata:created_at 2011_05_31, updated_at 2011_05_31;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.qc.cx domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|qc|02|cx"; fast_pattern; classtype:bad-unknown; sid:2012903; rev:3; metadata:created_at 2011_05_31, updated_at 2011_05_31;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.co.tv domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|tv"; fast_pattern; classtype:bad-unknown; sid:2012956; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Illegal Drug Sales Site (SilkRoad)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ianxz6zefk72ulzz|05|onion"; classtype:policy-violation; sid:2013016; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .co.be Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|be"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013124; rev:3; metadata:created_at 2011_06_28, updated_at 2011_06_28;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.cu.cc domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cu|02|cc"; fast_pattern; classtype:bad-unknown; sid:2013172; rev:2; metadata:created_at 2011_07_02, updated_at 2011_07_02;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .net.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|net|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013847; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .eu.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|eu|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013848; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .int.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|int|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013849; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .edu.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|edu|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013850; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .us.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|us|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013851; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .ca.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ca|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013852; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .bg.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|bg|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013853; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .ru.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ru|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013854; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .pl.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|pl|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013855; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .cz.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cz|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013856; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .de.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|de|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013857; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .at.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|at|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013858; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .ch.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ch|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013859; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .sg.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|sg|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013860; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .nl.ai Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|nl|02|ai"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013861; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .xe.cx Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|xe|02|cx"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013862; rev:1; metadata:created_at 2011_11_07, updated_at 2011_11_07;)
alert udp any 53 -> $DNS_SERVERS any (msg:"ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) to google.com.br possible Cache Poisoning Attempt"; byte_test:2,>,0,6; byte_test:2,>,0,10; threshold: type both, track by_src, count 100, seconds 10; content:"|06|google|03|com|02|br|00|"; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; classtype:bad-unknown; sid:2013894; rev:5; metadata:created_at 2011_11_10, updated_at 2011_11_10;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .noip.cn Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|noip|02|cn|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013970; rev:1; metadata:created_at 2011_11_28, updated_at 2011_11_28;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for .su TLD (Soviet Union) Often Malware Related"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|su|00|"; fast_pattern; distance:0; nocase; reference:url,www.abuse.ch/?p=3581; classtype:bad-unknown; sid:2014169; rev:1; metadata:created_at 2012_01_31, updated_at 2012_01_31;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS DNS Query for Suspicious .ch.vu Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ch|02|vu"; fast_pattern; nocase; distance:0; reference:url,google.com/safebrowsing/diagnostic?site=ch.vu; classtype:bad-unknown; sid:2014285; rev:4; metadata:created_at 2012_02_27, updated_at 2012_02_27;)
alert udp $HOME_NET !9987 -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set"; content:!"7PYqwfzt"; depth:8; byte_test:1,!&,64,2; byte_test:1,&,32,2; byte_test:1,&,16,2; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014701; rev:12; metadata:created_at 2012_05_03, updated_at 2016_07_12;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set"; content:!"7PYqwfzt"; depth:8; byte_test:1,&,64,2; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014702; rev:9; metadata:created_at 2012_05_03, updated_at 2016_07_12;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set"; content:!"7PYqwfzt"; depth:8; byte_test:1,&,64,3; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014703; rev:9; metadata:created_at 2012_05_03, updated_at 2016_07_12;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS Query for a Suspicious *.upas.su domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|upas|02|su|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2015550; rev:1; metadata:created_at 2012_07_31, updated_at 2012_07_31;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - sinkhole.cert.pl 148.81.111.111"; content:"|00 01 00 01|"; content:"|00 04 94 51 6f 6f|"; distance:4; within:6; classtype:trojan-activity; sid:2016413; rev:4; metadata:created_at 2013_02_14, updated_at 2013_02_14;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Dr. Web"; content:"|00 01 00 01|"; content:"|00 04 5b e9 f4 6a|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016418; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Zinkhole.org"; content:"|00 01 00 01|"; content:"|00 04 b0 1f 3e 4c|"; distance:4; within:6; classtype:trojan-activity; sid:2016419; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - German Company"; content:"|00 01 00 01|"; content:"|00 04 52 a5 19 a7|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016420; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - 1and1 Internet AG"; content:"|00 01 00 01|"; content:"|00 04 52 a5 19 d2|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016421; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Georgia Tech (1)"; content:"|00 01 00 01|"; content:"|00 04 c6 3d e3 06|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016422; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Georgia Tech (2)"; content:"|00 01 00 01|"; content:"|00 04 32 3e 0c 67|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016423; rev:6; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain micorsofts.net"; content:"|0a|micorsofts|03|net|00|"; nocase; fast_pattern:only; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:bad-unknown; sid:2016569; rev:3; metadata:created_at 2013_03_13, updated_at 2013_03_13;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain micorsofts.com"; content:"|0a|micorsofts|03|com|00|"; nocase; fast_pattern:only; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:bad-unknown; sid:2016570; rev:2; metadata:created_at 2013_03_13, updated_at 2013_03_13;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain hotmal1.com"; content:"|07|hotmal1|03|com|00|"; nocase; fast_pattern:only; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:bad-unknown; sid:2016571; rev:1; metadata:created_at 2013_03_13, updated_at 2013_03_13;)
alert udp any 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - 106.187.96.49 blacklistthisdomain.com"; content:"|00 01 00 01|"; content:"|00 04 6a bb 60 31|"; distance:4; within:6; classtype:trojan-activity; sid:2016591; rev:6; metadata:created_at 2013_03_18, updated_at 2013_03_18;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query to a *.pw domain - Likely Hostile"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|pw|00|"; fast_pattern; nocase; distance:0; content:!"|01|u|02|pw|00|"; nocase; classtype:bad-unknown; sid:2016778; rev:4; metadata:created_at 2013_04_19, updated_at 2013_04_19;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DNS DNS Query for vpnoverdns - indicates DNS tunnelling"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|tun|10|vpnoverdns|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,osint.bambenekconsulting.com/manual/vpnoverdns.txt; classtype:bad-unknown; sid:2018438; rev:2; metadata:created_at 2014_05_01, updated_at 2014_05_01;)
alert udp any 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole FBI Zeus P2P 1 - 142.0.36.234"; content:"|00 01 00 01|"; content:"|00 04 8e 00 24 ea|"; distance:4; within:6; classtype:trojan-activity; sid:2018517; rev:1; metadata:created_at 2014_06_03, updated_at 2014_06_03;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS Query to a *.top domain - Likely Hostile"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|top|00|"; fast_pattern; nocase; distance:0; threshold:type limit, track by_src, count 1, seconds 30; reference:url,www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2023883; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_07, updated_at 2017_02_07;)
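Review bot: the rule headers in this hunk depend on address groups beyond HOME_NET/EXTERNAL_NET, namely $DNS_SERVERS (sids 2001116 through 2001119 and 2013894) and the negated group ![$SMTP_SERVERS,$DNS_SERVERS] in sid 2011802; a rule whose header references a variable that is not defined under address-groups in suricata.yaml fails to parse and is skipped at load time, so this commit should either confirm those groups exist in the repo's Suricata config or document them as a prerequisite. Separately, the TLD-wide signatures that are enabled here (2012811 for .tk, 2014169 for .su, 2016778 for .pw, 2023883 for .top) fire on every query under those TLDs and only 2023883 carries a threshold; on a general-purpose network the other three will be noisy until a threshold or a suppression entry is added.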


@ -0,0 +1,254 @@
# Emerging Threats
#
# This distribution may contain rules under two different licenses.
#
# Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
# A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
# Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License
# as follows:
#
#*************************************************************
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
#
#
#
# This Ruleset is EmergingThreats Open optimized for suricata-1.3-enhanced.
#alert udp any any -> any 53 (msg:"ET DOS DNS BIND 9 Dynamic Update DoS attempt"; byte_test:1,&,40,2; byte_test:1,>,0,5; byte_test:1,>,0,1; content:"|00 00 06|"; offset:8; content:"|c0 0c 00 ff|"; distance:2; reference:cve,2009-0696; reference:url,doc.emergingthreats.net/2009701; classtype:attempted-dos; sid:2009701; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET [22,23,80,443,10000] (msg:"ET DOS Possible Cisco PIX/ASA Denial Of Service Attempt (Hping Created Packets)"; flow:to_server; content:"|58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58|"; depth:40; content:"|58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58|"; distance:300; isdataat:300,relative; threshold: type threshold, track by_src, count 60, seconds 80; reference:url,www.securityfocus.com/bid/34429/info; reference:url,www.securityfocus.com/bid/34429/exploit; reference:url,www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080a99518.html; reference:cve,2009-1157; reference:url,doc.emergingthreats.net/2010624; classtype:attempted-dos; sid:2010624; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET DOS Possible Cisco ASA 5500 Series Adaptive Security Appliance Remote SIP Inspection Device Reload Denial of Service Attempt"; flow:established,to_server; content:"REGISTER"; depth:8; nocase; isdataat:400,relative; pcre:"/REGISTER.{400}/smi"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19915; reference:cve,2010-0569; reference:url,doc.emergingthreats.net/2010817; classtype:attempted-dos; sid:2010817; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"ET DOS Cisco 514 UDP flood DoS"; content:"|25 25 25 25 25 58 58 25 25 25 25 25|"; reference:url,www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000010; classtype:attempted-dos; sid:2000010; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET DOS Catalyst memory leak attack"; flow: to_server,established; content:"|41 41 41 0a|"; depth: 20; reference:url,www.cisco.com/en/US/products/products_security_advisory09186a00800b138e.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000011; classtype:attempted-dos; sid:2000011; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Cisco Router HTTP DoS"; flow:to_server,established; content:"/%%"; http_uri; reference:url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml; classtype:attempted-dos; sid:2000006; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Cisco 4200 Wireless Lan Controller Long Authorisation Denial of Service Attempt"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/screens/frameset.html"; fast_pattern; http_uri; nocase; content:"Authorization|3A 20|Basic"; nocase; content:!"|0a|"; distance:2; within:118; isdataat:120,relative; pcre:"/^Authorization\x3A Basic.{120}/Hmi"; reference:url,www.securityfocus.com/bid/35805; reference:url,www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml; reference:cve,2009-1164; reference:url,doc.emergingthreats.net/2010674; classtype:attempted-dos; sid:2010674; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6014 (msg:"ET DOS IBM DB2 kuddb2 Remote Denial of Service Attempt"; flow:established,to_server; content:"|00 05 03 31 41|"; reference:url,www.securityfocus.com/bid/38018; reference:url,intevydis.blogspot.com/2010/01/ibm-db2-97-kuddb2-dos.html; reference:url,doc.emergingthreats.net/2010755; classtype:attempted-dos; sid:2010755; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"ET DOS FreeBSD NFS RPC Kernel Panic"; flow:to_server,established; content:"|00 01 86 a5|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 00 00 00 00 00|"; offset:0; depth:6; reference:cve,2006-0900; reference:bugtraq,19017; reference:url,doc.emergingthreats.net/bin/view/Main/2002853; classtype:attempted-dos; sid:2002853; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 1755 (msg:"ET DOS Microsoft Streaming Server Malformed Request"; flow:established,to_server; content:"MSB "; depth:4; content:"|06 01 07 00 24 00 00 40 00 00 00 00 00 00 01 00 00 00|"; distance:0; within:18; reference:bugtraq,1282; reference:url,www.microsoft.com/technet/security/bulletin/ms00-038.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2002843; classtype:attempted-dos; sid:2002843; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS ICMP Path MTU lowered below acceptable threshold"; itype: 3; icode: 4; byte_test:2,<,576,6; byte_test:2,!=,0,7; reference:cve,CAN-2004-1060; reference:url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,doc.emergingthreats.net/bin/view/Main/2001882; classtype:denial-of-service; sid:2001882; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET DOS Possible Microsoft SQL Server Remote Denial Of Service Attempt"; flow: established,to_server; content:"|10 00 00 10 cc|"; depth:5; reference:bugtraq,11265; reference:url,doc.emergingthreats.net/bin/view/Main/2001366; classtype:attempted-dos; sid:2001366; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET DOS NetrWkstaUserEnum Request with large Preferred Max Len"; flow:established,to_server; content:"|ff|SMB"; content:"|10 00 00 00|"; distance:0; content:"|02 00|"; distance:14; within:2; byte_jump:4,12,relative,little,multiplier 2; content:"|00 00 00 00 00 00 00 00|"; distance:12; within:8; byte_test:4,>,2,0,relative; reference:cve,2006-6723; reference:url,doc.emergingthreats.net/bin/view/Main/2003236; classtype:attempted-dos; sid:2003236; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DOS Excessive SMTP MAIL-FROM DDoS"; flow: to_server, established; content:"MAIL FROM|3a|"; nocase; window: 0; id:0; threshold: type limit, track by_src, count 30, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/2001795; classtype:denial-of-service; sid:2001795; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET DOS Possible MYSQL GeomFromWKB() function Denial Of Service Attempt"; flow:to_server,established; content:"SELECT"; nocase; content:"geometrycollectionfromwkb"; distance:0; nocase; pcre:"/SELECT.+geometrycollectionfromwkb/si"; reference:url,www.securityfocus.com/bid/37297/info; reference:url,marc.info/?l=oss-security&m=125881733826437&w=2; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/37297.txt; reference:cve,2009-4019; reference:url,doc.emergingthreats.net/2010491; classtype:attempted-dos; sid:2010491; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET DOS Possible MYSQL SELECT WHERE to User Variable Denial Of Service Attempt"; flow:to_server,established; content:"SELECT"; nocase; content:"WHERE"; distance:0; nocase; content:"SELECT"; nocase; content:"INTO"; distance:0; nocase; content:"|60|"; within:50; content:"|60|"; pcre:"/SELECT.+WHERE.+SELECT.+\x60/si"; reference:url,www.securityfocus.com/bid/37297/info; reference:url,marc.info/?l=oss-security&m=125881733826437&w=2; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/37297-2.txt; reference:cve,2009-4019; reference:url,doc.emergingthreats.net/2010492; classtype:attempted-dos; sid:2010492; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET DOS Possible MySQL ALTER DATABASE Denial Of Service Attempt"; flow:established,to_server; content:"ALTER "; nocase; content:"DATABASE"; nocase; within:12; content:"|22|."; distance:0; content:"UPGRADE "; nocase; distance:0; content:"DATA"; nocase; within:8; pcre:"/ALTER.+DATABASE.+\x22\x2E(\x22|\x2E\x22|\x2E\x2E\x2F\x22).+UPGRADE.+DATA/si"; reference:url,securitytracker.com/alerts/2010/Jun/1024160.html; reference:url,dev.mysql.com/doc/refman/5.1/en/alter-database.html; reference:cve,2010-2008; reference:url,doc.emergingthreats.net/2011761; classtype:attempted-dos; sid:2011761; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Netgear DG632 Web Management Denial Of Service Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/firmwarecfg"; http_uri; nocase; reference:url, securitytracker.com/alerts/2009/Jun/1022403.html; reference:cve,2009-2256; reference:url,doc.emergingthreats.net/2010554; classtype:attempted-dos; sid:2010554; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Large amount of TCP ZeroWindow - Possible Nkiller2 DDos attack"; flags:A; window:0; threshold: type both, track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2009414; classtype:attempted-dos; sid:2009414; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert udp $EXTERNAL_NET 123 -> $HOME_NET 123 (msg:"ET DOS Potential Inbound NTP denial-of-service attempt (repeated mode 7 request)"; dsize:1; content:"|17|"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010486; classtype:attempted-dos; sid:2010486; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert udp $EXTERNAL_NET 123 -> $HOME_NET 123 (msg:"ET DOS Potential Inbound NTP denial-of-service attempt (repeated mode 7 reply)"; dsize:4; content:"|97 00 00 00|"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010487; classtype:attempted-dos; sid:2010487; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET DOS Possible SolarWinds TFTP Server Read Request Denial Of Service Attempt"; content:"|00 01 01|"; depth:3; content:"NETASCII"; reference:url,www.exploit-db.com/exploits/12683/; reference:url,doc.emergingthreats.net/2011673; classtype:attempted-dos; sid:2011673; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET DOS SolarWinds TFTP Server Long Write Request Denial Of Service Attempt"; content:"|00 02|"; depth:2; isdataat:1000,relative; content:!"|0A|"; within:1000; content:"NETASCII"; distance:1000; reference:url,www.exploit-db.com/exploits/13836/; reference:url,doc.emergingthreats.net/2011674; classtype:attempted-dos; sid:2011674; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg:"ET DOS Possible VNC ClientCutText Message Denial of Service/Memory Corruption Attempt"; flow:established,to_server; content:"|06|"; depth:1; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,www.fortiguard.com/encyclopedia/vulnerability/vnc.server.clientcuttext.message.memory.corruption.html; reference:url,doc.emergingthreats.net/2011732; classtype:attempted-dos; sid:2011732; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; reference:url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx; classtype:attempted-dos; sid:2100272; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DOS Jolt attack"; dsize:408; fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:2100268; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp any any -> $HOME_NET 3000 (msg:"ET DOS ntop Basic-Auth DOS inbound"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"/configNtop.html"; distance:0; within:20; nocase; content:"Authorization|3a|"; nocase; content: "Basic"; distance:0; within:20; content:"=="; distance:0; within:100; reference:url,www.securityfocus.com/bid/36074; reference:url,www.securityfocus.com/archive/1/505862; reference:url,www.securityfocus.com/archive/1/505876; classtype:denial-of-service; sid:2011511; rev:1; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
alert tcp $HOME_NET any -> any 3000 (msg:"ET DOS ntop Basic-Auth DOS outbound"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"/configNtop.html"; distance:0; within:20; nocase; content:"Authorization|3a|"; nocase; content: "Basic"; distance:0; within:20; content:"=="; distance:0; within:100; reference:url,www.securityfocus.com/bid/36074; reference:url,www.securityfocus.com/archive/1/505862; reference:url,www.securityfocus.com/archive/1/505876; classtype:denial-of-service; sid:2011512; rev:1; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS User-Agent used in known DDoS Attacks Detected outbound"; flow:established,to_server; content:"User-agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| ru|3b| rv|3a|1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"; http_header; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011821; rev:3; metadata:created_at 2010_10_18, updated_at 2010_10_18;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS User-Agent used in known DDoS Attacks Detected inbound"; flow:established,to_server; content:"User-agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| ru|3b| rv|3a|1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"; http_header; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011822; rev:3; metadata:created_at 2010_10_18, updated_at 2010_10_18;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS User-Agent used in known DDoS Attacks Detected outbound 2"; flow:established,to_server; content:"User-agent|3a| Opera/9.02 (Windows NT 5.1|3b| U|3b| ru)"; http_header; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011823; rev:3; metadata:created_at 2010_10_18, updated_at 2010_10_18;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS User-Agent used in known DDoS Attacks Detected inbound 2"; flow:established,to_server; content:"User-agent|3a| Opera/9.02 (Windows NT 5.1|3b| U|3b| ru)"; http_header; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011824; rev:4; metadata:created_at 2010_10_18, updated_at 2010_10_18;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS Outbound Low Orbit Ion Cannon LOIC Tool Internal User May Be Participating in DDOS"; flow:to_server,established; content:"hihihihihihihihihihihihihihihihi"; nocase; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012048; rev:5; metadata:created_at 2010_12_13, updated_at 2010_12_13;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Inbound Low Orbit Ion Cannon LOIC DDOS Tool desu string"; flow:to_server,established; content:"desudesudesu"; nocase; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012049; rev:5; metadata:created_at 2010_12_13, updated_at 2010_12_13;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS Outbound Low Orbit Ion Cannon LOIC Tool Internal User May Be Participating in DDOS desu string"; flow:to_server,established; content:"desudesudesu"; nocase; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012050; rev:5; metadata:created_at 2010_12_13, updated_at 2010_12_13;)
alert http $EXTERNAL_NET any -> $HOME_NET 9495 (msg:"ET DOS IBM Tivoli Endpoint Buffer Overflow Attempt"; flow:established,to_server; content:"POST"; http_method; isdataat:261; content:!"|0A|"; depth:261; reference:url, zerodayinitiative.com/advisories/ZDI-11-169/; classtype:denial-of-service; sid:2012938; rev:2; metadata:created_at 2011_06_07, updated_at 2011_06_07;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Skype FindCountriesByNamePattern property Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"22C83263-E4B8-4233-82CD-FB047C6BF13E"; nocase; distance:0; content:".FindCountriesByNamePattern"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*22C83263-E4B8-4233-82CD-FB047C6BF13E/si"; reference:url,garage4hackers.com/f43/skype-5-x-activex-crash-poc-981.html; classtype:web-application-attack; sid:2013462; rev:3; metadata:created_at 2011_08_26, updated_at 2011_08_26;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Skype FindCountriesByNamePattern property Buffer Overflow Attempt Format String Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"SkypePNRLib.PNR"; nocase; distance:0; content:".FindCountriesByNamePattern"; nocase; reference:url,garage4hackers.com/f43/skype-5-x-activex-crash-poc-981.html; classtype:attempted-user; sid:2013463; rev:3; metadata:created_at 2011_08_26, updated_at 2011_08_26;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS LOIC Javascript DDoS Outbound"; flow:established,to_server; content:"GET"; http_method; content:"/?id="; fast_pattern; http_uri; depth:5; content:"&msg="; http_uri; distance:13; within:5; pcre:"/^\/\?id=[0-9]{13}&msg=/U"; threshold: type both, track by_src, count 5, seconds 60; reference:url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442; reference:url,www.wired.com/threatlevel/2012/01/anons-rickroll-botnet; classtype:attempted-dos; sid:2014141; rev:5; metadata:created_at 2012_01_23, updated_at 2012_01_23;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS High Orbit Ion Cannon (HOIC) Attack Inbound Generic Detection Double Spaced UA"; flow:established,to_server; content:"User-Agent|3a 20 20|"; http_raw_header; content:"User-Agent|3a 20 20|"; fast_pattern:only; threshold: type both, track by_src, count 225, seconds 60; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:attempted-dos; sid:2014153; rev:5; metadata:created_at 2012_01_27, updated_at 2012_01_27;)
alert tcp any any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt"; flags:R; flow:to_server; flowbits:isset,ms.rdp.synack; flowbits:isnotset,ms.rdp.established; flowbits:unset,ms.rdp.synack; reference:cve,2012-0152; classtype:attempted-dos; sid:2014384; rev:8; metadata:created_at 2012_03_13, updated_at 2012_03_13;)
alert tcp $HOME_NET 3389 -> any any (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn/Ack Outbound Flowbit Set"; flow:from_server; flags:SA; flowbits:isnotset,ms.rdp.synack; flowbits:set,ms.rdp.synack; flowbits:noalert; reference:cve,2012-0152; classtype:not-suspicious; sid:2014385; rev:5; metadata:created_at 2012_03_15, updated_at 2012_03_15;)
alert tcp any any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop (RDP) Session Established Flowbit Set"; flow:to_server,established; flowbits:isset,ms.rdp.synack; flowbits:unset,ms.rdp.synack; flowbits:set,ms.rdp.established; flowbits:noalert; reference:cve,2012-0152; classtype:not-suspicious; sid:2014386; rev:2; metadata:created_at 2012_03_15, updated_at 2012_03_15;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt Negative INT"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,<,0x80,0,relative,big; byte_test:1,&,0x80,1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014430; rev:13; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,<,0x80,0,relative,big; byte_jump:1,0,relative; byte_test:1,<,0x06,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014431; rev:15; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Integer indef DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,>,0x80,0,relative; byte_test:1,<,0xFF,0,relative; byte_jump:1,0,relative, post_offset -128; byte_jump:1,-1,relative; byte_test:1,<,0x06,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020 vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014662; rev:1; metadata:created_at 2012_05_02, updated_at 2012_05_02;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Negative Integer indef DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,>,0x80,0,relative; byte_test:1,<,0xFF,0,relative; byte_jump:1,0,relative, post_offset -128; byte_jump:1,-1,relative; byte_test:1,&,0x80,-1,relative,big; reference:url, www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020 vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014663; rev:1; metadata:created_at 2012_05_02, updated_at 2012_05_02;)
#alert icmp any any -> any any (msg:"ET DOS Microsoft Windows 7 ICMPv6 Router Advertisement Flood"; itype:134; icode:0; byte_test:1,&,0x08,2; content:"|03|"; offset:20; depth:1; byte_test:1,&,0x40,2,relative; byte_test:1,&,0x80,2,relative; threshold:type threshold, track by_src, count 10, seconds 1; reference:url,www.samsclass.info/ipv6/proj/proj8x-124-flood-router.htm; classtype:attempted-dos; sid:2014996; rev:3; metadata:created_at 2012_07_02, updated_at 2012_07_02;)
alert udp any any -> $HOME_NET 53 (msg:"ET DOS DNS Amplification Attack Inbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29|"; within:7; fast_pattern; byte_test:2,>,4095,0,relative; threshold: type both, track by_dst, seconds 60, count 5; classtype:bad-unknown; sid:2016016; rev:8; metadata:created_at 2012_12_11, updated_at 2012_12_11;)
#alert udp $HOME_NET 53 -> any any (msg:"ET DOS DNS Amplification Attack Outbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29|"; within:7; fast_pattern; byte_test:2,>,4095,0,relative; threshold: type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2016017; rev:7; metadata:created_at 2012_12_11, updated_at 2012_12_11;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS LOIC POST"; flow:established,to_server; content:"POST"; http_method; content:"13"; depth:2; http_client_body; content:"=MSG"; fast_pattern; http_client_body; distance:11; within:4; pcre:"/^13\d{11}/P"; threshold:type limit, track by_src, count 1, seconds 300; classtype:web-application-attack; sid:2016030; rev:4; metadata:created_at 2012_12_13, updated_at 2012_12_13;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS LOIC GET"; flow:established,to_server; content:"GET"; http_method; content:"/?msg=MSG"; http_uri; threshold:type limit, track by_src, count 1, seconds 300; classtype:web-application-attack; sid:2016031; rev:3; metadata:created_at 2012_12_13, updated_at 2012_12_13;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5958 ST DeviceType Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*schemas\x3adevice\x3a[^\r\n\x3a]{181}/Ri"; content:"schemas|3a|device"; nocase; fast_pattern:only; reference:cve,CVE_2012-5958; reference:cve,CVE-2012-5962; classtype:attempted-dos; sid:2016322; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5963 ST UDN Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*uuid\x3a[^\r\n\x3a]{181}/Ri"; reference:cve,CVE-2012-5963; classtype:attempted-dos; sid:2016323; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5964 ST URN ServiceType Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*urn\x3aservice\x3a[^\r\n\x3a]{181}/Ri"; content:"urn|3a|service"; nocase; fast_pattern:only; reference:cve,CVE-2012-5964; classtype:attempted-dos; sid:2016324; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5965 ST URN DeviceType Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*urn\x3adevice\x3a[^\r\n\x3a]{181}/Ri"; content:"urn|3a|device"; nocase; fast_pattern:only; reference:cve,CVE-2012-5965; classtype:attempted-dos; sid:2016325; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5961 ST UDN Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*schemas\x3adevice\x3a[^\r\n\x3a]{1,180}\x3a[^\r\n\x3a]{181}/Ri"; content:"schemas|3a|device"; nocase; fast_pattern:only; reference:cve,CVE-2012-5961; classtype:attempted-dos; sid:2016326; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
alert udp any any -> $HOME_NET 1900 (msg:"ET DOS Miniupnpd M-SEARCH Buffer Overflow CVE-2013-0229"; content:"M-SEARCH"; depth:8; isdataat:1492,relative; content:!"|0d 0a|"; distance:1490; within:2; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,CVE-2013-0229; classtype:attempted-dos; sid:2016363; rev:2; metadata:created_at 2013_02_06, updated_at 2013_02_06;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS CVE-2013-0230 Miniupnpd SoapAction MethodName Buffer Overflow"; flow:to_server,established; content:"POST "; depth:5; content:"|0d 0a|SOAPAction|3a|"; nocase; distance:0; pcre:"/^[^\r\n]+#[^\x22\r\n]{2049}/R"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,CVE-2013-0230; classtype:attempted-dos; sid:2016364; rev:1; metadata:created_at 2013_02_06, updated_at 2013_02_06;)
#alert http any any -> $HOME_NET 3128 (msg:"ET DOS Squid-3.3.5 DoS"; flow:established,to_server; content:"Host|3a| "; http_header; pcre:"/^Host\x3a[^\x3a\r\n]+?\x3a[^\r\n]{6}/Hmi"; classtype:attempted-dos; sid:2017154; rev:2; metadata:created_at 2013_07_16, updated_at 2013_07_16;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Trojan.BlackRev V1.Botnet HTTP Login POST Flood Traffic Inbound"; flow:established,to_server; content:"POST"; http_method; content:"Mozilla/4.0 (compatible|3B| Synapse)"; fast_pattern:24,9; http_user_agent; content:"login="; http_client_body; depth:6; content:"$pass="; http_client_body; within:50; threshold: type both, count 5, seconds 60, track by_src; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:attempted-dos; sid:2017722; rev:3; metadata:created_at 2013_11_14, updated_at 2013_11_14;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x02"; content:"|00 02 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017918; rev:2; metadata:created_at 2014_01_02, updated_at 2014_01_02;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03"; content:"|00 03 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017919; rev:2; metadata:created_at 2014_01_02, updated_at 2014_01_02;)
alert udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:"ET DOS Possible NTP DDoS Multiple MON_LIST Seq 0 Response Spanning Multiple Packets IMPL 0x02"; content:"|00 02 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017920; rev:2; metadata:created_at 2014_01_02, updated_at 2014_01_02;)
alert udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:"ET DOS Possible NTP DDoS Multiple MON_LIST Seq 0 Response Spanning Multiple Packets IMPL 0x03"; content:"|00 03 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017921; rev:2; metadata:created_at 2014_01_02, updated_at 2014_01_02;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress MON_LIST Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2017965; rev:3; metadata:created_at 2014_01_13, updated_at 2014_01_13;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress MON_LIST Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2017966; rev:3; metadata:created_at 2014_01_13, updated_at 2014_01_13;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Inbound GoldenEye DoS attack"; flow:established,to_server; content:"/?"; fast_pattern; http_uri; depth:2; content:"="; http_uri; distance:3; within:11; pcre:"/^\/\?[a-zA-Z0-9]{3,10}=[a-zA-Z0-9]{3,20}(?:&[a-zA-Z0-9]{3,10}=[a-zA-Z0-9]{3,20})*?$/U"; content:"Keep|2d|Alive|3a|"; http_header; content:"Connection|3a| keep|2d|alive"; http_header; content:"Cache|2d|Control|3a|"; http_header; pcre:"/^Cache-Control\x3a\x20(?:max-age=0|no-cache)\r?$/Hm"; content:"Accept|2d|Encoding|3a|"; http_header; threshold: type both, track by_src, count 100, seconds 300; reference:url,github.com/jseidl/GoldenEye; classtype:denial-of-service; sid:2018208; rev:2; metadata:created_at 2014_03_04, updated_at 2014_03_04;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Possible WordPress Pingback DDoS in Progress (Inbound)"; flow:established,to_server; content:"/xmlrpc.php"; http_uri; nocase; content:"pingback.ping"; nocase; http_client_body; fast_pattern; threshold:type both, track by_src, count 5, seconds 90; classtype:attempted-dos; sid:2018277; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2014_03_14, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS HOIC with booster outbound"; flow:to_server,established; content:"GET"; http_method; content:"HTTP/1.0|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; content:"If-Modified-Since|3a 20 20|"; http_raw_header; content:"Keep-Alive|3a 20 20|"; http_raw_header; content:"Connection|3a 20 20|"; http_raw_header; content:"User-Agent|3a 20 20|"; http_raw_header; threshold: type both, count 1, seconds 60, track by_src; reference:md5,23fc64a5cac4406d7143ea26e8c4c7ab; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:trojan-activity; sid:2018977; rev:3; metadata:created_at 2014_08_21, updated_at 2014_08_21;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS HOIC with booster inbound"; flow:to_server,established; content:"GET"; http_method; content:"HTTP/1.0|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; content:"If-Modified-Since|3a 20 20|"; http_raw_header; content:"Keep-Alive|3a 20 20|"; http_raw_header; content:"Connection|3a 20 20|"; http_raw_header; content:"User-Agent|3a 20 20|"; http_raw_header; threshold: type both, count 1, seconds 60, track by_dst; reference:md5,23fc64a5cac4406d7143ea26e8c4c7ab; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:trojan-activity; sid:2018978; rev:2; metadata:created_at 2014_08_21, updated_at 2014_08_21;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 00|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019010; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 00|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019011; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST_SUM Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 01|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019012; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST_SUM Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 01|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019013; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress GET_RESTRICT Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 10|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019014; rev:4; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress GET_RESTRICT Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 10|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019015; rev:4; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03"; content:"|00 03 00|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019016; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02"; content:"|00 02 00|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019017; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03"; content:"|00 03 01|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019018; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02"; content:"|00 02 01|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019019; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03"; content:"|00 03 10|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019020; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02"; content:"|00 02 10|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019021; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any 123 -> any any (msg:"ET DOS Likely NTP DDoS In Progress Multiple UNSETTRAP Mode 6 Responses"; content:"|df 00 00 04 00|"; offset:1; depth:5; byte_test:1,!&,128,0; byte_test:1,!&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,!&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019022; rev:4; metadata:created_at 2014_08_25, updated_at 2014_08_25;)
alert udp any any -> $HOME_NET 1900 (msg:"ET DOS Possible SSDP Amplification Scan in Progress"; content:"M-SEARCH * HTTP/1.1"; content:"ST|3a 20|ssdp|3a|all|0d 0a|"; nocase; distance:0; fast_pattern; threshold: type both,track by_src,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/29/weekly-metasploit-update; classtype:attempted-dos; sid:2019102; rev:1; metadata:created_at 2014_09_02, updated_at 2014_09_02;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely LOIC"; flow:to_server,established; dsize:18; content:"GET / HTTP/1.1|0d 0a 0d 0a|"; depth:18; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019346; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS HTTP GET AAAAAAAA Likely FireFlood"; flow:to_server,established; content:"GET AAAAAAAA HTTP/1.1"; content:!"Referer|3a|"; distance:0; content:!"Accept"; distance:0; content:!"|0d 0a|"; distance:0; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019347; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely AnonMafiaIC DDoS tool"; flow:to_server,established; dsize:20; content:"GET / HTTP/1.0|0d 0a 0d 0a 0d 0a|"; depth:20; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019348; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely AnonGhost DDoS tool"; flow:to_server,established; dsize:20; content:"GET / HTTP/1.1|0d 0a 0d 0a 0d 0a|"; depth:20; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019349; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely GoodBye 5.2 DDoS tool"; flow:to_server,established; dsize:<50; content:"|20|HTTP/1.1Host|3a 20|"; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019350; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
#alert tcp $EXTERNAL_NET 10000: -> $HOME_NET 0:1023 (msg:"ET DOS Potential Tsunami SYN Flood Denial Of Service Attempt"; flags:S; flow:to_server; dsize:>900; threshold: type both, count 20, seconds 120, track by_src; reference:url,security.radware.com/uploadedFiles/Resources_and_Content/Threat/TsunamiSYNFloodAttack.pdf; classtype:attempted-dos; sid:2019404; rev:3; metadata:created_at 2014_10_15, updated_at 2014_10_15;)
alert udp $HOME_NET 1434 -> $EXTERNAL_NET any (msg:"ET DOS MC-SQLR Response Outbound Possible DDoS Participation"; content:"|05|"; depth:1; content:"ServerName|3b|"; nocase; content:"InstanceName|3b|"; distance:0; content:"IsClustered|3b|"; distance:0; content:"Version|3b|"; distance:0; threshold:type both,track by_src,count 30,seconds 60; reference:url,kurtaubuchon.blogspot.com.es/2015/01/mc-sqlr-amplification-ms-sql-server.html; classtype:attempted-dos; sid:2020305; rev:4; metadata:created_at 2015_01_23, updated_at 2015_01_23;)
alert udp $EXTERNAL_NET 1434 -> $HOME_NET any (msg:"ET DOS MC-SQLR Response Inbound Possible DDoS Target"; content:"|05|"; depth:1; content:"ServerName|3b|"; nocase; content:"InstanceName|3b|"; distance:0; content:"IsClustered|3b|"; distance:0; content:"Version|3b|"; distance:0; threshold:type both,track by_dst,count 30,seconds 60; reference:url,kurtaubuchon.blogspot.com.es/2015/01/mc-sqlr-amplification-ms-sql-server.html; classtype:attempted-dos; sid:2020306; rev:3; metadata:created_at 2015_01_23, updated_at 2015_01_23;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Bittorrent User-Agent inbound - possible DDOS"; flow:established,to_server; content:"User-Agent|3a| Bittorrent"; http_header; threshold: type both, count 1, seconds 60, track by_src; reference:url,torrentfreak.com/zombie-pirate-bay-tracker-fuels-chinese-ddos-attacks-150124/; classtype:attempted-dos; sid:2020702; rev:2; metadata:created_at 2015_03_18, updated_at 2015_03_18;)
alert udp $HOME_NET 5093 -> $EXTERNAL_NET any (msg:"ET DOS Possible Sentinal LM Application attack in progress Outbound (Response)"; dsize:>1390; content:"|7a 00 00 00 00 00 00 00 00 00 00 00|"; depth:12; threshold: type both,track by_src,count 10,seconds 60; classtype:attempted-dos; sid:2021170; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
alert udp $EXTERNAL_NET 5093 -> $HOME_NET any (msg:"ET DOS Possible Sentinal LM Amplification attack (Response) Inbound"; dsize:>1390; content:"|7a 00 00 00 00 00 00 00 00 00 00 00|"; depth:12; threshold: type both,track by_src,count 10,seconds 60; classtype:attempted-dos; sid:2021171; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
alert udp $EXTERNAL_NET any -> $HOME_NET 5093 (msg:"ET DOS Possible Sentinal LM Amplification attack (Request) Inbound"; dsize:6; content:"|7a 00 00 00 00 00|"; threshold: type both,track by_dst,count 10,seconds 60; classtype:attempted-dos; sid:2021172; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Linux/Tsunami DOS User-Agent (x00_-gawa.sa.pilipinas.2015) INBOUND"; flow:to_server,established; content:"x00_-gawa.sa.pilipinas.2015"; http_user_agent; reference:url,vms.drweb.com/virus/?i=4656268; classtype:attempted-dos; sid:2022760; rev:2; metadata:created_at 2016_04_26, updated_at 2016_04_26;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET 1:1023 (msg:"ET DOS DNS Amplification Attack Possible Inbound Windows Non-Recursive Root Hint Reserved Port"; content:"|81 00 00 01 00 00|"; depth:6; offset:2; byte_test:2,>,10,0,relative; byte_test:2,>,10,2,relative; content:"|0c|root-servers|03|net|00|"; distance:0; content:"|0c|root-servers|03|net|00|"; distance:0; threshold: type both, track by_dst, seconds 60, count 5; reference:url,twitter.com/sempersecurus/status/763749835421941760; reference:url,pastebin.com/LzubgtVb; classtype:bad-unknown; sid:2023053; rev:2; metadata:attack_target Server, deployment Datacenter, created_at 2016_08_12, performance_impact Low, updated_at 2016_08_12;)
alert udp $HOME_NET 53 -> $EXTERNAL_NET 1:1023 (msg:"ET DOS DNS Amplification Attack Possible Outbound Windows Non-Recursive Root Hint Reserved Port"; content:"|81 00 00 01 00 00|"; depth:6; offset:2; byte_test:2,>,10,0,relative; byte_test:2,>,10,2,relative; content:"|0c|root-servers|03|net|00|"; distance:0; content:"|0c|root-servers|03|net|00|"; distance:0; threshold: type both, track by_dst, seconds 60, count 5; reference:url,twitter.com/sempersecurus/status/763749835421941760; reference:url,pastebin.com/LzubgtVb; classtype:bad-unknown; sid:2023054; rev:2; metadata:attack_target Server, deployment Datacenter, created_at 2016_08_12, performance_impact Low, updated_at 2016_08_12;)
alert tcp any any -> $HOME_NET 445 (msg:"ET DOS Microsoft Windows LSASS Remote Memory Corruption (CVE-2017-0004)"; flow:established,to_server; content:"|FF|SMB|73|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; byte_test:1,&,0x08,6,relative; byte_test:1,&,0x10,5,relative; byte_test:1,&,0x04,5,relative; byte_test:1,&,0x02,5,relative; byte_test:1,&,0x01,5,relative; content:"|ff 00|"; distance:28; within:2; content:"|84|"; distance:25; within:1; content:"NTLMSSP"; fast_pattern; within:64; reference:url,github.com/lgandx/PoC/tree/master/LSASS; reference:url,support.microsoft.com/en-us/kb/3216771; reference:url,support.microsoft.com/en-us/kb/3199173; reference:cve,2017-0004; reference:url,technet.microsoft.com/library/security/MS17-004; classtype:attempted-dos; sid:2023497; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, deployment Datacenter, signature_severity Major, created_at 2016_11_11, performance_impact Low, updated_at 2017_01_12;)
alert tcp any 445 -> $HOME_NET any (msg:"ET DOS Excessive Large Tree Connect Response"; flow:from_server,established; byte_test: 3,>,1000,1; content: "|fe 53 4d 42 40 00|"; offset: 4; depth: 6; content: "|03 00|"; offset: 16; depth:2; reference:url,isc.sans.edu/forums/diary/Windows+SMBv3+Denial+of+Service+Proof+of+Concept+0+Day+Exploit/22029/; classtype:attempted-dos; sid:2023831; rev:2; metadata:affected_product SMBv3, attack_target Client_and_Server, deployment Datacenter, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_03;)
alert tcp any 445 -> $HOME_NET any (msg:"ET DOS SMB Tree_Connect Stack Overflow Attempt (CVE-2017-0016)"; flow:from_server,established; content:"|FE|SMB"; offset:4; depth:4; content:"|03 00|"; distance:8; within:2; byte_test:1,&,1,2,relative; byte_jump:2,8,little,from_beginning; byte_jump:2,4,relative,little; isdataat:1000,relative; content:!"|FE|SMB"; within:1000; reference:cve,2017-0016; classtype:attempted-dos; sid:2023832; rev:3; metadata:affected_product SMBv3, attack_target Client_and_Server, deployment Datacenter, signature_severity Major, created_at 2017_02_03, updated_at 2017_02_07;)
#alert tcp any any -> $HOME_NET [139,445] (msg:"ET DOS Possible SMBLoris NBSS Length Mem Exhaustion Vuln Inbound"; flow:established,to_server; content:"|00 01|"; depth:2; threshold:type both,track by_dst,count 3, seconds 90; metadata: former_category DOS; reference:url,isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/; classtype:trojan-activity; sid:2024510; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Internal, signature_severity Major, created_at 2017_08_02, performance_impact Significant, updated_at 2017_08_02;)
alert tcp any any -> $HOME_NET [139,445] (msg:"ET DOS SMBLoris NBSS Length Mem Exhaustion Attempt (PoC Based)"; flow:established,to_server; content:"|00 01 ff ff|"; depth:4; threshold:type both,track by_dst,count 30, seconds 300; metadata: former_category DOS; reference:url,isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/; classtype:trojan-activity; sid:2024511; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Internal, signature_severity Major, created_at 2017_08_02, performance_impact Significant, updated_at 2017_08_03;)
alert udp $EXTERNAL_NET 389 -> $HOME_NET 389 (msg:"ET DOS CLDAP Amplification Reflection (PoC based)"; dsize:52; content:"|30 84 00 00 00 2d 02 01 01 63 84 00 00 00 24 04 00 0a 01 00|"; fast_pattern; threshold:type both, count 100, seconds 60, track by_src; metadata: former_category DOS; reference:url,www.akamai.com/us/en/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf; reference:url,packetstormsecurity.com/files/139561/LDAP-Amplication-Denial-Of-Service.html; classtype:attempted-dos; sid:2024584; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Server, deployment Perimeter, signature_severity Major, created_at 2017_08_16, performance_impact Significant, updated_at 2017_08_16;)
alert udp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"ET DOS Potential CLDAP Amplification Reflection"; content:"objectclass0"; fast_pattern; threshold:type both, count 200, seconds 60, track by_src; metadata: former_category DOS; reference:url,www.akamai.com/us/en/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf; reference:url,packetstormsecurity.com/files/139561/LDAP-Amplication-Denial-Of-Service.html; classtype:attempted-dos; sid:2024585; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Major, created_at 2017_08_16, performance_impact Significant, updated_at 2017_08_16;)
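Review bot: two DOS rules in this hunk are checked in disabled (the leading `#` on sid:2019404, the Tsunami SYN flood rule, and on sid:2024510, the SMBLoris NBSS length rule) while the adjacent SMBLoris variant sid:2024511 stays enabled with `performance_impact Significant`; because the file is vendored verbatim, a later diff cannot tell deliberate local tuning from the upstream default, so add a one-line comment above each disabled rule (or keep the disable list in a separate file) stating why it is off. The same applies to the in-rule `threshold` settings such as `count 500,seconds 60` on the LOIC and GoodBye rules: record in the repo's rules README whether these were reviewed for this deployment or taken as shipped.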


@ -0,0 +1,409 @@
# Emerging Threats
#
# This distribution may contain rules under two different licenses.
#
# Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
# A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
# Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License
# as follows:
#
#*************************************************************
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
#
#
#
# This Ruleset is EmergingThreats Open optimized for suricata-1.3-enhanced.
#alert tcp any any -> any any (msg:"ET SHELLCODE Bindshell2 Decoder Shellcode"; flow:established; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; reference:url,doc.emergingthreats.net/2009246; classtype:shellcode-detect; sid:2009246; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert udp any any -> any any (msg:"ET SHELLCODE Bindshell2 Decoder Shellcode (UDP)"; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; reference:url,doc.emergingthreats.net/2009285; classtype:shellcode-detect; sid:2009285; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp any any -> any any (msg:"ET SHELLCODE Rothenburg Shellcode"; flow:established; content:"|D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance:0; reference:url,doc.emergingthreats.net/2009247; classtype:shellcode-detect; sid:2009247; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Rothenburg Shellcode (UDP)"; content:"|D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance:0; reference:url,doc.emergingthreats.net/2009284; classtype:shellcode-detect; sid:2009284; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Lindau (linkbot) xor Decoder Shellcode"; flow:established; content:"|EB 15 B9|"; content:"|81 F1|"; distance:0; content:"|80 74 31 FF|"; distance:0; content:"|E2 F9 EB 05 E8 E6 FF FF FF|"; reference:url,doc.emergingthreats.net/2009248; classtype:shellcode-detect; sid:2009248; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Lindau (linkbot) xor Decoder Shellcode (UDP)"; content:"|EB 15 B9|"; content:"|81 F1|"; distance:0; content:"|80 74 31 FF|"; distance:0; content:"|E2 F9 EB 05 E8 E6 FF FF FF|"; reference:url,doc.emergingthreats.net/2009283; classtype:shellcode-detect; sid:2009283; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Adenau Shellcode"; flow:established; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009249; classtype:shellcode-detect; sid:2009249; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Adenau Shellcode (UDP)"; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009282; classtype:shellcode-detect; sid:2009282; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Mainz/Bielefeld Shellcode"; flow:established; content:"|33 c9 66 b9|"; content:"|80 34|"; distance:0; content:"|eb 05 e8 eb ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009250; classtype:shellcode-detect; sid:2009250; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Mainz/Bielefeld Shellcode (UDP)"; content:"|33 c9 66 b9|"; content:"|80 34|"; distance:0; content:"|eb 05 e8 eb ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009281; classtype:shellcode-detect; sid:2009281; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Wuerzburg Shellcode"; flow:established; content:"|eb 27|"; content:"|5d 33 c9 66 b9|"; distance:0; content:"|8d 75 05 8b fe 8a 06 3c|"; distance:0; content:"|75 05 46 8a 06|"; distance:0; content:"|88 07 47 e2 ed eb 0a e8 da ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009251; classtype:shellcode-detect; sid:2009251; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Wuerzburg Shellcode (UDP)"; content:"|eb 27|"; content:"|5d 33 c9 66 b9|"; distance:0; content:"|8d 75 05 8b fe 8a 06 3c|"; distance:0; content:"|75 05 46 8a 06|"; distance:0; content:"|88 07 47 e2 ed eb 0a e8 da ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009280; classtype:shellcode-detect; sid:2009280; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Schauenburg Shellcode"; flow:established; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009252; classtype:shellcode-detect; sid:2009252; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Schauenburg Shellcode (UDP)"; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009279; classtype:shellcode-detect; sid:2009279; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Koeln Shellcode"; flow:established; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009253; classtype:shellcode-detect; sid:2009253; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Koeln Shellcode (UDP)"; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009278; classtype:shellcode-detect; sid:2009278; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Lichtenfels Shellcode"; flow:established; content:"|01 fc ff ff 83 e4 fc 8b ec 33 c9 66 b9|"; content:"|80 30|"; distance:0; content:"|40 e2 fA|"; distance:0; reference:url,doc.emergingthreats.net/2009254; classtype:shellcode-detect; sid:2009254; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Lichtenfels Shellcode (UDP)"; content:"|01 fc ff ff 83 e4 fc 8b ec 33 c9 66 b9|"; content:"|80 30|"; distance:0; content:"|40 e2 fA|"; distance:0; reference:url,doc.emergingthreats.net/2009277; classtype:shellcode-detect; sid:2009277; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Mannheim Shellcode"; flow:established; content:"|80 73 0e|"; content:"|43 e2|"; distance:0; content:"|73 73 73|"; distance:0; content:"|81 86 8c 81|"; distance:0; reference:url,doc.emergingthreats.net/2009255; classtype:shellcode-detect; sid:2009255; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Mannheim Shellcode (UDP)"; content:"|80 73 0e|"; content:"|43 e2|"; distance:0; content:"|73 73 73|"; distance:0; content:"|81 86 8c 81|"; distance:0; reference:url,doc.emergingthreats.net/2009276; classtype:shellcode-detect; sid:2009276; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Berlin Shellcode"; flow:established; content:"|31 c9 b1 fc 80 73 0c|"; content:"|43 e2 8b 9f|"; distance:0; reference:url,doc.emergingthreats.net/2009256; classtype:shellcode-detect; sid:2009256; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Berlin Shellcode (UDP)"; content:"|31 c9 b1 fc 80 73 0c|"; content:"|43 e2 8b 9f|"; distance:0; reference:url,doc.emergingthreats.net/2009275; classtype:shellcode-detect; sid:2009275; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Leimbach Shellcode"; flow:established; content:"|5b 31 c9 b1|"; content:"|80 73|"; distance:0; content:"|43 e2|"; distance:0; reference:url,doc.emergingthreats.net/2009257; classtype:shellcode-detect; sid:2009257; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Leimbach Shellcode (UDP)"; content:"|5b 31 c9 b1|"; content:"|80 73|"; distance:0; content:"|43 e2|"; distance:0; reference:url,doc.emergingthreats.net/2009274; classtype:shellcode-detect; sid:2009274; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Aachen Shellcode"; flow:established; content:"|8b 45 04 35|"; content:"|89 45 04 66 8b 45 02 66 35|"; distance:0; content:"|66 89 45 02|"; distance:0; reference:url,doc.emergingthreats.net/2009258; classtype:shellcode-detect; sid:2009258; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Aachen Shellcode (UDP)"; content:"|8b 45 04 35|"; content:"|89 45 04 66 8b 45 02 66 35|"; distance:0; content:"|66 89 45 02|"; distance:0; reference:url,doc.emergingthreats.net/2009273; classtype:shellcode-detect; sid:2009273; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Furth Shellcode"; flow:established; content:"|31 c9 66 b9|"; content:"|80 73|"; distance:0; content:"|43 e2 1f|"; distance:0; reference:url,doc.emergingthreats.net/2009259; classtype:shellcode-detect; sid:2009259; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Furth Shellcode (UDP)"; content:"|31 c9 66 b9|"; content:"|80 73|"; distance:0; content:"|43 e2 1f|"; distance:0; reference:url,doc.emergingthreats.net/2009272; classtype:shellcode-detect; sid:2009272; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Langenfeld Shellcode"; flow:established; content:"|eb 0f 5b 33 c9 66 b9|"; content:"|80 33|"; distance:0; content:"|43 e2 fa eb|"; distance:0; reference:url,doc.emergingthreats.net/2009260; classtype:shellcode-detect; sid:2009260; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Langenfeld Shellcode (UDP)"; content:"|eb 0f 5b 33 c9 66 b9|"; content:"|80 33|"; distance:0; content:"|43 e2 fa eb|"; distance:0; reference:url,doc.emergingthreats.net/2009271; classtype:shellcode-detect; sid:2009271; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Bonn Shellcode"; flow:established; content:"|31 c9 81 e9|"; content:"|83 eb|"; distance:0; content:"|80 73|"; distance:0; content:"|43 e2 f9|"; distance:0; reference:url,doc.emergingthreats.net/2009261; classtype:shellcode-detect; sid:2009261; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Bonn Shellcode (UDP)"; content:"|31 c9 81 e9|"; content:"|83 eb|"; distance:0; content:"|80 73|"; distance:0; content:"|43 e2 f9|"; distance:0; reference:url,doc.emergingthreats.net/2009270; classtype:shellcode-detect; sid:2009270; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Siegburg Shellcode"; flow:established; content:"|31 eb 80 eb|"; content:"|58 80 30|"; distance:0; content:"|40 81 38|"; distance:0; reference:url,doc.emergingthreats.net/2009262; classtype:shellcode-detect; sid:2009262; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Siegburg Shellcode (UDP)"; content:"|31 eb 80 eb|"; content:"|58 80 30|"; distance:0; content:"|40 81 38|"; distance:0; reference:url,doc.emergingthreats.net/2009269; classtype:shellcode-detect; sid:2009269; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Plain1 Shellcode"; flow:established; content:"|89 e1 cd|"; content:"|5b 5d 52 66 bd|"; distance:0; content:"|0f cd 09 dd 55 6a|"; distance:0; content:"|51 50|"; distance:0; reference:url,doc.emergingthreats.net/2009263; classtype:shellcode-detect; sid:2009263; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Plain1 Shellcode (UDP)"; content:"|89 e1 cd|"; content:"|5b 5d 52 66 bd|"; distance:0; content:"|0f cd 09 dd 55 6a|"; distance:0; content:"|51 50|"; distance:0; reference:url,doc.emergingthreats.net/2009268; classtype:shellcode-detect; sid:2009268; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Plain2 Shellcode"; flow:established; content:"|50 50 50 50 40 50 40 50 ff 56 1c 8b d8 57 57 68 02|"; content:"|8b cc 6a|"; distance:0; content:"|51 53|"; distance:0; reference:url,doc.emergingthreats.net/2009264; classtype:shellcode-detect; sid:2009264; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Plain2 Shellcode (UDP)"; content:"|50 50 50 50 40 50 40 50 ff 56 1c 8b d8 57 57 68 02|"; content:"|8b cc 6a|"; distance:0; content:"|51 53|"; distance:0; reference:url,doc.emergingthreats.net/2009267; classtype:shellcode-detect; sid:2009267; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp any any -> any any (msg:"ET SHELLCODE Bindshell1 Decoder Shellcode"; flow:established; content:"|58 99 89 E1 CD 80 96 43 52 66 68|"; content:"|66 53 89 E1 6A 66 58 50 51 56|"; distance:0; reference:url,doc.emergingthreats.net/2009265; classtype:shellcode-detect; sid:2009265; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert udp any any -> any any (msg:"ET SHELLCODE Bindshell1 Decoder Shellcode (UDP)"; content:"|58 99 89 E1 CD 80 96 43 52 66 68|"; content:"|66 53 89 E1 6A 66 58 50 51 56|"; distance:0; reference:url,doc.emergingthreats.net/2009266; classtype:shellcode-detect; sid:2009266; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-8 encoded Shellcode Detected"; flow:from_server,established; content:"%u"; nocase; isdataat:2; content:!"|0A|"; within:2; content:!"|20|"; within:2; pcre:"/(%U([0-9a-f]{2})){6}/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2003173; classtype:trojan-activity; sid:2003173; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 encoded Shellcode Detected"; flow:from_server,established; content:"%u"; nocase; isdataat:4; content:!"|0A|"; within:4; content:!"|20|"; within:4; pcre:"/(%U([0-9a-f]{4})){6}/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2003174; classtype:trojan-activity; sid:2003174; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 PexFnstenvMov/Sub Encoder"; flow:established; content:"|D9 EE D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance: 4; within: 5; reference:url,doc.emergingthreats.net/bin/view/Main/2002903; classtype:shellcode-detect; sid:2002903; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 Alpha2 GetEIPs Encoder"; flow:established; content:"|EB 03 59 EB 05 E8 F8 FF FF FF|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002904; classtype:shellcode-detect; sid:2002904; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 Countdown Encoder"; flow:established; content:"|E8 FF FF FF FF C1 5E 30 4C 0E 07 E2 FA|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002905; classtype:shellcode-detect; sid:2002905; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 PexAlphaNum Encoder"; flow:established; content:"VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089"; content:"JJJJJ"; distance: 2; within: 5; content:"VTX630VX4A0B6HH0B30BCVX2BDBH4A2AD0ADTBDQB0ADAVX4Z8BDJOM"; distance: 2; within: 55; reference:url,doc.emergingthreats.net/bin/view/Main/2002906; classtype:shellcode-detect; sid:2002906; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE x86 PexCall Encoder"; flow:established; content:"|E8 FF FF FF FF C0 5E 81 76 0E|"; content:"|82 EE FC E2 F4|"; distance: 4; within: 5; reference:url,doc.emergingthreats.net/bin/view/Main/2002907; classtype:shellcode-detect; sid:2002907; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE x86 JmpCallAdditive Encoder"; flow:established; content:"|FC BB|"; content:"|EB 0C 5E 56 31 1E AD 01 C3 85 C0 75 F7 C3 E8 EF FF FF FF|"; distance: 4; within: 19; reference:url,doc.emergingthreats.net/bin/view/Main/2002908; classtype:shellcode-detect; sid:2002908; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell"; content:"|83 e9 ec d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010383; classtype:shellcode-detect; sid:2010383; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 2)"; content:"|82 ed 5f 4c 5d 52 43 78 03 d9 95 8f 84 49 4a 48 71 74 45 d3|"; reference:url,doc.emergingthreats.net/2010385; classtype:shellcode-detect; sid:2010385; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 3)"; content:"|9f 90 4b ef a3 76 76 74 97 36 e4 aa bc 46 2f 77 45 6a 69 63|"; reference:url,doc.emergingthreats.net/2010386; classtype:shellcode-detect; sid:2010386; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 4)"; content:"|64 65 f8 b6 7e 41 cc 6a 53 13 12 4d 57 28 6e 20 2a 2a cc a5|"; reference:url,doc.emergingthreats.net/2010387; classtype:shellcode-detect; sid:2010387; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 5)"; content:"|17 1c 1a 19 fb 77 80 ce|"; reference:url,doc.emergingthreats.net/2010388; classtype:shellcode-detect; sid:2010388; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Encoded 1)"; content:"|c9 83 e9 ec e8 ff ff ff ff c0 5e 81 76 0e|"; reference:url,doc.emergingthreats.net/2010389; classtype:shellcode-detect; sid:2010389; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Encoded 2)"; content:"|83 ee fc e2 f4|"; reference:url,doc.emergingthreats.net/2010390; classtype:shellcode-detect; sid:2010390; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 1)"; content:"|6a 61 58 99 52 68 10 02|"; reference:url,doc.emergingthreats.net/2010391; classtype:shellcode-detect; sid:2010391; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 2)"; content:"|89 e1 52 42 52 42 52 6a 10 cd 80 99 93 51 53 52 6a 68 58 cd|"; reference:url,doc.emergingthreats.net/2010392; classtype:shellcode-detect; sid:2010392; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 3)"; content:"|80 b0 6a cd 80 52 53 52 b0 1e cd 80 97 6a 02 59 6a 5a 58 51|"; reference:url,doc.emergingthreats.net/2010393; classtype:shellcode-detect; sid:2010393; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 4)"; content:"|57 51 cd 80 49 79 f5 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3|"; reference:url,doc.emergingthreats.net/2010394; classtype:shellcode-detect; sid:2010394; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 5)"; content:"|50 54 53 53 b0 3b cd 80|"; reference:url,doc.emergingthreats.net/2010395; classtype:shellcode-detect; sid:2010395; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 1)"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 4f 49 49 49 49 49 49 51 5a 56|"; reference:url,doc.emergingthreats.net/2010396; classtype:shellcode-detect; sid:2010396; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 2)"; content:"|54 58 36 33 30 56 58 34 41 30 42 36 48 48 30 42 33 30 42 43|"; reference:url,doc.emergingthreats.net/2010397; classtype:shellcode-detect; sid:2010397; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 3)"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54 42 44 51 42|"; reference:url,doc.emergingthreats.net/2010398; classtype:shellcode-detect; sid:2010398; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 4)"; content:"|30 41 44 41 56 58 34 5a 38 42 44 4a 4f 4d 4c 36 41|"; reference:url,doc.emergingthreats.net/2010399; classtype:shellcode-detect; sid:2010399; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 5)"; content:"|41 4e 44 35 44 34 44|"; reference:url,doc.emergingthreats.net/2010400; classtype:shellcode-detect; sid:2010400; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 1)"; content:"|6a 14 59 d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010401; classtype:shellcode-detect; sid:2010401; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 2)"; content:"|83 eb fc e2 f4|"; reference:url,doc.emergingthreats.net/2010402; classtype:shellcode-detect; sid:2010402; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (JmpCallAdditive Encoded)"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff ff ff|"; reference:url,doc.emergingthreats.net/2010403; classtype:shellcode-detect; sid:2010403; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 1)"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 49 49 49 49 49 49 49 49 49 49|"; reference:url,doc.emergingthreats.net/2010404; classtype:shellcode-detect; sid:2010404; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 2)"; content:"|41 42 32 42 41 32 41 41 30 41 41 58|"; reference:url,doc.emergingthreats.net/2010405; classtype:shellcode-detect; sid:2010405; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 3)"; content:"|49 72 4e 4e 69 6b 53|"; reference:url,doc.emergingthreats.net/2010406; classtype:shellcode-detect; sid:2010406; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 1)"; content:"|c9 83 e9 ef d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010407; classtype:shellcode-detect; sid:2010407; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 1)"; content:"|6a 43 59 e8 ff ff ff ff c1 5e 30 4c 0e 07 e2 fa 6b 63 5b 9d|"; reference:url,doc.emergingthreats.net/2010409; classtype:shellcode-detect; sid:2010409; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 2)"; content:"|9f f6 72 09 4b 4b 4d 8a 74 7d 78 ec a2 49 26 7c 96 7d 79 7e|"; reference:url,doc.emergingthreats.net/2010410; classtype:shellcode-detect; sid:2010410; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 3)"; content:"|7b e6 ac 64 57 d9 60 59 1d 1c 47 5d 5e 18 5a 50 54 b2 df 6d|"; reference:url,doc.emergingthreats.net/2010411; classtype:shellcode-detect; sid:2010411; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 4)"; content:"|57 44 55 4a 5b 62|"; reference:url,doc.emergingthreats.net/2010412; classtype:shellcode-detect; sid:2010412; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Encoded 1)"; content:"|c9 83 e9 ef e8 ff ff ff ff c0 5e 81 76 0e|"; reference:url,doc.emergingthreats.net/2010413; classtype:shellcode-detect; sid:2010413; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Encoded 2)"; content:"|83 ee fc e2 f4|"; reference:url,doc.emergingthreats.net/2010414; classtype:shellcode-detect; sid:2010414; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 1)"; content:"|51 cd 80 49 79 f6 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 50|"; reference:url,doc.emergingthreats.net/2010415; classtype:shellcode-detect; sid:2010415; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 2)"; content:"|6a 61 58 99 52 42 52 42 52 68|"; reference:url,doc.emergingthreats.net/2010416; classtype:shellcode-detect; sid:2010416; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 3)"; content:"|89 e1 6a 10 51 50 51 97 6a 62 58 cd 80 6a 02 59 b0 5a 51 57|"; reference:url,doc.emergingthreats.net/2010417; classtype:shellcode-detect; sid:2010417; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 1)"; content:"|44 32 4d 4c 42 48 4a 46 42 31 44 50 50 41 4e 4f 49 38 41 4e|"; reference:url,doc.emergingthreats.net/2010418; classtype:shellcode-detect; sid:2010418; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 2)"; content:"|4c 36 42 41 41 35 42 45 41 35 47 59 4c 36 44 56 4a 35 4d 4c|"; reference:url,doc.emergingthreats.net/2010419; classtype:shellcode-detect; sid:2010419; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 3)"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54 42 44 51 42|"; reference:url,doc.emergingthreats.net/2010420; classtype:shellcode-detect; sid:2010420; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 1)"; content:"|6a 11 59 d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010421; classtype:shellcode-detect; sid:2010421; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (JmpCallAdditive Encoded 1)"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff ff ff|"; reference:url,doc.emergingthreats.net/2010423; classtype:shellcode-detect; sid:2010423; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 1)"; content:"|49 49 49 49 49 49 49 51 5a 6a|"; reference:url,doc.emergingthreats.net/2010424; classtype:shellcode-detect; sid:2010424; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 2)"; content:"|58 50 30 42 31 41 42 6b 42 41|"; reference:url,doc.emergingthreats.net/2010425; classtype:shellcode-detect; sid:2010425; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 3)"; content:"|32 41 41 30 41 41 58 50 38 42 42 75|"; reference:url,doc.emergingthreats.net/2010426; classtype:shellcode-detect; sid:2010426; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (SPARC Encoded 1)"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03 e0 20 aa 9d 40 11|"; reference:url,doc.emergingthreats.net/2010427; classtype:shellcode-detect; sid:2010427; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (SPARC Encoded 2)"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff fb 9e 03 e0 04|"; reference:url,doc.emergingthreats.net/2010428; classtype:shellcode-detect; sid:2010428; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 1)"; content:"|e0 23 bf f0 c0 23 bf f4 92 23 a0 10 94 10 20 10 82 10 20 68|"; reference:url,doc.emergingthreats.net/2010429; classtype:shellcode-detect; sid:2010429; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 2)"; content:"|91 d0 20 08 d0 03 bf f8 92 10 20 01 82 10 20 6a 91 d0 20 08|"; reference:url,doc.emergingthreats.net/2010430; classtype:shellcode-detect; sid:2010430; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 3)"; content:"|d0 03 bf f8 92 1a 40 09 94 12 40 09 82 10 20 1e 91 d0 20 08|"; reference:url,doc.emergingthreats.net/2010431; classtype:shellcode-detect; sid:2010431; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 4)"; content:"|23 0b dc da 90 23 a0 10 92 23 a0 08 e0 3b bf f0 d0 23 bf f8|"; reference:url,doc.emergingthreats.net/2010432; classtype:shellcode-detect; sid:2010432; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 1)"; content:"|9c 2b a0 07 94 1a c0 0b 92 10 20 01 90 10 20 02 82 10 20 61|"; reference:url,doc.emergingthreats.net/2010433; classtype:shellcode-detect; sid:2010433; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 2)"; content:"|91 d0 20 08 d0 23 bf f8 92 10 20 03 92 a2 60 01 82 10 20 5a|"; reference:url,doc.emergingthreats.net/2010434; classtype:shellcode-detect; sid:2010434; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 3)"; content:"|91 d0 20 08 12 bf ff fd d0 03 bf f8 21 3f c0|"; reference:url,doc.emergingthreats.net/2010437; classtype:shellcode-detect; sid:2010437; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 1)"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03 e0 20 aa 9d 40 11|"; reference:url,doc.emergingthreats.net/2010435; classtype:shellcode-detect; sid:2010435; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 2)"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff fb 9e 03 e0 04|"; reference:url,doc.emergingthreats.net/2010436; classtype:shellcode-detect; sid:2010436; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE AIX NOOP"; content:"O|FF FB 82|O|FF FB 82|O|FF FB 82|O|FF FB 82|"; classtype:shellcode-detect; sid:2100640; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|"; reference:arachnids,352; classtype:shellcode-detect; sid:2100641; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|"; reference:arachnids,358; classtype:shellcode-detect; sid:2100642; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|"; reference:arachnids,359; classtype:shellcode-detect; sid:2100643; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; reference:arachnids,343; classtype:shellcode-detect; sid:2100652; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%"; reference:arachnids,356; classtype:shellcode-detect; sid:2100638; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4"; reference:arachnids,357; classtype:shellcode-detect; sid:2100639; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|"; reference:arachnids,345; classtype:shellcode-detect; sid:2100644; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|"; reference:arachnids,353; classtype:shellcode-detect; sid:2100645; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|"; reference:arachnids,355; classtype:shellcode-detect; sid:2100646; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc setuid 0"; content:"|82 10| |17 91 D0| |08|"; reference:arachnids,282; classtype:system-call-detect; sid:2100647; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x71FB7BAB NOOP unicode"; content:"q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|"; classtype:shellcode-detect; sid:2102313; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x71FB7BAB NOOP"; content:"q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|"; classtype:shellcode-detect; sid:2102312; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x90 NOOP unicode"; content:"|90 00 90 00 90 00 90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2102314; rev:4; metadata:created_at 2010_09_23, updated_at 2016_09_09;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x90 unicode NOOP"; content:"|90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2100653; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0xEB0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; fast_pattern:only; classtype:shellcode-detect; sid:2101424; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; reference:arachnids,181; classtype:shellcode-detect; sid:2100648; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; metadata: former_category SHELLCODE; classtype:shellcode-detect; sid:2101390; rev:6; metadata:created_at 2010_09_23, updated_at 2017_09_08;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|"; reference:arachnids,284; classtype:system-call-detect; sid:2100649; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|"; reference:arachnids,436; classtype:system-call-detect; sid:2100650; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 stealth NOOP"; content:"|EB 02 EB 02 EB 02|"; metadata: former_category SHELLCODE; reference:arachnids,291; classtype:shellcode-detect; sid:2100651; rev:9; metadata:created_at 2010_09_23, updated_at 2017_09_08;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101324; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101326; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SHELLCODE MSSQL shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; fast_pattern:only; classtype:shellcode-detect; sid:2100691; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape %u Shellcode/Heap Spray"; flow:established,to_client; content:"unescape"; nocase; content:"%u"; nocase; distance:0; content:"%u"; nocase; within:6; pcre:"/unescape.+\x25u[0-9,a-f]{2,4}\x25u[0-9,a-f]{2,4}/smi"; reference:url,www.w3schools.com/jsref/jsref_unescape.asp; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,malzilla.sourceforge.net/tutorial01/index.html; reference:url,doc.emergingthreats.net/2011346; classtype:shellcode-detect; sid:2011346; rev:7; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected"; flow:established; content:"|EB|"; byte_jump:1,0,relative; content:"|E8|"; within:1; content:"|FF FF FF|"; distance:1; within:3; content:!"MZ"; content:!"This program cannot be run in DOS mode"; content:!"Windows Program"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2011803; rev:5; metadata:created_at 2010_10_12, updated_at 2010_10_12;)
#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UDP x86 JMP to CALL Shellcode Detected"; content:"|EB|"; byte_jump:1,0,relative; content:"|E8|"; within:1; content:"|FF FF FF|"; distance:1; within:3; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2011804; rev:2; metadata:created_at 2010_10_12, updated_at 2010_10_12;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 58|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012087; rev:2; metadata:created_at 2010_12_23, updated_at 2010_12_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 8F|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012088; rev:3; metadata:created_at 2010_12_23, updated_at 2016_09_16;)
#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 8F|"; fast_pattern:only; metadata: former_category SHELLCODE; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012089; rev:2; metadata:created_at 2010_12_23, updated_at 2017_09_08;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 0F 1A|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012090; rev:2; metadata:created_at 2010_12_23, updated_at 2010_12_23;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 0F 1A|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012091; rev:3; metadata:created_at 2010_12_23, updated_at 2010_12_23;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 0F A9|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012092; rev:2; metadata:created_at 2010_12_23, updated_at 2010_12_23;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 0F A9|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012093; rev:3; metadata:created_at 2010_12_23, updated_at 2010_12_23;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-8 %u90 NOP SLED"; flow:established,to_client; content:"%u90%u90"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012110; rev:3; metadata:created_at 2011_12_28, updated_at 2011_12_28;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 %u9090 NOP SLED"; flow:established,to_client; content:"%u9090%u"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012111; rev:4; metadata:created_at 2011_12_28, updated_at 2011_12_28;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Encoded %90 NOP SLED"; flow:established,to_client; content:"%90%90%90%90"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012112; rev:4; metadata:created_at 2011_12_28, updated_at 2011_12_28;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Usage of Actionscript ByteArray writeByte Function to Build Shellcode"; flow:established,to_client; content:"writeByte(0x"; nocase; pcre:"/writeByte\x280x[a-z,0-9]{2}.+writeByte\x280x[a-z,0-9]{2}.+writeByte\x280x[a-z,0-9]{2}/smi"; reference:url,blog.fireeye.com/research/2009/07/actionscript_heap_spray.html; classtype:shellcode-detect; sid:2012120; rev:2; metadata:created_at 2011_12_30, updated_at 2011_12_30;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation"; flow:established,to_client; content:"unescape|28 22|"; content:!"|29|"; within:100; content:"|22| +|0a|"; within:80; content:"|22| +|0a|"; within:80; content:"|22| "; within:80; content:"|22| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012196; rev:3; metadata:created_at 2011_01_17, updated_at 2011_01_17;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation 2"; flow:established,to_client; content:"unescape|28 27|"; content:!"|29|"; within:100; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012197; rev:4; metadata:created_at 2011_01_17, updated_at 2011_01_17;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common 0a0a0a0a Heap Spray String"; flow:established,to_client; content:"0a0a0a0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012252; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %0a%0a%0a%0a Heap Spray String"; flow:established,to_client; content:"%0a%0a%0a%0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012253; rev:2; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a0a%u0a0a UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0a0a%u0a0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012254; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a%u0a%u0a%u0a UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0a%u0a%u0a%u0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012255; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common 0c0c0c0c Heap Spray String"; flow:established,to_client; content:"0c0c0c0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012256; rev:2; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String"; flow:established,to_client; content:"%0c%0c%0c%0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012257; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c0c%u0c0c UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0c0c%u0c0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012258; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c%u0c%u0c%u0c UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0c%u0c%u0c%u0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012259; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE UTF-8/16 Encoded Shellcode"; flow:established,to_client; content:"|5C|u"; nocase; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; pcre:"/\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}/i"; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012510; rev:2; metadata:created_at 2011_03_16, updated_at 2011_03_16;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Variable %u Shellcode"; flow:established,to_client; content:"= unescape|28|"; nocase; content:"%u"; nocase; within:3; content:"%u"; nocase; within:6; pcre:"/var\x20[a-z,0-9]{1,30}\x20\x3D\x20unescape\x28.\x25u[a-f,0-9]{2,4}\x25u[a-f,0-9]{2,4}/i"; reference:url,www.symantec.com/avcenter/reference/evolving.shell.code.pdf; classtype:shellcode-detect; sid:2012534; rev:2; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Variable Unicode Shellcode"; flow:established,to_client; content:"= unescape|28|"; nocase; content:"|5C|u"; nocase; within:3; content:"|5C|u"; nocase; within:6; pcre:"/var\x20[a-z,0-9]{1,30}\x20\x3D\x20unescape\x28.\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}/i"; reference:url,www.symantec.com/avcenter/reference/evolving.shell.code.pdf; classtype:shellcode-detect; sid:2012535; rev:2; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Javascript Split String Unicode Heap Spray Attempt"; flow:established,to_client; content:"|22|u|22 20|+|20 22|0|22 20|+|20 22|"; content:"|22 20|+|20 22|"; distance:1; within:5; pcre:"/\x220\x22\x20\x2B\x20\x22[a-d]\x22\x20\x2B\x20\x22/smi"; classtype:shellcode-detect; sid:2012925; rev:2; metadata:created_at 2011_06_02, updated_at 2011_06_02;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0a0a0a0a Heap Spray Attempt"; flow:established,to_client; content:"0x0a0a0a0a"; nocase; classtype:shellcode-detect; sid:2012962; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0b0b0b0b Heap Spray Attempt"; flow:established,to_client; content:"0x0b0b0b0b"; nocase; classtype:shellcode-detect; sid:2012963; rev:2; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0c0c0c0c Heap Spray Attempt"; flow:established,to_client; content:"0x0c0c0c0c"; nocase; classtype:shellcode-detect; sid:2012964; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0d0d0d0d Heap Spray Attempt"; flow:established,to_client; content:"0x0d0d0d0d"; nocase; classtype:shellcode-detect; sid:2012965; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %0d%0d%0d%0d Heap Spray Attempt"; flow:established,to_client; content:"%0d%0d%0d%0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012966; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u0d%u0d%u0d%u0d UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"%u0d%u0d%u0d%u0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012967; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u0d0d%u0d0d UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"%u0d0d%u0d0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012968; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Vertical Slash Unicode Heap Spray Attempt"; flow:established,to_client; content:"|7C|u0"; nocase; content:"|7C|u0"; distance:1; within:4; pcre:"/\x7Cu0[a-d](\x7Cu0|0)[a-d]/\x7Cu0[a-d](\x7Cu0|0)[a-d]/i"; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012969; rev:2; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Unicode Heap Spray Attempt"; flow:established,to_client; content:"|5C|u0"; nocase; content:"|5C|u0"; distance:1; within:4; pcre:"/\x5Cu0[a-d](\x5Cu0|0)[a-d]/\x5Cu0[a-d](\x5Cu0|0)[a-d]/i"; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012970; rev:2; metadata:created_at 2011_06_08, updated_at 2011_06_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt"; flow:established,to_client; content:"%41%41%41%41"; fast_pattern:only; classtype:shellcode-detect; sid:2013145; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u41%u41%u41%u41 UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"%u41%u41%u41%u41"; nocase; fast_pattern:only; classtype:shellcode-detect; sid:2013146; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u4141%u4141 UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"%u4141%u4141"; nocase; fast_pattern:only; classtype:shellcode-detect; sid:2013147; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE JavaScript Redefinition of a HeapLib Object - Likely Malicious Heap Spray Attempt"; flow:established,to_client; content:"heap|2E|"; nocase; fast_pattern:only; pcre:"/var\x20[^\n\r]*\x3D[^\n\r]*heap\x2E/smi"; classtype:shellcode-detect; sid:2013148; rev:3; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; file_data; content:"|5C|x0b|5C|x0b|5C|x0b|5C|x0b"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013268; rev:4; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C|x0c|5C|x0c|5C|x0c|5C|x0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013269; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C|x0d|5C|x0d|5C|x0d|5C|x0d"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013270; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C|x90|5C|x90|5C|x90|5C|x90"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013271; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Hex Obfuscated Content"; flow:established,to_client; content:"unescape|28|"; fast_pattern; content:"|5C|x"; distance:1; within:2; content:"|5C|x"; distance:2; within:2; content:"|5C|x"; distance:2; within:2; content:"|5C|x"; distance:2; within:2; pcre:"/unescape\x28(\x22|\x27)\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}/smi"; classtype:shellcode-detect; sid:2013272; rev:3; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C|x41|5C|x41|5C|x41|5C|x41"; nocase; fast_pattern:only; metadata: former_category SHELLCODE; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013273; rev:2; metadata:created_at 2011_07_14, updated_at 2017_09_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0a0a0a0a"; flow:established,to_client; content:"|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013274; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; content:"|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013275; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013276; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013277; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C 5C|x90|5C 5C|x90|5C 5C|x90|5C 5C|x90"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013278; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C 5C|x41|5C 5C|x41|5C 5C|x41|5C 5C|x41"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013279; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unicode UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"u0"; nocase; content:"u0"; nocase; distance:1; within:2; content:"u0"; nocase; distance:1; within:2; content:"u0"; nocase; distance:1; within:2; pcre:"/u0[a-d]u0[a-d]u0[a-d]u0[a-d]/smi"; classtype:shellcode-detect; sid:2013319; rev:2; metadata:created_at 2011_07_27, updated_at 2011_07_27;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unicode UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"u0"; nocase; content:"u0"; nocase; distance:3; within:2; pcre:"/u0[a-d]0[a-d]u0[a-d]0[a-d]/smi"; classtype:shellcode-detect; sid:2013320; rev:2; metadata:created_at 2011_07_27, updated_at 2011_07_27;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-8 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c|5C|0c"; nocase; distance:0; classtype:bad-unknown; sid:2016714; rev:2; metadata:created_at 2013_04_03, updated_at 2013_04_03;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-16 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c0c"; nocase; distance:0; metadata: former_category SHELLCODE; classtype:bad-unknown; sid:2016715; rev:2; metadata:created_at 2013_04_03, updated_at 2017_09_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 u9090 NOP SLED"; file_data; flow:established,to_client; content:"|5c|u9090|5c|"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2017345; rev:4; metadata:created_at 2013_08_19, updated_at 2013_08_19;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Polymorphic Flush IPTables Shellcode"; content:"|6a 52 58 99 52 66 68 2d 46 54 5b 52 48 b9 69 70 74 61 62 6c 65 73 51 d0 e0 28 c8 48 b9 2f 2f 73 62 69 6e 2f 2f 51 54 5f 52 53 57 54 5e 0f 05|"; fast_pattern:only; metadata: former_category SHELLCODE; reference:url,a41l4.blogspot.ca/2017/03/polyflushiptables1434.html; classtype:shellcode-detect; sid:2024057; rev:1; metadata:affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Critical, created_at 2017_03_15, performance_impact Low, updated_at 2017_03_15;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Polymorphic Setuid(0) & Execve(/bin/sh) Shellcode"; content:"|31 ff 57 6a 69 58 48 bb 5e c4 d2 dc 5e 5e e6 d0 0f 05 48 d1 cb b0 3b 53 87 f7 54 99 5f 0f 05|"; fast_pattern:only; metadata: former_category SHELLCODE; reference:url,a41l4.blogspot.ca/2017/03/polysetuidexecve1434.html; classtype:shellcode-detect; sid:2024058; rev:1; metadata:affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Critical, created_at 2017_03_15, performance_impact Low, updated_at 2017_03_15;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Reverse Shell Shellcode"; content:"|6a 02 6a 2a 6a 10 6a 29 6a 01 6a 02|"; content:"|48 bf 2f 2f 62 69 6e 2f 73 68|"; fast_pattern:only; metadata: former_category SHELLCODE; reference:url,exploit-db.com/exploits/41477/; classtype:shellcode-detect; sid:2024065; rev:1; metadata:affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Critical, created_at 2017_03_16, performance_impact Low, updated_at 2017_03_16;)
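Review bot: the pcre in sids 2012969 and 2012970 (the Vertical Slash and Backslash Unicode Heap Spray rules) contains an unescaped / between the two u0[a-d] groups; the rule parser splits the pattern at the last slash, so that inner slash becomes a literal inside the regex and the pcre only matches when a / character separates the two tokens, which is far narrower than the surrounding content/distance/within checks suggest and looks like an upstream typo. Confirm it is intended, or carry a corrected revision, and validate the file with suricata -T before it is loaded. Separately, the most recent updated_at in this hunk is 2017_03_16, so record where and when this snapshot was taken (or manage it through suricata-update) so the vendored rules can be refreshed rather than frozen in the repo.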


@ -0,0 +1,447 @@
# Emerging Threats
#
# This distribution may contain rules under two different licenses.
#
# Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
# A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
# Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License
# as follows:
#
#*************************************************************
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
#
#
#
# This Ruleset is EmergingThreats Open optimized for suricata-1.3-enhanced.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Command and Control Communication"; flow:established,to_server; content:"POST"; http_method; content:"/getAdXml.do"; http_uri; nocase; content:"params="; nocase; reference:url,www.isc.sans.org/diary.html?storyid=10186; classtype:trojan-activity; sid:2012140; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_01_05, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 1"; flow:established,to_server; content:"/push/androidxml/"; http_uri; nocase; content:"sim="; http_uri; nocase; content:"tel="; http_uri; nocase; content:"imsi="; http_uri; content:"pid="; http_uri; nocase; reference:url,virus.netqin.com/en/android/MSO.PJApps.A; classtype:trojan-activity; sid:2012451; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 9033 (msg:"ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 2"; flow:established,to_server; content:".log"; http_uri; nocase; content:"id="; http_uri; nocase; content:"softid="; http_uri; nocase; reference:url,virus.netqin.com/en/android/MSO.PJApps.A/; classtype:trojan-activity; sid:2012452; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan DroidDream Command and Control Communication"; flow:established,to_server; content:"POST"; http_method; content:"/GMServer/GMServlet"; nocase; http_uri; content:"|0d 0a|User-Agent|3a| Dalvik"; http_header; reference:url,blog.mylookout.com/2011/03/security-alert-malware-found-in-official-android-market-droiddream/; classtype:trojan-activity; sid:2012453; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Fake10086 checkin 1"; flow:established,to_server; content:"POST"; http_method; content:"request"; http_uri; nocase; content:".php"; http_uri; nocase; content:"<imei>"; content:"<smscenter>"; content:"<installtime>"; reference:url,blog.aegislab.com/index.php?op=ViewArticle&articleId=81&blogId=1; classtype:trojan-activity; sid:2012454; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Fake10086 checkin 2"; flow:established,to_server; content:"req.php"; nocase; http_uri; content:"pid="; http_uri; nocase; content:"ver="; http_uri; nocase; content:"area="; http_uri; nocase; content:"insttime="; http_uri; nocase; content:"first="; http_uri; nocase; reference:url,blog.aegislab.com/index.php?op=ViewArticle&articleId=81&blogId=1; classtype:trojan-activity; sid:2012455; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D StartUpdata.ini Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/"; nocase; http_uri; content:"StartUpdata.ini"; nocase; http_uri; within:30; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012782; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D BackgroundUpdata.ini Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/BackgroundUpdata.ini"; http_uri; nocase; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012783; rev:3; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D active.txt Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/"; http_uri; nocase; content:"active.txt"; nocase; http_uri; within:30; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012784; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.B/E CnC Checkin Request"; flow:established,to_server; content:"/Kernel.jsp?Version="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012844; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request"; flow:established,to_server; content:"/bs?Version="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012845; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request 2"; flow:established,to_server; content:"/number/?PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012846; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.F CnC Checkin Request 3"; flow:established,to_server; content:".jsp?PhoneType="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012847; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URI"; flow:established,to_server; content:"POST"; http_method; content:"imei="; nocase; http_uri; pcre:"/imei=\d{2}-?\d{6}-?\d{6,}-?\d{1,}/Ui"; content:!"Host|3a 20|iphone-wu.apple.com"; http_header; reference:url,www.met.police.uk/mobilephone/imei.htm; classtype:trojan-activity; sid:2012848; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Flexispy.a Commercial Spying App Sending User Information to Server"; flow:established,to_server; content:"Host|3a| mobile.flexispy.com"; http_header; content:"/service"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_flexispy.a!tr.spy.html; classtype:trojan-activity; sid:2012850; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I PropertyFile.jsp CnC Server Communication"; flow:established,to_server; content:"/PropertyFile.jsp?Version="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:trojan-activity; sid:2012851; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I TipFile.jsp CnC Server Communication"; flow:established,to_server; content:"TipFile.jsp"; http_uri; content:"&LanguageCode="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"&PhoneImsi="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:trojan-activity; sid:2012852; rev:4; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I NumberFile.jsp CnC Server Communication"; flow:established,to_server; content:"NumberFile.jsp?Version="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"&PhoneImsi="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:trojan-activity; sid:2012853; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Merogo User Agent"; flow:established,to_server; content:"User-Agent|3A| LiveUpdater 1.0"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_merogo.b!tr.html; classtype:trojan-activity; sid:2012854; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Geographic Location Logs To Remote Server"; flow:established,to_server; content:"/webapi/gpslog.php"; nocase; http_uri; content:"&long="; nocase; http_uri; content:"&lat="; nocase; http_uri; content:"&speed="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012855; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Call Logs to Remote Server"; flow:established,to_server; content:"/webapi/calllog.php"; http_uri; content:"&date="; http_uri; content:"&time="; http_uri; content:"&from="; http_uri; content:"&dur="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012856; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending SMS Logs to Remote Server"; flow:established,to_server; content:"/webapi/sms.php"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012857; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server"; flow:established,to_server; content:"/HiShowServlet/servlet"; http_uri; pcre:"/\x2FHiShowServlet\x2Fservlet.+(InstalNum|UserActivation)/Ui"; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012858; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server"; flow:established,to_server; content:"/cot?ID="; http_uri; content:"&DLType="; http_uri; content:"&SD="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012859; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a User Agent LARK/1.3.0"; flow:established,to_server; content:"User-Agent|3A| LARK/"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012861; rev:4; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"/billwebsvr.dll?Buy?user="; http_uri; content:"&key="; http_uri; content:"&channel="; http_uri; content:"&corp="; http_uri; content:"&product="; http_uri; content:"&phone="; http_uri; content:"&private="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012862; rev:4; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"?id="; http_uri; content:"&time="; http_uri; content:"&imei="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012863; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"sender="; http_uri; content:"&cpId="; http_uri; content:"&cpServiceId="; http_uri; content:"&channelId="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012864; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/SuperFairy.D Bookmarked Connection to Server"; flow:established,to_server; content:"jiao.com"; http_header; fast_pattern; content:"/?id=book22"; nocase; http_uri; pcre:"/Host\x3A[^\n\r]*jiao.com/Hi"; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012904; rev:2; metadata:created_at 2011_05_31, updated_at 2011_05_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Smspacem CnC Communication Attempt"; flow:established,to_server; content:"/talktome.asmx"; nocase; http_uri; content:"cell"; http_client_body; nocase; content:"opname"; nocase; distance:0; http_client_body; reference:url,www.fortiguard.com/encyclopedia/virus/android_smspacem.a!tr.html; classtype:trojan-activity; sid:2012924; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_02, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Iphone iKee.B Checkin"; flow:established,to_server; content:"/xlm.p.php?id="; http_uri; nocase; reference:url,mtc.sri.com/iPhone/; classtype:trojan-activity; sid:2013019; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE DroidKungFu Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/search/sayhi.php"; http_uri; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013020; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Possible Post of Infected Mobile Device Location Information"; flow:established,to_server; content:"POST"; http_method; nocase; content:"longitude="; http_uri; nocase; content:"latitude="; http_uri; nocase; classtype:trojan-activity; sid:2013021; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE DroidKungFu Checkin 2"; flow:established,to_server; content:"POST"; http_method; content:"search/rpty.php"; http_uri; nocase; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013022; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query for gongfu-android.com DroidKungFu CnC Server"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0E|gongfu-android|03|com"; distance:0; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013023; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_13, updated_at 2016_07_01;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server Waplove.cn"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|waplove|02|cn"; fast_pattern; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013038; rev:3; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Tonclank JAR File Download"; flow:established,to_server; content:"/ProtocolGW/"; fast_pattern; http_uri; nocase; content:"filename="; http_uri; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2; classtype:trojan-activity; sid:2013040; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_16, updated_at 2016_07_01;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server Searchwebmobile.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0F|searchwebmobile|03|com"; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2; classtype:trojan-activity; sid:2013041; rev:2; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.Plankton/Tonclank Control Server Responding With JAR Download URL"; flow:established,to_client; content:"|0d 0a|url=http|3A|//"; nocase; content:"ProtocolGW/|3B|filename="; nocase; distance:0; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013044; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_16, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE DroidKungFu Checkin 3"; flow:established,to_server; content:"POST"; http_method; content:"/search/getty.php"; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; reference:url,blog.fortinet.com/androiddroidkungfu-attacking-from-a-mobile-device/; classtype:trojan-activity; sid:2013063; rev:2; metadata:created_at 2011_06_17, updated_at 2011_06_17;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.HongTouTou Checkin"; flow:established,to_server; content:"POST"; http_method; content:".aspx?im="; http_uri; content:"User-Agent|3A| J2ME/UCWEB"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/android_hongtoutou.a!tr.html; classtype:trojan-activity; sid:2013072; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_21, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.YzhcSms CnC Keepalive Message"; flow:established,to_server; content:"/android/android.dbug.php?action=heart"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html; classtype:trojan-activity; sid:2013078; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_21, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.YzhcSms URL for Possible File Download"; flow:established,to_server; content:"/ss/attachments/files/URLshorter.apk"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html; classtype:trojan-activity; sid:2013079; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_21, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE XML Style POST Of IMEI International Mobile Equipment Identity"; flow:established,to_server; content:"POST"; http_method; nocase; content:"<IMEI>"; http_client_body; nocase; content:"<|2F|IMEI>"; fast_pattern; nocase; http_client_body; distance:0; content:!".blackberry.com|0d 0a|"; http_header; content:!".nokia.com|0d 0a|"; http_header; content:!".sonyericsson.com|0d 0a|"; http_header; reference:url,www.met.police.uk/mobilephone/imei.htm; classtype:trojan-activity; sid:2013138; rev:8; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE XML Style POST Of IMSI International Mobile Subscriber Identity"; flow:established,to_server; content:"POST"; http_method; nocase; content:"<IMSI>"; http_client_body; nocase; content:"<|2F|IMSI"; nocase; distance:0; http_client_body; reference:url,www.learntelecom.com/telephony/gsm/international-mobile-subscriber-identity-imsi; classtype:trojan-activity; sid:2013139; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Message"; flow:established,to_server; content:".jsp?Version="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"PhoneImsi="; http_uri; content:"&PhoneNumber="; http_uri; content:"&Succeed="; http_uri; content:"&Fail="; http_uri; content:"&Source="; http_uri; content:"&Time="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013140; rev:3; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes Plugucsrv.sisx File Download"; flow:established,to_server; content:"plugucsrv.sisx"; http_uri; fast_pattern:only; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013141; rev:3; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes Jump.jsp CnC Checkin Message"; flow:established,to_server; content:"/Jump.jsp?Version="; http_uri; fast_pattern:only; content:"&PhoneType="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013142; rev:3; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes KernelPara.jsp CnC Checkin Message"; flow:established,to_server; content:"/KernelPara.jsp?Version="; http_uri; fast_pattern:only; content:"&PhoneType="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013143; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.CruseWin Retriving XML File from Hard Coded CnC"; flow:established,to_server; content:"/flash/test.xml"; http_uri; fast_pattern:only; flowbits:set,ET.And.CruseWin; flowbits:noalert; reference:url,www.fortiguard.com/encyclopedia/virus/android_crusewin.a!tr.html; classtype:trojan-activity; sid:2013193; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_05, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.CruseWin XML Configuration File Sent From CnC Server"; flowbits:isset,ET.And.CruseWin; flow:established,from_server; content:"<connect>http|3A|//"; nocase; content:"<send number="; nocase; distance:0; content:"<insms>http|3A|//"; nocase; distance:0; content:"<delete number="; nocase; distance:0; content:"<clean app="; nocase; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/android_crusewin.a!tr.html; classtype:trojan-activity; sid:2013194; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_05, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Mobile Device Posting Phone Number"; flow:established,to_server; content:"POST"; nocase; http_method; content:"&Phone"; fast_pattern; nocase; http_uri; content:"Number="; nocase; http_uri; pcre:"/\x26Phone(Number\x3D|\x5FNumber\x3D|\x2DNumber\x3D)/Ui"; metadata: former_category MOBILE_MALWARE; classtype:trojan-activity; sid:2013208; rev:3; metadata:created_at 2011_07_06, updated_at 2017_07_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Walkinwat Sending Data to CnC Server"; flow:established,to_server; content:"/wat.php"; nocase; http_uri; content:"incorporateapps.com"; nocase; http_header; pcre:"/Host\x3A[^\r\n]*incorporateapps\x2Ecom/Hi"; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-033008-4831-99&tabid=2; reference:url,blog.avast.com/2011/03/21/android-is-calling-walk-and-text-and-be-malicious/; classtype:trojan-activity; sid:2013209; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_06, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Bgserv POST of Data to CnC Server"; flow:established,to_server; content:"POST"; http_method; uricontent:"/Coop/request"; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-031005-2918-99&tabid=2; classtype:trojan-activity; sid:2013210; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_06, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/GoldDream Infected Device Registration"; flow:established,to_server; content:"/RegistUid.asp"; fast_pattern:only; http_uri; nocase; content:"?pid="; nocase; http_uri; content:"&cid="; nocase; http_uri; content:"&imei="; nocase; http_uri; content:"&sim="; nocase; http_uri; content:"&imsi="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013238; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_08, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/GoldDream Task Information Retrieval"; flow:established,to_server; content:"/alotWorkTask.aspx?no="; http_uri; content:"&uid="; http_uri; content:"&ti="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013240; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_08, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/GoldDream Uploading Watch Files"; flow:established,to_server; content:"/upload/UploadFiles.aspx?askId="; http_uri; fast_pattern:only; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013241; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_08, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/CommDN Downloading Second Stage Malware Binary"; flow:established,to_server; content:"DGOManagerServer/file/TianXiangServer2.sisx"; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_commdn.a!tr.html; classtype:trojan-activity; sid:2013261; rev:2; metadata:created_at 2011_07_13, updated_at 2011_07_13;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/SymGam CnC Checkin"; flow:established,to_server; content:"/ddown/getvalid.aspx"; nocase; http_uri; fast_pattern:only; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_symgam.a!tr.html; classtype:trojan-activity; sid:2013265; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE SymbOS/SymGam Receiving SMS Message Template from CnC Server"; flow:established,to_client; content:"<smslist>"; content:"<sms id="; distance:0; content:"upnumber="; distance:0; content:"<|2F|smslist>"; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_symgam.a!tr.html; classtype:trojan-activity; sid:2013266; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/HippoSms Method Request to CnC"; flow:established,to_server; content:"/clientRequest.htm?method="; http_uri; nocase; content:"&os="; http_uri; content:"&brand="; nocase; http_uri; content:"&sdkVersion="; nocase; http_uri; pcre:"/method\x3D(update|startcharge)/Ui"; reference:url,www.fortiguard.com/encyclopedia/virus/android_hipposms.a!tr.html; classtype:trojan-activity; sid:2013299; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_23, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.AdSms Retrieving XML File from CnC Server"; flow:established,to_server; content:"/Submit.aspx?ver="; http_uri; content:"&sys="; http_uri; content:"&imei="; http_uri; content:"&ua="; http_uri; content:"&pro="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_adsms.a!tr.html; classtype:trojan-activity; sid:2013316; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_26, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.AdSms XML File From CnC Server"; flow:established,from_server; content:"<cmdsystem>"; content:"<mobile>"; content:"<|2F|mobile>"; within:50; content:"<killprocess>"; distance:0; content:"<killinstall>"; distance:0; content:"<killuninst>"; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/android_adsms.a!tr.html; classtype:trojan-activity; sid:2013317; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_26, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Zitmo Forwarding SMS Message to CnC Server"; flow:established,to_server; content:"POST"; http_method; content:"/security.jsp"; nocase; http_uri; content:"|0d 0a 0d 0a|f0="; content:"&b0="; distance:0; content:"&pid="; distance:0; reference:url,blog.fortinet.com/zitmo-hits-android/; classtype:trojan-activity; sid:2013327; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_27, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Netisend.A Posting Information to CnC"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/netsend/nmsm_json.jsp"; fast_pattern:only; http_uri; content:"Apache-HttpClient/"; depth:18; http_user_agent; reference:url,www.fortiguard.com/latest/mobile/2959807; classtype:trojan-activity; sid:2013694; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_09_23, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SndApp.B Sending Device Information"; flow:established,to_server; content:"/android_notifier/notifier.php?app="; http_uri; content:"&deviceId="; http_uri; content:"&mobile="; http_uri; content:"&country="; http_uri; content:"&carrier="; http_uri; reference:url,www.fortiguard.com/latest/mobile/3302891; classtype:trojan-activity; sid:2013965; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_11_23, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Ozotshielder.A Checkin"; flow:established,to_server; content:"/AndroidService.aspx?imsi="; http_uri; content:"&mobile="; http_uri; content:"&pid="; http_uri; content:"&ownerid="; http_uri; content:"&testchlid="; http_uri; content:"&androidver="; http_uri; reference:url,www.fortiguard.com/latest/mobile/3302951; classtype:trojan-activity; sid:2013966; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_11_23, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/KungFu Package Delete Command"; flow:established,to_server; content:"/search/isavailable"; http_uri; content:".php?imei="; http_uri; content:"&ch="; http_uri; content:"&ver="; http_uri; content:"User-Agent|3A 20|adlib/"; http_header; reference:url,blog.trendmicro.com/connections-between-droiddreamlight-and-droidkungfu/; classtype:trojan-activity; sid:2013968; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_11_23, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeTimer.A Reporting to CnC"; flow:to_server,established; content:"/send.php?a_id="; http_uri; content:"&telno="; fast_pattern:only; http_uri; content:"&m_addr="; http_uri; content:"Android"; http_user_agent; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_FAKETIMER.A; reference:url,anubis.iseclab.org/?action=result&task_id=1ba82b938005acea4ddefc8eff1f4db06; reference:md5,cf9ba4996531d40402efe268c7efda91; reference:md5,537f190d3d469ad1f178024940affcb5; classtype:trojan-activity; sid:2014161; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_01_27, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SndApps.SM Sending Information to CnC"; flow:established,to_server; content:"/android_notifier/notifier.php?h="; http_uri; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_SNDAPPS.SM; classtype:trojan-activity; sid:2014162; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_01_27, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Plankton.P Commands Request to CnC Server"; flow:established,to_server; content:"/ProtocolGW/protocol/commands"; http_uri; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_PLANKTON.P; classtype:trojan-activity; sid:2014215; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_02_07, updated_at 2016_07_01;)
alert tcp $HOME_NET 8888 -> any any (msg:"ET MOBILE_MALWARE iOS Keylogger iKeyMonitor access"; flow:from_server,established; content:"/><title>Keystrokes - iKeyMonitor</title><style "; reference:url,moreinfo.thebigboss.org/moreinfo/depiction.php?file=ikeymonitorDp; classtype:policy-violation; sid:2014406; rev:2; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Ksapp.A Checkin"; flow:to_server,established; content:"/kspp/do?imei="; fast_pattern:only; http_uri; content:"&wid="; http_uri; content:"&type="; http_uri; content:"&step="; http_uri; reference:md5,e6d9776113b29680aec73ac2d1445946; reference:md5,13e6ce4aac7e60b10bfde091c09b9d88; reference:url,anubis.iseclab.org/?action=result&task_id=16b7814b794cd728435e122ca2c2fcdd3; reference:url,www.fortiguard.com/latest/mobile/4158213; reference:url,symantec.com/connect/blogs/mdk-largest-mobile-botnet-china; classtype:trojan-activity; sid:2016318; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_12_12, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Updtkiller Sending Device Information"; flow:established,to_server; content:"/phone_getinfokou_android.php"; http_uri; reference:url,www.symantec.com/ja/jp/security_response/writeup.jsp?docid=2012-082308-1823-99&tabid=2; classtype:trojan-activity; sid:2016094; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_12_27, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/CoolPaperLeak Sending Information To CnC"; flow:established,to_server; content:"POST"; http_method; content:"/geturl.aspx?email="; http_uri; content:"&lat="; http_uri; content:"&lon="; http_uri; content:"&mobile="; http_uri; content:"&group="; http_uri; reference:url,www.symantec.com/connect/blogs/androidcoolpaperleak-million-download-baby; classtype:trojan-activity; sid:2016209; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_01_15, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android TrojanFakeLookout.A"; flow:established,to_server; urilen:13; content:"/controls.php"; http_uri; content:"Dalvik/"; http_user_agent; reference:url,blog.trustgo.com/fakelookout/; reference:md5,65baecf1fe1ec7b074a5255dc5014beb; classtype:trojan-activity; sid:2016343; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_02_05, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Fakelash.A!tr.spy Checkin"; flow:to_server,established; content:"/data.php?action="; nocase; http_uri; content:"&online="; distance:0; http_uri; content:"&m="; distance:0; http_uri; content:"&ver="; distance:0; http_uri; content:"User-Agent|3a| Dalvik/"; http_header; reference:md5,7dec1c9174d0f688667f6c34c0fa66c2; reference:url,blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/; classtype:trojan-activity; sid:2016344; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_02_05, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE DroidKungFu Variant"; flow:established,to_server; content:"GET"; http_method; content:"/search/"; http_uri; content:".php?i="; http_uri; distance:0; content:"1.0|0d 0a|User-Agent|3a| unknown|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2016345; rev:5; metadata:created_at 2013_02_05, updated_at 2013_02_05;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Smsilence.A Successful Install Report"; flow:established,to_server; content:"/Android_SMS/installing.php"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/sms-trojan-targets-south-korean-android-devices; classtype:trojan-activity; sid:2016512; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_03_01, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Smsilence.A Sending SMS Messages CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/Android_SMS/receiving.php"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/sms-trojan-targets-south-korean-android-devices; classtype:trojan-activity; sid:2016513; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_03_01, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE signed-unsigned integer mismatch code-verification bypass"; flow:from_server,established; content:"200"; http_stat_code; content:"OK"; http_stat_msg; file_data; content:"PK"; depth:2; content:"|FD FF|"; distance:26; within:2; content:".dex"; nocase; within:128; reference:url,sophos.com/2013/07/17/anatomy-of-another-android-hole-chinese-researchers-claim-new-code-verification-bypass/; classtype:trojan-activity; sid:2017163; rev:2; metadata:created_at 2013_07_17, updated_at 2013_07_17;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeAhnAV.A CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/srev.asp"; http_uri; content:"action="; http_client_body; depth:7; content:"&b_name="; http_client_body; distance:0; content:"&b_conter="; http_client_body; distance:0; reference:url,blogs.mcafee.com/mcafee-labs/android-fake-av-hosted-in-google-code-targets-south-koreans; classtype:trojan-activity; sid:2017466; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_09_16, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Opfake.A GetTask CnC Beacon"; flow:established,to_server; content:"/getTask.php?"; fast_pattern:only; nocase; http_uri; content:"imei="; http_uri; content:"balance="; http_uri; content:!"Referer|3a 20|"; http_header; metadata: former_category MOBILE_MALWARE; reference:url,quequero.org/2013/09/android-opfake-malware-analysis/; classtype:trojan-activity; sid:2017587; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_10_13, updated_at 2017_03_29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Opfake.A Country CnC Beacon"; flow:established,to_server; content:".php?"; http_uri; content:"co"; http_uri; content:"untry="; http_uri; content:"phone="; http_uri; content:"&op="; http_uri; content:"imei="; fast_pattern:only; http_uri; content:"Apache-HttpClient/"; depth:18; http_user_agent; content:!"Referer|3a 20|"; http_header; reference:url,quequero.org/2013/09/android-opfake-malware-analysis/; classtype:trojan-activity; sid:2017588; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_10_13, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.KorBanker Fake Banking App Install CnC Beacon"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/send_sim_no.php|20|HTTP/1."; fast_pattern; content:!"Referer|3a 20|"; http_header; content:"_no="; http_client_body; depth:16; metadata: former_category MOBILE_MALWARE; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/11/dissecting-android-korbanker.html; reference:md5,a68bbfe91fab666daaf2c070db00022f; reference:md5,a68bbfe91fab666daaf2c070db00022f; classtype:trojan-activity; sid:2017787; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_11_27, updated_at 2017_04_27;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.KorBanker Successful Fake Banking App Install CnC Server Acknowledgement"; flow:established,to_client; file_data; content:"|7b 22|success|22 3A|1,|22|message|22 3A 22|Product successfully updated.|22|}"; within:55; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/11/dissecting-android-korbanker.html; reference:md5,a68bbfe91fab666daaf2c070db00022f; reference:md5,a68bbfe91fab666daaf2c070db00022f; classtype:trojan-activity; sid:2017788; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_11_27, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy getLastVersion CnC Beacon"; flow:established,to_server; content:"POST "; urilen:15; content:"/getLastVersion"; depth:15; http_uri; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/Hm"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2017999; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy RegisterRequest CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:9; content:"/register"; depth:9; http_uri; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/Hm"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018000; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy LoginRequest CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:7; content:"/login"; depth:7; http_uri; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/Hm"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018001; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy ReportRequest CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:7; content:"/report"; depth:7; http_uri; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/Hm"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018002; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy GetTaskRequest CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:8; content:"/getTask"; depth:8; http_uri; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/Hm"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018003; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy ReportMessageRequest CnC Beacon"; flow:established,to_server; urilen:14; content:"POST"; http_method; content:"/reportMessage"; depth:14; http_uri; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/H"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018004; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_01_22, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/DwnlAPK-A Configuration File Request"; flow:established,to_server; content:"/iconfig.txt"; fast_pattern; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible)|0D 0A|"; http_header; reference:url,nakedsecurity.sophos.com/2014/01/31/android-banking-malware-with-a-twist-in-the-delivery/; classtype:trojan-activity; sid:2018071; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_02_05, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeKakao checkin 1"; flow:to_server,established; content:"POST"; http_method; content:"androidbugreport.php"; http_uri; content:!"User-Agent|3a| "; nocase; http_header; content:"id="; depth:3; http_client_body; content:"&token="; depth:7; http_client_body; content:"&target="; depth:8; http_client_body; content:"&rd="; depth:4; http_client_body; content:"&fo="; depth:4; http_client_body; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018138; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_02_14, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeKakao checkin 2"; flow:to_server,established; content:"POST"; http_method; content:"filter.php"; http_uri; content:!"User-Agent|3a| "; nocase; http_header; content:"id="; depth:3; http_client_body; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018139; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_02_14, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeKakao checkin 3"; flow:to_server,established; content:"POST"; http_method; content:"history.php"; http_uri; content:!"User-Agent|3a| "; nocase; http_header; content:"id="; depth:3; http_client_body; content:"&ds="; depth:4; http_client_body; content:"&sg="; depth:4; http_client_body; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018140; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_02_14, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SMSSend Fake flappy bird APK"; flow:to_server,established; content:"GET"; http_method; content:"/bookmark/getServiceCode?price="; http_uri; fast_pattern:only; content:"Dalvik"; depth:6; http_user_agent; content:!"Referer|3a 20|"; http_header; reference:url,securehoney.net/blog/how-to-dissect-android-flappy-bird-malware.html; reference:md5,6c357ac34d061c97e6237ce9bd1fe003; classtype:trojan-activity; sid:2018306; rev:3; metadata:created_at 2014_03_24, updated_at 2014_03_24;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/get.php|20|HTTP/1."; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:"info"; http_client_body; pcre:"/(?:^|&|\x22|\{\x22)id(?:=|\x22\x3a\x22)(?:[a-f0-9]{32}|[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})(?:&|\x22|$)/P"; metadata: former_category MOBILE_MALWARE; reference:md5,a85990f79268a18329f4040a2ec85591; reference:md5,f48cd0c0e5362142c0c15316fa2635dd; classtype:trojan-activity; sid:2023553; rev:7; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_04_17, malware_family Android_Hqwar, updated_at 2017_07_19;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AndroidOS/Lotoor.Q"; flow:established, to_server; content: "device_id="; http_uri; pcre:"/^\d{10,20}&imsi=\d{10,15}&device_name=/URi"; content:"&app_id="; http_uri; pcre:"/^[a-f0-9]{30,35}&app_package_name=/URi"; content: "screen_density="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:md5,92608e6ff795862f83d891ad8337b387; classtype:trojan-activity; sid:2018520; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_06_04, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Adware.Wapsx.A"; flow:established, to_server; content:"/fengmian/"; fast_pattern:only; content:"meinv6.4.0 qiu shou gou, zhi mai 503 wan ren min bi"; http_user_agent; depth:51; content:!"Referer|3a|"; http_header; reference:md5,37e36531e6dbc3ad0954fd9bb4588fad; classtype:trojan-activity; sid:2018533; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_06_05, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Andr/com.sdwiurse"; flow:established,to_server; content:"POST"; http_method; content:"/youxi_up.php"; fast_pattern:only; http_uri; content:"--*****|0d 0a|Content-Disposition|3a| form-data|3b| name=|22|npki|22|"; depth:52; http_client_body; reference:url,fireeye.com/blog/technical/2014/06/what-are-you-doing-dsencrypt-malware.html; reference:md5,04d24eb45d3278400b5fee5c1b06226c; classtype:trojan-activity; sid:2018584; rev:3; metadata:created_at 2014_06_19, updated_at 2014_06_19;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Comll.Banker RAT CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/n/"; http_uri; content:!"Referer|3a 20|"; http_header; content:"content=eyJ"; http_client_body; depth:11; fast_pattern; content:!"Accept|3a|"; http_header; pcre:"/\/n\/\d{15}$/U"; metadata: former_category MOBILE_MALWARE; reference:md5,a78e904a05d4a9e6a15b6f56b261eab9; classtype:trojan-activity; sid:2018630; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_03, updated_at 2017_03_09;)
alert http $HOME_NET any -> $EXTERNAL_NET 9999 (msg:"ET MOBILE_MALWARE Android Spyware Dowgin Checkin"; flow:established,to_server; urilen:13; content:"POST"; http_method; content:"/webviewAdReq"; nocase; depth:13; http_uri; reference:md5,45bf9f6e19649d3e1642854ecd82623c; classtype:trojan-activity; sid:2018663; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_10, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android ScarePakage checkin"; flow:established,to_server; content:"POST"; http_method; content:"/flash/api.php?id="; http_uri; fast_pattern:only; pcre:"/^\/flash\/api\.php\?id=\d/U"; content:"method="; depth:7; http_client_body; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:url,blog.lookout.com/blog/2014/07/16/scarepakage/; reference:url,contagiominidump.blogspot.com/2014/07/android-scarepackage-ransomware.html; reference:md5,645a60e6f4393e4b7e2ae16758dd3a11; classtype:trojan-activity; sid:2018769; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_24, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android ScarePakage checkin 2"; flow:established,to_server; content:"POST"; http_method; urilen:14; content:"/api33/api.php"; http_uri; fast_pattern:only; content:"method="; depth:7; http_client_body; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:url,blog.lookout.com/blog/2014/07/16/scarepakage/; reference:url,contagiominidump.blogspot.com/2014/07/android-scarepackage-ransomware.html; reference:md5,645a60e6f4393e4b7e2ae16758dd3a11; classtype:trojan-activity; sid:2018774; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_24, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AndroidOS.Simplocker Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:5; content:"/1/?1"; http_uri; fast_pattern:only; content:"{|22|n|22 3a 22|"; depth:6; http_client_body; content:"|22 2c 22|d|22 3a 22|"; distance:0; http_client_body; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,welivesecurity.com/2014/07/22/androidsimplocker/; reference:md5,b98cac8f1ce9284f9882ba007878caf1; classtype:trojan-activity; sid:2018781; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_25, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Worm.AndroidOS.Selfmite.a Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:12; content:"/message.php"; http_uri; fast_pattern:only; content:"|20|Android|20|"; http_user_agent; content:!"Referer|3a|"; http_header; reference:md5,54b715f6608d4457a9d22cfdd8bddbe6; reference:url,adaptivemobile.com/blog/selfmite-worm; reference:url,computerworld.com/s/article/9249430/Self_propagating_SMS_worm_Selfmite_targets_Android_devices; classtype:trojan-activity; sid:2018792; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_28, updated_at 2016_07_01;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MOBILE_MALWARE Android/Trogle.A Possible Exfiltration of SMS via SMTP"; flow:established,to_server; content:"MAIL FROM|3a|<a137736513@qq.com>"; nocase; reference:md5,ef819779fc4bee6117c124fb752abf57; classtype:trojan-activity; sid:2018887; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_08_04, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Spy.Kasandra.A Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/path/DeviceManager.php"; nocase; depth:23; http_uri; content:"func="; depth:5; http_client_body; content:"&deviceid="; distance:0; http_client_body; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,6df6553b115d9ed837161a9e67146ecf; classtype:trojan-activity; sid:2018888; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_08_04, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Locker.B Checkin 1"; flow:established,to_server; content:"POST"; http_method; content:".php"; content:"method=counter&app_key="; depth:23; http_client_body; content:!"Referer|3a|"; http_header; pcre:"/\.php$/U"; reference:md5,28726f772f6b4b63fb40696a28afafc9; reference:url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html; classtype:trojan-activity; sid:2018945; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_08_18, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Locker.B Checkin 2"; flow:established,to_server; content:"POST"; http_method; content:".php"; content:"method=devicestatus"; http_client_body; fast_pattern:only; content:"&app_key="; offset:19; http_client_body; content:"&imei="; distance:0; http_client_body; content:!"Referer|3a|"; http_header; pcre:"/\.php$/U"; reference:md5,28726f772f6b4b63fb40696a28afafc9; reference:url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html; classtype:trojan-activity; sid:2018946; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_08_18, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Youmi.Adware Install Report CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:15; content:"/report/install"; http_uri; fast_pattern:only; content:"data="; http_client_body; depth:5; content:"os="; http_client_body; distance:0; content:"mac="; http_client_body; distance:0; content:"sign="; http_client_body; distance:0; reference:md5,6096ace9002792e625a0cdb6aec3f379; classtype:trojan-activity; sid:2019125; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_09_05, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/AppBuyer Checkin 1"; flow:established,to_server; content:"/updatesrv.aspx?f=1"; http_uri; fast_pattern:only; reference:md5,1c32f9f05234cac7dd7a83e3925a3105; reference:url,researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/; classtype:trojan-activity; sid:2019174; rev:2; metadata:created_at 2014_09_15, updated_at 2014_09_15;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/AppBuyer Checkin 2"; flow:established,to_server; content:"/updatesrv.aspx?f=2&uuid="; http_uri; fast_pattern:only; reference:md5,1c32f9f05234cac7dd7a83e3925a3105; reference:url,researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/; classtype:trojan-activity; sid:2019175; rev:2; metadata:created_at 2014_09_15, updated_at 2014_09_15;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Code4hk.A Checkin"; flow:established,to_server; content:"ClientInfo"; content:"isWifi"; distance:0; content:"cpuInfo"; distance:0; content:"firstOnlineIp"; distance:0; content:"firstOnlineTime"; distance:0; content:"imei"; distance:0; content:"ipAddr"; distance:0; content:"phoneBrand"; distance:0; content:"phoneNumber"; distance:0; content:"simOperator"; distance:0; fast_pattern; reference:url,malware.lu/articles/2014/09/29/analysis-of-code4hk.html; classtype:trojan-activity; sid:2019318; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_09_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser Checkin"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/TargetConnect.aspx"; http_uri; content:"&tIMEI="; http_uri; content:"&tIMSI="; http_uri; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019331; rev:2; metadata:created_at 2014_10_01, updated_at 2014_10_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser sending GPS info"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/TargetUploadGps.aspx"; http_uri; content:"tmac="; http_uri; content:"&JZ="; http_uri; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019332; rev:2; metadata:created_at 2014_10_01, updated_at 2014_10_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser sending files"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/TargetUploadFile.aspx"; http_uri; content:"tmac="; http_uri; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019333; rev:2; metadata:created_at 2014_10_01, updated_at 2014_10_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser checking library version"; flow:to_server,established; content:"GET"; http_method; nocase; urilen:18; content:"/CheckLibrary.aspx"; http_uri; content:!"Referer|3a|"; http_header; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019334; rev:2; metadata:created_at 2014_10_01, updated_at 2014_10_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Koler.C Checkin"; flow:to_server,established; content:".php?v="; http_uri; content:"&brok="; fast_pattern:only; http_uri; content:"&u="; http_uri; content:"&id="; http_uri; content:!"Referer|3a 20|"; http_header; pcre:"/&id=\d{15}$/U"; reference:md5,6ae7b0d04e2fd64a50703910d0eff9cc; classtype:trojan-activity; sid:2019510; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_10_27, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Stealthgenie Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/SGCommand.aspx?sgcommand="; fast_pattern:6,20; http_uri; content:"&uid="; http_uri; distance:0; content:"&sid="; http_uri; distance:0; content:"&value="; http_uri; distance:0; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"|20|Android|20|"; http_user_agent; reference:md5,06947ce839a904d6abcb272ff46e7de1; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-111416-1306-99&tabid=2; reference:url,engadget.com/2014/09/30/crackdown-on-spying-apps-leads-to-stealthgenie-ceos-arrest/; classtype:trojan-activity; sid:2019805; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_11_25, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE CoolReaper CnC Beacon 1"; flow:established,to_server; content:"/dmp/api/"; http_uri; fast_pattern:only; content:"UAC/"; depth:4; http_user_agent; content:"|28|Android|20|"; distance:0; http_user_agent; content:"dmp."; http_header; pcre:"/\/dmp\/api\/[a-z]+$/U"; pcre:"/^Host\x3a[^\r\n]+?dmp\.[^\r\n]+?\r?$/Hmi"; reference:url,researchcenter.paloaltonetworks.com/2014/12/coolreaper-revealed-backdoor-coolpad-android-devices/; classtype:trojan-activity; sid:2019958; rev:4; metadata:created_at 2014_12_17, updated_at 2014_12_17;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE CoolReaper CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:"UAC/"; depth:4; http_user_agent; content:"|28|Android|20|"; distance:0; http_user_agent; content:"name=|22|softwareVersion|22|"; nocase; http_client_body; content:"name=|22|isEnc|22|"; nocase; distance:0; http_client_body; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2014/12/coolreaper-revealed-backdoor-coolpad-android-devices/; classtype:trojan-activity; sid:2019959; rev:3; metadata:created_at 2014_12_17, updated_at 2014_12_17;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE CoolReaper User-Agent"; flow:established,to_server; content:"UAC/"; depth:4; http_user_agent; fast_pattern; content:"|28|Android|20|"; distance:0; http_user_agent; reference:url,researchcenter.paloaltonetworks.com/2014/12/coolreaper-revealed-backdoor-coolpad-android-devices/; classtype:trojan-activity; sid:2019960; rev:3; metadata:created_at 2014_12_17, updated_at 2014_12_17;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Syria-Twitter Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/contacts"; http_uri; content:"Apache-HttpClient/"; depth:18; http_user_agent; content:"contact|25|26="; depth:11; fast_pattern; http_client_body; pcre:"/\/contacts$/U"; reference:md5,b91315805ef1df07bdbfa07d3a467424; reference:url,www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf; classtype:trojan-activity; sid:2020343; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_02_02, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SMSThief.F Banker CnC Beacon"; flow:established,to_server; content:"/input_data_get_contact.asp?user="; http_uri; content:"&pwd="; http_uri; content:"&addr="; http_uri; reference:url,research.zscaler.com/2015/02/android-banking-trojan-and-sms-stealer.html; reference:md5,ff081c1400a948f2bcc4952fed2c818b; classtype:trojan-activity; sid:2020353; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_02_03, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Operation Pawn Storm IOS_XAGENT Checkin"; flow:to_server,established; content:"XAgent/1."; depth:9; http_user_agent; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/^(?:(?:sear|wat)ch|results|close|find|open)\/\?[a-zA-Z]{2,8}=/U"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/; classtype:trojan-activity; sid:2020363; rev:3; metadata:created_at 2015_02_04, updated_at 2015_02_04;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE IOS_XAGENT UA"; flow:to_server,established; content:"XAgent/1."; http_user_agent; depth:9; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/; classtype:trojan-activity; sid:2020364; rev:3; metadata:created_at 2015_02_04, updated_at 2015_02_04;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.SMSSend.Y"; flow:established,to_server; content:"/api/log.html|3f|"; http_uri; fast_pattern; content:"c="; http_uri; content:"&o="; http_uri; content:"&n="; http_uri; content:"Apache-HttpClient"; depth:18; http_user_agent; reference:md5,ef79985c90675e7abfb6b9a6bc5a6c65; classtype:trojan-activity; sid:2020729; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_03_23, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.SLocker.DZ Checkin"; flow:to_server,established; content:"/pha?android_version="; fast_pattern:only; http_uri; content:"&id="; http_uri; content:"&phone_number="; http_uri; content:"&client_version="; http_uri; content:"&imei="; http_uri; content:"&name="; http_uri; reference:url,securityblog.s21sec.com/2015/05/new-ransomware-in-mobile-environment.html; classtype:trojan-activity; sid:2021174; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_06_01, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba.m Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:!"User-Agent|3a 20|"; http_header; content:"content=eyJmaW5nZXJwcmludCI"; fast_pattern; depth:27; http_client_body; reference:md5,0aa69ad64e20bb6cbf72f346ce43ff23; reference:url,www.fireeye.com/blog/threat-research/2014/07/the-service-you-cant-refuse-a-secluded-hijackrat.html; classtype:trojan-activity; sid:2021185; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_06_04, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android BatteryBotPro Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"User-Agent|3a| Mozilla/5.0 (Windows NT 5.2|29 20|"; http_header; content:"appid="; depth:6; http_client_body; content:"&model="; http_client_body; content:"&imei="; fast_pattern:only; http_client_body; content:"&connect="; http_client_body; content:"&dpi="; http_client_body; content:"&width="; http_client_body; content:"&cpu="; http_client_body; content:"&phoneno="; http_client_body; reference:md5,6f39ac1c8c34ab9ba51bf26eba4cc6fb; reference:url,research.zscaler.com/2015/07/fake-batterybotpro-clickfraud-adfruad.html; classtype:trojan-activity; sid:2021386; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_07_06, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android BatteryBotPro Checkin 2"; flow:to_server,established; content:"POST"; http_method; nocase; content:"uuid="; http_client_body; content:"language="; http_client_body; content:"appkey"; http_client_body; content:"model="; http_client_body; content:"operatorsname="; fast_pattern:only; http_client_body; content:"networkname="; http_client_body; content:"networktype="; http_client_body; reference:md5,6f39ac1c8c34ab9ba51bf26eba4cc6fb; reference:url,research.zscaler.com/2015/07/fake-batterybotpro-clickfraud-adfruad.html; classtype:trojan-activity; sid:2021387; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_07_06, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Gunpoder Checkin"; flow:to_server,established; content:"/landing?c="; fast_pattern:only; http_uri; content:"&g="; http_uri; content:"&a="; http_uri; content:"&s1="; http_uri; content:"&s2="; http_uri; content:"&s3="; http_uri; content:"&s4="; http_uri; content:"&s5="; http_uri; content:"&s6="; http_uri; content:"&s7="; http_uri; content:"&s8="; http_uri; content:"&s9="; http_uri; content:"&s10="; http_uri; content:"&s11="; http_uri; content:"|20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; reference:url,researchcenter.paloaltonetworks.com/2015/07/new-android-malware-family-evades-antivirus-detection-by-using-popular-ad-libraries/; reference:md5,b0b2cd71b4d15bb5f07b8315d7b27822; classtype:trojan-activity; sid:2021392; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_07_07, updated_at 2016_07_01;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE DNS Android/Spy.Feabme.A Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|tinduongpho|03|com|00|"; fast_pattern; distance:0; nocase; reference:md5,3ae3cb09c8f54210cb4faf7aa76741ee; reference:url,blog.trustlook.com/2015/07/08/most-successful-malware-on-google-play/; classtype:trojan-activity; sid:2021412; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_07_14, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.SLocker.DZ Checkin 2"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/gac/"; fast_pattern:only; http_uri; content:"|20|Android|20|"; http_user_agent; content:"|0d 0a|Connection|3a| Keep-Alive|0d 0a|Accept-Encoding|3a| gzip|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^\/gac\/[a-f0-9]{15}$/U"; reference:url,blog.fortinet.com/post/locker-an-android-ransomware-full-of-surprises; classtype:trojan-activity; sid:2021617; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_08_12, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan.iPhoneOS.KeyRaider Checkin"; flow:to_server,established; content:"/data.php?table="; fast_pattern:only; http_uri; content:"&game="; http_uri; content:!"Referer|3a 20|"; http_header; pcre:"/&game=[a-f0-9]{40}$/U"; reference:url,researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/; classtype:trojan-activity; sid:2021737; rev:2; metadata:created_at 2015_08_31, updated_at 2015_08_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan.iPhoneOS.KeyRaider Checkin 2"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/cert.php"; http_uri; content:!"Referer|3a 20|"; http_header; content:"id="; depth:3; http_client_body; content:"&cert="; http_client_body; content:"&priv="; fast_pattern:only; http_client_body; content:"&flag="; http_client_body; reference:url,researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/; classtype:trojan-activity; sid:2021738; rev:2; metadata:created_at 2015_08_31, updated_at 2015_08_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE YiSpecter Activity M1"; flow:established,to_server; content:"GET"; http_method; content:".plist"; http_uri; content:"bb800.com|0d 0a|"; http_header; fast_pattern:only; pcre:"/\.plist$/U"; pcre:"/^Host\x3a\x20[a-z0-9.]+\.bb800\.com/Hm"; reference:url,researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/; classtype:trojan-activity; sid:2021900; rev:3; metadata:created_at 2015_10_05, updated_at 2015_10_05;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE YiSpecter Activity M2"; flow:established,to_server; content:"GET"; http_method; content:"/itms-services|3a|"; http_uri; content:"bb800.com|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x20[a-z0-9.]+\.bb800\.com/Hm"; reference:url,researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/; classtype:trojan-activity; sid:2021901; rev:3; metadata:created_at 2015_10_05, updated_at 2015_10_05;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Kemoge DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|aps|06|kemoge|03|net|00|"; fast_pattern; nocase; distance:0; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021927; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_10_07, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Kemoge Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:25; content:"/getInstalledPackages.jsp"; http_uri; fast_pattern:only; content:"sdCardFree="; http_client_body; depth:11; content:"&imei="; http_client_body; distance:0; content:"&hasSd="; http_client_body; distance:0; content:!"Referer|3a|"; http_header; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021928; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_10_07, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Kemoge Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:"/v1.jsp?e="; http_uri; fast_pattern; depth:10; content:"&s="; http_uri; distance:0; content:"&g="; http_uri; distance:0; content:"&versionCode="; http_uri; distance:0; content:"&osVersion="; http_uri; distance:0; content:"&countryCode="; http_uri; distance:0; content:!"Referer|3a|"; http_header; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021929; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_10_07, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Cloudsota HTTP Host"; flow:to_server,established; content:"Host|3a| download.cloudsota.com"; http_header; reference:url,www.cmcm.com/blog/en/security/2015-11-09/842.html; classtype:trojan-activity; sid:2022081; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_11_12, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Acecard.c Checkin"; flow:to_server,established; urilen:1; content:"POST"; http_method; nocase; content:!"Referer|3a 20|"; http_header; content:"{|22|type|22 3a|"; depth:8; http_client_body; content:",|22|text|22 3a|"; http_client_body; content:",|22|code|22 3a|"; fast_pattern:only; http_client_body; content:",|22|from|22 3a|"; http_client_body; content:"|22|}"; http_client_body; reference:md5,c9d3237885072b796e5849f7b9ec1a64; reference:url,b0n1.blogspot.com.br/2015/11/android-malware-drops-banker-from-png.html?m=1; reference:url,fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022137; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_11_24, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.EP HTTP Host"; flow:to_server,established; content:"Host|3a 20|jackdojacksgot.ru"; http_header; nocase; reference:url,b0n1.blogspot.com.br/2015/11/android-malware-drops-banker-from-png.html?m=1; classtype:trojan-activity; sid:2022144; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_11_24, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw/SlemBunk/SLocker Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:!"Referer|3a 20|"; http_header; content:",|22|model|22 3a|"; http_client_body; content:",|22|apps|22 3a 5b 22|"; http_client_body; content:",|22|imei|22 3a|"; fast_pattern:only; http_client_body; pcre:"/^\{\x22(?:os|type)\x22\x3a/P"; reference:md5,c9d3237885072b796e5849f7b9ec1a64; reference:md5,a83ce290469654002bcc64062c39387c; reference:url,www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022288; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_12_21, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SlemBunk.Banker Phished Credentials Upload"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"/"; http_uri; depth:1; content:"User-Agent|3A| Apache-HttpClient/UNAVAILABLE"; http_header; content:"{|22|data|22 3A|"; http_client_body; depth:8; content:"|22|password old|22 3A|"; fast_pattern; http_client_body; distance:0; content:"|22|login|22 3A|"; http_client_body; content:"|22|type|22 3A|"; http_client_body; distance:0; content:"|22|login old|22 3A|"; http_client_body; distance:0; content:"|22|password|22 3A|"; http_client_body; distance:0; content:"|22|name|22 3A|"; http_client_body; distance:0; content:"|22|code|22 3A|"; http_client_body; distance:0; content:!"Referer|3a|"; http_header; reference:url,www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022289; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_12_21, updated_at 2016_07_01;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Fakeinst.KD .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pc35hiptpcwqezgs"; nocase; distance:0; fast_pattern; reference:url,www.csis.dk/da/csis/blog/4818/; reference:md5,111b71c120167b5b571ee5501ffef65e; classtype:trojan-activity; sid:2022517; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2016_02_12, updated_at 2016_07_01;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Backdoor.AndroidOS.Torec.a .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yuwurw46taaep6ip"; nocase; distance:0; fast_pattern; reference:md5,58fed8b5b549be7ecbfbc6c63b84a728; classtype:trojan-activity; sid:2022562; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2016_02_23, updated_at 2016_07_01;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Backdoor.AndroidOS.Torec.a .onion Proxy Domain 2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|voooxrrw2wxnoyew"; nocase; distance:0; fast_pattern; reference:md5,8d260ab2bb36aeaf5b033b80b6bc1e6a; classtype:trojan-activity; sid:2022563; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2016_02_23, updated_at 2016_07_01;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE DNS Trojan-Banker.AndroidOS.Marcher.i Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tmdxiawceahpbhmb|03|com"; nocase; distance:0; fast_pattern; reference:md5,3c52de547353d94e95cde7d4c219ccac; classtype:trojan-activity; sid:2022975; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_07_18, performance_impact Low, updated_at 2016_07_18;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS DualToy Checkin"; flow:to_server,established; content:"/i_info_proxy.php?cmd="; fast_pattern:only; http_uri; content:"&data="; http_uri; content:"|3b 20|iPhone|20|"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/&data=(?:([A-Za-z0-9]|%2[FB]){4})*(?:([A-Za-z0-9]|%2[FB]){2}==|([A-Za-z0-9]|%2[FB]){3}=|([A-Za-z0-9]|%2[FB]){4})$/I"; metadata: former_category MOBILE_MALWARE; reference:url,researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/; classtype:trojan-activity; sid:2023240; rev:2; metadata:affected_product iOS, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_15, performance_impact Low, updated_at 2017_03_08;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE AndroRAT Bitter DNS Lookup (info2t .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|info2t|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.forcepoint.com/security-labs/bitter-targeted-attack-against-pakistan; classtype:trojan-activity; sid:2023398; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_10_24, malware_family AndroRAT, performance_impact Low, updated_at 2016_10_24;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Adware.Adwo.A"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?m="; http_uri; content:"&a="; http_uri; content:"&os="; http_uri; content:!"&ComPut="; http_uri; content:!"User-Agent|3a 20|"; http_header; reference:md5,bbb0aa6c9f84963dacec55345fe4c47e; classtype:trojan-activity; sid:2023475; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_01, performance_impact Low, updated_at 2016_11_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher Sending Credit Card Info"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/cards_json.php"; http_uri; content:!"Referer|3a 20|"; http_header; content:"bot_id="; depth:7; fast_pattern; http_client_body; content:"&info="; http_client_body; content:"cardNum"; http_client_body; pcre:"/^bot_id=[a-f0-9]{32}&/P"; pcre:"/\.php$/U"; reference:md5,78c2444fe15a8e58c629076781d9442a; reference:url,blog.fortinet.com/2016/11/01/android-banking-malware-masquerades-as-flash-player-targeting-large-banks-and-popular-social-media-apps; classtype:trojan-activity; sid:2023483; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_03, performance_impact Low, updated_at 2016_11_03;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible iOS WebView Auto Dialer 1"; flow:established,from_server; file_data; content:"URL=tel|3a|"; nocase; fast_pattern; pcre:"/^\+?[0-9-]{10,}[\x22\x27]/Rsi"; content:"sms|3a|"; nocase; content:"setTimeout"; nocase; content:"window"; nocase; pcre:"/^\s*?\.\s*?location\s*?\.\s*?href/Rsi"; content:"for"; nocase; pcre:"/^\s*?\(\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b\s*?(?P=var)\s*?\<\s*?(?:0x)?\d{4,}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b\s*?(?P<var2>[^\x3d\x3b\)\s]+)\s*?=\s*?(?P=var2)\s*?\+\s*?[\x22\x27]\d+[\x22\x27]/Rsi"; reference:url,www.mulliner.org/blog/blosxom.cgi/security/ios_WebView_auto_dialer.html; classtype:trojan-activity; sid:2023500; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, created_at 2016_11_11, updated_at 2016_11_11;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible iOS WebView Auto Dialer 2"; flow:established,from_server; file_data; content:"URL=tel|3a|"; nocase; fast_pattern; pcre:"/^\+?[0-9-]{10,}[\x22\x27]/Rsi"; content:"itms-apps|3a|"; nocase; content:"setTimeout"; nocase; content:"window"; nocase; pcre:"/^\s*?\.\s*?location\s*?\.\s*?href/Rsi"; content:"for"; nocase; pcre:"/^\s*?\(\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b\s*?(?P=var)\s*?\<\s*?(?:0x)?\d{4,}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b\s*?(?P<var2>[^\x3d\x3b\)\s]+)\s*?=\s*?(?P=var2)\s*?\+\s*?[\x22\x27]\d+[\x22\x27]/Rsi"; reference:url,www.mulliner.org/blog/blosxom.cgi/security/ios_WebView_auto_dialer.html; classtype:trojan-activity; sid:2023501; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, deployment Perimeter, created_at 2016_11_11, updated_at 2016_11_11;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/RequestActionsToExecute"; fast_pattern; http_uri; content:"|20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"{|22|CommandLine|22 3a|"; depth:15; http_client_body; content:",|22|CurrentDirectory|22 3a|"; http_client_body; pcre:"/\/RequestActionsToExecute$/U"; reference:md5,3c1055f19971d580ef9ced172d8eba3b; reference:url,rednaga.io/2016/11/14/hackingteam_back_for_your_androids/; classtype:trojan-activity; sid:2023507; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_15, updated_at 2016_11_15;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU Checkin 2"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/NotifyLog"; fast_pattern:only; http_uri; content:"|20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"{|22|ClientId|22 3a|"; depth:12; http_client_body; content:",|22|Date|22 3a|"; http_client_body; pcre:"/\/NotifyLog$/U"; reference:md5,3c1055f19971d580ef9ced172d8eba3b; reference:url,rednaga.io/2016/11/14/hackingteam_back_for_your_androids/; classtype:trojan-activity; sid:2023508; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_15, updated_at 2016_11_15;)
alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU SSL CnC Cert"; flow:established,from_server; content:"|02|IT"; content:"|03|AAA"; distance:0; content:"|02|BB"; distance:0; content:"|03|EEE"; distance:0; content:"|0d|IT Department"; distance:0; content:"|0a|SASDS_Srv0"; fast_pattern; distance:0; reference:md5,cbd1c2db9ffc6b67cea46d271594c2ae; classtype:trojan-activity; sid:2023509; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_15, updated_at 2016_11_15;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Unknown Redirector Nov 17 2016"; flow:from_server,established; file_data; content:"<script>"; content:".indexOf(|22|_mauthtoken|22|)=="; distance:0; content:"|22|ooglebot|22|"; content:"|7c|fennec|7c|"; content:"|22|_mauthtoken=1|3b| path=/|3b|expires=|22|"; fast_pattern; reference:url,labs.sucuri.net/?note=2016-11-17; classtype:trojan-activity; sid:2023531; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_18, updated_at 2016_11_18;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Unknown Landing URI Nov 17 2016"; flow:to_server,established; content:"/kt/JpNx9n"; http_uri; pcre:"/\/kt\/JpNx9n$/U"; reference:url,labs.sucuri.net/?note=2016-11-17; classtype:trojan-activity; sid:2023532; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_18, updated_at 2016_11_18;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin"; flow:to_server,established; content:"lm="; http_uri; content:"/watch/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023680; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 2"; flow:to_server,established; content:"lm="; http_uri; content:"/search/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023681; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 3"; flow:to_server,established; content:"lm="; http_uri; content:"/find/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023682; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 4"; flow:to_server,established; content:"lm="; http_uri; content:"/results/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023683; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 5"; flow:to_server,established; content:"lm="; http_uri; content:"/open/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023684; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 6"; flow:to_server,established; content:"lm="; http_uri; content:"/close/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023685; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)
alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert"; flow:established,from_server; content:"|00 dd 45 ec 3f 08 74 58 6a|"; content:"|0a|Department"; distance:0; content:"|55 04 03|"; distance:0; content:"|0f|www.example.com"; distance:1; within:16; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023708; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, created_at 2017_01_09, updated_at 2017_01_09;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|rockybalboa|02|at|00|"; nocase; distance:0; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023709; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, created_at 2017_01_09, updated_at 2017_01_09;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|storegoogle|02|at|00|"; nocase; distance:0; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023710; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, created_at 2017_01_09, updated_at 2017_01_09;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b CnC Beacon"; flow:to_server,established; content:"POST"; http_method; nocase; content:".php"; http_uri; content:"|3b 20|Android|20|"; http_user_agent; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Content-Language|3a 20|en-US|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|"; depth:98; http_header; content:!"Referer|3a 20|"; http_header; content:"&method="; fast_pattern:only; http_client_body; pcre:"/^d(?:id|ei)=[A-F0-9]{10,100}&method=IS[A-Z]{1,10}$/P"; pcre:"/\.php$/U"; reference:md5,d6ef9b0cdb49b56c53da3433e30f3fd6; reference:md5,4ddf3ff57db24513a16eacb99ad07675; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023933; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, performance_impact Low, updated_at 2017_02_16;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b Apps List Exfil"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/functions.php"; fast_pattern:only; http_uri; content:"|3b 20|Android|20|"; http_user_agent; content:"apslst="; depth:7; http_client_body; reference:md5,4ddf3ff57db24513a16eacb99ad07675; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023934; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, performance_impact Low, updated_at 2017_02_16;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|androidbak|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023935; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, updated_at 2017_02_16;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|droidback|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023936; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, updated_at 2017_02_16;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|endpointup|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023937; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, updated_at 2017_02_16;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|siteanalysto|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023938; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, updated_at 2017_02_16;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|goodydaddy|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023939; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, updated_at 2017_02_16;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.C2P.Qd!c Ransomware CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/stat/locker|20|HTTP/1."; fast_pattern:only; content:"Apache-HttpClient/"; depth:18; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"type="; http_client_body; depth:5; content:"&version="; http_client_body; content:"&lid="; http_client_body; content:"&c="; http_client_body; content:"&i="; http_client_body; metadata: former_category MOBILE_MALWARE; reference:url,www.zscaler.com/blogs/research/new-android-ransomware-bypasses-all-antivirus-programs; classtype:trojan-activity; sid:2024123; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2017_03_31, updated_at 2017_03_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Pegasus CnC Beacon"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/support.aspx|20|HTTP/1."; content:"SessionId1|3a 20|"; http_header; content:"SessionId2|3a 20|"; fast_pattern:only; http_header; content:"|3b 20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"|0d 0a|Content-Disposition|3a 20|form-data|3b 20|name=|22|header|22 3b 20|filename=|22|header|22 0d 0a|"; http_client_body; metadata: former_category MOBILE_MALWARE; reference:url,info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf; classtype:trojan-activity; sid:2024171; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2017_04_04, updated_at 2017_04_04;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Pegasus CnC Beacon M2"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/adinfo?gi="; fast_pattern:only; http_uri; content:"&bf="; http_uri; pcre:"/^Host\x3a[^\n\r]\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}[\r\n]+$/Hm"; metadata: former_category MOBILE_MALWARE; reference:url,info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf; classtype:trojan-activity; sid:2024172; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2017_04_04, updated_at 2017_04_04;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AdWare.AndroidOS.Ewind.cd Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/sdk_api.php?id="; fast_pattern:only; http_uri; content:"&type="; http_uri; content:"Apache-HttpClient/"; depth:18; http_user_agent; content:!"Referer|3a 20|"; http_header; pcre:"/\.php\?id=[a-f0-9]{8}(?:-[a-f0-9]{4}){4}[a-f0-9]{8}&type=/U"; metadata: former_category MOBILE_MALWARE; reference:md5,bc76d516a66e4002461128f62896c6dd; classtype:trojan-activity; sid:2024201; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_04_11, malware_family Android_Ewind, updated_at 2017_04_11;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE AdWare.AndroidOS.Ewind.cd Response"; flow:from_server,established; file_data; content:"[{|22|id|22 3a 22|0|22|,|22|command|22 3a 22|OK|22|}"; depth:26; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:md5,bc76d516a66e4002461128f62896c6dd; classtype:trojan-activity; sid:2024202; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_04_11, malware_family Android_Ewind, updated_at 2017_04_11;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Dropper.Abd Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/ad-"; http_uri; content:"|3b 20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"RgQ7"; depth:4; fast_pattern; http_client_body; pcre:"/\/ad-(?:strat|devi)\/$/U"; metadata: former_category MOBILE_MALWARE; reference:md5,66a1dda748d073f5e659b700339c3343; reference:url,www.zscaler.com/blogs/research/malicious-android-ads-leading-drive-downloads; classtype:trojan-activity; sid:2024411; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android_07012016, signature_severity Major, created_at 2017_06_19, updated_at 2017_06_19;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a CnC Beacon"; flow:to_server,established; content:"/inj/injek-1.php?id="; fast_pattern:only; http_uri; content:!"Referer|3a 20|"; http_header; pcre:"/\?id=(?:[a-f0-9]{32}|[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})$/U"; metadata: former_category MOBILE_MALWARE; reference:md5,e9542a8bd9f0ab57e40bb8519ac443a2; classtype:trojan-activity; sid:2024426; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_06_26, malware_family Android_Marcher, updated_at 2017_06_26;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE ANDROIDOS_LEAKERLOCKER.HRX DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|updatmaster|03|top|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,reference:url,blog.trendmicro.com/trendlabs-security-intelligence/leakerlocker-mobile-ransomware-threatens-expose-user-information/; classtype:trojan-activity; sid:2024509; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_08_02, updated_at 2017_08_02;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE WireX Botnet DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|axclick|05|store|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:md5,6af299a2ac9b59f7d551b6e235e0d200; reference:url,blog.cloudflare.com/the-wirex-botnet/; classtype:trojan-activity; sid:2024615; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_08_28, malware_family Android_WireX, updated_at 2017_08_28;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|b1k51|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024735; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|b1j3aas|04|life|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024736; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|wechaatt|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024737; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 4"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|10as05|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024738; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 5"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|ch0ck4|04|life|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024739; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 6"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|fatur1s|04|life|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024740; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 7"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|b5k31|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024741; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 8"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|erd0|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024742; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 9"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|b1v2a5|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024743; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 10"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|b1502b|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024744; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 11"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|elsssee|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024745; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|kvp41|04|life|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024746; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 13"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|servertestapi|03|ltd|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024747; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 14"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|taxii|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024748; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 15"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|p0w3r|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024749; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
alert udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 16"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|4r3a|03|gdn|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024750; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_20, malware_family Android_BankBot, updated_at 2017_09_20;)
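Review bot: the LeakerLocker DNS rule (sid:2024509) carries a doubled prefix in its reference, `reference:url,reference:url,blog.trendmicro.com/...`, so the parsed reference value becomes `reference:url,blog.trendmicro.com/...` and the link will not resolve; drop the repeated `reference:url,`. Less urgent: the two Marcher DNS lookups (sid:2023709 and sid:2023710) and the five Femas.b DNS lookups (sid:2023935 through sid:2023939) each reuse one identical msg, so alerts for different lookup domains are indistinguishable in a SIEM unless the sid is also indexed; number them the way the Bankbot.HH series in this same hunk does (`DNS Lookup 2`, `DNS Lookup 3`, ...).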


@ -0,0 +1,18 @@
alert tcp any any -> any any (msg:"ET SCAN NMAP -sS window 2048"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000537; classtype:attempted-recon; sid:2000537; rev:8;)
alert ip any any -> any any (msg:"ET SCAN NMAP -sO"; dsize:0; ip_proto:21; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000536; classtype:attempted-recon; sid:2000536; rev:7;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -sS window 1024"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000537; classtype:attempted-recon; sid:2009582; rev:2;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -sS window 3072"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:3072; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000537; classtype:attempted-recon; sid:2009583; rev:2;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -sS window 4096"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:4096; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000537; classtype:attempted-recon; sid:2009584; rev:1;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -sA (1)"; fragbits:!D; dsize:0; flags:A,12; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000538; classtype:attempted-recon; sid:2000538; rev:8;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -sA (2)"; fragbits:!D; dsize:0; flags:A,12; window:3072; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000540; classtype:attempted-recon; sid:2000540; rev:8;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -f -sF"; fragbits:!M; dsize:0; flags:F,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000543; classtype:attempted-recon; sid:2000543; rev:7;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -f -sN"; fragbits:!M; dsize:0; flags:0,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000544; classtype:attempted-recon; sid:2000544; rev:7;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -f -sS"; fragbits:!M; dsize:0; flags:S,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000545; classtype:attempted-recon; sid:2000545; rev:7;)
alert tcp any any -> any any (msg:"ET SCAN NMAP -f -sX"; fragbits:!M; dsize:0; flags:FPU,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000546; classtype:attempted-recon; sid:2000546; rev:7;)
alert http any any -> any $HTTP_PORTS (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap NSE)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| Nmap NSE"; reference:url,doc.emergingthreats.net/2009359; classtype:web-application-attack; sid:2009359; rev:3;)
alert http any any -> any any (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| Mozilla/5.0 (compatible|3b| Nmap Scripting Engine"; nocase; reference:url,doc.emergingthreats.net/2009358; classtype:web-application-attack; sid:2009358; rev:4;)
alert icmp any any -> any any (msg:"GPL SCAN PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:2100469; rev:4;)
alert tcp any any -> any any (msg:"GPL SCAN nmap TCP"; ack:0; flags:A,12; flow:stateless; reference:arachnids,28; classtype:attempted-recon; sid:2100628; rev:8;)
alert tcp any any -> any any (msg:"GPL SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:2101228; rev:8;)
alert tcp any any -> any any (msg:"GPL SCAN nmap fingerprint attempt"; flags:SFPU; flow:stateless; reference:arachnids,05; classtype:attempted-recon; sid:2100629; rev:7;)
alert http any any -> $HTTP_SERVERS any (msg:"ET SCAN NMAP SQL Spider Scan"; flow:established,to_server; content:"GET"; http_method; content:" OR sqlspider"; http_uri; reference:url,nmap.org/nsedoc/scripts/sql-injection.html; classtype:web-application-attack; sid:2013778; rev:2;)
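Review bot: the two Nmap NSE user-agent rules (sid:2009359 and sid:2009358) match the header as raw payload content, `content:"|0d 0a|User-Agent|3a| Nmap NSE";`, rather than through the `http_user_agent` buffer, so the match runs over the whole request and depends on the exact CRLF framing in front of the header name; `content:"Nmap NSE"; http_user_agent;` (and `content:"Nmap Scripting Engine"; http_user_agent;` for the second) is cheaper and matches the normalised header regardless of position. Second point for the whole file: every rule is `any any -> any any` with `threshold: type both, track by_dst, count 1, seconds 60`, so an internal vulnerability scanner or the security team's own scheduled nmap runs will raise one alert per destination per minute; scope the scan rules to `$EXTERNAL_NET any -> $HOME_NET any` where that is the intent, or add `suppress` entries for the authorised scanner addresses in threshold.config, so the alerts that remain are the ones worth triaging.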


@ -0,0 +1,12 @@
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/Flashback.K/I reporting successful infection"; flow:established,to_server; content:"/stat_d/"; http_uri; pcre:"/\/stat_d\/$/U"; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; reference:url,vms.drweb.com/virus/?i=1816029; classtype:trojan-activity; sid:20145229; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OSX/Flashback.K/I reporting successful infection 2"; flow:established,to_server; content:"/stat_u/"; http_uri; pcre:"/\/stat_u\/$/U"; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; reference:url,vms.drweb.com/virus/?i=1816029; classtype:trojan-activity; sid:20145239; rev:3;)
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/Flashback.K/I reporting failed infection"; flow:established,to_server; content:"/stat_n/"; http_uri; pcre:"/\/stat_n\/$/U"; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; reference:url,vms.drweb.com/virus/?i=1816029; classtype:trojan-activity; sid:20145249; rev:4;)
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/Flashback.K first execution checkin"; flow:established,to_server; content:"/stat_svc/"; http_uri; pcre:"/\/stat_svc\/$/U"; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,vms.drweb.com/virus/?i=1816029; classtype:trojan-activity; sid:20145259; rev:4;)
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/Flashback.K/I User-Agent"; flow:established,to_server; content:" WOW64|3b| rv|3a|9.0.1|3b| sv|3a|"; http_header; content:" id|3a|"; http_header; within:6; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,vms.drweb.com/virus/?i=1816029; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; classtype:trojan-activity; sid:20145349; rev:4;)
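Review bot: the sids in this file (`20145229`, `20145239`, `20145249`, `20145259`, `20145349`) are eight digits, unlike every other Emerging Threats rule in this commit (`2009359`, `2013778`, and the `20xxxxx` series in the shellcode file), and each looks like a seven-digit ET sid with a trailing `9` appended; if the renumbering is deliberate to avoid collisions with an existing ruleset, say so in a header comment, because as written they also fall outside the `2000000` through `2799999` range the ET license header in this commit claims for these rules. The second rule (`reporting successful infection 2`) is also written as `alert tcp ... $HTTP_PORTS` while its four siblings use `alert http ... any` with the same `http_uri` sticky buffer; using `alert http` throughout keeps the HTTP parser requirement explicit and the port handling consistent.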

View file

@ -0,0 +1,772 @@
# Emerging Threats
#
# This distribution may contain rules under two different licenses.
#
# Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
# A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
# Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License
# as follows:
#
#*************************************************************
# Copyright (c) 2003-2014, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
#
#
#
# This Ruleset is EmergingThreats Open optimized for suricata-1.3.
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Bindshell2 Decoder Shellcode"; flow:established; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; reference:url,doc.emergingthreats.net/2009246; classtype:shellcode-detect; sid:2009246; rev:3;)
#by Jaime Blasco
#
alert udp any any -> any any (msg:"ET SHELLCODE Bindshell2 Decoder Shellcode (UDP)"; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; reference:url,doc.emergingthreats.net/2009285; classtype:shellcode-detect; sid:2009285; rev:2;)
#by Jaime Blasco
#
alert tcp any any -> any any (msg:"ET SHELLCODE Rothenburg Shellcode"; flow:established; content:"|D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance:0; reference:url,doc.emergingthreats.net/2009247; classtype:shellcode-detect; sid:2009247; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Rothenburg Shellcode (UDP)"; content:"|D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance:0; reference:url,doc.emergingthreats.net/2009284; classtype:shellcode-detect; sid:2009284; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Lindau (linkbot) xor Decoder Shellcode"; flow:established; content:"|EB 15 B9|"; content:"|81 F1|"; distance:0; content:"|80 74 31 FF|"; distance:0; content:"|E2 F9 EB 05 E8 E6 FF FF FF|"; reference:url,doc.emergingthreats.net/2009248; classtype:shellcode-detect; sid:2009248; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Lindau (linkbot) xor Decoder Shellcode (UDP)"; content:"|EB 15 B9|"; content:"|81 F1|"; distance:0; content:"|80 74 31 FF|"; distance:0; content:"|E2 F9 EB 05 E8 E6 FF FF FF|"; reference:url,doc.emergingthreats.net/2009283; classtype:shellcode-detect; sid:2009283; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Adenau Shellcode"; flow:established; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009249; classtype:shellcode-detect; sid:2009249; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Adenau Shellcode (UDP)"; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009282; classtype:shellcode-detect; sid:2009282; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Mainz/Bielefeld Shellcode"; flow:established; content:"|33 c9 66 b9|"; content:"|80 34|"; distance:0; content:"|eb 05 e8 eb ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009250; classtype:shellcode-detect; sid:2009250; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Mainz/Bielefeld Shellcode (UDP)"; content:"|33 c9 66 b9|"; content:"|80 34|"; distance:0; content:"|eb 05 e8 eb ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009281; classtype:shellcode-detect; sid:2009281; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Wuerzburg Shellcode"; flow:established; content:"|eb 27|"; content:"|5d 33 c9 66 b9|"; distance:0; content:"|8d 75 05 8b fe 8a 06 3c|"; distance:0; content:"|75 05 46 8a 06|"; distance:0; content:"|88 07 47 e2 ed eb 0a e8 da ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009251; classtype:shellcode-detect; sid:2009251; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Wuerzburg Shellcode (UDP)"; content:"|eb 27|"; content:"|5d 33 c9 66 b9|"; distance:0; content:"|8d 75 05 8b fe 8a 06 3c|"; distance:0; content:"|75 05 46 8a 06|"; distance:0; content:"|88 07 47 e2 ed eb 0a e8 da ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009280; classtype:shellcode-detect; sid:2009280; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Schauenburg Shellcode"; flow:established; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009252; classtype:shellcode-detect; sid:2009252; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Schauenburg Shellcode (UDP)"; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009279; classtype:shellcode-detect; sid:2009279; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Koeln Shellcode"; flow:established; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009253; classtype:shellcode-detect; sid:2009253; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Koeln Shellcode (UDP)"; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009278; classtype:shellcode-detect; sid:2009278; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Lichtenfels Shellcode"; flow:established; content:"|01 fc ff ff 83 e4 fc 8b ec 33 c9 66 b9|"; content:"|80 30|"; distance:0; content:"|40 e2 fA|"; distance:0; reference:url,doc.emergingthreats.net/2009254; classtype:shellcode-detect; sid:2009254; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Lichtenfels Shellcode (UDP)"; content:"|01 fc ff ff 83 e4 fc 8b ec 33 c9 66 b9|"; content:"|80 30|"; distance:0; content:"|40 e2 fA|"; distance:0; reference:url,doc.emergingthreats.net/2009277; classtype:shellcode-detect; sid:2009277; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Mannheim Shellcode"; flow:established; content:"|80 73 0e|"; content:"|43 e2|"; distance:0; content:"|73 73 73|"; distance:0; content:"|81 86 8c 81|"; distance:0; reference:url,doc.emergingthreats.net/2009255; classtype:shellcode-detect; sid:2009255; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Mannheim Shellcode (UDP)"; content:"|80 73 0e|"; content:"|43 e2|"; distance:0; content:"|73 73 73|"; distance:0; content:"|81 86 8c 81|"; distance:0; reference:url,doc.emergingthreats.net/2009276; classtype:shellcode-detect; sid:2009276; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Berlin Shellcode"; flow:established; content:"|31 c9 b1 fc 80 73 0c|"; content:"|43 e2 8b 9f|"; distance:0; reference:url,doc.emergingthreats.net/2009256; classtype:shellcode-detect; sid:2009256; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Berlin Shellcode (UDP)"; content:"|31 c9 b1 fc 80 73 0c|"; content:"|43 e2 8b 9f|"; distance:0; reference:url,doc.emergingthreats.net/2009275; classtype:shellcode-detect; sid:2009275; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Leimbach Shellcode"; flow:established; content:"|5b 31 c9 b1|"; content:"|80 73|"; distance:0; content:"|43 e2|"; distance:0; reference:url,doc.emergingthreats.net/2009257; classtype:shellcode-detect; sid:2009257; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Leimbach Shellcode (UDP)"; content:"|5b 31 c9 b1|"; content:"|80 73|"; distance:0; content:"|43 e2|"; distance:0; reference:url,doc.emergingthreats.net/2009274; classtype:shellcode-detect; sid:2009274; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Aachen Shellcode"; flow:established; content:"|8b 45 04 35|"; content:"|89 45 04 66 8b 45 02 66 35|"; distance:0; content:"|66 89 45 02|"; distance:0; reference:url,doc.emergingthreats.net/2009258; classtype:shellcode-detect; sid:2009258; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Aachen Shellcode (UDP)"; content:"|8b 45 04 35|"; content:"|89 45 04 66 8b 45 02 66 35|"; distance:0; content:"|66 89 45 02|"; distance:0; reference:url,doc.emergingthreats.net/2009273; classtype:shellcode-detect; sid:2009273; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Furth Shellcode"; flow:established; content:"|31 c9 66 b9|"; content:"|80 73|"; distance:0; content:"|43 e2 1f|"; distance:0; reference:url,doc.emergingthreats.net/2009259; classtype:shellcode-detect; sid:2009259; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Furth Shellcode (UDP)"; content:"|31 c9 66 b9|"; content:"|80 73|"; distance:0; content:"|43 e2 1f|"; distance:0; reference:url,doc.emergingthreats.net/2009272; classtype:shellcode-detect; sid:2009272; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Langenfeld Shellcode"; flow:established; content:"|eb 0f 5b 33 c9 66 b9|"; content:"|80 33|"; distance:0; content:"|43 e2 fa eb|"; distance:0; reference:url,doc.emergingthreats.net/2009260; classtype:shellcode-detect; sid:2009260; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Langenfeld Shellcode (UDP)"; content:"|eb 0f 5b 33 c9 66 b9|"; content:"|80 33|"; distance:0; content:"|43 e2 fa eb|"; distance:0; reference:url,doc.emergingthreats.net/2009271; classtype:shellcode-detect; sid:2009271; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Bonn Shellcode"; flow:established; content:"|31 c9 81 e9|"; content:"|83 eb|"; distance:0; content:"|80 73|"; distance:0; content:"|43 e2 f9|"; distance:0; reference:url,doc.emergingthreats.net/2009261; classtype:shellcode-detect; sid:2009261; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Bonn Shellcode (UDP)"; content:"|31 c9 81 e9|"; content:"|83 eb|"; distance:0; content:"|80 73|"; distance:0; content:"|43 e2 f9|"; distance:0; reference:url,doc.emergingthreats.net/2009270; classtype:shellcode-detect; sid:2009270; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Siegburg Shellcode"; flow:established; content:"|31 eb 80 eb|"; content:"|58 80 30|"; distance:0; content:"|40 81 38|"; distance:0; reference:url,doc.emergingthreats.net/2009262; classtype:shellcode-detect; sid:2009262; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Siegburg Shellcode (UDP)"; content:"|31 eb 80 eb|"; content:"|58 80 30|"; distance:0; content:"|40 81 38|"; distance:0; reference:url,doc.emergingthreats.net/2009269; classtype:shellcode-detect; sid:2009269; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Plain1 Shellcode"; flow:established; content:"|89 e1 cd|"; content:"|5b 5d 52 66 bd|"; distance:0; content:"|0f cd 09 dd 55 6a|"; distance:0; content:"|51 50|"; distance:0; reference:url,doc.emergingthreats.net/2009263; classtype:shellcode-detect; sid:2009263; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Plain1 Shellcode (UDP)"; content:"|89 e1 cd|"; content:"|5b 5d 52 66 bd|"; distance:0; content:"|0f cd 09 dd 55 6a|"; distance:0; content:"|51 50|"; distance:0; reference:url,doc.emergingthreats.net/2009268; classtype:shellcode-detect; sid:2009268; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Plain2 Shellcode"; flow:established; content:"|50 50 50 50 40 50 40 50 ff 56 1c 8b d8 57 57 68 02|"; content:"|8b cc 6a|"; distance:0; content:"|51 53|"; distance:0; reference:url,doc.emergingthreats.net/2009264; classtype:shellcode-detect; sid:2009264; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Plain2 Shellcode (UDP)"; content:"|50 50 50 50 40 50 40 50 ff 56 1c 8b d8 57 57 68 02|"; content:"|8b cc 6a|"; distance:0; content:"|51 53|"; distance:0; reference:url,doc.emergingthreats.net/2009267; classtype:shellcode-detect; sid:2009267; rev:2;)
#by Jaime Blasco
#
#alert tcp any any -> any any (msg:"ET SHELLCODE Bindshell1 Decoder Shellcode"; flow:established; content:"|58 99 89 E1 CD 80 96 43 52 66 68|"; content:"|66 53 89 E1 6A 66 58 50 51 56|"; distance:0; reference:url,doc.emergingthreats.net/2009265; classtype:shellcode-detect; sid:2009265; rev:3;)
#by Jaime Blasco
#
#alert udp any any -> any any (msg:"ET SHELLCODE Bindshell1 Decoder Shellcode (UDP)"; content:"|58 99 89 E1 CD 80 96 43 52 66 68|"; content:"|66 53 89 E1 6A 66 58 50 51 56|"; distance:0; reference:url,doc.emergingthreats.net/2009266; classtype:shellcode-detect; sid:2009266; rev:2;)
#by Anonymous Researchers(tm)
#Intended to catch common shellcode encoding in exploit scripts coming to clients in web sessions
#high load. use these if you need them!
#
##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-8 encoded Shellcode Detected"; flow:from_server,established; content:"%u"; nocase; isdataat:2; content:!"|0A|"; within:2; content:!"|20|"; within:2; pcre:"/(%U([0-9a-f]{2})){6}/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2003173; classtype:trojan-activity; sid:2003173; rev:7;)
#by Anonymous Researchers(tm)
#Intended to catch common shellcode encoding in exploit scripts coming to clients in web sessions
#high load. use these if you need them!
#
##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 encoded Shellcode Detected"; flow:from_server,established; content:"%u"; nocase; isdataat:4; content:!"|0A|"; within:4; content:!"|20|"; within:4; pcre:"/(%U([0-9a-f]{4})){6}/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2003174; classtype:trojan-activity; sid:2003174; rev:8;)
#by Alejandro Gramajo
##############################################################################
#x86 Pex Variable Length Fnstenv/mov/sub Double Word Xor Encoder
#D9 EE fldz
#D9 74 24 F4 fnstenv [esp - 12]
#5B pop ebx
#81 73 13 xorkey xor_xor: xor DWORD [ebx + 22], xorkey
#83 EB FC sub ebx,-4
#E2 F4 loop xor_xor
#Real traffic dump
#Content1
#98 49 F8 27 91 2F 27 48 4F 4E 6A 12 59 <D9 EE D9 .I.'./'HONj.Y...
#74 24 F4 5B 81 73 13> 2E D6 9A FE <83 EB FC E2 F4> t$.[.s..........
#Xorkey Content2
#
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 PexFnstenvMov/Sub Encoder"; flow:established; content:"|D9 EE D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance: 4; within: 5; reference:url,doc.emergingthreats.net/bin/view/Main/2002903; classtype:shellcode-detect; sid:2002903; rev:5;)
##############################################################################
#x86 Skylined\'s Alpha2 Alphanumeric Encoder
#
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 Alpha2 GetEIPs Encoder"; flow:established; content:"|EB 03 59 EB 05 E8 F8 FF FF FF|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002904; classtype:shellcode-detect; sid:2002904; rev:5;)
##############################################################################
#x86 Call $+4 countdown xor encoder
#E8 FF FF FF call $+4
#FF C1 inc ecx
#5E pop esi
#30 4C 0E 07 xor_xor: xor [esi + ecx + 0x07], cl
#E2 FA loop xor_xor
#
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 Countdown Encoder"; flow:established; content:"|E8 FF FF FF FF C1 5E 30 4C 0E 07 E2 FA|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002905; classtype:shellcode-detect; sid:2002905; rev:5;)
##############################################################################
#x86 Pex Alphanumeric Encoder
#VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089 win32getpc
#?? JJJJJ ?? baseaddr
#VTX630VX4A0B6HH0B30BCVX2BDBH4A2AD0ADTBDQB0ADAVX4Z8BDJOM decoder
#
#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 PexAlphaNum Encoder"; flow:established; content:"VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089"; content:"JJJJJ"; distance: 2; within: 5; content:"VTX630VX4A0B6HH0B30BCVX2BDBH4A2AD0ADTBDQB0ADAVX4Z8BDJOM"; distance: 2; within: 55; reference:url,doc.emergingthreats.net/bin/view/Main/2002906; classtype:shellcode-detect; sid:2002906; rev:5;)
##############################################################################
#x86 Pex Call $+4 Double Word Xor Encoder
#E8 FF FF FF call $+4
#FF C0 inc eax
#5E pop esi
#81 76 0E xorkey xor_xor: xor [esi + 0x0e], xorkey
#83 EE FC sub esi, -4
#E2 F4 loop xor_xor
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE x86 PexCall Encoder"; flow:established; content:"|E8 FF FF FF FF C0 5E 81 76 0E|"; content:"|82 EE FC E2 F4|"; distance: 4; within: 5; reference:url,doc.emergingthreats.net/bin/view/Main/2002907; classtype:shellcode-detect; sid:2002907; rev:5;)
##############################################################################
#x86 IA32 Jmp/Call XOR Additive Feedback Decoder
#FC cld
#BB key mov ebx, key
#EB 0C jmp short 0x14
#5E pop esi
#56 push esi
#31 1E xor [esi], ebx
#AD lodsd
#01 C3 add ebx, eax
#85 C0 test eax, eax
#75 F7 jnz 0xa
#C3 ret
#E8 EF FF FF FF call 0x8
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE x86 JmpCallAdditive Encoder"; flow:established; content:"|FC BB|"; content:"|EB 0C 5E 56 31 1E AD 01 C3 85 C0 75 F7 C3 E8 EF FF FF FF|"; distance: 4; within: 19; reference:url,doc.emergingthreats.net/bin/view/Main/2002908; classtype:shellcode-detect; sid:2002908; rev:5;)
#Metasploit BSD shellcode detect rules by h0f - Jennylab
#Alberto Garcia de Dios
#albertogdedios@andaluciajunta.es
#http://www.jennylab.org
#####
#METASPLOIT SHELLCODE RULES
#####
#BSD METASPLOIT RULES
#### BSD BIND SHELL #######
#BSD Bind Shell - ENCODE: PexFnstenvSub
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell"; content:"|83 e9 ec d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010383; classtype:shellcode-detect; sid:2010383; rev:2;)
#BSD Bind Shell - ENCODE: CountDown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 2)"; content:"|82 ed 5f 4c 5d 52 43 78 03 d9 95 8f 84 49 4a 48 71 74 45 d3|"; reference:url,doc.emergingthreats.net/2010385; classtype:shellcode-detect; sid:2010385; rev:4;)
#BSD Bind Shell - ENCODE: CountDown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 3)"; content:"|9f 90 4b ef a3 76 76 74 97 36 e4 aa bc 46 2f 77 45 6a 69 63|"; reference:url,doc.emergingthreats.net/2010386; classtype:shellcode-detect; sid:2010386; rev:3;)
#BSD Bind Shell - ENCODE: CountDown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 4)"; content:"|64 65 f8 b6 7e 41 cc 6a 53 13 12 4d 57 28 6e 20 2a 2a cc a5|"; reference:url,doc.emergingthreats.net/2010387; classtype:shellcode-detect; sid:2010387; rev:3;)
#BSD Bind Shell - ENCODE: CountDown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 5)"; content:"|17 1c 1a 19 fb 77 80 ce|"; reference:url,doc.emergingthreats.net/2010388; classtype:shellcode-detect; sid:2010388; rev:3;)
#BSD Bind Shell - ENCODE: Pex
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Encoded 1)"; content:"|c9 83 e9 ec e8 ff ff ff ff c0 5e 81 76 0e|"; reference:url,doc.emergingthreats.net/2010389; classtype:shellcode-detect; sid:2010389; rev:3;)
#BSD Bind Shell - ENCODE: Pex
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Encoded 2)"; content:"|83 ee fc e2 f4|"; reference:url,doc.emergingthreats.net/2010390; classtype:shellcode-detect; sid:2010390; rev:3;)
#BSD Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 1)"; content:"|6a 61 58 99 52 68 10 02|"; reference:url,doc.emergingthreats.net/2010391; classtype:shellcode-detect; sid:2010391; rev:3;)
#BSD Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 2)"; content:"|89 e1 52 42 52 42 52 6a 10 cd 80 99 93 51 53 52 6a 68 58 cd|"; reference:url,doc.emergingthreats.net/2010392; classtype:shellcode-detect; sid:2010392; rev:2;)
#BSD Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 3)"; content:"|80 b0 6a cd 80 52 53 52 b0 1e cd 80 97 6a 02 59 6a 5a 58 51|"; reference:url,doc.emergingthreats.net/2010393; classtype:shellcode-detect; sid:2010393; rev:3;)
#BSD Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 4)"; content:"|57 51 cd 80 49 79 f5 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3|"; reference:url,doc.emergingthreats.net/2010394; classtype:shellcode-detect; sid:2010394; rev:3;)
#BSD Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 5)"; content:"|50 54 53 53 b0 3b cd 80|"; reference:url,doc.emergingthreats.net/2010395; classtype:shellcode-detect; sid:2010395; rev:3;)
#BSD Bind Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 1)"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 4f 49 49 49 49 49 49 51 5a 56|"; reference:url,doc.emergingthreats.net/2010396; classtype:shellcode-detect; sid:2010396; rev:3;)
#BSD Bind Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 2)"; content:"|54 58 36 33 30 56 58 34 41 30 42 36 48 48 30 42 33 30 42 43|"; reference:url,doc.emergingthreats.net/2010397; classtype:shellcode-detect; sid:2010397; rev:3;)
#BSD Bind Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 3)"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54 42 44 51 42|"; reference:url,doc.emergingthreats.net/2010398; classtype:shellcode-detect; sid:2010398; rev:3;)
#BSD Bind Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 4)"; content:"|30 41 44 41 56 58 34 5a 38 42 44 4a 4f 4d 4c 36 41|"; reference:url,doc.emergingthreats.net/2010399; classtype:shellcode-detect; sid:2010399; rev:3;)
#BSD Bind Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 5)"; content:"|41 4e 44 35 44 34 44|"; reference:url,doc.emergingthreats.net/2010400; classtype:shellcode-detect; sid:2010400; rev:3;)
#BSD Bind Shell - ENCODE: PexFstEnvMov
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 1)"; content:"|6a 14 59 d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010401; classtype:shellcode-detect; sid:2010401; rev:3;)
#BSD Bind Shell - ENCODE: PexFstEnvMov
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 2)"; content:"|83 eb fc e2 f4|"; reference:url,doc.emergingthreats.net/2010402; classtype:shellcode-detect; sid:2010402; rev:3;)
#BSD Bind Shell - ENCODE: JmpCallAditive
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (JmpCallAdditive Encoded)"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff ff ff|"; reference:url,doc.emergingthreats.net/2010403; classtype:shellcode-detect; sid:2010403; rev:3;)
#BSD Bind Shell - ENCODE: Alpha2
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 1)"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 49 49 49 49 49 49 49 49 49 49|"; reference:url,doc.emergingthreats.net/2010404; classtype:shellcode-detect; sid:2010404; rev:3;)
#BSD Bind Shell - ENCODE: Alpha2
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 2)"; content:"|41 42 32 42 41 32 41 41 30 41 41 58|"; reference:url,doc.emergingthreats.net/2010405; classtype:shellcode-detect; sid:2010405; rev:3;)
#BSD Bind Shell - ENCODE: Alpha2
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 3)"; content:"|49 72 4e 4e 69 6b 53|"; reference:url,doc.emergingthreats.net/2010406; classtype:shellcode-detect; sid:2010406; rev:3;)
#BSD Reverse Shell - ENCODE: PexFnstenvSub
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 1)"; content:"|c9 83 e9 ef d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010407; classtype:shellcode-detect; sid:2010407; rev:3;)
#### EOF BSD BIND SHELL ######
### BSD REVERSE SHELL #######
#BSD Reverse Shell - ENCODE: PexFnstenvSub
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 2)"; content:"|83 eb fc e2 f4|"; reference:url,doc.emergingthreats.net/2010408; classtype:shellcode-detect; sid:2010408; rev:3;)
#BSD Reverse Shell - ENCODE: Countdown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 1)"; content:"|6a 43 59 e8 ff ff ff ff c1 5e 30 4c 0e 07 e2 fa 6b 63 5b 9d|"; reference:url,doc.emergingthreats.net/2010409; classtype:shellcode-detect; sid:2010409; rev:3;)
#BSD Reverse Shell - ENCODE: Countdown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 2)"; content:"|9f f6 72 09 4b 4b 4d 8a 74 7d 78 ec a2 49 26 7c 96 7d 79 7e|"; reference:url,doc.emergingthreats.net/2010410; classtype:shellcode-detect; sid:2010410; rev:3;)
#BSD Reverse Shell - ENCODE: Countdown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 3)"; content:"|7b e6 ac 64 57 d9 60 59 1d 1c 47 5d 5e 18 5a 50 54 b2 df 6d|"; reference:url,doc.emergingthreats.net/2010411; classtype:shellcode-detect; sid:2010411; rev:3;)
#BSD Reverse Shell - ENCODE: Countdown
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 4)"; content:"|57 44 55 4a 5b 62|"; reference:url,doc.emergingthreats.net/2010412; classtype:shellcode-detect; sid:2010412; rev:3;)
#BSD Reverse Shell - ENCODE: Pex
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Encoded 1)"; content:"|c9 83 e9 ef e8 ff ff ff ff c0 5e 81 76 0e|"; reference:url,doc.emergingthreats.net/2010413; classtype:shellcode-detect; sid:2010413; rev:3;)
#BSD Reverse Shell - ENCODE: Pex
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Encoded 2)"; content:"|83 ee fc e2 f4|"; reference:url,doc.emergingthreats.net/2010414; classtype:shellcode-detect; sid:2010414; rev:3;)
#BSD Reverse Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 1)"; content:"|51 cd 80 49 79 f6 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 50|"; reference:url,doc.emergingthreats.net/2010415; classtype:shellcode-detect; sid:2010415; rev:3;)
#BSD Reverse Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 2)"; content:"|6a 61 58 99 52 42 52 42 52 68|"; reference:url,doc.emergingthreats.net/2010416; classtype:shellcode-detect; sid:2010416; rev:3;)
#BSD Reverse Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 3)"; content:"|89 e1 6a 10 51 50 51 97 6a 62 58 cd 80 6a 02 59 b0 5a 51 57|"; reference:url,doc.emergingthreats.net/2010417; classtype:shellcode-detect; sid:2010417; rev:3;)
#BSD Reverse Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 1)"; content:"|44 32 4d 4c 42 48 4a 46 42 31 44 50 50 41 4e 4f 49 38 41 4e|"; reference:url,doc.emergingthreats.net/2010418; classtype:shellcode-detect; sid:2010418; rev:3;)
#BSD Reverse Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 2)"; content:"|4c 36 42 41 41 35 42 45 41 35 47 59 4c 36 44 56 4a 35 4d 4c|"; reference:url,doc.emergingthreats.net/2010419; classtype:shellcode-detect; sid:2010419; rev:3;)
#BSD Reverse Shell - ENCODE: PexAlphaNum
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 3)"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54 42 44 51 42|"; reference:url,doc.emergingthreats.net/2010420; classtype:shellcode-detect; sid:2010420; rev:3;)
#BSD Reverse Shell - ENCODE: PexFnstenvMov
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 1)"; content:"|6a 11 59 d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010421; classtype:shellcode-detect; sid:2010421; rev:3;)
#BSD Reverse Shell - ENCODE: PexFnstenvMov
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 2)"; content:"|83 eb fc e2 f4|"; reference:url,doc.emergingthreats.net/2010422; classtype:shellcode-detect; sid:2010422; rev:3;)
#BSD Reverse Shell - ENCODE: JmpCallAditive
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (JmpCallAdditive Encoded 1)"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff ff ff|"; reference:url,doc.emergingthreats.net/2010423; classtype:shellcode-detect; sid:2010423; rev:2;)
#BSD Reverse Shell - ENCODE: Alpha2
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 1)"; content:"|49 49 49 49 49 49 49 51 5a 6a|"; reference:url,doc.emergingthreats.net/2010424; classtype:shellcode-detect; sid:2010424; rev:2;)
#BSD Reverse Shell - ENCODE: Alpha2
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 2)"; content:"|58 50 30 42 31 41 42 6b 42 41|"; reference:url,doc.emergingthreats.net/2010425; classtype:shellcode-detect; sid:2010425; rev:2;)
#BSD Reverse Shell - ENCODE: Alpha2
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 3)"; content:"|32 41 41 30 41 41 58 50 38 42 42 75|"; reference:url,doc.emergingthreats.net/2010426; classtype:shellcode-detect; sid:2010426; rev:2;)
##### EOF BSD Reverse Shell#####
##### BSD SPARC Bind Shell #########
#BSD SPARC Bind Shell - ENCODE: SPARC
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (SPARC Encoded 1)"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03 e0 20 aa 9d 40 11|"; reference:url,doc.emergingthreats.net/2010427; classtype:shellcode-detect; sid:2010427; rev:2;)
##### EOF BSD Reverse Shell#####
##### BSD SPARC Bind Shell #########
#BSD SPARC Bind Shell - ENCODE: SPARC
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (SPARC Encoded 2)"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff fb 9e 03 e0 04|"; reference:url,doc.emergingthreats.net/2010428; classtype:shellcode-detect; sid:2010428; rev:2;)
#BSD SPARC Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 1)"; content:"|e0 23 bf f0 c0 23 bf f4 92 23 a0 10 94 10 20 10 82 10 20 68|"; reference:url,doc.emergingthreats.net/2010429; classtype:shellcode-detect; sid:2010429; rev:2;)
#BSD SPARC Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 2)"; content:"|91 d0 20 08 d0 03 bf f8 92 10 20 01 82 10 20 6a 91 d0 20 08|"; reference:url,doc.emergingthreats.net/2010430; classtype:shellcode-detect; sid:2010430; rev:2;)
#BSD SPARC Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 3)"; content:"|d0 03 bf f8 92 1a 40 09 94 12 40 09 82 10 20 1e 91 d0 20 08|"; reference:url,doc.emergingthreats.net/2010431; classtype:shellcode-detect; sid:2010431; rev:2;)
#BSD SPARC Bind Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 4)"; content:"|23 0b dc da 90 23 a0 10 92 23 a0 08 e0 3b bf f0 d0 23 bf f8|"; reference:url,doc.emergingthreats.net/2010432; classtype:shellcode-detect; sid:2010432; rev:2;)
#### EOF BSD SPARC Bind Shell #########4
### BSD SPARC Reverse Shell ########
#BSD SPARC Reverse Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 1)"; content:"|9c 2b a0 07 94 1a c0 0b 92 10 20 01 90 10 20 02 82 10 20 61|"; reference:url,doc.emergingthreats.net/2010433; classtype:shellcode-detect; sid:2010433; rev:2;)
#### EOF BSD SPARC Bind Shell #########4
### BSD SPARC Reverse Shell ########
#BSD SPARC Reverse Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 2)"; content:"|91 d0 20 08 d0 23 bf f8 92 10 20 03 92 a2 60 01 82 10 20 5a|"; reference:url,doc.emergingthreats.net/2010434; classtype:shellcode-detect; sid:2010434; rev:2;)
#### EOF BSD SPARC Bind Shell #########4
### BSD SPARC Reverse Shell ########
#BSD SPARC Reverse Shell - ENCODE: None
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 3)"; content:"|91 d0 20 08 12 bf ff fd d0 03 bf f8 21 3f c0|"; reference:url,doc.emergingthreats.net/2010437; classtype:shellcode-detect; sid:2010437; rev:2;)
#BSD SPARC Reverse Shell - ENCODE: SPARC
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 1)"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03 e0 20 aa 9d 40 11|"; reference:url,doc.emergingthreats.net/2010435; classtype:shellcode-detect; sid:2010435; rev:2;)
#BSD SPARC Reverse Shell - ENCODE: SPARC
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 2)"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff fb 9e 03 e0 04|"; reference:url,doc.emergingthreats.net/2010436; classtype:shellcode-detect; sid:2010436; rev:2;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE AIX NOOP"; content:"O|FF FB 82|O|FF FB 82|O|FF FB 82|O|FF FB 82|"; classtype:shellcode-detect; sid:2100640; rev:7;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|"; reference:arachnids,352; classtype:shellcode-detect; sid:2100641; rev:7;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|"; reference:arachnids,358; classtype:shellcode-detect; sid:2100642; rev:7;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|"; reference:arachnids,359; classtype:shellcode-detect; sid:2100643; rev:8;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; reference:arachnids,343; classtype:shellcode-detect; sid:2100652; rev:10;)
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%"; reference:arachnids,356; classtype:shellcode-detect; sid:2100638; rev:6;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4"; reference:arachnids,357; classtype:shellcode-detect; sid:2100639; rev:6;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|"; reference:arachnids,345; classtype:shellcode-detect; sid:2100644; rev:6;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|"; reference:arachnids,353; classtype:shellcode-detect; sid:2100645; rev:6;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|"; reference:arachnids,355; classtype:shellcode-detect; sid:2100646; rev:6;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc setuid 0"; content:"|82 10| |17 91 D0| |08|"; reference:arachnids,282; classtype:system-call-detect; sid:2100647; rev:7;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x71FB7BAB NOOP unicode"; content:"q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|"; classtype:shellcode-detect; sid:2102313; rev:3;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x71FB7BAB NOOP"; content:"q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|"; classtype:shellcode-detect; sid:2102312; rev:3;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x90 NOOP unicode"; content:"|90 00 90 00 90 00 90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2102314; rev:3;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x90 unicode NOOP"; content:"|90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:653; rev:9;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0xEB0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; fast_pattern:only; classtype:shellcode-detect; sid:2101424; rev:8;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:7;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:2101390; rev:6;)
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|"; reference:arachnids,284; classtype:system-call-detect; sid:2100649; rev:9;)
#
#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|"; reference:arachnids,436; classtype:system-call-detect; sid:2100650; rev:9;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 stealth NOOP"; content:"|EB 02 EB 02 EB 02|"; reference:arachnids,291; classtype:shellcode-detect; sid:2100651; rev:9;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101324; rev:7;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101326; rev:7;)
#
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SHELLCODE MSSQL shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; fast_pattern:only; classtype:shellcode-detect; sid:2100691; rev:7;)
#
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape %u Shellcode/Heap Spray"; flow:established,to_client; content:"unescape"; nocase; content:"%u"; nocase; distance:0; content:"%u"; nocase; within:6; pcre:"/unescape.+\x25u[0-9,a-f]{2,4}\x25u[0-9,a-f]{2,4}/smi"; reference:url,www.w3schools.com/jsref/jsref_unescape.asp; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,malzilla.sourceforge.net/tutorial01/index.html; reference:url,doc.emergingthreats.net/2011346; classtype:shellcode-detect; sid:2011346; rev:7;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected"; flow:established; content:"|EB|"; byte_jump:1,0,relative; content:"|E8|"; within:1; content:"|FF FF FF|"; distance:1; within:3; content:!"MZ"; content:!"This program cannot be run in DOS mode"; content:!"Windows Program"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2011803; rev:5;)
#
#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UDP x86 JMP to CALL Shellcode Detected"; content:"|EB|"; byte_jump:1,0,relative; content:"|E8|"; within:1; content:"|FF FF FF|"; distance:1; within:3; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2011804; rev:2;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 58|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012086; rev:2;)
#
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 58|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012087; rev:2;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 8F|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012088; rev:2;)
#
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; content:"|E8 00 00 00 00 8F|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012089; rev:2;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 0F 1A|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012090; rev:2;)
#
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 0F 1A|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012091; rev:3;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 0F A9|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012092; rev:2;)
#
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 0F A9|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012093; rev:3;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-8 %u90 NOP SLED"; flow:established,to_client; content:"%u90%u90"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012110; rev:3;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 %u9090 NOP SLED"; flow:established,to_client; content:"%u9090%u"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012111; rev:4;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Encoded %90 NOP SLED"; flow:established,to_client; content:"%90%90%90%90"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012112; rev:4;)
#
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Usage of Actionscript ByteArray writeByte Function to Build Shellcode"; flow:established,to_client; content:"writeByte(0x"; nocase; pcre:"/writeByte\x280x[a-z,0-9]{2}.+writeByte\x280x[a-z,0-9]{2}.+writeByte\x280x[a-z,0-9]{2}/smi"; reference:url,blog.fireeye.com/research/2009/07/actionscript_heap_spray.html; classtype:shellcode-detect; sid:2012120; rev:2;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation"; flow:established,to_client; content:"unescape|28 22|"; content:!"|29|"; within:100; content:"|22| +|0a|"; within:80; content:"|22| +|0a|"; within:80; content:"|22| "; within:80; content:"|22| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012196; rev:3;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation 2"; flow:established,to_client; content:"unescape|28 27|"; content:!"|29|"; within:100; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012197; rev:4;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common 0a0a0a0a Heap Spray String"; flow:established,to_client; content:"0a0a0a0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012252; rev:3;)
#
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %0a%0a%0a%0a Heap Spray String"; flow:established,to_client; content:"%0a%0a%0a%0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012253; rev:2;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a0a%u0a0a UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0a0a%u0a0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012254; rev:3;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a%u0a%u0a%u0a UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0a%u0a%u0a%u0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012255; rev:3;)
#
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common 0c0c0c0c Heap Spray String"; flow:established,to_client; content:"0c0c0c0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012256; rev:2;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String"; flow:established,to_client; content:"%0c%0c%0c%0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012257; rev:3;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c0c%u0c0c UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0c0c%u0c0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012258; rev:3;)
#
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c%u0c%u0c%u0c UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0c%u0c%u0c%u0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012259; rev:3;)
#
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE UTF-8/16 Encoded Shellcode"; flow:established,to_client; content:"|5C|u"; nocase; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; pcre:"/\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}/i"; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012510; rev:2;)
#
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Variable %u Shellcode"; flow:established,to_client; content:"= unescape|28|"; nocase; content:"%u"; nocase; within:3; content:"%u"; nocase; within:6; pcre:"/var\x20[a-z,0-9]{1,30}\x20\x3D\x20unescape\x28.\x25u[a-f,0-9]{2,4}\x25u[a-f,0-9]{2,4}/i"; reference:url,www.symantec.com/avcenter/reference/evolving.shell.code.pdf; classtype:shellcode-detect; sid:2012534; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Variable Unicode Shellcode"; flow:established,to_client; content:"= unescape|28|"; nocase; content:"|5C|u"; nocase; within:3; content:"|5C|u"; nocase; within:6; pcre:"/var\x20[a-z,0-9]{1,30}\x20\x3D\x20unescape\x28.\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}/i"; reference:url,www.symantec.com/avcenter/reference/evolving.shell.code.pdf; classtype:shellcode-detect; sid:2012535; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Javascript Split String Unicode Heap Spray Attempt"; flow:established,to_client; content:"|22|u|22 20|+|20 22|0|22 20|+|20 22|"; content:"|22 20|+|20 22|"; distance:1; within:5; pcre:"/\x220\x22\x20\x2B\x20\x22[a-d]\x22\x20\x2B\x20\x22/smi"; classtype:shellcode-detect; sid:2012925; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0a0a0a0a Heap Spray Attempt"; flow:established,to_client; content:"0x0a0a0a0a"; nocase; classtype:shellcode-detect; sid:2012962; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0b0b0b0b Heap Spray Attempt"; flow:established,to_client; content:"0x0b0b0b0b"; nocase; classtype:shellcode-detect; sid:2012963; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0c0c0c0c Heap Spray Attempt"; flow:established,to_client; content:"0x0c0c0c0c"; nocase; classtype:shellcode-detect; sid:2012964; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0d0d0d0d Heap Spray Attempt"; flow:established,to_client; content:"0x0d0d0d0d"; nocase; classtype:shellcode-detect; sid:2012965; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %0d%0d%0d%0d Heap Spray Attempt"; flow:established,to_client; content:"%0d%0d%0d%0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012966; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u0d%u0d%u0d%u0d UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"%u0d%u0d%u0d%u0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012967; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u0d0d%u0d0d UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"%u0d0d%u0d0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012968; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Vertical Slash Unicode Heap Spray Attempt"; flow:established,to_client; content:"|7C|u0"; nocase; content:"|7C|u0"; distance:1; within:4; pcre:"/\x7Cu0[a-d](\x7Cu0|0)[a-d]/\x7Cu0[a-d](\x7Cu0|0)[a-d]/i"; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012969; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Unicode Heap Spray Attempt"; flow:established,to_client; content:"|5C|u0"; nocase; content:"|5C|u0"; distance:1; within:4; pcre:"/\x5Cu0[a-d](\x5Cu0|0)[a-d]/\x5Cu0[a-d](\x5Cu0|0)[a-d]/i"; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012970; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt"; flow:established,to_client; content:"%41%41%41%41"; fast_pattern:only; classtype:shellcode-detect; sid:2013145; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u41%u41%u41%u41 UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"%u41%u41%u41%u41"; nocase; fast_pattern:only; classtype:shellcode-detect; sid:2013146; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u4141%u4141 UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"%u4141%u4141"; nocase; fast_pattern:only; classtype:shellcode-detect; sid:2013147; rev:2;)
#
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE JavaScript Redefinition of a HeapLib Object - Likely Malicious Heap Spray Attempt"; flow:established,to_client; content:"heap|2E|"; nocase; fast_pattern:only; pcre:"/var\x20[^\n\r]*\x3D[^\n\r]*heap\x2E/smi"; classtype:shellcode-detect; sid:2013148; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt"; flow:established,to_client; file_data; content:"Heap|2E|"; nocase; content:"Heap|2E|"; nocase; distance:0; content:"Heap|2E|"; nocase; distance:0; classtype:shellcode-detect; sid:2013222; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0a0a0a0a"; flow:established,to_client; file_data; content:"|5C|x0a|5C|x0a|5C|x0a|5C|x0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013267; rev:4;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; file_data; content:"|5C|x0b|5C|x0b|5C|x0b|5C|x0b"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013268; rev:4;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C|x0c|5C|x0c|5C|x0c|5C|x0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013269; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C|x0d|5C|x0d|5C|x0d|5C|x0d"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013270; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C|x90|5C|x90|5C|x90|5C|x90"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013271; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Hex Obfuscated Content"; flow:established,to_client; content:"unescape|28|"; fast_pattern; content:"|5C|x"; distance:1; within:2; content:"|5C|x"; distance:2; within:2; content:"|5C|x"; distance:2; within:2; content:"|5C|x"; distance:2; within:2; pcre:"/unescape\x28(\x22|\x27)\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}/smi"; classtype:shellcode-detect; sid:2013272; rev:3;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C|x41|5C|x41|5C|x41|5C|x41"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013273; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0a0a0a0a"; flow:established,to_client; content:"|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013274; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; content:"|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013275; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013276; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013277; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C 5C|x90|5C 5C|x90|5C 5C|x90|5C 5C|x90"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013278; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C 5C|x41|5C 5C|x41|5C 5C|x41|5C 5C|x41"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013279; rev:2;)
#
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unicode UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"u0"; nocase; content:"u0"; nocase; distance:1; within:2; content:"u0"; nocase; distance:1; within:2; content:"u0"; nocase; distance:1; within:2; pcre:"/u0[a-d]u0[a-d]u0[a-d]u0[a-d]/smi"; classtype:shellcode-detect; sid:2013319; rev:2;)
#
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unicode UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"u0"; nocase; content:"u0"; nocase; distance:3; within:2; pcre:"/u0[a-d]0[a-d]u0[a-d]0[a-d]/smi"; classtype:shellcode-detect; sid:2013320; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-8 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c|5C|0c"; nocase; distance:0; classtype:bad-unknown; sid:2016714; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-16 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c0c"; nocase; distance:0; classtype:bad-unknown; sid:2016715; rev:2;)
#
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 u9090 NOP SLED"; file_data; flow:established,to_client; content:"|5c|u9090|5c|"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2017345; rev:4;)
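Review bot: the two rules left commented out here, sids 2013319 and 2013320 (the Unicode UTF-8 and UTF-16 heap spray signatures), carry no note saying why they are disabled, so the next person tuning this file cannot tell a false-positive decision from an oversight; add a one-line `# disabled: <reason>` comment above each. The bare `#` lines between the remaining rules are also just separators and could be dropped in favour of blank lines without changing what loads.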

View file

@ -0,0 +1,90 @@
#!/bin/bash
#
# Init file for suricata
#
#
# chkconfig: 345 52 48
# description: Network Intrusion Detection System
#
# processname: Suricata
# pidfile: /var/run/suricata.pid
source /etc/rc.d/init.d/functions
### Read configuration
[ -r "$SYSCONFIG" ] && source "$SYSCONFIG"
RETVAL=0
prog="suricata"
desc="Suricata IDS"
start() {
# Make sure the interfaces are up, or suricata won't start.
for interface in <% @interface.each do |int| -%><%= int %> <% end -%>
do
/sbin/ifconfig $interface up
done
echo -n $"Starting $desc ($prog): "
daemon "suricata -D -c /etc/suricata/suricata.yaml <% @interface.each do |int| -%> -i <%= int %> <% end -%> >> /var/log/suricata/suricata.log"
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
return $RETVAL
}
stop() {
echo -n $"Shutting down $desc ($prog): "
killproc $prog
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog
return $RETVAL
}
restart() {
stop
start
}
reload() {
echo "Checking config before restarting"
suricata -T -c /etc/suricata/suricata.yaml >/dev/null 2>&1
RETVAL=$?
if [ $RETVAL -eq 0 ]
then
kill -USR2 $(cat /var/run/suricata.pid)
else
echo "Config broken, not reloading"
fi
return $RETVAL
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
restart
;;
reload)
reload
;;
condrestart)
[ -e /var/lock/subsys/$prog ] && restart
RETVAL=$?
;;
status)
status $prog
RETVAL=$?
;;
*)
echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
RETVAL=1
esac
exit $RETVAL
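Review bot: `SYSCONFIG` is never assigned before `[ -r "$SYSCONFIG" ] && source "$SYSCONFIG"`, so the test is always false and no sysconfig file is ever read; set it explicitly first, for example `SYSCONFIG=/etc/sysconfig/suricata`. Two smaller points in the same hunk: `reload()` prints "Checking config before restarting" but then sends `SIGUSR2`, which is Suricata's live rule reload rather than a restart, so the message should say "reloading"; and the capture interfaces are brought up with `/sbin/ifconfig`, which is absent on hosts that ship only iproute2, so `ip link set "$interface" up` is the safer call.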

View file

@ -0,0 +1,12 @@
[Unit]
Description=Open Source Next Generation Intrusion Detection and Prevention Engine
After=syslog.target network.target
[Service]
Type=simple
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml <% @interface.each do |int| -%> -i <%= int %> <% end -%>
ExecReload=/bin/kill -HUP $MAINPID
ExecStop=/bin/kill $MAINPID
[Install]
WantedBy=multi-user.target
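Review bot: `ExecReload=/bin/kill -HUP $MAINPID` does not reload rules: Suricata treats SIGHUP as a request to close and reopen its log files, while the init script in this same commit runs a `suricata -T` config test and then sends SIGUSR2 for the live rule reload. Use `ExecReload=/bin/kill -USR2 $MAINPID`, and add `ExecStartPre=/usr/bin/suricata -T -c /etc/suricata/suricata.yaml` so a broken config fails the unit before the running process is replaced. `After=syslog.target` is a no-op on systemd hosts and can be dropped.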

View file

@ -0,0 +1,313 @@
%YAML 1.1
---
default-log-dir: /var/log/suricata/
unix-command:
enabled: no
run-as:
user: suricata
group: suricata
outputs:
- fast:
enabled: yes
filename: fast.log
append: yes
- unified2-alert:
enabled: no
filename: unified2.alert
- http-log:
enabled: no
filename: http.log
append: yes
- tls-log:
enabled: no # Log TLS connections.
filename: tls.log # File to store TLS logs.
certs-log-dir: certs # directory to store the certificates files
- pcap-info:
enabled: no
- pcap-log:
enabled: no
filename: log.pcap
limit: 1000mb
max-files: 2000
mode: normal # normal or sguil.
use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
- alert-debug:
enabled: no
filename: alert-debug.log
append: yes
- alert-prelude:
enabled: no
profile: suricata
log-packet-content: no
log-packet-header: yes
- stats:
enabled: no
filename: stats.log
interval: 8
- syslog:
enabled: no
facility: local5
- drop:
enabled: no
filename: drop.log
append: yes
- file-store:
enabled: no # set to yes to enable
log-dir: files # directory to store the files
force-magic: no # force logging magic on all stored files
force-md5: no # force logging of md5 checksums
- file-log:
enabled: no
filename: files-json.log
append: yes
force-magic: no # force logging magic on all logged files
force-md5: no # force logging of md5 checksums
magic-file: /usr/share/file/magic
nfq:
af-packet:
threshold-file: /etc/suricata/threshold.config
detect-engine:
- profile: medium
- custom-values:
toclient-src-groups: 2
toclient-dst-groups: 2
toclient-sp-groups: 2
toclient-dp-groups: 3
toserver-src-groups: 2
toserver-dst-groups: 4
toserver-sp-groups: 2
toserver-dp-groups: 25
- sgh-mpm-context: auto
- inspection-recursion-limit: 3000
threading:
set-cpu-affinity: no
cpu-affinity:
- management-cpu-set:
cpu: [ 0 ] # include only these cpus in affinity settings
- receive-cpu-set:
cpu: [ 0 ] # include only these cpus in affinity settings
- decode-cpu-set:
cpu: [ 0, 1 ]
mode: "balanced"
- stream-cpu-set:
cpu: [ "0-1" ]
- detect-cpu-set:
cpu: [ "all" ]
mode: "exclusive" # run detect threads in these cpus
prio:
low: [ 0 ]
medium: [ "1-2" ]
high: [ 3 ]
default: "medium"
- verdict-cpu-set:
cpu: [ 0 ]
prio:
default: "high"
- reject-cpu-set:
cpu: [ 0 ]
prio:
default: "low"
- output-cpu-set:
cpu: [ "all" ]
prio:
default: "medium"
detect-thread-ratio: 1.5
cuda:
- mpm:
packet-buffer-limit: 2400
packet-size-limit: 1500
packet-buffers: 10
batching-timeout: 1
page-locked: enabled
device-id: 0
cuda-streams: 2
mpm-algo: ac
pattern-matcher:
- b2gc:
search-algo: B2gSearchBNDMq
hash-size: low
bf-size: medium
- b2gm:
search-algo: B2gSearchBNDMq
hash-size: low
bf-size: medium
- b2g:
search-algo: B2gSearchBNDMq
hash-size: low
bf-size: medium
- b3g:
search-algo: B3gSearchBNDMq
hash-size: low
bf-size: medium
- wumanber:
hash-size: low
bf-size: medium
defrag:
memcap: 32mb
hash-size: 65536
trackers: 65535 # number of defragmented flows to follow
max-frags: 65535 # number of fragments to keep (higher than trackers)
prealloc: yes
timeout: 60
flow:
memcap: 32mb
hash-size: 65536
prealloc: 10000
emergency-recovery: 30
flow-timeouts:
default:
new: 30
established: 300
closed: 0
emergency-new: 10
emergency-established: 100
emergency-closed: 0
tcp:
new: 60
established: 3600
closed: 120
emergency-new: 10
emergency-established: 300
emergency-closed: 20
udp:
new: 30
established: 300
emergency-new: 10
emergency-established: 100
icmp:
new: 30
established: 300
emergency-new: 10
emergency-established: 100
stream:
memcap: 32mb
checksum-validation: yes # reject wrong csums
inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
reassembly:
memcap: 64mb
depth: 1mb # reassemble 1mb into a stream
toserver-chunk-size: 2560
toclient-chunk-size: 2560
host:
hash-size: 4096
prealloc: 1000
memcap: 16777216
logging:
default-log-level: info
default-output-filter:
outputs:
- console:
enabled: yes
- file:
enabled: no
filename: /var/log/suricata.log
- syslog:
enabled: no
facility: local5
pfring:
- interface: <%= @pcapinterface %>
threads: 1
cluster-id: 99
cluster-type: cluster_flow
- interface: default
pcap:
- interface: <%= @pcapinterface %>
- interface: default
ipfw:
default-rule-path: /etc/suricata/rules/
rule-files:
- local.rules
- tor.rules
- emerging-shellcode.rules
- dshield.rules
- compromised.rules
- dshield.rules
- mobilemalware.rules
- nmap.rules
- shellcode.rules
- osxmalware.rules
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config
vars:
address-groups:
HOME_NET: "[10.0.0.0/8,172.16.0.0/12]"
port-groups:
HTTP_PORTS: "80"
action-order:
- pass
- drop
- reject
- alert
host-os-policy:
windows: [0.0.0.0/0]
bsd: []
bsd-right: []
old-linux: []
linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
old-solaris: []
solaris: ["::1"]
hpux10: []
hpux11: []
irix: []
macos: []
vista: []
windows2k3: []
asn1-max-frames: 256
engine-analysis:
rules-fast-pattern: yes
rules: yes
pcre:
match-limit: 3500
match-limit-recursion: 1500
libhtp:
default-config:
personality: IDS
request-body-limit: 3072
response-body-limit: 3072
request-body-minimal-inspect-size: 32kb
request-body-inspect-window: 4kb
response-body-minimal-inspect-size: 32kb
response-body-inspect-window: 4kb
double-decode-path: no
double-decode-query: no
server-config:
- apache:
address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
personality: Apache_2_2
request-body-limit: 4096
response-body-limit: 4096
double-decode-path: no
double-decode-query: no
- iis7:
address:
- 192.168.0.0/24
- 192.168.10.0/24
personality: IIS_7_0
request-body-limit: 4096
response-body-limit: 4096
double-decode-path: no
double-decode-query: no
profiling:
rules:
enabled: yes
filename: rule_perf.log
append: yes
sort: avgticks
limit: 100
packets:
enabled: yes
filename: packet_stats.log
append: yes
csv:
enabled: no
filename: packet_stats.csv
locks:
enabled: no
filename: lock_stats.log
append: yes
coredump:
max-dump: unlimited
napatech:
hba: -1
use-all-streams: yes
streams: [1, 2, 3]
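Review bot: `dshield.rules` appears twice in `rule-files`, so every signature in it is loaded twice and Suricata logs a duplicate-signature warning for each; remove the second entry. `HOME_NET` is `[10.0.0.0/8,172.16.0.0/12]`, yet `host-os-policy` and the `libhtp` `server-config` entries describe hosts in 192.168.0.0/24, 192.168.1.0/24 and 192.168.10.0/24; the rules in this commit all alert on traffic `-> $HOME_NET`, so those 192.168.x hosts would never trigger anything unless 192.168.0.0/16 is added to `HOME_NET`. The capture sections also use a single `<%= @pcapinterface %>` while the init script and unit iterate over an `@interface` list, so the two halves of the commit can disagree on which NIC is sniffed. Worth a second look before this runs on a real sensor: `checksum-validation: yes` under `stream` excludes packets with bad checksums from reassembly, which on a capture NIC using checksum offload can be every packet, and `profiling` has both `rules` and `packets` enabled, which costs throughput and is normally left off outside tuning sessions.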

View file

@ -0,0 +1,775 @@
#
# Emerging Threats Tor rules.
#
# These will tell you if someone using Tor for source anonymization is communicating with your network.
#
# Tor in itself isn't inherently hostile. In many environments that may be a very suspicious way
# to communicate.
#
# More information available at doc.emergingthreats.net/bin/view/Main/TorRules
#
# Please submit any feedback or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
# VERSION 3093
# Updated 2017-09-22 00:30:01
alert ip [62.176.4.10,62.198.32.223,62.210.105.116,62.210.105.86,62.210.115.87,62.210.129.246,62.210.149.35,62.210.37.82,62.212.73.141,62.219.3.47] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 56"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520110; rev:3093;)
alert ip [62.219.3.48,64.113.32.29,64.124.32.84,64.137.162.142,64.137.205.124,64.137.210.30,64.137.210.54,64.137.210.86,64.27.17.140,65.129.144.43] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 57"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520112; rev:3093;)
alert ip [65.181.123.254,65.19.167.130,65.19.167.131,65.19.167.132,66.155.4.213,66.180.193.219,66.70.217.179,67.205.146.164,67.215.255.140,69.164.207.234] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 58"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520114; rev:3093;)
alert ip [71.46.220.68,72.12.207.14,72.14.179.10,72.14.182.209,72.174.26.72,72.52.75.27,72.93.243.211,74.50.54.69,75.54.229.204,77.109.139.87] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 59"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520116; rev:3093;)
alert ip [77.246.163.141,77.247.181.165,77.250.227.12,77.81.107.138,78.107.237.16,78.129.137.28,78.131.53.162,78.13.201.140,78.142.175.70,78.31.164.41] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 60"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520118; rev:3093;)
alert ip [78.41.115.145,78.45.15.253,78.63.161.0,78.70.167.74,79.137.67.116,79.137.79.167,79.137.80.94,79.169.39.161,80.241.60.207,80.67.172.162] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 61"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520120; rev:3093;)
alert ip [80.79.23.7,80.82.67.186,80.85.84.23,81.171.19.32,82.146.58.35,82.165.100.196,82.211.0.201,82.221.101.67,82.221.112.122,82.221.128.217] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 62"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520122; rev:3093;)
alert ip [82.221.139.25,82.223.27.82,82.247.198.227,83.151.233.181,83.92.47.99,84.0.95.9,84.105.18.164,84.190.180.142,84.19.180.135,84.19.181.25] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 63"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520124; rev:3093;)
alert ip [84.200.50.18,84.200.82.163,84.209.48.106,84.217.13.138,84.3.0.53,84.48.199.78,84.53.192.243,84.53.225.118,85.119.83.78,85.143.95.50] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 64"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520126; rev:3093;)
alert ip [85.195.107.250,85.248.227.163,85.248.227.164,85.248.227.165,85.90.244.23,85.93.218.204,86.107.110.217,87.118.115.176,87.118.116.12,87.118.116.90] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 65"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520128; rev:3093;)
alert ip [87.118.122.254,87.118.122.30,87.118.122.50,87.118.83.3,87.118.92.43,87.120.254.189,87.120.254.81,87.120.254.92,87.140.25.245,87.81.148.61] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 66"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520130; rev:3093;)
alert ip [87.98.178.61,88.190.118.95,88.198.125.96,88.198.56.140,88.77.186.64,88.83.40.246,89.144.12.15,89.187.150.12,89.187.150.13,89.187.150.14] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 67"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520132; rev:3093;)
alert ip [89.187.150.15,89.212.99.66,89.234.157.254,89.236.34.117,89.248.166.157,89.31.57.58,89.31.96.168,89.32.127.178,89.34.237.121,89.38.208.57] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 68"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520134; rev:3093;)
alert ip [89.45.226.28,91.121.52.156,91.134.232.48,91.146.121.3,91.219.236.232,91.219.237.244,91.221.57.129,91.223.82.156,91.233.106.121,91.233.106.172] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 69"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520136; rev:3093;)
alert ip [91.250.241.241,92.169.87.4,92.222.38.67,92.222.6.12,92.222.74.226,92.27.153.74,92.63.173.28,93.115.95.201,93.115.95.202,93.115.95.204] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 70"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520138; rev:3093;)
alert ip [93.115.95.205,93.115.95.206,93.115.95.207,93.115.95.216,93.174.90.30,93.174.93.133,93.174.93.71,93.186.13.12,93.220.94.148,93.64.207.55] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 71"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520140; rev:3093;)
alert ip [94.102.50.42,94.130.28.151,94.142.242.84,94.198.100.17,94.23.239.44,94.242.205.2,94.242.246.23,94.242.246.24,94.242.57.161,94.242.57.2] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 72"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520142; rev:3093;)
# Non-Exit Nodes
alert ip [69.164.207.234,71.46.220.68,72.12.207.14,72.14.179.10,72.14.182.209,72.174.26.72,72.52.75.27,72.93.243.211,74.50.54.69,75.54.229.204] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 59"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522116; rev:3093;)
alert ip [77.109.139.87,77.246.163.141,77.247.181.165,77.250.227.12,77.81.107.138,78.107.237.16,78.129.137.28,78.131.53.162,78.13.201.140,78.142.175.70] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 60"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522118; rev:3093;)
alert ip [78.31.164.41,78.41.115.145,78.45.15.253,78.63.161.0,78.70.167.74,79.137.67.116,79.137.79.167,79.137.80.94,79.169.39.161,80.241.60.207] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 61"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522120; rev:3093;)
alert ip [80.67.172.162,80.79.23.7,80.82.67.186,80.85.84.23,81.171.19.32,82.146.58.35,82.165.100.196,82.211.0.201,82.221.101.67,82.221.112.122] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 62"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522122; rev:3093;)
alert ip [82.221.128.217,82.221.139.25,82.223.27.82,82.247.198.227,83.151.233.181,83.92.47.99,84.0.95.9,84.105.18.164,84.190.180.142,84.19.180.135] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 63"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522124; rev:3093;)
alert ip [84.19.181.25,84.200.50.18,84.200.82.163,84.209.48.106,84.217.13.138,84.3.0.53,84.48.199.78,84.53.192.243,84.53.225.118,85.119.83.78] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 64"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522126; rev:3093;)
alert ip [85.143.95.50,85.195.107.250,85.248.227.163,85.248.227.164,85.248.227.165,85.90.244.23,85.93.218.204,86.107.110.217,87.118.115.176,87.118.116.12] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 65"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522128; rev:3093;)
alert ip [87.118.116.90,87.118.122.254,87.118.122.30,87.118.122.50,87.118.83.3,87.118.92.43,87.120.254.189,87.120.254.81,87.120.254.92,87.140.25.245] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 66"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522130; rev:3093;)
alert ip [87.81.148.61,87.98.178.61,88.190.118.95,88.198.125.96,88.198.56.140,88.77.186.64,88.83.40.246,89.144.12.15,89.187.150.12,89.187.150.13] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 67"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522132; rev:3093;)
alert ip [89.187.150.14,89.187.150.15,89.212.99.66,89.234.157.254,89.236.34.117,89.248.166.157,89.31.57.58,89.31.96.168,89.32.127.178,89.34.237.121] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 68"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522134; rev:3093;)
alert ip [89.38.208.57,89.45.226.28,91.121.52.156,91.134.232.48,91.146.121.3,91.219.236.232,91.219.237.244,91.221.57.129,91.223.82.156,91.233.106.121] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 69"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522136; rev:3093;)
alert ip [91.233.106.172,91.250.241.241,92.169.87.4,92.222.38.67,92.222.6.12,92.222.74.226,92.27.153.74,92.63.173.28,93.115.95.201,93.115.95.202] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 70"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522138; rev:3093;)
alert ip [93.115.95.204,93.115.95.205,93.115.95.206,93.115.95.207,93.115.95.216,93.174.90.30,93.174.93.133,93.174.93.71,93.186.13.12,93.220.94.148] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 71"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522140; rev:3093;)
alert ip [93.64.207.55,94.102.50.42,94.130.28.151,94.142.242.84,94.198.100.17,94.23.239.44,94.242.205.2,94.242.246.23,94.242.246.24,94.242.57.161] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 72"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522142; rev:3093;)
alert ip [94.242.57.2,95.128.43.164,95.130.10.69,95.130.11.170,95.142.161.63,95.211.118.194,95.211.230.94,96.255.14.191,96.64.149.101,97.74.237.196] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 73"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522144; rev:3093;)
alert ip [100.11.34.118,100.11.83.28,100.15.39.173,100.16.230.154,100.36.175.42,100.36.19.97,100.38.8.218,101.0.93.66,101.100.141.55,101.100.144.174] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 74"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522146; rev:3093;)
alert ip [101.173.122.229,101.189.42.122,101.55.125.10,103.13.101.81,103.241.61.34,103.250.186.95,103.250.73.12,103.250.73.199,103.250.73.218,103.250.73.228] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 75"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522148; rev:3093;)
alert ip [103.250.73.232,103.250.73.251,103.250.73.5,103.35.56.22,103.73.189.114,103.73.65.32,103.73.67.198,103.85.158.48,104.128.225.205,104.128.226.73] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 76"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522150; rev:3093;)
alert ip [104.129.16.86,104.129.5.252,104.130.169.121,104.131.108.7,104.131.110.204,104.131.11.214,104.131.123.16,104.131.129.30,104.131.137.159,104.131.140.69] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 77"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522152; rev:3093;)
alert ip [104.131.148.86,104.131.149.84,104.131.181.174,104.131.187.45,104.131.19.119,104.131.204.147,104.131.205.192,104.131.206.23,104.131.245.55,104.131.28.54] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 78"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522154; rev:3093;)
alert ip [104.131.4.237,104.131.66.194,104.131.86.132,104.131.99.72,104.156.224.83,104.156.226.153,104.156.239.41,104.156.60.163,104.156.60.166,104.162.18.199] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 79"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522156; rev:3093;)
alert ip [104.168.167.34,104.168.62.174,104.168.87.167,104.191.31.69,104.192.5.248,104.200.131.232,104.200.16.227,104.200.20.142,104.200.67.249,104.206.168.60] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 80"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522158; rev:3093;)
alert ip [104.206.237.23,104.206.237.24,104.207.157.177,104.223.122.115,104.223.122.213,104.223.122.239,104.223.12.233,104.223.122.69,104.223.48.254,104.223.78.132] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 81"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522160; rev:3093;)
alert ip [104.232.119.93,104.233.123.73,104.233.80.8,104.236.101.108,104.236.10.21,104.236.103.167,104.236.131.15,104.236.151.160,104.236.164.161,104.236.175.203] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 82"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522162; rev:3093;)
alert ip [104.236.180.124,104.236.183.57,104.236.199.217,104.236.21.215,104.236.215.223,104.236.224.225,104.236.231.197,104.236.233.99,104.236.234.178,104.236.247.218] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 83"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522164; rev:3093;)
alert ip [104.236.33.174,104.236.44.133,104.236.46.10,104.236.52.16,104.236.87.90,104.236.90.134,104.238.136.10,104.238.150.212,104.238.158.127,104.238.159.191] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 84"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522166; rev:3093;)
alert ip [104.238.167.111,104.238.184.251,104.238.188.98,104.244.72.200,104.244.77.143,104.250.141.242,104.250.151.108,104.32.110.210,104.32.21.49,104.37.192.156] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 85"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522168; rev:3093;)
alert ip [104.37.61.159,104.40.58.52,105.184.110.89,106.186.18.40,106.248.228.2,106.68.157.189,107.136.214.218,107.145.157.164,107.150.18.14,107.150.7.83] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 86"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522170; rev:3093;)
alert ip [107.158.255.21,107.158.255.22,107.161.172.151,107.161.18.113,107.167.87.242,107.167.93.58,107.170.101.39,107.170.10.34,107.170.107.198,107.170.108.222] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 87"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522172; rev:3093;)
alert ip [107.170.113.28,107.170.119.31,107.170.143.117,107.170.150.7,107.170.153.80,107.170.158.212,107.170.188.155,107.170.193.14,107.170.232.75,107.170.241.112] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 88"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522174; rev:3093;)
alert ip [107.170.246.123,107.172.23.11,107.179.136.40,107.181.155.131,107.181.166.11,107.181.174.22,107.181.187.199,107.191.103.42,107.191.110.179,107.191.118.171] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 89"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522176; rev:3093;)
alert ip [107.191.126.184,107.191.40.51,107.191.45.209,107.191.46.204,107.191.47.87,107.212.34.52,108.14.251.33,108.161.133.189,108.167.45.153,108.168.65.115] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 90"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522178; rev:3093;)
alert ip [108.240.182.140,108.248.87.242,108.252.225.193,108.26.165.130,108.32.49.20,108.34.154.82,108.34.173.204,108.4.49.181,108.51.145.34,108.5.123.19] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 91"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522180; rev:3093;)
alert ip [108.52.47.127,108.53.208.157,108.54.199.58,108.58.144.234,108.61.165.0,108.61.165.169,108.61.166.134,108.61.182.74,108.61.208.98,108.61.29.202] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 92"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522182; rev:3093;)
alert ip [108.61.96.230,108.61.99.149,108.61.99.7,109.104.38.33,109.104.53.242,109.105.109.162,109.107.35.154,109.120.140.127,109.12.117.113,109.128.217.62] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 93"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522184; rev:3093;)
alert ip [109.129.103.61,109.147.247.134,109.147.85.253,109.148.135.48,109.150.115.227,109.156.178.140,109.159.89.26,109.164.236.231,109.188.73.216,109.189.157.63] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 94"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522186; rev:3093;)
alert ip [109.189.78.223,109.190.24.34,109.190.66.149,109.192.151.243,109.192.221.2,109.193.71.229,109.195.103.84,109.195.115.202,109.195.147.248,109.197.193.160] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 95"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522188; rev:3093;)
alert ip [109.197.63.45,109.201.148.8,109.218.182.235,109.228.51.164,109.230.215.24,109.230.215.42,109.230.231.165,109.230.236.89,109.234.36.196,109.235.67.219] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 96"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522190; rev:3093;)
alert ip [109.236.88.9,109.236.90.209,109.238.2.79,109.24.157.46,109.251.138.26,109.255.0.107,109.255.189.135,109.255.4.199,109.49.168.149,109.63.234.176] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 97"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522192; rev:3093;)
alert ip [109.68.174.60,109.68.191.132,109.68.191.133,109.68.191.159,109.70.118.164,109.73.50.56,109.74.194.124,109.74.195.190,109.74.197.251,109.74.200.101] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 98"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522194; rev:3093;)
alert ip [109.74.206.21,109.86.231.201,109.87.25.148,109.88.211.62,109.90.105.212,109.90.194.92,109.90.2.49,109.91.18.210,109.9.189.81,109.92.182.91] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 99"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522196; rev:3093;)
alert ip [109.95.51.107,110.174.43.136,110.175.89.172,110.4.47.139,111.217.70.205,111.220.142.172,111.69.187.64,111.90.140.240,111.90.140.7,111.90.141.49] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 100"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522198; rev:3093;)
alert ip [111.90.145.244,111.90.147.202,111.90.147.45,111.90.159.23,113.146.25.87,113.151.17.45,113.20.31.45,113.255.93.146,113.41.194.250,114.198.116.112] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 101"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522200; rev:3093;)
alert ip [115.124.112.235,115.146.127.224,115.162.69.72,115.70.57.112,116.127.71.162,116.255.86.18,116.72.19.109,116.93.119.79,116.98.47.44,118.127.108.136] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 102"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522202; rev:3093;)
alert ip [118.211.103.137,118.211.196.241,119.235.249.136,119.59.127.104,121.216.200.82,121.217.128.119,121.217.216.75,121.223.16.207,121.99.219.228,122.130.149.200] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 103"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522204; rev:3093;)
alert ip [122.173.149.16,122.252.153.13,122.58.16.118,122.61.174.190,123.2.59.76,124.168.121.129,124.171.62.248,124.244.71.219,1.244.227.61,125.143.58.243] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 104"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522206; rev:3093;)
alert ip [125.212.217.197,125.212.218.81,125.212.220.60,125.236.237.47,125.239.0.127,125.30.61.42,126.70.7.146,128.112.228.11,128.119.245.76,128.12.177.59] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 105"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522208; rev:3093;)
alert ip [128.131.169.91,128.153.146.125,128.199.131.168,128.199.132.7,128.199.133.154,128.199.136.79,128.199.138.74,128.199.139.224,128.199.163.108,128.199.179.100] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 106"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522210; rev:3093;)
alert ip [128.199.189.192,128.199.192.230,128.199.194.112,128.199.194.214,128.199.221.35,128.199.224.88,128.199.228.42,128.199.228.61,128.199.240.193,128.199.252.197] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 107"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522212; rev:3093;)
alert ip [128.199.35.162,128.199.35.5,128.199.52.7,128.199.55.207,128.199.81.48,128.199.85.165,128.199.97.254,128.208.2.233,128.31.0.34,128.39.8.29] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 108"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522214; rev:3093;)
alert ip [128.52.170.130,128.69.8.101,128.75.22.182,129.100.38.88,129.10.115.230,129.10.115.237,129.10.115.238,129.10.115.239,129.10.115.241,129.10.115.244] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 109"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522216; rev:3093;)
alert ip [129.10.115.245,129.10.115.246,129.10.115.247,129.10.115.248,129.13.131.140,129.21.131.156,129.242.219.85,130.149.14.31,130.180.111.94,130.180.23.230] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 110"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522218; rev:3093;)
alert ip [130.180.30.254,130.180.63.150,130.180.72.178,130.185.104.50,130.185.250.214,130.185.250.3,130.185.250.76,130.193.15.186,130.225.254.103,130.230.113.228] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 111"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522220; rev:3093;)
alert ip [130.230.113.229,130.230.113.230,130.230.113.231,130.230.113.232,130.230.113.233,130.230.113.234,130.230.113.235,130.230.113.236,130.230.113.237,130.243.26.64] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 112"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522222; rev:3093;)
alert ip [130.255.10.191,130.255.190.187,130.255.78.232,130.63.173.126,131.130.142.98,131.155.71.124,131.188.40.188,131.188.40.189,131.191.83.25,131.220.141.128] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 113"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522224; rev:3093;)
alert ip [13.124.107.51,131.255.4.48,131.255.4.79,131.255.5.233,131.255.5.239,131.255.5.250,131.255.5.251,131.255.5.66,131.255.7.57,132.216.54.2] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 114"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522226; rev:3093;)
alert ip [133.130.103.34,1.33.218.249,1.33.65.204,134.102.200.101,134.119.179.55,134.119.222.3,134.119.26.193,134.119.3.164,134.119.3.2,134.119.32.208] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 115"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522228; rev:3093;)
alert ip [134.130.181.212,134.130.181.43,134.130.181.49,134.19.177.109,134.91.78.143,135.23.121.228,135.23.221.151,135.23.96.205,136.168.201.153,136.243.102.134] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 116"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522230; rev:3093;)
alert ip [136.243.114.62,136.243.1.156,136.243.14.241,136.243.147.28,136.243.149.82,136.243.170.164,136.243.174.97,136.243.176.148,136.243.177.133,136.243.187.165] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 117"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522232; rev:3093;)
alert ip [136.243.214.137,136.243.243.6,136.243.70.199,136.243.90.139,136.29.17.133,136.32.238.141,136.32.72.40,136.32.88.247,136.33.135.41,136.57.59.67] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 118"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522234; rev:3093;)
alert ip [136.58.71.216,136.62.24.118,136.62.41.207,136.62.65.222,136.63.228.142,13.68.112.72,137.135.8.233,137.205.124.35,137.226.111.123,137.59.52.186] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 119"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522236; rev:3093;)
alert ip [137.74.112.46,137.74.116.214,137.74.117.52,137.74.164.213,137.74.198.250,137.74.224.132,137.74.25.175,137.74.40.76,137.74.40.77,138.117.148.45] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 120"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522238; rev:3093;)
alert ip [138.197.0.28,138.197.110.32,138.197.133.255,138.197.133.81,138.197.14.226,138.197.151.119,138.197.152.158,138.197.153.96,138.197.155.116,138.197.162.18] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 121"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522240; rev:3093;)
alert ip [138.197.168.41,138.197.172.27,138.197.196.50,138.197.202.35,138.197.205.50,138.197.210.209,138.197.214.11,138.197.36.234,138.197.46.213,138.197.67.206] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 122"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522242; rev:3093;)
alert ip [178.162.194.82,178.162.199.66,178.162.66.212,178.163.100.154,178.165.72.60,178.17.170.149,178.17.170.77,178.17.171.86,178.17.174.2,178.17.174.79] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 206"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522410; rev:3093;)
alert ip [178.174.172.77,178.18.94.247,178.190.84.68,178.19.104.227,178.191.126.207,178.193.211.203,178.198.173.137,178.19.96.114,178.200.31.8,178.200.56.25] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 207"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522412; rev:3093;)
alert ip [178.200.73.64,178.201.88.59,178.202.140.94,178.203.190.146,178.209.46.173,178.209.52.162,178.213.227.68,178.215.87.31,178.217.184.32,178.238.224.132] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 208"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522414; rev:3093;)
alert ip [178.238.232.110,178.24.159.14,178.24.218.158,178.24.54.98,178.24.72.177,178.24.73.127,178.249.167.2,178.251.228.142,178.251.228.50,178.25.205.60] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 209"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522416; rev:3093;)
alert ip [178.25.217.23,178.252.28.200,178.254.13.92,178.254.20.134,178.254.21.218,178.254.25.6,178.254.30.86,178.254.37.97,178.254.39.85,178.254.40.5] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 210"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522418; rev:3093;)
alert ip [178.254.44.135,178.254.7.88,178.254.9.25,178.255.42.246,178.26.131.140,178.26.131.97,178.27.121.230,178.27.147.35,178.27.162.121,178.27.90.92] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 211"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522420; rev:3093;)
alert ip [178.32.100.87,178.32.138.157,178.32.189.88,178.32.190.15,178.32.192.9,178.32.216.146,178.32.216.97,178.32.217.68,178.32.221.151,178.32.221.207] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 212"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522422; rev:3093;)
alert ip [178.32.222.125,178.32.222.21,178.32.223.87,178.32.34.91,178.32.47.140,178.32.54.103,178.32.61.9,178.32.66.43,178.32.76.95,178.33.115.202] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 213"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522424; rev:3093;)
alert ip [178.33.183.251,178.45.197.178,178.49.253.215,178.62.104.146,178.62.109.164,178.62.112.71,178.62.122.241,178.62.125.125,178.62.13.27,178.62.173.203] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 214"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522426; rev:3093;)
alert ip [178.62.18.161,178.62.186.155,178.62.196.71,178.62.197.82,178.62.198.54,178.62.199.226,178.62.201.15,178.62.20.117,178.62.202.59,178.62.203.126] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 215"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522428; rev:3093;)
alert ip [178.62.210.138,178.62.217.134,178.62.221.190,178.62.22.36,178.62.237.106,178.62.24.212,178.62.244.168,178.62.251.184,178.62.252.234,178.62.252.82] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 216"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522430; rev:3093;)
alert ip [178.62.36.64,178.62.43.5,178.62.46.7,178.62.60.37,178.62.66.18,178.62.79.227,178.62.86.206,178.62.86.96,178.62.88.111,178.62.9.153] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 217"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522432; rev:3093;)
alert ip [178.62.93.173,178.62.93.36,178.62.94.243,178.62.98.217,178.63.116.157,178.63.138.17,178.63.154.93,178.63.162.212,178.63.18.25,178.63.19.103] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 218"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522434; rev:3093;)
alert ip [178.63.25.10,178.63.27.82,178.63.65.179,178.63.78.8,178.63.85.14,178.66.1.187,178.73.210.118,178.75.148.206,178.78.213.214,178.79.134.196] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 219"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522436; rev:3093;)
alert ip [178.79.136.230,178.79.139.17,178.79.157.60,178.79.158.221,178.79.159.147,178.79.159.224,178.79.160.57,178.79.161.152,178.79.161.177,178.79.163.169] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 220"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522438; rev:3093;)
alert ip [178.79.165.21,178.79.169.98,178.79.173.147,178.79.177.148,178.83.171.83,178.83.190.108,178.84.83.252,178.85.43.158,179.34.227.81,179.43.158.176] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 221"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522440; rev:3093;)
alert ip [179.43.168.166,179.43.169.14,179.43.183.102,179.43.188.206,179.43.189.210,179.48.248.17,180.181.117.164,180.181.144.13,180.26.33.202,181.1.2.2] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 222"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522442; rev:3093;)
alert ip [181.30.14.126,18.181.5.37,181.93.5.174,182.171.143.55,182.171.233.68,182.171.77.82,18.220.148.128,183.77.197.79,184.100.125.176,184.100.144.118] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 223"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522444; rev:3093;)
alert ip [184.100.231.37,184.106.109.244,184.146.26.218,184.152.4.239,184.160.119.133,184.167.146.119,184.183.5.203,184.56.173.16,184.60.135.64,184.90.73.82] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 224"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522446; rev:3093;)
alert ip [185.100.84.251,185.100.85.132,185.100.85.175,185.100.85.207,185.100.85.244,185.100.86.249,185.100.87.239,185.100.87.43,185.101.218.220,185.101.98.108] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 225"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522448; rev:3093;)
alert ip [185.103.135.19,185.103.158.97,185.103.243.74,185.104.184.51,185.104.185.170,185.104.248.164,185.10.68.118,185.10.68.159,185.107.224.208,185.109.146.148] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 226"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522450; rev:3093;)
alert ip [185.111.219.109,185.111.219.11,185.112.157.126,185.112.82.102,185.117.118.132,185.117.88.92,185.12.28.116,185.123.102.38,185.125.217.66,185.125.33.58] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 227"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522452; rev:3093;)
alert ip [185.128.40.90,185.129.249.124,185.129.60.131,185.133.210.188,185.13.38.197,185.13.39.197,185.140.54.65,185.141.25.172,185.14.185.118,185.145.128.50] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 228"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522454; rev:3093;)
alert ip [185.145.130.73,185.145.131.165,185.146.228.150,185.146.228.151,185.148.145.115,185.148.145.140,185.148.145.71,185.148.145.74,185.150.189.170,185.150.189.175] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 229"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522456; rev:3093;)
alert ip [185.150.190.10,185.150.190.24,185.150.191.56,185.15.244.124,185.153.198.118,185.153.198.222,185.155.96.235,185.155.96.249,185.156.173.148,185.157.160.48] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 230"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522458; rev:3093;)
alert ip [185.157.232.34,185.157.233.42,185.15.72.62,185.15.73.117,185.159.128.83,185.15.92.76,185.15.94.14,185.15.94.17,185.16.172.155,185.16.173.84] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 231"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522460; rev:3093;)
alert ip [185.16.173.86,185.162.10.157,185.163.45.150,185.163.45.244,185.165.168.168,185.165.168.170,185.165.168.73,185.170.112.183,185.181.229.77,185.182.50.84] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 232"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522462; rev:3093;)
alert ip [185.183.107.194,185.183.107.30,185.185.40.111,185.186.244.60,185.189.113.90,185.189.14.42,185.19.123.237,185.198.56.139,185.202.196.180,185.20.227.66] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 233"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522464; rev:3093;)
alert ip [185.203.117.50,185.206.145.235,185.206.36.169,185.208.210.20,185.208.210.29,185.208.210.30,185.21.100.163,185.21.101.50,185.21.216.157,185.21.216.183] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 234"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522466; rev:3093;)
alert ip [185.21.216.189,185.21.216.195,185.21.216.198,185.21.217.13,185.21.217.29,185.21.217.33,185.214.71.164,185.216.33.126,185.217.0.69,185.217.0.85] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 235"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522468; rev:3093;)
alert ip [185.217.0.97,185.22.173.162,185.22.67.211,185.25.216.237,185.25.48.76,185.26.156.28,185.26.156.45,185.26.156.50,185.29.156.231,185.32.160.22] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 236"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522470; rev:3093;)
alert ip [185.32.221.201,185.32.221.228,185.35.138.92,185.37.145.44,185.37.226.197,185.37.72.202,185.40.31.122,185.41.154.130,185.44.76.144,185.44.76.96] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 237"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522472; rev:3093;)
alert ip [185.46.201.244,185.47.63.128,185.4.92.67,185.56.89.141,185.58.21.199,185.5.9.188,185.61.148.121,185.61.148.189,185.61.149.116,185.61.150.240] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 238"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522474; rev:3093;)
alert ip [185.6.29.55,185.63.253.130,185.65.244.235,185.69.52.19,185.69.53.188,185.72.178.72,185.72.244.37,185.72.247.145,185.7.254.67,185.72.66.137] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 239"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522476; rev:3093;)
alert ip [185.72.66.252,185.73.220.8,185.73.240.205,185.76.145.109,185.77.129.35,185.78.67.40,185.80.222.105,185.80.222.158,185.80.222.164,185.81.109.2] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 240"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522478; rev:3093;)
alert ip [185.81.164.254,185.81.96.14,185.82.201.54,185.82.202.28,185.82.203.209,185.82.217.70,185.8.236.131,185.8.237.45,185.8.238.139,185.86.148.150] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 241"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522480; rev:3093;)
alert ip [185.86.149.205,185.86.149.230,185.86.149.75,185.86.149.85,185.86.150.78,185.8.63.38,185.86.79.46,185.87.185.221,185.87.186.27,185.87.50.190] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 242"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522482; rev:3093;)
alert ip [185.90.61.159,185.90.61.23,185.90.61.35,185.9.19.83,185.92.68.9,185.94.193.148,185.94.193.154,185.94.193.158,185.94.193.194,185.94.193.198] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 243"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522484; rev:3093;)
alert ip [185.96.180.164,185.96.180.29,185.96.88.164,185.96.88.29,185.97.32.34,185.97.32.36,185.99.134.220,186.120.225.119,186.203.12.18,186.222.7.86] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 244"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522486; rev:3093;)
alert ip [187.163.84.205,187.60.93.196,187.63.100.24,188.107.7.8,188.114.140.245,188.118.198.244,188.118.217.236,188.120.234.26,188.120.243.128,188.120.243.32] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 245"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522488; rev:3093;)
alert ip [188.121.184.145,188.134.5.47,188.134.5.92,188.134.6.66,188.138.102.98,188.138.112.60,188.138.61.165,188.138.70.162,188.138.75.101,188.141.73.85] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 246"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522490; rev:3093;)
alert ip [188.142.200.211,188.143.121.152,188.164.154.18,188.165.0.171,188.165.106.249,188.165.138.72,188.165.139.175,188.165.142.97,188.165.145.157,188.165.194.195] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 247"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522492; rev:3093;)
alert ip [188.165.19.61,188.165.212.152,188.165.213.156,188.165.218.31,188.165.220.21,188.165.222.39,188.165.228.38,188.165.228.64,188.165.236.18,188.165.27.75] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 248"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522494; rev:3093;)
alert ip [188.165.28.152,188.165.28.25,188.165.4.224,188.165.50.244,188.165.5.14,188.165.5.67,188.165.58.241,188.165.59.43,188.165.6.66,188.166.122.58] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 249"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522496; rev:3093;)
alert ip [188.166.133.133,188.166.158.100,188.166.168.73,188.166.16.91,188.166.178.56,188.166.19.224,188.166.20.124,188.166.209.214,188.166.219.207,188.166.23.127] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 250"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522498; rev:3093;)
alert ip [188.166.24.205,188.166.245.217,188.166.246.106,188.166.255.209,188.166.33.15,188.166.4.109,188.166.41.210,188.166.48.132,188.166.50.222,188.166.56.121] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 251"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522500; rev:3093;)
alert ip [188.166.67.231,188.166.8.152,188.166.87.161,188.166.94.214,188.168.34.90,188.172.153.42,188.174.161.111,188.174.172.50,188.174.178.230,188.181.93.85] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 252"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522502; rev:3093;)
alert ip [188.192.145.3,188.192.156.190,188.192.196.221,188.192.245.163,188.193.109.132,188.193.21.38,188.193.233.73,188.193.2.6,188.194.123.108,188.194.93.91] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 253"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522504; rev:3093;)
alert ip [188.195.172.223,188.195.173.25,188.195.52.10,18.82.0.86,18.82.1.29,188.213.170.104,188.213.28.222,188.213.49.133,188.213.49.55,188.214.128.111] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 254"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522506; rev:3093;)
alert ip [188.214.128.64,188.214.129.21,188.214.30.153,188.214.30.159,188.214.30.220,188.214.30.98,188.221.111.222,188.221.78.241,188.222.106.239,188.226.130.88] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 255"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522508; rev:3093;)
alert ip [188.226.148.15,188.226.149.124,188.226.221.243,188.226.222.19,188.226.237.154,188.226.247.86,188.226.71.132,188.227.201.133,188.230.91.173,18.82.3.136] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 256"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522510; rev:3093;)
alert ip [18.82.3.196,18.82.3.205,188.240.208.219,188.240.208.89,188.241.58.10,188.242.134.102,188.243.225.14,188.243.26.62,188.243.68.220,188.243.99.228] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 257"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522512; rev:3093;)
alert ip [188.244.43.25,188.246.204.67,188.25.182.181,188.25.243.6,188.32.115.6,188.32.242.244,188.36.77.241,188.40.100.199,188.40.107.205,188.40.109.146] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 258"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522514; rev:3093;)
alert ip [188.40.110.214,188.40.128.246,188.40.140.87,188.40.159.122,188.40.166.29,188.40.206.5,188.40.235.215,188.40.248.57,188.40.41.115,188.40.44.119] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 259"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522516; rev:3093;)
alert ip [188.40.49.86,188.40.51.232,188.40.76.115,188.40.91.87,188.4.217.205,188.42.216.83,188.42.253.7,188.42.254.47,188.64.45.105,188.68.33.125] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 260"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522518; rev:3093;)
alert ip [188.68.36.209,188.68.57.188,188.77.220.152,188.78.204.44,188.93.213.75,188.97.167.239,188.98.6.187,188.98.6.93,188.99.61.195,189.124.193.119] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 261"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522520; rev:3093;)
alert ip [189.207.214.180,189.60.72.157,189.62.119.168,190.10.8.152,190.10.8.68,190.111.29.98,190.1.228.61,190.123.47.116,190.156.200.202,190.17.26.56] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 262"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522522; rev:3093;)
alert ip [190.17.6.56,190.210.98.90,190.22.73.183,190.56.60.64,190.97.165.141,191.101.31.84,191.176.234.122,191.178.250.236,191.191.97.145,191.34.135.65] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 263"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522524; rev:3093;)
alert ip [192.110.160.146,192.111.150.62,192.124.250.83,192.155.83.101,192.155.95.222,192.157.239.243,192.161.235.132,192.162.133.3,192.162.141.53,192.162.26.25] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 264"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522526; rev:3093;)
alert ip [192.162.26.38,192.162.26.42,192.163.224.51,192.165.67.254,192.166.218.151,192.166.218.216,192.166.219.194,192.169.166.157,192.169.168.39,192.171.61.113] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 265"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522528; rev:3093;)
alert ip [192.173.158.64,192.184.81.160,192.184.82.128,192.184.85.92,192.187.126.204,192.195.83.134,192.210.192.229,192.210.203.16,192.211.49.217,192.222.191.249] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 266"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522530; rev:3093;)
alert ip [192.222.248.192,192.227.143.25,192.227.243.249,192.228.204.196,192.240.123.2,192.241.134.62,192.241.148.108,192.241.153.159,192.241.180.163,192.241.180.27] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 267"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522532; rev:3093;)
alert ip [192.241.187.237,192.241.189.130,192.241.195.178,192.241.197.81,192.241.206.171,192.241.210.101,192.241.216.120,192.241.233.203,192.249.63.151,192.30.32.44] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 268"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522534; rev:3093;)
alert ip [37.187.1.29,37.187.130.226,37.187.16.175,37.187.16.43,37.187.176.64,37.187.17.67,37.187.177.2,37.187.180.112,37.187.180.18,37.187.180.4] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 352"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522702; rev:3093;)
alert ip [37.187.20.59,37.187.20.79,37.187.21.157,37.187.21.28,37.187.22.131,37.187.2.230,37.187.22.87,37.187.23.169,37.187.23.232,37.187.239.8] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 353"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522704; rev:3093;)
alert ip [37.187.30.2,37.187.30.78,37.187.3.106,37.187.31.39,37.187.4.8,37.187.4.81,37.187.51.225,37.187.72.24,37.187.78.210,37.187.90.122] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 354"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522706; rev:3093;)
alert ip [37.187.90.149,37.187.96.183,37.187.96.78,37.187.96.84,37.187.97.31,37.187.97.95,37.187.98.185,37.187.99.84,37.191.156.74,37.191.160.173] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 355"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522708; rev:3093;)
alert ip [37.191.229.34,37.191.234.150,37.193.70.65,37.200.98.117,37.200.99.251,37.201.127.126,37.201.135.18,37.201.175.13,37.201.46.246,37.205.11.149] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 356"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522710; rev:3093;)
alert ip [37.205.8.191,37.205.9.131,37.209.119.10,37.218.247.217,37.220.18.41,37.221.162.226,37.221.171.234,37.221.196.137,37.221.196.31,37.221.198.199] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 357"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522712; rev:3093;)
alert ip [37.221.213.59,37.228.129.56,37.228.134.103,37.229.212.29,37.230.119.37,37.233.99.157,37.235.48.247,37.235.49.124,37.235.49.138,37.235.49.34] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 358"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522714; rev:3093;)
alert ip [37.235.52.67,37.235.55.83,37.235.56.180,37.235.60.77,37.24.229.143,37.247.49.139,37.252.185.87,37.252.190.176,37.35.107.238,37.4.236.212] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 359"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522716; rev:3093;)
alert ip [37.48.120.47,37.48.122.22,37.48.71.227,37.48.83.229,37.58.57.231,37.59.102.148,37.59.107.185,37.59.118.7,37.59.119.118,37.59.125.83] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 360"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522718; rev:3093;)
alert ip [37.59.127.105,37.59.29.31,37.59.37.59,37.59.39.161,37.59.40.193,37.59.51.217,37.59.72.132,37.61.209.150,37.8.236.184,37.97.185.116] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 361"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522720; rev:3093;)
alert ip [37.97.202.76,38.131.227.141,38.229.70.51,38.229.70.52,38.229.70.53,38.229.70.54,38.229.70.61,38.229.79.2,40.134.93.214,40.83.147.226] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 362"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522722; rev:3093;)
alert ip [42.112.16.193,42.112.16.194,42.112.16.198,42.112.16.200,42.112.16.42,42.112.20.116,42.124.36.252,43.231.114.52,43.240.12.58,43.252.37.14] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 363"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522724; rev:3093;)
alert ip [43.255.32.133,45.123.118.101,45.20.67.1,45.249.61.131,45.249.61.132,45.249.90.26,45.32.117.1,45.32.146.85,45.32.151.73,45.32.154.242] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 364"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522726; rev:3093;)
alert ip [45.32.158.56,45.32.167.8,45.32.171.227,45.32.195.199,45.32.207.172,45.32.219.222,45.32.234.214,45.32.238.101,45.32.240.31,45.32.245.73] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 365"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522728; rev:3093;)
alert ip [45.32.246.15,45.32.250.46,45.32.30.178,45.32.31.42,45.32.36.228,45.32.40.253,45.33.100.121,45.33.111.116,45.33.121.242,45.33.124.98] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 366"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522730; rev:3093;)
alert ip [45.33.34.211,45.33.60.105,45.33.60.47,45.33.75.28,45.33.83.135,45.33.90.50,45.34.143.4,45.35.72.85,45.50.173.159,45.50.77.52] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 367"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522732; rev:3093;)
alert ip [45.55.108.110,45.55.12.23,45.55.129.39,45.55.167.33,45.55.182.63,45.55.19.132,45.55.194.175,45.55.236.19,45.55.8.14,45.56.76.112] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 368"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522734; rev:3093;)
alert ip [45.56.89.8,45.56.99.84,45.58.192.155,45.58.49.251,45.58.60.127,45.62.116.32,45.62.211.6,45.62.233.205,45.62.235.202,45.62.235.29] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 369"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522736; rev:3093;)
alert ip [45.62.235.44,45.62.243.158,45.62.243.36,45.63.14.225,45.63.24.140,45.63.24.164,45.63.25.179,45.63.25.235,45.63.26.48,45.63.28.115] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 370"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522738; rev:3093;)
alert ip [45.63.67.113,45.63.77.230,45.63.8.229,45.63.89.53,45.63.9.89,45.76.10.133,45.76.107.140,45.76.119.205,45.76.131.160,45.76.140.98] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 371"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522740; rev:3093;)
alert ip [45.76.142.198,45.76.149.112,45.76.177.51,45.76.192.217,45.76.196.74,45.76.26.158,45.76.32.13,45.76.39.74,45.76.42.132,45.76.42.26] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 372"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522742; rev:3093;)
alert ip [45.76.5.206,45.76.6.23,45.76.80.29,45.76.82.223,45.76.86.86,45.76.89.215,45.76.92.117,45.76.94.126,45.76.94.181,45.76.95.199] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 373"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522744; rev:3093;)
alert ip [45.77.0.145,45.77.114.107,45.77.53.109,45.77.56.54,45.77.61.195,45.77.62.230,45.77.64.193,45.77.66.39,45.79.106.154,45.79.106.247] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 374"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522746; rev:3093;)
alert ip [45.79.108.96,45.79.109.55,45.79.138.8,45.79.181.153,45.79.184.114,45.79.189.111,45.79.218.205,45.79.67.237,45.79.76.174,45.79.84.186] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 375"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522748; rev:3093;)
alert ip [45.79.85.112,45.79.88.43,45.79.89.133,45.79.92.94,45.79.95.244,45.79.99.101,46.101.100.94,46.101.101.102,46.101.102.71,46.101.104.245] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 376"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522750; rev:3093;)
alert ip [46.101.131.100,46.101.141.15,46.101.142.174,46.101.149.105,46.101.151.222,46.101.152.147,46.101.169.151,46.101.170.138,46.101.183.160,46.101.192.230] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 377"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522752; rev:3093;)
alert ip [46.101.216.71,46.101.220.187,46.101.231.44,46.101.37.23,46.101.6.132,46.101.9.51,46.101.98.130,46.105.121.81,46.105.123.162,46.105.185.36] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 378"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522754; rev:3093;)
alert ip [46.105.227.109,46.105.63.44,46.105.84.178,46.105.95.112,46.124.76.233,46.127.12.33,46.127.20.181,46.127.31.29,46.127.3.164,46.128.114.12] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 379"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522756; rev:3093;)
alert ip [46.128.251.202,46.128.34.32,46.128.60.60,46.128.6.254,46.142.48.128,46.144.166.250,46.148.18.34,46.148.212.113,46.151.27.101,46.161.146.75] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 380"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522758; rev:3093;)
alert ip [46.162.192.166,46.163.76.170,46.163.78.14,46.163.81.190,46.164.242.169,46.165.197.96,46.165.221.166,46.165.221.207,46.165.242.166,46.165.250.224] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 381"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522760; rev:3093;)
alert ip [46.165.253.180,46.165.254.40,46.166.162.34,46.166.165.118,46.166.165.129,46.166.165.57,46.166.165.87,46.166.167.46,46.167.245.43,46.167.245.51] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 382"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522762; rev:3093;)
alert ip [46.173.38.149,46.17.42.50,46.17.63.214,46.182.132.129,46.182.142.222,46.182.18.111,46.182.18.223,46.182.18.245,46.182.19.151,46.182.208.28] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 383"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522764; rev:3093;)
alert ip [46.188.4.37,46.188.44.25,46.19.137.186,46.19.143.139,46.20.246.119,46.20.35.114,46.208.95.155,46.21.144.10,46.21.147.19,46.219.2.21] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 384"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522766; rev:3093;)
alert ip [46.22.209.99,46.22.212.230,46.227.96.218,46.228.18.237,46.229.238.172,46.23.70.195,46.23.72.81,46.238.12.208,46.23.85.31,46.239.108.194] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 385"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522768; rev:3093;)
alert ip [46.242.3.30,46.244.143.143,46.246.26.104,46.246.39.219,46.246.93.70,46.249.27.184,46.249.37.109,46.249.37.143,46.251.85.30,46.252.26.2] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 386"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522770; rev:3093;)
alert ip [46.28.109.231,46.28.110.219,46.28.110.244,46.28.204.20,46.28.205.187,46.28.205.75,46.28.207.107,46.28.207.69,46.28.64.234,46.28.68.150] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 387"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522772; rev:3093;)
alert ip [46.28.68.157,46.28.69.53,46.29.248.136,46.36.39.134,46.38.231.209,46.38.233.242,46.38.234.158,46.38.237.221,46.38.241.16,46.38.250.39] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 388"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522774; rev:3093;)
alert ip [46.38.251.194,46.38.48.225,46.38.51.18,46.39.102.250,46.39.183.60,46.39.227.136,46.39.251.87,46.39.253.63,46.4.0.89,46.4.103.35] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 389"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522776; rev:3093;)
alert ip [46.4.111.124,46.41.132.84,46.4.122.173,46.4.124.165,46.4.125.2,46.4.144.81,46.41.59.223,46.4.174.52,46.4.183.122,46.4.25.214] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 390"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522778; rev:3093;)
alert ip [46.4.253.194,46.4.34.242,46.43.50.92,46.4.40.67,46.4.49.201,46.4.57.151,46.4.58.90,46.4.77.210,46.4.78.3,46.4.81.49] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 391"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522780; rev:3093;)
alert ip [46.5.233.143,46.59.151.24,46.59.156.138,46.59.209.134,46.59.219.11,46.59.220.98,46.59.72.157,46.59.99.37,46.6.100.154,46.6.79.80] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 392"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522782; rev:3093;)
alert ip [46.6.82.38,46.7.12.146,46.72.216.20,46.7.90.69,46.83.59.214,46.83.63.158,46.84.27.129,46.84.64.91,46.84.66.213,46.87.74.85] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 393"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522784; rev:3093;)
alert ip [46.91.217.213,46.9.195.188,46.93.224.82,46.93.90.218,47.150.71.57,47.151.150.13,47.152.227.184,47.154.80.129,47.184.12.62,47.211.130.217] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 394"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522786; rev:3093;)
alert ip [47.21.17.46,47.33.13.234,47.34.248.45,47.36.210.167,47.40.229.162,47.52.119.59,47.55.183.10,47.89.178.105,47.89.179.48,47.89.185.247] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 395"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522788; rev:3093;)
alert ip [47.89.191.36,47.89.22.90,47.90.204.139,47.90.204.154,49.212.166.38,50.0.60.210,50.111.33.100,50.116.10.242,50.116.21.172,50.116.39.98] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 396"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522790; rev:3093;)
alert ip [50.116.40.6,50.116.47.139,50.116.48.133,50.116.49.46,50.116.5.153,50.116.56.48,50.116.7.64,50.193.143.42,50.193.202.38,50.1.99.207] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 397"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522792; rev:3093;)
alert ip [50.244.200.221,50.31.252.11,50.31.252.43,50.38.36.6,50.53.113.124,50.65.176.4,50.66.85.45,50.7.115.12,50.7.115.67,50.7.116.58] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 398"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522794; rev:3093;)
alert ip [50.7.151.127,50.7.151.32,50.7.151.47,50.7.176.2,50.7.177.26,50.7.178.146,50.7.178.34,50.7.178.98,50.7.179.202,50.7.179.251] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 399"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522796; rev:3093;)
alert ip [50.7.184.58,50.7.186.38,50.74.108.76,50.76.49.97,50.7.74.171,50.7.74.172,50.89.199.56,5.101.102.82,5.101.103.70,5.10.178.94] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 400"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522798; rev:3093;)
alert ip [5.104.106.38,5.104.90.29,51.141.6.250,51.15.11.64,51.15.128.190,51.15.129.69,51.15.130.249,51.15.130.76,51.15.131.121,51.15.131.29] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 401"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522800; rev:3093;)
alert ip [51.15.13.245,51.15.133.16,51.15.135.5,51.15.137.146,51.15.137.183,51.15.138.145,51.15.139.200,51.15.141.181,51.15.142.10,51.15.142.73] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 402"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522802; rev:3093;)
alert ip [51.15.143.126,51.15.143.178,51.15.143.20,51.15.143.239,51.15.166.221,51.15.171.97,51.15.177.148,51.15.193.126,51.15.3.40,51.15.34.125] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 403"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522804; rev:3093;)
alert ip [51.15.34.165,51.15.36.164,51.15.36.183,51.15.36.42,51.15.37.171,51.15.37.252,51.15.37.97,51.15.38.13,51.15.38.131,51.15.39.53] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 404"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522806; rev:3093;)
alert ip [51.15.39.65,51.15.40.11,51.15.4.10,51.15.41.61,51.15.42.19,51.15.44.251,51.15.44.54,51.15.4.55,51.15.45.92,51.15.46.15] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 405"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522808; rev:3093;)
alert ip [51.15.46.240,51.15.46.45,51.15.46.47,51.15.47.17,51.15.47.62,51.15.48.254,51.15.49.157,51.15.49.8,51.15.50.109,51.15.50.36] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 406"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522810; rev:3093;)
alert ip [51.15.51.7,51.15.52.120,51.15.52.244,51.15.53.199,51.15.53.75,51.15.54.132,51.15.54.182,51.15.55.114,51.15.56.101,51.15.56.122] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 407"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522812; rev:3093;)
alert ip [51.15.56.123,51.15.56.40,51.15.58.152,51.15.58.212,51.15.59.29,51.15.60.102,51.15.60.93,51.15.61.46,51.15.61.7,51.15.62.130] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 408"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522814; rev:3093;)
alert ip [51.15.62.52,51.15.65.104,51.15.66.23,51.15.66.75,51.15.67.196,51.15.67.36,51.15.67.77,51.15.68.208,51.15.69.160,51.15.69.4] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 409"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522816; rev:3093;)
alert ip [51.15.69.92,51.15.71.243,51.15.71.41,51.15.72.156,51.15.72.209,51.15.72.230,51.15.72.253,51.15.73.133,51.15.73.178,51.15.74.130] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 410"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522818; rev:3093;)
alert ip [51.15.76.141,51.15.76.56,51.15.77.102,51.15.77.244,51.15.77.25,51.15.78.0,51.15.78.99,51.15.8.23,51.15.9.100,5.11.66.213] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 411"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522820; rev:3093;)
alert ip [51.174.197.117,51.175.193.142,51.175.4.172,51.175.50.162,51.175.64.222,5.12.14.91,51.254.101.176,51.254.101.242,51.254.115.225,51.254.120.82] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 412"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522822; rev:3093;)
alert ip [51.254.124.210,51.254.131.226,51.254.135.213,51.254.136.195,51.254.164.50,51.254.202.160,51.254.209.197,51.254.218.247,51.254.220.21,51.254.221.144] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 413"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522824; rev:3093;)
alert ip [51.254.35.151,51.254.38.249,51.254.45.43,51.255.113.29,51.255.168.229,51.255.169.10,51.255.175.53,51.255.198.77,51.255.203.235,51.255.206.74] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 414"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522826; rev:3093;)
alert ip [51.255.211.235,51.255.39.110,51.255.40.231,51.255.41.65,51.255.41.91,51.255.44.183,51.255.48.78,51.255.50.238,51.255.50.60,51.255.75.3] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 415"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522828; rev:3093;)
alert ip [51.255.95.102,5.13.235.160,5.135.115.34,5.135.145.195,5.135.152.143,5.135.152.66,5.135.155.121,5.135.159.128,5.135.162.217,5.135.162.49] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 416"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522830; rev:3093;)
alert ip [5.135.163.78,5.135.176.38,5.135.178.184,5.135.181.213,5.135.182.130,5.135.184.24,5.135.185.145,5.135.186.73,5.135.188.128,5.135.191.185] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 417"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522832; rev:3093;)
alert ip [5.135.199.13,5.135.234.164,5.135.43.38,5.135.65.145,5.141.9.164,5.141.95.84,5.145.46.166,5.146.129.127,5.147.113.133,5.147.125.93] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 418"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522834; rev:3093;)
alert ip [5.147.152.177,5.147.172.122,5.147.248.158,5.148.175.35,5.148.180.48,5.150.221.137,5.150.233.239,5.15.205.85,51.52.35.169,5.158.176.203] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 419"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522836; rev:3093;)
alert ip [5.164.247.4,5.165.33.31,5.167.155.131,5.172.146.219,5.186.143.227,5.187.48.62,5.187.49.158,5.189.132.79,5.189.138.9,5.189.139.38] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 420"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522838; rev:3093;)
alert ip [5.189.140.21,5.189.142.118,5.189.143.28,5.189.150.139,5.189.153.185,5.189.159.21,5.189.164.230,5.189.169.190,5.189.181.61,5.189.183.90] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 421"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522840; rev:3093;)
alert ip [5.19.162.103,5.19.184.37,5.19.204.140,51.9.208.170,5.196.20.5,5.196.20.85,5.196.222.56,5.196.23.64,5.196.239.114,5.196.26.100] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 422"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522842; rev:3093;)
alert ip [5.196.29.217,5.196.58.96,5.196.71.24,5.196.72.233,5.196.88.122,5.199.133.193,5.199.142.112,5.199.142.236,5.199.167.207,5.200.23.84] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 423"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522844; rev:3093;)
alert ip [5.206.225.118,52.10.125.140,52.165.217.243,52.169.10.90,52.173.146.98,52.183.47.155,52.208.34.152,52.209.187.176,52.210.94.70,52.214.216.237] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 424"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522846; rev:3093;)
alert ip [52.215.92.62,52.242.26.186,52.27.7.31,5.228.12.221,5.230.145.65,52.35.11.2,52.36.85.58,52.39.6.26,52.42.94.200,52.48.130.146] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 425"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522848; rev:3093;)
alert ip [5.249.145.164,5.249.149.153,5.249.159.198,5.249.159.209,52.51.121.89,5.2.54.152,5.255.61.130,5.255.82.75,5.255.86.131,5.255.90.162] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 426"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522850; rev:3093;)
alert ip [52.56.124.204,52.59.252.78,52.60.215.15,52.63.134.148,52.66.117.126,52.66.79.102,52.6.9.146,5.2.70.162,5.2.73.217,5.2.74.83] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 427"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522852; rev:3093;)
alert ip [5.2.75.42,5.28.106.163,52.90.84.21,5.29.115.159,52.91.227.251,5.34.180.231,5.34.183.205,5.39.218.131,5.39.33.176,5.39.33.178] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 428"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522854; rev:3093;)
alert ip [5.39.64.7,5.39.77.208,5.39.80.135,5.39.80.28,5.39.81.102,5.39.82.192,5.39.83.217,5.39.83.27,5.39.86.206,5.39.89.124] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 429"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522856; rev:3093;)
alert ip [5.39.91.86,5.39.92.199,5.39.94.169,5.39.95.142,54.153.249.26,54.179.98.204,54.187.239.16,54.201.201.93,54.202.82.18,54.218.172.0] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 430"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522858; rev:3093;)
alert ip [54.233.155.67,54.241.9.145,54.244.208.214,54.245.9.252,54.36.38.63,5.44.101.190,5.45.100.22,5.45.107.56,5.45.108.48,5.45.109.62] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 431"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522860; rev:3093;)
alert ip [5.45.111.145,5.45.97.127,54.71.227.111,54.86.232.140,54.88.165.229,54.92.68.99,54.94.154.154,54.94.85.201,5.51.106.108,5.51.204.241] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 432"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522862; rev:3093;)
alert ip [5.57.243.84,5.61.239.34,5.61.34.63,5.79.74.220,5.79.75.37,5.79.86.15,58.176.161.172,5.8.54.12,5.8.54.27,58.93.43.22] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 433"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522864; rev:3093;)
alert ip [58.96.66.25,5.9.102.198,5.9.110.236,5.9.112.137,5.9.121.207,5.9.121.79,5.9.121.87,5.9.122.110,5.9.129.218,5.9.140.173] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 434"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522866; rev:3093;)
alert ip [5.9.142.76,5.9.147.226,5.9.149.100,5.9.149.55,5.9.149.70,5.9.150.40,5.9.153.114,5.9.156.17,5.9.171.38,5.9.181.162] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 435"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522868; rev:3093;)
alert ip [5.9.188.182,5.9.191.52,5.9.212.204,5.9.239.228,5.9.253.234,5.9.25.79,5.9.39.113,5.9.40.121,5.9.43.3,5.9.50.84] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 436"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522870; rev:3093;)
alert ip [5.9.56.12,5.9.58.137,5.9.61.207,5.9.62.17,5.9.7.130,5.9.79.142,5.9.79.154,5.9.81.41,5.9.83.204,5.9.88.74] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 437"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522872; rev:3093;)
alert ip [5.9.98.43,60.112.213.201,60.225.57.95,60.234.102.113,60.48.251.22,61.68.248.113,61.68.41.40,61.68.46.18,62.102.148.172,62.103.152.170] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 438"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522874; rev:3093;)
alert ip [62.103.152.219,62.103.152.227,62.103.152.228,62.108.196.73,62.109.20.48,62.109.4.115,62.113.216.173,62.113.216.177,62.113.227.124,62.113.241.182] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 439"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522876; rev:3093;)
alert ip [62.113.241.207,62.113.254.114,62.12.115.107,62.138.10.60,62.138.10.61,62.138.10.62,62.138.7.171,62.138.7.231,62.141.36.150,62.141.48.175] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 440"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522878; rev:3093;)
alert ip [62.141.51.90,62.141.52.185,62.141.54.86,62.143.28.23,62.149.2.188,62.152.43.203,62.157.77.139,62.167.72.32,62.168.3.212,62.173.154.153] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 441"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522880; rev:3093;)
alert ip [62.176.239.229,62.180.109.11,62.194.12.77,62.194.76.2,62.197.207.182,62.199.169.123,62.210.105.47,62.210.107.86,62.210.109.48,62.210.123.24] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 442"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522882; rev:3093;)
alert ip [62.210.125.130,62.210.132.56,62.210.137.230,62.210.138.3,62.210.170.143,62.210.180.21,62.210.190.5,62.210.203.90,62.210.206.159,62.210.206.25] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 443"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522884; rev:3093;)
alert ip [62.210.206.53,62.210.213.17,62.210.217.207,62.210.244.146,62.210.24.46,62.210.247.178,62.210.254.132,62.210.36.16,62.210.36.46,62.210.69.161] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 444"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522886; rev:3093;)
alert ip [62.210.69.236,62.210.74.110,62.210.75.84,62.210.76.88,62.210.82.244,62.210.84.34,62.210.90.164,62.210.90.75,62.210.92.11,62.210.93.142] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 445"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522888; rev:3093;)
alert ip [62.212.72.243,62.213.214.207,62.214.6.61,62.216.5.120,62.216.54.29,62.217.124.253,62.219.182.42,62.219.46.133,62.220.148.87,62.220.148.97] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 446"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522890; rev:3093;)
alert ip [62.224.109.251,62.224.67.233,62.235.105.147,62.242.177.175,62.245.57.78,62.249.170.186,62.251.50.232,62.251.89.74,62.37.150.20,62.4.15.84] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 447"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522892; rev:3093;)
alert ip [62.6.132.155,62.64.191.92,62.65.107.36,62.68.14.206,62.72.82.222,62.75.147.82,62.75.203.76,62.75.255.37,62.78.245.129,64.137.144.195] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 448"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522894; rev:3093;)
alert ip [64.137.162.93,64.137.163.132,64.137.166.21,64.137.181.8,64.137.191.74,64.137.193.88,64.137.193.91,64.137.193.92,64.137.195.214,64.137.203.62] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 449"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522896; rev:3093;)
alert ip [64.137.212.51,64.137.220.124,64.137.227.206,64.137.230.59,64.137.240.201,64.137.242.125,64.137.243.27,64.137.243.67,64.137.247.191,64.137.249.201] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 450"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522898; rev:3093;)
alert ip [64.178.138.94,64.228.188.98,64.237.51.46,64.33.179.214,64.91.6.244,64.94.238.142,65.102.134.108,65.183.146.221,65.183.218.89,65.19.167.133] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 451"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522900; rev:3093;)
alert ip [65.19.167.134,65.19.178.177,65.19.178.241,65.24.56.15,65.50.203.5,65.94.17.75,66.111.2.20,66.111.2.34,66.111.62.85,66.148.116.90] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 452"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522902; rev:3093;)
alert ip [66.170.11.203,66.172.12.174,66.175.217.78,66.175.221.24,66.175.223.145,66.186.230.154,66.191.220.212,66.215.142.69,66.228.39.82,66.228.39.83] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 453"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522904; rev:3093;)
alert ip [66.228.51.186,66.234.218.247,66.235.24.122,66.240.174.9,66.242.92.203,66.246.75.167,66.24.84.54,66.55.215.216,66.55.64.181,66.55.67.28] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 454"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522906; rev:3093;)
alert ip [66.70.211.20,66.90.101.117,67.10.7.28,67.160.203.232,67.162.129.215,67.162.205.205,67.165.240.50,67.170.176.90,67.180.116.128,67.186.115.91] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 455"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522908; rev:3093;)
alert ip [67.188.115.214,67.205.128.47,67.205.130.27,67.205.137.40,67.207.83.202,67.22.162.61,67.227.198.183,67.227.240.79,67.241.73.26,67.249.138.113] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 456"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522910; rev:3093;)
alert ip [67.254.247.220,67.2.57.141,67.43.0.209,68.102.158.81,68.104.222.58,68.105.130.111,68.112.152.187,68.118.104.181,68.129.4.212,68.148.246.91] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 457"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522912; rev:3093;)
alert ip [68.151.164.43,68.168.108.152,68.172.40.110,68.174.152.193,68.196.189.216,68.201.5.172,68.203.1.218,68.203.91.245,68.206.20.134,68.2.206.4] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 458"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522914; rev:3093;)
alert ip [68.224.246.169,68.224.252.210,68.230.137.166,68.231.202.157,68.42.193.252,68.61.169.59,68.69.166.68,68.8.163.148,68.82.19.43,68.83.2.168] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 459"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522916; rev:3093;)
alert ip [69.115.102.229,69.115.145.16,69.11.9.116,69.136.179.201,69.138.251.81,69.143.186.130,69.156.146.183,69.16.137.20,69.162.107.5,69.163.35.222] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 460"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522918; rev:3093;)
alert ip [69.164.195.92,69.164.198.32,69.164.210.140,69.164.210.142,69.164.211.18,69.164.212.180,69.164.214.250,69.164.216.230,69.164.216.82,69.164.221.153] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 461"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522920; rev:3093;)
alert ip [69.164.221.65,69.164.221.78,69.172.169.175,69.174.176.16,69.181.73.164,69.193.72.100,69.202.208.57,69.251.207.212,69.28.82.48,69.30.215.42] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 462"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522922; rev:3093;)
alert ip [69.30.218.186,69.61.35.184,69.62.162.178,69.64.46.27,69.84.70.38,69.85.115.246,69.85.92.224,69.90.132.10,69.90.132.11,69.90.132.248] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 463"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522924; rev:3093;)
alert ip [69.90.151.229,69.93.127.57,69.93.99.14,70.115.155.92,70.119.125.160,70.124.157.109,70.160.231.36,70.164.197.204,70.173.177.224,70.187.153.51] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 464"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522926; rev:3093;)
alert ip [70.38.31.121,70.59.88.17,70.63.170.86,70.67.185.41,70.78.109.149,70.79.195.48,70.92.77.22,70.95.78.84,71.10.114.10,71.125.33.223] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 465"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522928; rev:3093;)
alert ip [71.14.188.3,71.161.106.188,71.165.151.35,71.172.62.72,71.19.144.184,71.19.149.21,71.19.154.138,71.19.155.187,71.19.157.127,71.19.157.213] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 466"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522930; rev:3093;)
alert ip [71.191.89.250,71.202.232.139,71.202.61.123,71.204.171.134,71.204.188.148,71.238.214.21,71.245.80.14,71.248.178.98,71.39.169.105,71.54.138.21] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 467"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522932; rev:3093;)
alert ip [71.57.153.248,71.82.236.51,71.8.59.240,71.86.238.225,72.11.61.169,72.11.62.32,72.12.96.84,72.14.177.164,72.14.183.14,72.14.190.137] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 468"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522934; rev:3093;)
alert ip [72.174.129.181,72.174.70.108,72.179.146.98,72.197.6.110,72.234.155.136,72.238.131.236,72.38.1.135,72.42.158.117,72.46.49.24,72.5.72.227] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 469"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522936; rev:3093;)
alert ip [72.66.111.33,72.69.168.215,72.83.36.237,73.110.152.214,73.146.11.203,73.153.100.155,73.158.169.40,73.160.247.47,73.168.232.114,73.170.141.73] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 470"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522938; rev:3093;)
alert ip [73.170.159.10,73.176.222.34,73.193.242.57,73.197.11.4,73.201.115.116,73.201.16.196,73.202.4.42,73.225.68.25,73.233.243.74,73.24.36.58] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 471"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522940; rev:3093;)
alert ip [73.245.139.113,73.246.41.113,73.25.143.5,73.252.227.171,73.254.86.153,73.40.36.170,73.43.58.31,73.45.37.75,73.58.226.233,73.89.148.177] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 472"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522942; rev:3093;)
alert ip [73.89.87.77,74.103.247.168,74.115.25.12,74.116.186.120,74.121.182.206,74.139.147.78,74.140.170.197,74.207.231.186,74.207.236.197,74.207.237.44] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 473"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522944; rev:3093;)
alert ip [74.207.242.7,74.208.220.222,74.208.234.191,74.208.247.181,74.208.78.130,74.221.46.242,74.222.20.106,74.57.235.186,74.71.234.81,74.86.24.19] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 474"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522946; rev:3093;)
alert ip [74.88.96.7,74.91.21.2,75.119.251.14,75.127.15.73,75.127.96.101,75.134.154.177,75.135.123.77,75.144.22.203,75.155.22.50,75.161.120.237] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 475"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522948; rev:3093;)
alert ip [75.166.226.179,75.169.5.197,75.176.45.87,75.182.207.22,75.182.90.20,75.87.191.70,76.10.157.58,76.102.13.241,76.105.231.45,76.118.18.70] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 476"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522950; rev:3093;)
alert ip [76.119.135.44,76.12.219.104,76.126.253.76,76.127.209.65,76.14.112.233,76.167.215.227,76.182.208.232,76.19.132.163,76.217.12.234,76.244.38.127] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 477"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522952; rev:3093;)
alert ip [76.244.39.154,76.251.164.153,76.255.206.36,76.26.203.243,76.73.234.173,76.85.96.65,76.98.28.62,77.102.174.224,77.102.66.183,77.120.122.102] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 478"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522954; rev:3093;)
alert ip [77.120.122.131,77.120.94.233,77.129.60.166,77.139.132.109,77.140.150.239,77.140.201.83,77.140.93.127,77.148.42.134,77.161.34.157,77.166.206.198] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 479"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522956; rev:3093;)
alert ip [77.170.230.163,77.174.168.42,77.177.30.182,77.178.71.4,77.179.213.231,77.180.116.249,77.180.119.47,77.180.40.15,77.181.119.74,77.185.251.42] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 480"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522958; rev:3093;)
alert ip [77.187.165.8,77.198.99.139,77.20.129.236,77.203.13.57,77.21.150.101,77.21.35.84,77.2.186.111,77.23.37.2,77.23.56.30,77.238.69.216] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 481"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522960; rev:3093;)
alert ip [77.243.191.50,77.244.37.157,77.246.163.142,77.246.193.59,77.248.157.83,77.250.55.228,77.251.239.123,77.27.140.228,77.37.142.179,77.37.160.18] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 482"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522962; rev:3093;)
alert ip [77.37.162.132,77.37.218.145,77.43.219.246,77.47.119.55,77.47.40.159,77.47.47.126,77.48.73.246,77.56.224.131,77.57.114.44,77.57.126.36] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 483"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522964; rev:3093;)
alert ip [77.64.230.73,77.66.12.185,77.68.11.42,77.68.42.132,77.70.5.60,77.70.63.220,77.72.150.150,77.73.64.51,77.73.67.139,77.74.96.43] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 484"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522966; rev:3093;)
alert ip [77.75.166.43,77.78.163.128,77.7.96.234,77.81.104.124,77.87.49.6,77.87.50.6,77.94.116.249,78.107.239.213,78.108.77.86,78.109.23.1] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 485"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522968; rev:3093;)
alert ip [78.118.163.95,78.120.51.57,78.124.107.98,78.130.128.106,78.130.195.135,78.13.71.147,78.142.140.242,78.142.145.141,78.142.19.11,78.142.19.215] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 486"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522970; rev:3093;)
alert ip [78.142.19.226,78.156.110.135,78.156.114.237,78.156.117.236,78.192.124.148,78.192.89.9,78.193.140.4,78.193.218.97,78.193.40.205,78.193.40.254] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 487"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522972; rev:3093;)
alert ip [78.194.220.54,78.194.2.61,78.194.37.29,78.200.39.175,78.213.146.86,78.215.220.29,78.219.4.95,78.24.75.53,78.247.96.188,78.27.109.107] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 488"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522974; rev:3093;)
alert ip [78.34.249.163,78.34.65.120,78.35.204.169,78.35.56.203,78.36.44.54,78.43.30.83,78.43.32.13,78.43.34.2,78.46.112.219,78.46.127.239] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 489"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522976; rev:3093;)
alert ip [78.46.139.153,78.46.139.182,78.46.141.74,78.46.145.58,78.46.151.11,78.46.162.123,78.46.185.124,78.46.189.152,78.46.193.41,78.46.203.18] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 490"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522978; rev:3093;)
alert ip [78.46.209.112,78.46.220.130,78.46.221.48,78.46.223.134,78.46.233.214,78.46.239.183,78.46.247.36,78.46.249.71,78.46.253.198,78.46.37.25] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 491"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522980; rev:3093;)
alert ip [78.46.37.26,78.46.38.250,78.46.44.222,78.46.45.242,78.46.51.124,78.46.53.11,78.46.60.30,78.46.64.245,78.46.82.123,78.46.90.23] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 492"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522982; rev:3093;)
alert ip [78.46.95.20,78.46.99.169,78.47.117.28,78.47.134.195,78.47.134.196,78.47.142.211,78.47.158.122,78.47.162.163,78.47.167.67,78.47.174.155] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 493"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522984; rev:3093;)
alert ip [78.47.176.74,78.47.18.110,78.47.221.71,78.47.224.202,78.47.224.219,78.47.229.107,78.47.239.80,78.47.35.35,78.47.61.129,78.47.61.222] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 494"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522986; rev:3093;)
alert ip [78.47.70.123,78.47.9.21,78.47.98.200,78.49.109.5,78.49.115.119,78.49.9.91,78.50.161.130,78.51.79.138,78.52.105.103,78.53.55.15] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 495"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522988; rev:3093;)
alert ip [78.55.15.45,78.55.194.217,78.55.80.168,78.56.124.16,78.56.40.22,78.84.251.67,78.90.15.229,78.90.227.228,78.94.141.202,78.94.186.133] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 496"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522990; rev:3093;)
alert ip [78.94.74.236,78.94.92.170,79.111.0.58,79.111.23.100,79.120.10.98,79.120.41.147,79.120.85.102,79.124.58.78,79.124.60.246,79.124.7.11] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 497"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522992; rev:3093;)
alert ip [79.132.85.150,79.133.210.11,79.136.153.114,79.136.39.109,79.136.43.29,79.136.70.125,79.136.70.93,79.137.106.154,79.137.112.4,79.137.112.5] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 498"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522994; rev:3093;)
alert ip [79.137.116.43,79.137.33.131,79.137.33.24,79.137.35.149,79.137.39.39,79.137.70.81,79.140.41.117,79.140.41.118,79.140.41.13,79.143.178.135] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 499"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522996; rev:3093;)
alert ip [79.143.183.44,79.143.186.17,79.143.191.22,79.161.248.2,79.172.18.18,79.172.193.32,79.172.204.36,79.172.28.205,79.194.172.217,79.194.87.56] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 500"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522998; rev:3093;)
alert ip [79.194.94.47,79.195.91.6,79.196.254.35,79.205.62.110,79.208.139.197,79.210.105.152,79.211.250.142,79.215.237.119,79.217.46.88,79.217.94.117] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 501"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523000; rev:3093;)
alert ip [79.218.71.143,79.219.217.191,79.225.88.54,79.226.48.28,79.227.188.114,79.231.218.192,79.232.209.58,79.232.88.62,79.233.223.52,79.234.191.179] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 502"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523002; rev:3093;)
alert ip [79.237.12.160,79.240.236.253,79.243.104.218,79.247.169.250,79.250.140.151,79.251.253.10,79.252.118.111,79.252.207.114,79.253.74.57,79.30.186.6] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 503"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523004; rev:3093;)
alert ip [79.98.104.68,79.98.105.18,79.98.108.57,79.98.220.119,80.100.206.150,80.100.250.244,80.100.44.12,80.108.195.250,80.109.112.130,80.109.127.173] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 504"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523006; rev:3093;)
alert ip [80.119.137.65,80.127.107.154,80.127.107.179,80.127.117.180,80.127.118.93,80.127.137.14,80.127.137.19,80.127.151.162,80.127.152.4,80.128.158.85] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 505"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523008; rev:3093;)
alert ip [80.12.94.184,80.130.35.112,80.131.139.4,80.131.250.156,80.132.187.84,80.135.188.23,80.137.64.222,80.140.45.226,80.143.170.167,80.144.48.145] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 506"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523010; rev:3093;)
alert ip [80.147.33.157,80.169.241.76,80.186.207.144,80.195.23.109,80.203.137.23,80.209.253.48,80.218.186.191,80.218.245.212,80.218.37.232,80.219.119.133] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 507"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523012; rev:3093;)
alert ip [80.219.136.45,80.220.89.55,80.223.174.207,80.229.140.239,80.229.152.228,80.232.242.31,80.233.134.147,80.233.134.149,80.237.231.134,80.238.105.146] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 508"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523014; rev:3093;)
alert ip [80.240.216.253,80.241.213.87,80.241.220.57,80.241.222.169,80.243.104.182,80.244.241.254,80.244.243.158,80.248.208.131,80.252.24.116,80.255.0.180] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 509"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523016; rev:3093;)
alert ip [80.255.6.11,80.255.6.92,80.56.77.242,80.60.245.234,80.64.65.25,80.66.135.123,80.68.92.249,80.71.133.119,80.73.242.142,80.7.54.187] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 510"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523018; rev:3093;)
alert ip [80.81.12.29,80.81.17.31,80.81.243.27,80.85.84.222,80.85.84.72,80.90.250.69,80.99.48.193,81.0.226.3,81.102.219.11,81.103.36.9] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 511"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523020; rev:3093;)
alert ip [81.105.101.129,81.108.197.189,81.132.255.225,81.141.6.226,81.143.236.158,81.165.85.244,81.166.86.51,81.169.130.214,81.169.136.206,81.169.138.51] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 512"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523022; rev:3093;)
alert ip [81.169.141.222,81.169.152.100,81.169.166.74,81.169.175.164,81.169.211.90,81.169.222.158,81.169.243.74,81.169.246.204,81.169.248.93,81.170.148.194] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 513"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523024; rev:3093;)
alert ip [81.170.217.242,81.171.19.175,81.17.16.43,81.17.17.130,81.17.17.131,81.17.30.33,81.17.30.44,81.17.30.48,81.174.151.215,81.174.156.228] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 514"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523026; rev:3093;)
alert ip [81.174.231.18,81.177.22.73,81.182.31.72,81.189.17.180,81.19.3.71,81.193.75.91,81.197.116.202,81.200.59.162,81.218.109.195,81.218.138.3] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 515"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523028; rev:3093;)
alert ip [81.218.91.154,81.2.197.33,81.2.209.10,81.221.144.163,81.22.255.146,81.2.237.218,81.225.209.79,81.2.254.143,81.227.128.7,81.228.192.157] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 516"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523030; rev:3093;)
alert ip [81.228.199.75,81.230.166.145,81.233.10.199,81.236.177.247,81.241.121.149,81.245.124.251,81.249.244.44,81.25.54.131,81.30.158.213,81.30.158.81] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 517"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523032; rev:3093;)
alert ip [81.35.215.194,81.4.109.47,81.4.121.48,81.43.149.140,81.56.192.231,81.56.96.154,81.57.208.135,81.67.45.173,81.7.10.193,81.7.10.203] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 518"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523034; rev:3093;)
alert ip [81.7.10.29,81.7.10.93,81.7.11.142,81.7.11.154,81.7.11.186,81.7.11.22,81.7.11.253,81.7.11.33,81.7.11.38,81.7.11.70] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 519"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523036; rev:3093;)
alert ip [81.7.11.96,81.7.13.248,81.7.13.84,81.7.14.253,81.7.14.31,81.7.16.139,81.7.16.177,81.7.16.18,81.7.16.182,81.7.16.59] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 520"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523038; rev:3093;)
alert ip [81.7.18.84,81.7.19.110,81.7.3.67,81.82.204.148,81.89.63.150,81.95.13.55,81.95.52.68,81.97.143.247,82.102.142.210,82.103.140.87] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 521"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523040; rev:3093;)
alert ip [82.116.120.3,82.118.17.122,82.118.17.137,82.118.17.235,82.118.242.124,82.118.242.126,82.118.242.128,82.118.242.147,82.118.242.173,82.119.233.36] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 522"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523042; rev:3093;)
alert ip [82.130.11.148,82.131.107.121,82.131.107.240,82.135.88.37,82.141.39.114,82.146.47.17,82.161.182.20,82.161.210.87,82.161.212.209,82.161.214.117] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 523"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523044; rev:3093;)
alert ip [82.161.50.30,82.165.142.79,82.165.148.163,82.169.80.71,82.181.116.199,82.181.238.144,82.192.250.215,82.192.80.194,82.194.170.30,82.196.11.10] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 524"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523046; rev:3093;)
alert ip [82.196.14.142,82.196.3.85,82.196.6.199,82.196.7.26,82.196.96.127,82.199.155.89,82.202.193.92,82.202.193.94,82.209.179.225,82.209.68.18] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 525"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523048; rev:3093;)
alert ip [82.211.0.180,82.211.0.185,82.211.31.247,82.211.34.97,82.211.60.207,82.211.61.199,82.21.211.29,82.212.221.34,82.213.211.186,82.217.214.215] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 526"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523050; rev:3093;)
alert ip [82.217.245.7,82.219.9.89,82.221.100.29,82.221.104.108,82.221.105.198,82.221.111.151,82.221.111.187,82.221.128.20,82.221.131.59,82.221.131.9] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 527"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523052; rev:3093;)
alert ip [82.221.139.190,82.223.21.74,82.223.36.196,82.226.140.119,82.227.48.17,82.228.252.20,82.229.138.31,82.229.182.19,82.229.26.235,82.243.133.180] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 528"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523054; rev:3093;)
alert ip [82.247.103.117,82.247.250.162,82.251.17.70,82.251.33.136,82.27.118.130,82.27.255.3,82.28.190.60,82.38.188.37,82.39.122.197,82.41.10.135] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 529"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523056; rev:3093;)
alert ip [82.44.203.124,82.44.211.228,82.50.191.96,82.5.42.105,82.64.7.146,82.64.9.116,82.66.140.131,8.26.94.18,82.69.76.35,82.71.246.79] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 530"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523058; rev:3093;)
alert ip [82.71.25.129,82.71.7.191,82.80.33.99,82.80.54.64,82.94.132.34,82.94.204.170,82.94.226.146,82.94.251.227,82.95.100.241,82.95.107.51] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 531"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523060; rev:3093;)
alert ip [82.95.66.203,83.128.173.61,83.134.110.38,83.134.30.70,83.135.106.5,83.135.108.192,83.135.65.74,83.135.66.172,83.143.245.86,83.144.105.58] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 532"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523062; rev:3093;)
alert ip [83.145.241.231,83.146.231.159,83.149.125.193,83.149.126.139,83.149.20.38,83.149.70.130,83.150.29.178,83.150.59.185,83.150.82.122,83.157.96.230] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 533"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523064; rev:3093;)
alert ip [83.160.139.183,83.161.249.125,83.162.178.67,83.162.188.100,83.162.199.60,83.162.202.182,83.162.47.26,83.163.201.168,83.163.77.195,83.171.176.227] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 534"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523066; rev:3093;)
alert ip [83.173.198.226,83.175.100.130,83.194.3.100,83.202.164.197,83.212.100.100,83.212.101.60,83.212.102.114,83.212.102.18,83.212.104.124,83.212.105.144] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 535"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523068; rev:3093;)
alert ip [83.212.168.186,83.212.96.120,83.212.96.170,83.212.96.206,83.220.174.128,83.222.144.185,83.226.202.54,83.227.113.24,83.227.84.31,83.227.85.29] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 536"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523070; rev:3093;)
alert ip [83.228.93.76,83.233.213.202,83.233.76.111,83.234.1.41,83.240.14.219,83.248.84.123,83.249.111.190,83.250.10.13,83.251.198.255,83.252.97.5] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 537"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523072; rev:3093;)
alert ip [83.253.136.88,83.254.19.5,83.254.93.78,83.33.79.205,83.37.107.244,83.37.125.244,83.40.159.127,83.55.10.34,83.60.126.121,8.37.14.220] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 538"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523074; rev:3093;)
alert ip [83.76.91.146,83.85.252.55,83.86.120.4,83.87.163.195,83.97.85.145,84.10.12.74,84.106.234.152,84.107.116.107,84.112.147.73,84.112.41.36] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 539"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523076; rev:3093;)
alert ip [84.114.3.54,84.114.57.193,84.115.197.133,84.115.25.42,84.118.164.156,84.128.105.189,84.130.124.138,84.132.221.14,84.133.3.94,84.133.79.167] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 540"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523078; rev:3093;)
alert ip [84.142.199.143,84.147.44.33,84.154.219.13,84.156.27.127,84.157.130.216,84.157.50.116,84.158.221.123,84.159.89.43,84.160.71.137,84.16.241.89] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 541"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523080; rev:3093;)
alert ip [84.164.218.243,84.168.200.152,84.170.120.107,84.17.21.50,84.173.201.133,84.176.97.168,84.179.218.191,84.180.110.191,84.180.215.81,84.182.191.130] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 542"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523082; rev:3093;)
alert ip [84.182.57.238,84.187.131.93,84.190.34.220,84.191.36.51,84.19.178.155,84.19.178.79,84.19.179.106,84.19.179.229,84.195.229.182,84.198.103.245] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 543"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523084; rev:3093;)
alert ip [84.200.106.6,84.200.206.99,84.200.77.243,84.200.8.207,84.200.8.33,84.208.170.253,84.209.131.13,84.211.49.30,84.216.252.200,84.219.130.131] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 544"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523086; rev:3093;)
alert ip [84.226.125.7,84.2.34.74,84.236.38.14,84.240.60.234,84.241.65.20,84.244.31.52,84.245.15.253,84.245.25.64,84.245.27.209,84.245.30.154] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 545"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523088; rev:3093;)
alert ip [84.248.100.7,84.248.120.6,84.248.223.126,84.249.11.195,84.250.184.214,84.250.227.192,84.250.229.213,84.250.39.220,8.42.76.105,84.27.95.53] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 546"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523090; rev:3093;)
alert ip [84.31.70.198,84.38.134.12,84.38.68.90,84.40.112.70,84.44.179.22,84.44.199.57,84.45.76.10,84.45.76.11,84.45.76.12,84.45.76.13] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 547"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523092; rev:3093;)
alert ip [84.46.45.105,84.46.47.170,84.47.78.125,84.50.177.101,84.52.225.99,84.53.247.169,84.55.82.94,84.57.132.42,84.63.193.31,84.63.245.135] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 548"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523094; rev:3093;)
alert ip [84.73.20.157,84.73.220.65,84.74.101.248,84.74.253.127,84.74.80.210,84.75.179.223,84.75.94.209,84.80.80.69,84.81.140.11,84.92.97.97] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 549"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523096; rev:3093;)
alert ip [84.9.49.106,85.10.113.36,85.10.196.12,85.10.198.236,85.10.201.47,85.10.203.71,85.10.240.250,85.113.226.98,85.113.39.154,85.114.133.96] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 550"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523098; rev:3093;)
alert ip [85.119.82.151,85.119.83.141,85.1.32.115,85.140.184.38,85.14.244.114,85.14.245.175,85.14.249.247,85.144.52.175,85.152.229.51,85.159.211.55] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 551"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523100; rev:3093;)
alert ip [85.159.237.210,85.164.238.48,85.169.111.217,85.17.112.163,85.17.112.32,85.171.173.161,85.17.164.165,85.17.164.172,85.17.194.180,85.17.214.177] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 552"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523102; rev:3093;)
alert ip [85.176.222.176,85.179.90.198,85.180.41.212,85.180.89.64,85.181.54.110,85.183.102.49,85.184.160.128,85.195.207.92,85.195.215.194,85.195.235.156] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 553"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523104; rev:3093;)
alert ip [85.195.237.134,85.195.237.40,85.195.252.93,85.195.255.205,85.195.82.76,85.197.31.100,85.204.121.218,85.21.144.224,85.21.144.33,85.212.37.127] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 554"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523106; rev:3093;)
alert ip [85.212.60.178,85.212.60.3,85.212.8.191,85.214.101.233,85.214.115.214,85.214.124.168,85.214.128.199,85.214.136.179,85.214.144.127,85.214.144.159] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 555"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523108; rev:3093;)
alert ip [85.214.20.43,85.214.206.219,85.214.212.153,85.214.222.152,85.214.236.207,85.214.44.172,85.214.54.254,85.214.56.180,85.214.58.236,85.214.62.48] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 556"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523110; rev:3093;)
alert ip [85.214.62.94,85.214.69.75,85.214.74.47,85.216.128.76,85.218.19.154,85.218.82.169,85.220.190.246,85.220.42.195,85.222.0.229,85.227.129.23] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 557"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523112; rev:3093;)
alert ip [85.229.228.174,85.229.37.150,85.229.84.141,85.230.184.93,85.230.21.88,85.23.194.151,85.23.194.153,85.235.225.239,85.235.250.88,85.237.43.228] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 558"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523114; rev:3093;)
alert ip [85.24.183.236,85.24.188.22,85.244.122.69,85.246.242.197,85.25.111.77,85.25.13.222,85.25.132.5,85.25.133.34,85.25.150.216,85.25.159.253] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 559"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523116; rev:3093;)
alert ip [85.25.159.65,85.25.210.223,85.25.213.211,85.25.248.108,85.25.44.141,85.255.1.158,85.31.186.253,85.5.164.201,85.52.147.46,85.90.247.41] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 560"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523118; rev:3093;)
alert ip [85.93.16.47,85.93.17.143,85.93.217.20,86.103.181.196,86.103.207.103,86.104.15.15,86.105.212.130,86.105.212.204,86.106.137.6,86.107.110.143] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 561"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523120; rev:3093;)
alert ip [86.107.110.254,86.107.110.34,86.107.110.51,86.107.110.82,86.110.117.166,86.115.45.141,86.123.52.188,86.124.38.162,86.142.149.240,86.143.8.47] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 562"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523122; rev:3093;)
alert ip [86.150.235.216,86.164.122.208,86.171.122.38,86.17.252.138,86.174.156.27,86.179.31.216,86.181.198.165,86.19.102.206,86.194.79.171,86.201.56.209] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 563"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523124; rev:3093;)
alert ip [86.215.161.214,86.23.4.224,86.237.8.54,86.239.246.46,86.248.190.6,86.25.228.206,86.253.207.211,86.29.208.115,86.31.40.147,86.3.172.141] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 564"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523126; rev:3093;)
alert ip [86.56.172.235,86.59.119.83,86.59.119.88,86.59.21.163,86.59.21.38,86.7.140.31,86.73.143.244,86.83.122.203,86.86.173.62,86.87.106.215] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 565"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523128; rev:3093;)
alert ip [86.88.32.199,87.100.131.62,87.102.15.216,87.102.172.100,87.106.140.24,87.106.14.159,87.106.145.238,87.106.208.236,87.106.249.118,87.106.59.12] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 566"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523130; rev:3093;)
alert ip [87.118.110.113,87.118.111.27,87.118.112.136,87.118.112.63,87.118.114.134,87.118.116.227,87.118.122.120,87.118.122.201,87.118.126.206,87.118.126.218] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 567"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523132; rev:3093;)
alert ip [87.118.89.28,87.118.94.2,87.120.254.161,87.120.254.204,87.121.98.208,87.121.98.43,87.122.110.161,87.122.110.190,87.122.96.132,87.123.149.181] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 568"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523134; rev:3093;)
alert ip [87.123.35.186,87.128.103.242,87.128.111.190,87.139.33.217,87.140.70.14,87.140.80.53,87.146.194.183,87.148.147.123,87.149.117.13,87.150.13.228] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 569"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523136; rev:3093;)
alert ip [87.151.25.84,87.15.243.146,87.153.102.225,87.157.177.171,87.157.183.223,87.159.56.141,87.163.50.7,87.169.255.104,87.170.157.10,87.172.1.40] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 570"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523138; rev:3093;)
alert ip [87.17.221.66,87.173.60.125,87.174.237.66,87.176.52.57,87.176.54.116,87.177.140.98,87.177.171.142,87.180.36.240,87.181.87.166,87.182.204.132] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 571"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523140; rev:3093;)
alert ip [87.183.239.19,87.184.200.45,87.185.40.120,87.186.43.179,87.187.212.74,87.187.216.139,87.187.218.184,87.187.36.44,87.193.179.238,87.193.208.14] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 572"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523142; rev:3093;)
alert ip [87.205.153.191,87.206.52.43,87.219.93.174,87.230.25.149,87.231.28.173,87.236.194.23,87.236.215.156,87.236.215.83,87.236.27.155,87.254.66.74] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 573"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523144; rev:3093;)
alert ip [87.52.3.33,87.72.197.113,87.72.239.187,87.72.73.231,87.73.84.77,87.78.98.152,87.79.181.31,87.79.79.94,87.79.95.151,87.88.49.122] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 574"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523146; rev:3093;)
alert ip [87.92.163.24,87.98.180.9,87.98.185.5,87.98.243.150,87.98.245.84,88.109.16.208,88.113.152.171,88.130.97.249,88.130.99.84,88.152.235.180] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 575"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523148; rev:3093;)
alert ip [88.156.10.253,88.156.182.196,88.159.152.177,88.159.164.249,88.159.254.102,88.159.76.202,88.163.244.124,88.165.244.169,88.17.157.204,88.176.12.100] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 576"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523150; rev:3093;)
alert ip [88.180.173.63,88.187.120.90,88.187.233.27,88.188.17.198,88.191.138.57,88.191.212.33,88.193.129.197,88.193.138.181,88.193.200.225,88.198.107.179] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 577"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523152; rev:3093;)
alert ip [88.198.109.149,88.198.110.194,88.198.119.197,88.198.13.116,88.198.148.255,88.198.164.219,88.198.192.156,88.198.19.4,88.198.194.89,88.198.207.222] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 578"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523154; rev:3093;)
alert ip [88.198.44.145,88.198.6.3,88.198.70.137,88.204.112.242,88.208.121.78,88.208.220.123,88.21.232.113,88.217.143.53,88.64.76.6,88.66.247.98] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 579"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523156; rev:3093;)
alert ip [88.66.85.27,88.67.47.98,88.7.230.172,88.73.134.236,88.74.215.91,88.80.214.189,88.86.102.163,88.91.112.31,88.98.252.234,88.99.104.94] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 580"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523158; rev:3093;)
alert ip [88.99.141.248,88.99.14.92,88.99.162.199,88.99.169.186,88.99.170.243,88.99.172.64,88.99.174.144,88.99.186.21,88.99.189.0,88.99.199.87] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 581"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523160; rev:3093;)
alert ip [88.99.21.163,88.99.21.171,88.99.216.194,88.99.217.110,88.99.2.24,88.99.27.131,88.99.31.186,88.99.35.178,88.99.36.32,88.99.70.107] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 582"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523162; rev:3093;)
alert ip [88.99.90.203,88.99.96.224,89.0.158.33,89.0.53.125,89.100.9.6,89.102.142.167,89.107.155.162,89.111.20.68,89.12.177.229,89.1.28.168] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 583"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523164; rev:3093;)
alert ip [89.13.225.51,89.13.237.53,89.133.129.147,89.13.44.164,89.13.67.50,89.14.152.171,89.150.174.50,89.16.176.158,89.162.0.126,89.163.141.115] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 584"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523166; rev:3093;)
alert ip [89.163.141.116,89.163.146.41,89.163.210.163,89.163.210.164,89.163.211.42,89.163.216.165,89.163.219.118,89.163.219.27,89.163.224.187,89.163.224.250] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 585"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523168; rev:3093;)
alert ip [89.163.224.70,89.163.225.115,89.163.225.145,89.163.225.6,89.163.225.7,89.163.242.53,89.163.245.116,89.163.245.181,89.163.245.184,89.163.245.199] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 586"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523170; rev:3093;)
alert ip [89.163.246.127,89.163.246.250,89.163.247.115,89.163.249.200,89.163.249.201,89.166.124.13,89.173.212.31,89.175.27.163,89.176.17.234,89.179.119.165] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 587"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523172; rev:3093;)
alert ip [89.18.172.112,89.18.173.41,89.183.209.51,89.187.143.81,89.188.109.210,89.191.217.1,89.207.129.150,89.217.38.172,89.217.96.72,89.22.100.64] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 588"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523174; rev:3093;)
alert ip [89.221.210.122,89.221.210.151,89.223.27.241,89.22.97.193,89.2.29.89,89.23.229.110,89.234.182.176,89.234.186.18,89.236.144.248,89.238.178.122] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 589"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523176; rev:3093;)
alert ip [89.238.178.123,89.238.178.238,89.238.66.240,89.244.173.134,89.244.205.159,89.245.104.57,89.247.11.173,89.247.199.126,89.247.202.92,89.247.47.22] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 590"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523178; rev:3093;)
alert ip [89.247.61.188,89.247.6.83,89.248.170.227,89.249.65.6,89.33.246.114,89.33.6.24,89.34.237.13,89.34.237.21,89.34.237.230,89.35.134.154] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 591"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523180; rev:3093;)
alert ip [89.35.178.104,89.35.29.19,89.35.29.26,89.35.39.108,89.3.76.94,89.39.67.33,89.40.116.223,89.40.119.43,89.40.125.73,89.40.126.152] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 592"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523182; rev:3093;)
alert ip [89.45.67.137,89.46.100.162,89.46.100.71,89.46.222.254,89.46.70.98,89.67.100.248,89.71.161.30,89.73.57.178,89.82.171.44,89.89.43.96] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 593"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523184; rev:3093;)
alert ip [90.146.141.214,90.155.76.242,90.184.239.156,90.215.206.6,90.224.9.202,90.225.80.159,90.228.240.43,90.230.158.145,90.254.70.1,90.34.208.210] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 594"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523186; rev:3093;)
alert ip [90.3.4.65,90.45.213.132,90.65.63.146,90.79.101.154,90.79.169.1,90.87.129.49,90.90.170.255,90.92.136.122,91.100.103.196,91.105.203.92] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 595"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523188; rev:3093;)
alert ip [91.106.170.116,91.106.172.58,91.106.193.118,91.109.29.241,91.121.109.209,91.121.116.34,91.121.1.20,91.121.147.65,91.121.154.109,91.121.155.33] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 596"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523190; rev:3093;)
alert ip [91.121.158.17,91.121.160.215,91.121.160.6,91.121.166.152,91.121.16.67,91.121.177.171,91.121.183.178,91.121.192.154,91.121.195.169,91.121.205.56] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 597"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523192; rev:3093;)
alert ip [91.121.218.189,91.121.224.10,91.121.230.208,91.121.230.212,91.121.230.214,91.121.230.216,91.121.230.218,91.121.23.100,91.121.28.66,91.121.67.146] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 598"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523194; rev:3093;)
alert ip [91.121.73.223,91.121.76.175,91.121.78.119,91.121.79.188,91.121.82.25,91.121.83.108,91.121.84.137,91.121.85.130,91.121.89.201,91.121.98.58] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 599"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523196; rev:3093;)
alert ip [91.122.100.13,91.122.31.175,91.122.46.175,91.122.47.234,91.122.52.237,91.123.24.138,91.124.27.210,91.126.45.228,91.130.33.90,91.134.131.128] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 600"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523198; rev:3093;)
alert ip [91.134.133.88,91.134.135.12,91.134.137.99,91.134.140.21,91.134.180.240,91.134.217.18,91.134.237.118,91.136.164.146,91.138.71.236,91.143.80.220] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 601"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523200; rev:3093;)
alert ip [91.143.91.142,91.143.93.29,91.145.118.93,91.146.122.45,91.155.183.84,91.155.228.254,91.16.120.166,91.16.12.249,91.16.71.63,91.176.189.201] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 602"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523202; rev:3093;)
alert ip [91.176.51.65,91.17.82.134,91.18.230.84,91.186.57.78,91.18.81.173,91.188.125.128,91.190.234.66,91.19.232.150,91.194.90.103,91.198.212.250] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 603"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523204; rev:3093;)
alert ip [91.200.13.76,91.200.162.25,91.200.162.9,91.203.138.58,91.203.146.126,91.203.147.165,91.203.5.146,91.203.5.165,91.205.173.82,91.205.89.126] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 604"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523206; rev:3093;)
alert ip [91.210.104.91,91.210.106.134,91.211.107.172,91.211.247.112,91.211.247.71,91.213.233.107,91.213.233.138,91.213.233.194,91.213.233.60,91.213.8.101] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 605"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523208; rev:3093;)
alert ip [91.213.8.89,91.214.169.69,91.218.112.34,91.2.18.68,91.219.236.250,91.219.237.117,91.219.237.154,91.219.237.19,91.219.238.112,91.219.238.221] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 606"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523210; rev:3093;)
alert ip [91.219.238.224,91.219.239.121,91.219.239.92,91.219.28.211,91.219.28.85,91.219.28.99,91.219.29.157,91.219.29.188,91.219.29.238,91.220.145.100] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 607"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523212; rev:3093;)
alert ip [91.220.220.5,91.221.119.33,91.221.66.21,91.221.66.220,91.224.149.33,91.224.156.117,91.22.57.79,91.226.212.67,91.228.52.186,91.228.53.86] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 608"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523214; rev:3093;)
alert ip [91.229.20.27,91.229.76.124,91.231.86.101,91.231.86.204,91.233.106.237,91.233.116.119,91.233.116.51,91.233.133.244,91.236.116.36,91.236.116.7] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 609"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523216; rev:3093;)
alert ip [91.236.116.8,91.236.116.87,91.236.116.88,91.236.239.135,91.236.239.140,91.236.251.42,91.236.251.72,91.237.244.62,91.237.247.62,91.237.52.170] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 610"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523218; rev:3093;)
alert ip [91.237.88.108,91.239.232.81,91.240.229.195,91.247.251.26,91.248.53.93,91.250.100.7,91.250.84.156,91.34.243.67,91.37.97.140,91.39.101.21] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 611"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523220; rev:3093;)
alert ip [91.40.39.184,91.45.230.139,91.46.61.152,91.49.132.129,91.49.140.172,91.49.45.62,91.49.51.27,91.50.170.219,91.50.246.218,91.51.107.69] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 612"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523222; rev:3093;)
alert ip [91.51.134.4,91.54.179.239,91.54.201.162,91.62.254.228,91.63.50.152,91.64.27.10,91.64.51.214,91.65.105.24,91.65.134.181,91.65.191.101] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 613"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523224; rev:3093;)
alert ip [91.65.61.217,91.66.76.145,91.69.192.38,91.7.58.246,91.77.252.217,91.79.27.85,91.8.214.141,91.90.166.69,91.9.202.182,91.92.115.202] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 614"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523226; rev:3093;)
alert ip [91.9.216.25,91.96.2.188,91.97.3.133,92.104.238.109,92.111.4.177,92.151.189.187,92.167.38.82,92.169.22.209,92.169.48.59,92.177.28.114] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 615"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523228; rev:3093;)
alert ip [92.191.127.225,92.191.202.80,92.194.213.142,92.200.11.177,92.201.106.193,92.201.58.171,92.204.82.227,92.206.26.29,92.211.43.219,92.220.233.230] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 616"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523230; rev:3093;)
alert ip [92.220.40.210,92.222.115.28,92.222.162.54,92.222.180.10,92.222.181.104,92.222.181.123,92.222.207.227,92.222.22.113,92.222.22.37,92.222.22.91] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 617"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523232; rev:3093;)
alert ip [92.222.24.63,92.222.26.216,92.222.39.183,92.222.39.196,92.222.4.102,92.222.69.173,92.222.74.203,92.222.9.53,92.223.105.32,92.223.72.168] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 618"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523234; rev:3093;)
alert ip [92.226.164.131,92.243.0.179,92.243.30.208,92.243.69.105,92.247.51.169,92.249.143.119,92.255.176.138,92.255.207.89,92.27.7.209,92.39.246.45] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 619"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523236; rev:3093;)
alert ip [92.43.29.220,92.5.217.154,92.52.32.77,92.55.0.224,92.62.46.190,92.63.174.36,92.63.174.71,92.75.240.25,92.77.131.143,92.90.196.61] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 620"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523238; rev:3093;)
alert ip [93.100.231.62,93.100.237.212,93.104.208.119,93.104.209.158,93.104.209.61,93.104.213.65,93.104.83.158,93.115.241.194,93.115.241.2,93.115.241.50] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 621"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523240; rev:3093;)
alert ip [93.115.29.86,93.115.82.180,93.115.84.143,93.115.91.66,93.115.95.38,93.115.96.15,93.115.97.242,93.123.90.13,93.137.196.134,93.144.157.11] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 622"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523242; rev:3093;)
alert ip [93.144.207.182,93.152.159.223,93.157.51.22,93.158.216.142,93.170.77.90,93.180.136.43,93.180.154.94,93.180.156.84,93.180.157.154,93.181.102.130] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 623"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523244; rev:3093;)
alert ip [93.184.24.182,93.186.200.68,93.188.161.109,93.188.161.36,93.190.141.115,93.195.42.20,93.198.166.25,93.198.177.109,93.198.177.91,93.200.157.179] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 624"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523246; rev:3093;)
alert ip [93.202.182.34,93.202.247.222,93.203.122.229,93.204.19.216,93.205.162.51,93.205.164.158,93.205.168.70,93.206.105.74,93.211.208.22,93.212.72.106] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 625"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523248; rev:3093;)
alert ip [93.215.24.154,93.215.33.5,93.218.105.12,93.218.57.71,93.21.95.172,93.219.95.188,93.220.11.110,93.220.2.212,93.220.76.73,93.225.115.240] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 626"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523250; rev:3093;)
alert ip [93.225.189.24,93.226.250.177,93.227.133.182,93.227.45.40,93.228.169.102,93.228.170.48,93.230.171.235,93.230.27.178,93.231.225.100,93.231.227.11] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 627"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523252; rev:3093;)
alert ip [93.233.108.105,93.237.129.27,93.237.143.17,93.237.145.128,93.238.176.157,93.239.20.192,93.244.1.171,93.244.226.172,93.29.252.27,93.55.225.152] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 628"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523254; rev:3093;)
alert ip [93.58.11.24,93.72.198.81,93.72.89.51,93.73.103.6,93.76.246.35,93.80.95.169,93.89.101.27,93.91.157.42,93.92.203.113,93.92.205.248] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 629"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523256; rev:3093;)
alert ip [93.95.100.138,93.95.100.166,93.95.100.202,93.95.227.245,93.95.228.49,94.100.21.162,94.100.23.18,94.100.23.26,94.100.31.194,94.100.6.23] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 630"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523258; rev:3093;)
alert ip [94.100.6.27,94.112.217.77,94.126.170.165,94.130.10.251,94.130.21.85,94.130.31.206,94.130.32.101,94.130.34.199,94.130.52.205,94.130.58.99] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 631"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523260; rev:3093;)
alert ip [94.130.68.230,94.130.69.171,94.130.79.44,94.132.132.205,94.134.172.71,94.140.120.130,94.140.120.44,94.142.241.138,94.142.245.206,94.14.38.250] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 632"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523262; rev:3093;)
alert ip [94.155.122.185,94.155.49.47,94.156.128.10,94.156.175.120,94.156.175.157,94.156.175.174,94.16.137.7,94.16.173.106,94.176.139.186,94.177.228.80] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 633"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523264; rev:3093;)
alert ip [94.177.246.37,94.180.103.5,94.180.91.6,94.181.44.45,94.181.45.237,94.185.90.86,94.19.12.244,94.19.14.183,94.198.100.18,94.198.100.19] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 634"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523266; rev:3093;)
alert ip [94.198.68.92,94.198.98.21,94.198.98.35,94.198.98.61,94.198.98.71,94.21.108.113,94.212.20.248,94.214.190.171,94.214.240.71,94.222.19.206] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 635"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523268; rev:3093;)
alert ip [94.223.83.204,94.225.100.84,94.226.151.128,94.228.86.11,94.22.93.92,94.230.202.199,94.23.1.164,94.23.13.107,94.23.144.49,94.23.150.210] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 636"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523270; rev:3093;)
alert ip [94.23.153.241,94.23.154.36,94.23.168.235,94.23.173.93,94.23.174.26,94.23.17.58,94.23.18.169,94.23.20.28,94.23.203.74,94.23.204.175] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 637"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523272; rev:3093;)
alert ip [94.23.207.40,94.23.212.220,94.23.213.46,94.23.247.125,94.23.247.42,94.23.248.158,94.23.252.71,94.23.27.228,94.23.29.204,94.23.7.161] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 638"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523274; rev:3093;)
alert ip [94.23.78.159,94.23.78.34,94.23.89.90,94.23.9.194,94.241.32.11,94.242.209.121,94.242.209.244,94.242.222.129,94.242.222.176,94.242.222.217] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 639"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523276; rev:3093;)
alert ip [94.242.222.62,94.242.222.66,94.242.228.174,94.242.250.118,94.242.254.91,94.242.255.112,94.242.57.112,94.242.57.164,94.242.58.151,94.242.58.2] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 640"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523278; rev:3093;)
alert ip [94.242.58.233,94.242.59.147,94.242.59.47,94.247.43.246,94.248.21.145,94.252.108.192,94.254.19.150,94.254.35.25,94.254.40.64,94.31.53.203] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 641"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523280; rev:3093;)
alert ip [94.60.255.42,94.74.81.113,94.79.137.182,94.79.173.226,95.105.221.15,95.109.122.144,95.111.56.101,95.113.220.3,95.113.254.113,95.129.164.103] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 642"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523282; rev:3093;)
alert ip [95.130.11.15,95.130.11.186,95.130.11.5,95.130.12.119,95.130.12.12,95.130.9.76,95.133.43.144,95.141.32.76,95.141.35.15,95.141.44.61] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 643"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523284; rev:3093;)
alert ip [95.141.44.66,95.141.46.172,95.141.83.146,95.142.160.233,95.143.172.140,95.143.172.188,95.143.172.212,95.143.172.214,95.143.192.12,95.143.192.35] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 644"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523286; rev:3093;)
alert ip [95.143.193.145,95.143.193.19,95.143.193.20,95.146.129.169,95.151.73.17,95.153.31.8,95.153.32.10,95.156.95.8,95.161.4.34,95.165.133.22] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 645"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523288; rev:3093;)
alert ip [95.165.143.112,95.165.166.133,95.169.188.103,95.183.48.40,95.183.50.138,95.183.51.126,95.183.51.160,95.183.52.172,95.183.55.53,95.183.55.64] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 646"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523290; rev:3093;)
alert ip [95.188.94.18,95.211.101.141,95.211.138.51,95.211.138.7,95.211.153.12,95.211.156.164,95.211.160.148,95.211.169.34,95.211.186.80,95.211.205.138] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 647"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523292; rev:3093;)
alert ip [95.211.209.73,95.211.210.72,95.211.211.240,95.211.224.12,95.211.225.167,95.211.7.158,95.211.94.113,95.213.11.175,95.213.149.166,95.213.182.28] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 648"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523294; rev:3093;)
alert ip [95.213.207.165,95.215.44.102,95.215.44.105,95.215.44.167,95.215.44.88,95.215.45.138,95.215.45.142,95.215.45.188,95.215.45.236,95.215.46.123] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 649"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523296; rev:3093;)
alert ip [95.215.46.69,95.215.47.206,95.215.61.4,95.223.83.22,95.23.149.72,95.27.167.103,95.27.196.229,95.28.56.2,95.31.19.171,95.31.24.146] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 650"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523298; rev:3093;)
alert ip [95.31.38.209,95.33.74.90,95.37.235.44,95.42.126.167,95.57.120.117,95.58.170.163,95.71.126.230,95.71.255.254,95.72.8.104,95.79.229.226] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 651"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523300; rev:3093;)
alert ip [95.79.96.7,95.80.44.100,95.80.45.74,95.84.164.34,95.84.209.126,95.85.1.113,95.85.19.162,95.85.20.73,95.85.32.10,95.85.34.137] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 652"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523302; rev:3093;)
alert ip [95.85.37.111,95.85.38.152,95.85.8.226,95.86.193.186,95.88.112.11,95.90.178.205,95.91.100.114,95.91.1.149,95.91.38.156,96.126.105.219] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 653"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523304; rev:3093;)
alert ip [96.126.125.187,96.126.96.9,96.126.96.90,96.18.182.94,96.230.56.58,96.234.163.101,96.239.122.20,96.240.10.123,96.242.253.84,96.248.12.242] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 654"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523306; rev:3093;)
alert ip [96.253.78.108,96.255.206.102,96.35.69.1,96.65.123.249,96.65.68.193,96.68.219.29,96.68.60.77,96.81.131.84,96.92.118.50,96.92.142.205] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 655"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523308; rev:3093;)
alert ip [96.9.242.48,97.107.132.24,97.107.138.68,97.107.139.108,97.107.139.28,97.107.142.234,97.113.14.165,97.86.44.160,97.90.130.111,97.95.35.13] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 656"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523310; rev:3093;)
alert ip [97.99.128.23,98.115.57.155,98.116.98.49,98.193.192.116,98.200.162.245,98.201.49.226,98.206.202.53,98.214.167.61,98.216.134.151,98.217.121.98] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 657"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523312; rev:3093;)
alert ip [98.217.8.51,98.220.250.164,98.233.45.225,98.235.185.167,99.164.139.172,99.225.25.117,99.230.190.118,99.247.229.177,99.248.248.37,99.51.71.220] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 658"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523314; rev:3093;)
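Review bot: the ET TOR rule lines above (sid 2523282 through 2523314, all at rev:3093) are a point-in-time snapshot of an IP-list ruleset, and committing them as text means the list starts going stale the day it is merged, since Tor relay addresses churn continuously; prefer fetching the ruleset with `suricata-update` (or from the feed the `reference:url` points at) at deploy time, or at minimum record the snapshot date next to the file. It is also worth saying in the commit or a README what a hit means: `alert ip [...] any -> $HOME_NET any` with `threshold: type limit, track by_src, seconds 60, count 1` fires once per listed source per minute on any IP traffic, and because these are non-exit relays, traffic from them into `$HOME_NET` usually means a local host is talking to the Tor network (a client reaching a guard, or a local relay), not an inbound attack, despite `classtype:misc-attack`; the `flowbits:set,ET.TorIP` tag is the useful part, for correlation by later rules.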

code/docker/README.md Normal file

@ -0,0 +1,15 @@
## docker
<br>
* **👉🏼 [docker hints and tricks](tricks.md)**
<br>
----
### external resources
<br>
* **[eth docker](https://github.com/eth-educators/eth-docker)**
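Review bot: the single "external resources" entry, `[eth docker](https://github.com/eth-educators/eth-docker)`, carries no description; a few words on what it is (a Docker Compose based setup for running Ethereum node software) and why it is listed under a generic docker folder would help the reader decide whether to follow the link.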

code/docker/tricks.md Normal file

@ -0,0 +1,43 @@
## useful tricks for docker
<br>
#### shared folders
Removing some of the default shared folders can decrease CPU usage (e.g. remove `/Volumes` and `/private`).
Check storage with:
```
docker info |grep Storage
```
<br>
#### performance
In case of performance problems you can run:
```
docker run --rm=true -it --privileged --pid=host \
<image name> /usr/bin/top
```
<br>
#### cleaning up
See disk space:
```
docker system df
```
Remove stopped containers, dangling images, the build cache, and unused networks:
```
docker system prune
```
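Review bot: the `docker run --rm=true -it --privileged --pid=host <image name> /usr/bin/top` command under "performance" needs a warning next to it: `--privileged` together with `--pid=host` removes essentially all of Docker's isolation, so whatever `<image name>` resolves to runs as effective host root with a view of every host process; say that it must only be run with an image you trust, and mention that `docker stats` answers the usual "which container is eating CPU" question without any of that. The "shared folders" advice (removing `/Volumes` and `/private`) applies to Docker Desktop's file-sharing settings on macOS and should say so, since those paths mean nothing on a Linux engine. The fences also lack a language tag; `bash` would let renderers highlight them.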

code/gcp/.gitignore vendored Normal file

@ -0,0 +1,104 @@
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class
# C extensions
*.so
# Distribution / packaging
.Python
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
*.egg-info/
.installed.cfg
*.egg
MANIFEST
# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec
# Installer logs
pip-log.txt
pip-delete-this-directory.txt
# Unit test / coverage reports
htmlcov/
.tox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*.cover
.hypothesis/
.pytest_cache/
# Translations
*.mo
*.pot
# Django stuff:
*.log
local_settings.py
db.sqlite3
# Flask stuff:
instance/
.webassets-cache
# Scrapy stuff:
.scrapy
# Sphinx documentation
docs/_build/
# PyBuilder
target/
# Jupyter Notebook
.ipynb_checkpoints
# pyenv
.python-version
# celery beat schedule file
celerybeat-schedule
# SageMath parsed files
*.sage.py
# Environments
.env
.venv
env/
venv/
ENV/
env.bak/
venv.bak/
# Spyder project settings
.spyderproject
.spyproject
# Rope project settings
.ropeproject
# mkdocs documentation
/site
# mypy
.mypy_cache/
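Review bot: this is the stock GitHub Python `.gitignore` template, which is fine for the Python tooling, but for a directory of GCP scripts the file most likely to be committed by mistake is a service-account key, and the template only ignores `.env`; add a pattern for the JSON key files that `gcloud iam service-accounts keys create` writes (e.g. `*-key.json`, or whatever naming the scripts use), and `.terraform/` and `*.tfstate` if Terraform is used here. The template also carries sections that do not apply to this tree (Django, Flask, Scrapy, Sphinx, Celery, SageMath), which could be trimmed.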

code/gcp/README.md Normal file

@ -0,0 +1,2 @@
## resources on GCP
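Review bot: `code/gcp/README.md` is a heading with no body; either list what the `code/gcp` directory contains, as `code/docker/README.md` does for its folder, or leave the file out until there is content to point at, since an empty "resources on GCP" page tells the reader nothing.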
